Hi,


Sorry for not answering earlier.
I was quite busy as I asked another colleague and together we came up with a 
solution:

First we redirected the CRM site to the default appl pool instead of the CRM 
one. I can then access the CRM site but it does not use my logon (it uses 
the netlogon account) and therefore I cannot work with the program. We captured 
packets from the server and found out that the NTLM authentication is working 
fine so CRM must use the Kerberos authentication from which we couldn't find 
any packets - sorry about the wrong information, I'm not very good at this as I 
never dug into authentication before. I did do some testing in regards to the 
SPNs on the server: 
1. I unregistered that http SPN from the computer account and registered http 
on port 1030 (on which my intranet is running) on the server
2. I registered Http on port 80 to the account used by CRM

This resulted in the following:

A) the intranet is still running (as http and port 1030 is registered for the 
server)
B) The CRM application runs as well (as http port 80 is registered to the CRM 
user account)

Interesting was that although we reversed the changes my other colleague did it 
was still not working and I had to manually register the services with the 
right port. I am not sure if we still have any errors in the event viewer of the 
DCs but we are having a big network change starting next Mo and I will work on 
that after that is finished.
Just one more thing in regards to the logfiles: logging for failure was/is 
enabled and the httperr logs have only entries with 'Timer_ConnectionIdle' - 
but only after hours.

Thanks once more for the help! As without all your questions I was able to 
solve it.

Cheers,

Kat

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Wednesday, 30 November 2005 1:38 PM
To: [email protected]
Subject: RE: [ActiveDir] authentication problem

Hi,

A) IIS logfiles must have something. The browser pops-up the credentials 
dialogue when it receives a 401 HTTP status (Access Denied) back from the 
server. Can you look in your IIS logfiles please, and post the corresponding 
logfile entries please? If there is nothing in the IIS logfiles, then the 
requests are not making it to IIS. Either there is a proxy device between the 
client and server, or the connection is being dropped - have a look in the 
httperr.log file on your server.

B) Have you got auditing for logon failure events enabled?

C) SPNs would be needed when using Kerberos Auth, but you indicated that 
previous logons were using NTLM. That's a bit odd.

Cheers
Ken

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Wednesday, 30 November 2005 12:39 AM
To: [email protected]
Subject: RE: [ActiveDir] authentication problem

Hi Ken,

Thanks heaps for your response.

Currently I can give the following answers:

A) the IIS log files say nothing in particular; they all look the same as before 
the incident
B) I get no log entry in the security that authentication is failing - seems to 
not get through at all so it keeps asking; not sure what is normally used to 
authenticate, think it's NTLM as the log files prior to this were using it
C) the situation was that we had a new admin who was / is quite annoyed with 
errors in log files (me too but we have just about enough staff to run the 
system and do some urgent projects so if it doesn't cause an error I just don't 
touch it). He told me that we got KDC errors (11) stating the 
ds_service_principal_name is registered to multiple accounts - and around 
1 week ago he deleted some SPN entries by using ADSIEDIT after 
checking in LDP which accounts have the service registered. I first had my CRM 
down and then after a needed shutdown (we had work on site with power turned 
off and prior to this I shut down the servers) and reboot nothing was working at 
all. I tried a few things and told my colleague to reverse what he was doing but 
this didn't really fix it.
The only way I could get the intranet going again (with basically no 
restrictions) was to register the cifs and http for this server manually. 
Interesting is that if I am logged on the server CRM and intranet is working 
perfectly. So it must be the actual authentication on the server.
D) thanks for the auditing information - I turned it instantly on.

Thanks for the help.

Cheers,
Kat

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, 29 November 2005 10:17 PM
To: [email protected]
Subject: RE: [ActiveDir] authentication problem

Hi,

Do not change any more values without an understanding of the root cause of the 
issue. Do not uncheck that checkbox, and do not change the security zone that 
the site is in.

a) What do your IIS logfiles say for the requests in question?

b) What do your event logs say as far as failed logon attempts? What 
authentication package is being used (NTLM or Kerberos) and why is the logon 
failing?

c) Why did you add those alternate SPN values? The HOST SPN is registered, by 
default, under the computer account. Why were you adding it under user accounts?

d) In Win2k3 SP1 there's something called IIS Metabase Auditing that you can 
enable, which will help you with the "I didn't change anything, I swear" 
scenario:
http://www.adopenstatic.com/faq/iismetabaseauditing.aspx

Cheers
Ken

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks 
[MVP]
Sent: Tuesday, 29 November 2005 2:40 PM
To: [email protected]
Subject: Re: [ActiveDir] authentication problem

Should be error messages in your IIS log files though and if you have a system 
state backup from before the changes that would have those [or should have 
those] old AD values?

