CRM 2011 – SPN for service account not working

I had set up CRM 2011 to run using a service account, as good practice recommends (well, actually you are meant to have separate accounts to run the different services, I think).

I had set up the service account, but when I tried to call CRM from a machine other than the CRM server I was getting authentication problems.

This was driving me up the wall. I read this very useful page, which describes some different scenarios and setups, and I'm sure I had done everything:

http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx

The main instructions are these:

1. Determine the SPNs that are registered under the current application pool account. The current account is Network Service, which is the local computer object, CRMAppServer.contoso.com. SPNs can be found with ADSI Edit or SetSPN. Below are the expected SPNs under this object that would be related to IIS. There may be additional SPNs added to the object depending on the installed services.

  • HOST/CRMAppServer
  • HOST/CRMAppServer.contoso.com
  • HTTP/CRM
  • HTTP/CRM.contoso.com

2. There are SPNs with two different service classes registered: the default HOST SPNs and the HTTP SPNs for the host header. The current HTTP SPNs will need to be removed so they can be added under the new service account. The HOST SPNs do not get removed, as these will not cause duplicates due to the unique service class. The following SPNs can be removed using ADSI Edit or SetSPN.

  • HTTP/CRM
  • HTTP/CRM.contoso.com

3. The following SPNs need to be added to the contoso\CRMService object. These are the SPNs for the server name and the host header. Additional SPNs will need to be created if other host headers are used.

  • HTTP/CRMAppServer
  • HTTP/CRMAppServer.contoso.com
  • HTTP/CRM
  • HTTP/CRM.contoso.com
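
The three steps above, scripted with setspn.exe as an added example (this is not code from the post or from the MSDN article). The machine, suffix, host header and account names are the ones the quoted instructions use; swap in your own. It queries who currently holds each HTTP SPN, removes it from the computer object if it is there, adds it to the service account with duplicate checking, and finishes with a forest-wide duplicate scan, which is the check most often skipped when Kerberos "just stops working":

```powershell
# Added example: move the CRM HTTP SPNs from the web server's computer object to
# the service account, then verify. Run as an account that can write the
# servicePrincipalName attribute on both objects (typically a domain admin).
$WebServer  = 'CRMAppServer'          # NetBIOS name of the CRM web server (from the MSDN text)
$DnsSuffix  = 'contoso.com'
$HostHeader = 'CRM'                   # IIS host header for the CRM site
$SvcAccount = 'contoso\CRMService'    # new application pool identity

$spns = @(
    "HTTP/$WebServer",
    "HTTP/$WebServer.$DnsSuffix",
    "HTTP/$HostHeader",
    "HTTP/$HostHeader.$DnsSuffix"
)

function Get-SpnOwners([string]$Spn) {
    # 'setspn -Q' prints the DN (a 'CN=...' line) of every object carrying the SPN,
    # followed by that object's SPN list; keep only the DN lines.
    setspn -Q $Spn 2>&1 | Where-Object { $_ -match '^CN=' }
}

foreach ($spn in $spns) {
    $owners = @(Get-SpnOwners $spn)
    # The HTTP SPNs must leave the computer object first; the same SPN on two
    # objects is a duplicate and the KDC will not issue a usable ticket for it.
    if ($owners -match "^CN=$WebServer,") {
        setspn -D $spn $WebServer
    }
    # -S (rather than -A) refuses to add an SPN that already exists in the forest.
    setspn -S $spn $SvcAccount
}

# HOST/ SPNs stay on the computer object (different service class, no clash).
setspn -L $SvcAccount      # should now list the four HTTP SPNs
setspn -L $WebServer       # should list HOST/ only
setspn -X                  # forest-wide duplicate scan; expect "found 0 group of duplicate SPNs"
```

If you would rather keep kernel-mode authentication switched on with a custom application pool identity, IIS 7 also has a `useAppPoolCredentials` attribute on `windowsAuthentication` that makes kernel mode decrypt tickets with the app pool account's SPNs; the post does not use it, so it is mentioned here only as an alternative to unticking the box.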

So why wasn't it working? I was then reading this page about setting up SPNs for IIS 7+:

http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Now, the IIS I was using was IIS 6, so this wasn't really relevant, but what I did notice was something called Enable Kernel-mode authentication.


You no longer need to worry about the correlation between HTTP SPNs and the Application pool Identity that was required in the earlier version i.e. IIS 6.0. But that’s not blindly true. There has been some confusion whether we don’t have to care at all about SPNs or may have to depending upon the settings. Here is a checklist to give more clarity for different scenarios that you may fall under:

SCENARIO 1a

IIS 7.0 Web Site/Application
Authentication Integrated Windows authentication
Application Pool Identity NETWORK SERVICE
Kernel-Mode authentication Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
Site URL Accessed with the NetBIOS name, like http://<myIISserver-NetBIOS-name>/Default.aspx

SPNs will be required ONLY for the IIS machine account:

HOST/<myIISserver-NetBIOS-name>
HOST/<myIISserver-NetBIOS-name.fully-qualified-domainname> for e.g. HOST/myIISserver.mydomain.com

What struck me as odd was that if you had kernel mode on then you would only need to set up an SPN for the machine rather than the service account. This was not a setting I wanted.

I was playing around with the SPNs and found that when I set the SPN HTTP/<CRMServername> for the CRM server it worked, but if I removed this and set the SPN for the service account I would get authentication errors.

To resolve the problem I went into the Microsoft Dynamics website in IIS,

clicked Authentication,

clicked Windows Authentication –> Advanced Settings,

unticked Enable Kernel-mode Authentication,

did an IIS restart,

and then CRM could be accessed from outside of the CRM server.

I did have to make sure the Windows authentication providers were NTLM first and then Negotiate as the second choice; this little gem I found on my own blog from a few years ago:

https://crmbusiness.wordpress.com/2011/02/01/crm-2011-repeated-credential-prompts-when-accessing-on-premise-install-of-2011/

This is also very useful for people trying to set up the Dynamics Connector, because we had to use the same service account to run the NAV web services and the CRM web services/app pool etc., so to get this working we had to use a service account.

 

CRM 2011 – Import stuck on submitted

A quick problem occurred for me today.

I was trying to import some records: I had selected the file, selected the entity and run through it all before pressing the final OK button.

 

Then the import just stood there with a status of Submitted.

 

I knew the import process was run as a system job by the Asynchronous service. I double-clicked on the import and saw the job was waiting for resources.

I logged onto the server and found the Async service had stopped.

After restarting the service it quickly imported the file.

 

The problem with the Async service is that it can sometimes stop working, but this is not obvious to begin with, because the CRM website is usually still working.

It's a pity CRM doesn't have something inside CRM where you can check to see if this is working.

Does anyone have a system they use to email themselves, or a solution to the Async jobs stopping working?

I see you can start a program if it doesn't restart on the second time of asking, so you could make a program to update something in CRM or perhaps send an email out to certain people.
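
One answer to the question above, as an added example rather than anything from the post: a small watchdog that a scheduled task can run every few minutes. It checks the CRM async services, tries to restart a stopped one, and emails whatever it found, including the case where the restart itself fails (which is what happens when the service account can no longer log on). The service names, SMTP host and addresses are assumptions for your environment.

```powershell
# Added example: CRM async service watchdog. Run from Task Scheduler under an
# account allowed to start services on the CRM server.
$Services   = @('MSCRMAsyncService', 'MSCRMAsyncService$maintenance')  # assumed service names
$SmtpServer = 'smtp.contoso.local'                                      # assumption
$MailFrom   = 'crm-watchdog@contoso.local'                              # assumption
$MailTo     = 'crm-admins@contoso.local'                                # assumption

function Test-CrmAsyncServices {
    # Returns one message per problem found; an empty result means all is well.
    $problems = @()
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $problems += "$name is not installed on $env:COMPUTERNAME"
            continue
        }
        if ($svc.Status -eq 'Running') { continue }
        $previous = $svc.Status
        try {
            Start-Service -Name $name -ErrorAction Stop
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
            $svc.Refresh()
            $problems += "$name was $previous and has been restarted (now $($svc.Status))"
        } catch {
            # A logon failure here usually means an expired or changed
            # service-account password; restarting will not fix that.
            $problems += "$name was $previous and could NOT be restarted: $($_.Exception.Message)"
        }
    }
    return $problems
}

$found = Test-CrmAsyncServices
if ($found.Count -gt 0) {
    $body = ($found -join "`r`n")
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "CRM async service problem on $env:COMPUTERNAME" -Body $body
    Write-Warning $body
}
```

Because stuck imports and workflows sit silently in "Submitted" or "Waiting for resources" while the website still answers, the watchdog should look at the service, not at the site.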

 

CRM/NAV Connector – The accounts needed to install the CRM/NAV Connector

When you are going to install the connector you will need quite a few accounts created, and you will need to talk to the customer and get them to create these accounts and give you the details before you can install and run the connector.

Below is a list of the accounts you will need, the text below is taken from the CRM/NAV connector installation guide which you can find on the partner source website here

CRM 2011 – Outlook CRM Disconnected – Check the time on the server!

Today I had a very unusual problem: suddenly no one could connect to CRM 2011 using Outlook.

The web url to CRM 2011 worked fine

but Outlook couldn't connect.

Oddly, my Outlook was the only one in the company that could connect (I don't see what the problem is, guys :-)).

I turned on tracing on one of the Outlook clients, and the error file didn't really help me much. Googling the problem pulled back lots of entries but nothing that worked for me.

I tried to remove the organisation and add it again, and then I got a slightly different error message:

CRM 2011 Outlook: There is a problem communicating with the Microsoft Dynamics CRM server

Communication problem, no kidding, they were giving each other the silent treatment.

Googling this error message finally brought me to this KB article:

This issue may occur for any of the following causes:

  1. The operating system date on the client computer is not set to the correct date.
  2. The operating system time on the client computer is not set to the correct time.
  3. The operating system time zone on the client computer is not set to the correct time zone.
  4. The Microsoft Dynamics CRM server might be unavailable.

What??!?!? I then got called into a meeting, but when I came out one of the salesmen had found out that the time on the CRM server was 5 minutes slower than his computer time, and when he changed his computer time it worked.

The solution to the problem was to change the time on the CRM server to the correct time, for some reason it had lost 5 minutes.

It took me ages to find the cause of this problem; I can't really understand why CRM has such a strict policy about this.

 

Here is the solution from the KB article:

For Causes 1, 2, and 3

  1. Exit the CRM Configuration Wizard.
  2. Change the operating system date and time. To do this, use one of the following methods.

    Method 1: Manually change the operating system time

    1. Click Start, click Control Panel, click Clock, Language, and Region, and then click Date and Time.
    2. In the Date and Time dialog box, click Change date and time to change the date and time settings. For example, click a date such as February 1, 2011 from the calendar, and change the time.
    3. Click OK.
    4. Click Change time zone, and then select your time zone.
    5. Click OK.

    Note These steps are for Windows 7 or Windows Server 2008 operating systems. To change date and time in Windows XP, please refer to the Windows XP help manual.

    Method 2: Configure the operating system time to synchronize with an Internet time server

    1. Click Start, click Control Panel, click Clock, Language, and Region, and then click Date and Time.
    2. In the Date and Time dialog box, click the Internet Time tab, and then click Change Settings.
    3. Click to select the Synchronize with an Internet Time Server check box, select a time server, click Update Now, and then click OK.

    Method 3: Use a command to sync time with the domain if the computer is a member of a domain

    1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as Administrator.
    2. At the command prompt, type the following text, and then press Enter:
      net time [{\\ComputerName | /domain[:DomainName] | /rtsdomain[:DomainName]}] [/set]

      If you do not know the ComputerName or the Domain Name, try the following simple command:

      net time /set

      Then, type Y to finish the change.


    For more information about the net time command, visit the following Microsoft website:

    Method 4: Force a synchronization of the NTP client if the computer uses an NTP client to sync with an NTP server

For Cause 4

To resolve the issue for Cause 4, you must contact your system administrator to verify the availability of the Dynamics CRM Server. Or, try to run the configuration again.
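
Methods 3 and 4 in the KB text fix the clock after the fact; the check a practitioner wants is one that measures the skew before users notice. The following is an added example, not part of the KB article or the post. It uses w32tm to sample this machine's offset against the domain controller it logged on through and resyncs if the drift exceeds a threshold. The 60-second threshold is an assumption; Active Directory's Kerberos default tolerance is 5 minutes, which matches the 5 minutes the server in the post had lost.

```powershell
# Added example: measure and correct clock skew against the logon DC.
# Run on the CRM server (and on a client, if you want to compare both ends).
$MaxSkewSeconds = 60   # assumption; well inside the 5-minute Kerberos tolerance

function Get-ClockOffsetSeconds([string]$Peer) {
    # 'w32tm /stripchart /dataonly' prints one "HH:mm:ss, +00.0123456s" line per
    # sample (positive = local clock ahead of the peer). Average a few samples.
    $lines = w32tm /stripchart /computer:$Peer /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No time samples from $Peer (port 123 blocked, or the name is wrong): $($lines -join ' ')"
    }
    return ($offsets | Measure-Object -Average).Average
}

# $env:LOGONSERVER looks like '\\DC01'; strip the leading backslashes.
$dc     = $env:LOGONSERVER.TrimStart('\')
$offset = Get-ClockOffsetSeconds $dc
'{0}: offset from {1} is {2:N3} s' -f $env:COMPUTERNAME, $dc, $offset

if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning "Clock skew exceeds $MaxSkewSeconds s; forcing a resync and re-checking"
    w32tm /resync /rediscover
    Start-Sleep -Seconds 5
    '{0}: offset after resync is {1:N3} s' -f $env:COMPUTERNAME, (Get-ClockOffsetSeconds $dc)
}

# Also worth a look: which source the Windows Time service is actually using.
w32tm /query /source
```

Running this on the server and on a failing client side by side shows immediately which of the two has drifted, rather than guessing from the error text.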

 

CRM 2011 – License Error – the selected user has not been assigned a security role

I did something very stupid yesterday, but luckily I knew what the problem was almost as soon as I had done it.

 

I was looking to add a user to an organisation so I could log in to CRM as a different user with different security to see what they could do.

I added the user, and then before I could add a security role I couldn't log in and it was complaining I didn't have the correct security role. Hmmm, what had happened, had someone removed my user? (They could, because there were 3 system admins; if there was only one and my user was that user then it can't be removed.)

Next I noticed the person next to me couldn’t login and in fact no one could login.

CRM was completely knocked out again, the 3rd time this week on 3 different CRM 2011 installations, although this time this was completely my fault.

I had added this user to my DEV CRM organisation, which is held on a different server.

I logged onto the problem CRM 2011 server and looked in the event log, there were errors about tracing and .NET 4 errors.

I then looked at the user in the CRM app pools; it was the user I had tried to add to CRM. This was also the user who was running the CRM services.

Oh damn I just added the CRM service account as a user in CRM 2011.

For those of you who do not know (or haven't installed CRM 2011): never add the CRM service account to an organisation; it will break everything. The CRM service account CANNOT exist in a CRM organisation. This is one of those important bold messages in the CRM installation instructions. Oops.

You also might see this message:

SecLib::RetrievePrivilegeForUser failed – no roles are assigned to user. Returned hr = -2147209463, User: [userid]

Microsoft have a KB article for people who do this:

The system crashes when you add an account that is running the CRMAppPool as a Microsoft Dynamics CRM user

They explain the cause:

By default, when a CRM user is created in Microsoft Dynamics CRM, the user has no security roles. Because the CRM service account is mapped with the newly created user, the CRM service account cannot operate anything. Therefore, the system crashes.

This behavior is by design. Making the account that is running the CRMAppPool into a Microsoft Dynamics CRM user is not supported.

 

The resolution isn't that helpful:

Keep the CRM service account as a dedicated service account.

 

What I would have really liked to do was remove the service-account user from the CRM organisation, but I couldn't log in to do this; I couldn't figure out what use it was looking at the tables in the SQL database, and that wouldn't be supported anyway, so this wasn't an option.

So I had to add a new user in Active Directory (you can use another user already set up); I copied the previous user. I then went to Add/Remove Programs, clicked on CRM 2011 and chose Repair.

I then put the new user into the service account choices in the repair. I had to add the user to the performance counter group; you can read how to do that here.

Once the CRM 2011 repair had gone through, CRM 2011 was back up and working. Running the repair is easier than changing all the places where the CRM service account is used, and it might also change some other settings in the SQL database and possibly Active Directory groups.

I'm not entirely sure why adding the service account to CRM 2011 causes this error, but I think it's basically to do with privileges: when you add a user they start off with no security role, which might mean the account can't read certain tables the service account needs to read to work properly.

Luckily I managed to fix CRM 2011 pretty quickly before anyone started to complain, but one of the reasons was that I did it at 5.15, so most people were off home. I did have to stay an extra 30 minutes after work to fix it.

CRM 2011 – Windows could not start the Microsoft Dynamics CRM Asynchronous Processing Service

I had a red alert today when a customer's recently live CRM installation completely stopped working.

It stopped working so badly that no one could even log in, and when you tried, the screen just mentioned a Generic SQL error.

Whenever you cannot log in to CRM, the first thing to check is the Microsoft Dynamics CRM Asynchronous Processing Service, because if this has stopped so has CRM.

I tried to restart the service, and then it complained it couldn't log on.

I wasn't sure what had happened here; it was one of those times when no one had touched the system and it had just gone down.

I tried to repair CRM 2011 by going to Add/Remove Programs, Microsoft Dynamics CRM 2011, Repair. This gave me the exact reason it wasn't working, which was a nice surprise, because most error messages point in some vague direction of the problem or sometimes in completely the opposite direction.

Basically, the user I had set up to run the web services part of CRM (app pools) and the CRM Async service needed to change his password because it had expired.

To resolve this problem you need to get the IT person to change the settings on the Active Directory user to make the password never expire (otherwise CRM will stop working every month or couple of months). The setting is in

Account–> Account Options –> Password never expires

I confirmed this by trying to log onto the CRM server as that user, and it asked me to change my password. DON'T change the password, because then you will have to change the password in all the places the user is used, or run the CRM Repair to do it for you.

 

Once the option for the password never to expire is ticked, the CRM Async service should magically start to run again and CRM will be back and working.
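
Both of the last two outages come down to the same thing: the accounts running the CRM app pool and the async services are special, and nobody was checking them. The script below is an added example, not code from either post. It discovers those identities on the CRM server, reports when each one's domain password expires (or that it has already expired, the cause of the outage above), and checks that none of them has been created as a user in the organisation database, which is the mistake in the "license error" post. It assumes the ActiveDirectory and WebAdministration modules are available, that the app pool is called CRMAppPool (the name the KB article uses), and that the SQL instance and organisation database names are as given; change those for your environment.

```powershell
# Added example: audit the CRM service identities for password expiry and for
# accidental creation as CRM users. Read-only; needs db_datareader on the org DB.
Import-Module ActiveDirectory
Import-Module WebAdministration

$SqlInstance = 'CRMSQL'           # assumption
$OrgDatabase = 'Contoso_MSCRM'    # assumption: <org>_MSCRM
$WarnDays    = 14                 # warn this many days before expiry

function Get-CrmServiceIdentities {
    # App pool identity from IIS plus the logon accounts of the CRM Windows services.
    $ids = @()
    $pool = Get-Item 'IIS:\AppPools\CRMAppPool' -ErrorAction SilentlyContinue
    if ($pool) { $ids += $pool.processModel.userName }
    Get-WmiObject Win32_Service -Filter "Name LIKE 'MSCRM%'" |
        ForEach-Object { $ids += $_.StartName }
    # Built-in identities have no expiring password; keep only domain accounts.
    $ids | Where-Object { $_ -and $_ -notmatch '^(NT AUTHORITY|LocalSystem|ApplicationPoolIdentity)' } |
        Sort-Object -Unique
}

function Get-PasswordExpiry([string]$DomainUser) {
    $sam = $DomainUser.Split('\')[-1]
    $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'
    # The computed attribute is a sentinel (not a valid FILETIME) when the password never expires.
    $expires = if ($u.PasswordNeverExpires) { $null } else { [datetime]::FromFileTime($u.'msDS-UserPasswordExpiryTimeComputed') }
    [pscustomobject]@{
        Account      = $DomainUser
        NeverExpires = $u.PasswordNeverExpires
        Expired      = $u.PasswordExpired
        ExpiresOn    = $expires
    }
}

function Test-CrmUserExists([string]$DomainUser) {
    # SystemUserBase.DomainName holds the AD account of each CRM user. A service
    # identity appearing here is exactly the unsupported state described above.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlInstance;Database=$OrgDatabase;Integrated Security=SSPI"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT COUNT(*) FROM SystemUserBase WHERE DomainName = @u AND IsDisabled = 0'
    [void]$cmd.Parameters.AddWithValue('@u', $DomainUser)
    $conn.Open()
    try { return ([int]$cmd.ExecuteScalar()) -gt 0 } finally { $conn.Close() }
}

foreach ($id in Get-CrmServiceIdentities) {
    $p = Get-PasswordExpiry $id
    if ($p.Expired) {
        Write-Warning "$id password has EXPIRED; the CRM services will fail to log on"
    } elseif ($p.ExpiresOn -and $p.ExpiresOn -lt (Get-Date).AddDays($WarnDays)) {
        Write-Warning "$id password expires on $($p.ExpiresOn)"
    }
    if (Test-CrmUserExists $id) {
        Write-Warning "$id exists as a CRM user in $OrgDatabase; this is unsupported and breaks CRM"
    }
    $p
}
```

Whichever expiry policy you settle on for the service account, running this from the same scheduled task as a service watchdog turns a month-later outage into a warning with two weeks' notice.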

Luckily for me I managed to do this before the customer had time to call in and complain.

 

CRM 2011 – How to rename your CRM organisation?

You can rename an organisation, but only for CRM On-Premise.

The reason for this is that you need to temporarily disable the organisation, rename it and then enable it again.

To do this you need to go to the Deployment Manager.

Select the organisation you want to rename.

Click the Disable button on the right-hand menu.

When you click on the disabled organisation you now have the option to edit the organisation. This will allow you to change the display name of the organisation.

After you have changed the display name, it will run through the changes to the report server and the SQL databases.

Now you need to enable the organisation.

Next time you log in you will see the new name of the organisation under your user name on the top right of CRM 2011.

One thing to point out is that the URL for the organisation will remain the same. If you want to change that then you will need to uninstall and reinstall. You can delete organisations after you have disabled them in the Deployment Manager.

As always, make sure you back up everything before you rename or delete organisations or make any other major changes to your CRM environment.