RE: CRM Reports not running from a client machine that is not in F by minfan
minfan
Sat May 20 20:55:01 CDT 2006
Here are steps will help you.
1. Create regkey NTLMForSQLRSServer DWORD to 1 on CRM server in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM registry.
2. Run IE from a third machine. Uncheck Internet
option->Advanced->Security->Enable Integrated Windows Authentication (require
restart). Close all IE windows, and start a new IE window.
Unchecking this option makes sure Kerberos does not work on your client. So
your browser will use NTLM always.
If you see the listing working, but when you view the report contents, you
saw "null" connection error returned by SRS. (this will happen when SRS and
CRM DB are not on the same machine).
Open SRS report manager.
Modify the property of â??MSCRM_DataSourceâ??
1.Chang the credentials from â??Windows integrated securityâ?? to â??Credentials
stored securely in the report serverâ??.
2.Type in domain user account name, such as â??crmdom\user1â??, and password.
This user should be a high priviledge SQL user, such as SQL admin.
3.Check both options â??Use as Windows credentials when connecting to the data
sourceâ?? and â??Impersonate the authenticated user after a connection has been
made to the data sourceâ??.
4.Hit â??applyâ??.
Thanks!
Min Fan
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Curt Spanburgh" wrote:
> Looks Like I will have to go that route.
>
> If you set authentication to Anyomonous with an global account with lots of
> rights every thing works.
>
> This is a clear indication that login rights have to be transfered from the
> "out of forest client" to the forest if there is going to be complete
> resolution to a remote web client.
>
> Seems like MS has some work to do.
>
>
> "Min Fan [MFST]" wrote:
>
> > There are workaround for CRM reports withouth requirement for Kerberos. But
> > there are limitations, such as "report scheduling" won't work.
> >
> > If the client machine in forest scenario blocks you, you can contact support
> > team to get the workaround steps.
> >
> > Min Fan
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Curt Spanburgh" wrote:
> >
> > > A few of our CRM 3.0 installs for clients involve a four server deployment.
> > >
> > > With SRS databases resting on on SQL server and CRM databases residing on
> > > another.
> > >
> > > The SRS web server is on a seperate server from the CRM server.
> > >
> > > As many of you already know this often causes a double hop Kerberos error.
> > >
> > > Some of the clients already had problems with their Time Syncs and the w32tm
> > > tool helps with that. Also properly configured SPNs and kerberos
> > > authentication to the services resolves authentication within the domain. We
> > > must not forget the changes to be made in IE security.
> > >
> > > If you get a System.Net.WebException: The request failed with HTTP status
> > > 401: Unauthorized response when accessing the server from a client on the
> > > kerberos realm, the above changes normally solve the problem.
> > >
> > > BUT!!!!!!!!!
> > >
> > > A stand alone laptop has a problem when it hit's the web client remotely
> > > while not being part of the domain.
> > >
> > > In this context the access to reports give the System.Net.WebException: The
> > > request failed with HTTP status 401: Unauthorized error.
> > >
> > > I have been trying to get around this.
> > >
> > > I am trying several things. Since this type of machine is remote, I suspect
> > > that a VPN will fix the problem because it brings the machine into the
> > > network. Well, even if you are on the same broadcast domain, it will not work
> > > because a remote machine may not be part of the Forest.
> > >
> > > One Idea was that the Kerberos Packet was to big.
> > > So I entered the MaxTokenSize Reg_Dword in the registry at
> > > HKLM\SYSTEM\CCS\Control\LSA\Kerberos.
> > >
> > > Well, that helped to get the error sooner, since failed authentication
> > > occured faster.
> > >
> > >
> > > Has anyone got around this?