When it fails to log in what's the resulting error code?  401.1?
Something like that?

Also I've seen permission changes to web sites, .NET framework will screw 
things up and start asking for passwords.  Did he mess with any of the accounts 
that the aspnet and CRM services are running in?  So exactly what was he doing 
again?

Google Groups : microsoft.public.crm:
http://groups.google.com/group/microsoft.public.crm/tree/browse_frm/thread/e780a75e03330399/21602ba7ff5148b1?rnum=1&q=prompted+by+username+crm&_done=%2Fgroup%2Fmicrosoft.public.crm%2Fbrowse_frm%2Fthread%2Fe780a75e03330399%2Ff4c11fb795df5768%3Flnk%3Dst%26q%3Dprompted+by+username+crm%26rnum%3D1%26#doc_f4c11fb795df5768

I'd look at some of these threads.

And on the off chance... try this too and see if this value is checked....
In IE, go to Tools menu >> Internet Options >> Advanced and scroll down through 
the list until you see the Enable Integrated Windows Authentication option near 
the bottom of the list.  Uncheck this value.

And check the security level for IE...put the web sites in the trusted zone.



Remember you can always call Microsoft product support.  Try the appropriate 
group or community, but if you need something working and in a hurry, and 
newsgroups are not cutting it, I grab the credit card and I'll call product 
support if I need things working.

Katrin Wilhelm wrote:
> It's CRM 1.2 as far I know he didn't change anything in IIS and I do
> not get any error messages in regards to this. My feeling tells me
> that it must be the Service principal names with which he was working
> on are the reasons for the problem. As I never done any work with it I
> have no idea where to start looking. So far used setspn -R to reset
> the host SPN and added with setspn -A the HOST SPN to the user
> accounts which earlier created an event ID 11 (KDC) on DC's. Not sure
> where to go from here.
>
> Regards,
>
> Katrin Wilhelm (MCSA)
> CVGT Employment & Training Specialists Australia
> E-mail: [EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, 29 November 2005 2:02 PM
> To: [email protected]
> Subject: Re: [ActiveDir] authentication problem
>
> What are the errors you are getting in the error logs? IIS access
> logs?
>
> CRM 1.2 or 3.0? {I'm assuming 1.2 since 3.0 is just out}
>
> CRM uses integrated authentication on that web app if memory serves me
> right...given that it's both your CRM and your intranet what IIS
> changes did he/she make? I think it's supposed to be set for basic and
> integrated security enabled, but I know enough about CRM to be
> dangerous.... there are CRM yahoogroups and newsgroups that I'd head
> off to if you don't hear from here.
>
> Katrin Wilhelm wrote:
>
>> Hello,
>>
>> I got a weird problem on a member server (2003) running MS CRM, SQL
>> and our intranet.
>>
>> Every time you are accessing the intranet or the CRM site you get a
>> pop up window for identification. It then does not accept any user
>> name and password. Everything worked fine until last week and I am
>> not sure what has changed. I believe the other admin used adsiedit to
>> change SPN for 'host' as it was registered to several user accounts. I
>> found a work around that way that I allowed anonymous access and
>> granted the everyone group read access but do not want to leave it
>> like this. Does anybody know how I can fix this? I have no idea about
>> SPN and had a look around but I am stuck and my CRM is not working as
>> the access is not granted. Any suggestions?
>>
>> Thanks for this.
>>
>> Katrin Wilhelm (MCSA)

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Confidentiality:
The contents contain privileged and/or confidential information intended for 
the named recipient of this email.
CVGT does not warrant that the contents of any electronically transmitted 
information will remain confidential.
If the reader of this email is not the intended recipient you are hereby 
notified that any use, reproduction, disclosure or distribution of the 
information contained in the email is prohibited.
If you receive this email in error, please reply to us immediately and delete 
the document.

Viruses:
It is the recipient/client's duties to virus scan and otherwise test the 
information provided before loading onto any computer system.
No warranty is made that this material is free from computer virus or any other 
defect or error.
Any loss/damage incurred by using this material is not the sender's 
responsibility.  CVGT's entire liability will be limited to resupplying the 
material.

Please contact us at www.cvgt.com.au for further information regarding this 
disclaimer