Hi, Do not change any more values without an understanding of the root cause of the issue. Do not uncheck that checkbox, and do not change the security zone that the site is in.
a) What do your IIS logfiles say for the requests in question? b) What do your event logs say as far as failed logon attempts? What authentication package is being used (NTLM or Kerberos) and why is the logon failing? c) Why did you add those alternate SPN values? The HOST SPN is registered, by default, under the computer account. Why were you adding it under user accounts? d) In Win2k3 SP1 there's something called IIS Metabase Auditing that you can enable, which will help you the "I didn't change anything, I swear" scenario: http://www.adopenstatic.com/faq/iismetabaseauditing.aspx Cheers Ken -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, 29 November 2005 2:40 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] authentication problem Should be error messages in your IIS log files though and if you have a system state backup from before the changes that would have those [or should have those] old AD values? When if fails to log in what's the resulting error code? 401.1? Something like that? Also I've seen permiission changes to web sites, .NET framework will screw things up and start asking for passwords. Did he mess with any of the accounts that the aspnet and CRM services are running in? So exactly what was he doing again? Google Groups : microsoft.public.crm: http://groups.google.com/group/microsoft.public.crm/tree/browse_frm/thread/e7 80a75e03330399/21602ba7ff5148b1?rnum=1&q=prompted+by+username+crm&_done=%2Fgr oup%2Fmicrosoft.public.crm%2Fbrowse_frm%2Fthread%2Fe780a75e03330399%2Ff4c11fb 795df5768%3Flnk%3Dst%26q%3Dprompted+by+username+crm%26rnum%3D1%26#doc_f4c11fb 795df5768 I'd look at some of these threads. And on the off chance... try this too and see if this value is checked.... In IE, go to Tools menu >> Internet Options >> Advanced and scroll down through the list until you see the Enable Integrated Windows Authentication option near the bottom of the list. Uncheck this value. And check the security level for IE...put the web sites in the trusted zone. Remember you can always call Microsoft product support. Try the appropriate group or community, but if you need something working and in a hurry, and newsgroups are not cutting it, I grab the credit card and I'll call product support if I need things working. Katrin Wilhelm wrote: > It's CRM 1.2 as far I know he didn't change anything in IIS and I do not > get any error messages in regards to this. My feeling tells me that it > must be the Service principal names with which he was working on are the > reasons for the problem. As I never done any work with it I have no idea > where to start looking. So far used setspn -R to reset the host SPN and > added with setspn -A the HOST SPN to the user accounts which earlier > created an event ID 11 (KDC) on DC's. Not sure where to go from here. > > Regards, > > Katrin Wilhelm (MCSA) > CVGT Employment & Training Specialists > Australia > E-mail: [EMAIL PROTECTED] > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, > CPA aka Ebitz - SBS Rocks [MVP] > Sent: Tuesday, 29 November 2005 2:02 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] authentication problem > > What are the errors you are getting in the error logs? IIS access logs? > > CRM 1.2 or 3.0? {I'm assuming 1.2 since 3.0 is just out} > > CRM uses integrated authentication on that web app if memory serves me > right...given that its both your CRM and your intranet what IIS changes > did he/she make? I think it's supposed to be set for basic and > integrated security enabled, but I know enough about CRM to be > dangerous.... there are CRM yahoogroups and newsgroups that I'd head off > > to if you don't hear from here. > > Katrin Wilhelm wrote: > >> Hello, >> >> I got a weird problem on a member server (2003) running MS CRM, SQL >> and our intranet. >> >> Every time you are accessing the intranet or the CRM site you get a >> pop up window for identification. It then does not accept any user >> name and password. Everything worked fine until last week and I am not >> > > >> sure what has changed. I believe the other admin used adsiedit to >> change SPN for 'host as it was registered to several user accounts. I >> found a work around that way that I allowed anonyms access and granted >> > > >> the everyone group read access but do not want to leave it like this. >> Does anybody know how I can fix this? I have no idea about SPN and had >> > > >> a look around but I am stuck an my CRM is not working as the access is >> > > >> not granted. Any suggestions? >> >> Thanks for this. >> >> *Katrin Wilhelm **(MCSA) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
