DaveHealey
Sun Mar 06 15:51:03 CST 2005
Hi François,
Just wanted to let you know that this solution worked perfectly for me.
Thanks for sharing it.
Regards,
Dave
"François Miermont" wrote:
> Ok, here is a more detailed solution:
>
> First of all, you have to remove the duplicate SPN (in my case, it's
> host/dozer.mydomain.com => the FQDN of your CRM Server).
> To find which object has this SPN, you should use ldp.exe on your DC
> (anderson in my case):
> start/run ldp.exe
>
> Then click Connection, and Connect...
> Leave the Server empty, check that port is 389 and clear the checkboxes.
> Click Ok.
> Click Connection again, and Bind...
> Leave all the fields empty, and click Ok.
> You should have "Authenticated as dn:'NULL'."
>
> Now, click Browse, and Search...
> Base DN: DC=mydomain,DC=com (you should replace it with your domain name)
> Filter: (servicePrincipalName=host/dozer.mydomain.com) (with the '(' and
> ')', and replace dozer.mydomain.com with the FQDN of your CRM Server).
>
> Scope: Select Subtree
>
> Click Options: in the Attributes field, add "servicePrincipalName;" at the
> end (without the "").
> Click Ok.
> Click Ok again on the Search window.
>
> You should have a result like this (supposing that CRMUser is in the
> default users' OU, Users, and Dozer is in the default computers' OU,
> Computers):
> Getting 2 entries :
> >> Dn: CN=CRMUser,CN=Users,DC=mydomain,DC=com
> 4> objectClass: top; person; organizationalPerson; user;
> 1> cn: CRMUser;
> 1> distinguishedName: CN=CRMUser,CN=Users,DC=mydomain,DC=com;
> 1> name: CRMUser;
> 2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
> 1> canonicalName: domain.com/Users/CRMUser;
> >> Dn: CN=DOZER,CN=Computers,DC=mydomain,DC=com
> 5> objectClass: top; person; organizationalPerson; user; computer;
> 1> cn: DOZER
> 1> distinguishedName: CN=DOZER,CN=Computers,DC=mydomain,DC=com;
> 1> name: DOZER;
> 2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
> 1> canonicalName: domain.com/Computers/Dozer;
> ------
>
> The first Dn corresponds to the User that you use to launch the CRM services.
> The second Dn corresponds to your CRM Server.
>
> Now, you have to remove the SPN host/dozer.mydomain.com from your CRM User
> (not the CRM Server; if you do that, the Server should not be able to log in
> to the domain).
>
> To do that, you have to have the setspn utility on your DC (if you don't
> have it, you can install it from your Windows 2003 CD: in the directory
> SUPPORT/TOOLS, you have SUPTOOLS.msi).
> Now, open a command prompt, and execute this command:
> setspn -D host/dozer.mydomain.com CRMUser
>
>
> Okay, now the KDC error should stop.
>
> Another problem then appears: you are not able to log in to your CRM
> Website (IE gives you a 401.1 error).
>
> See
> http://support.microsoft.com/default.aspx?scid=kb;en-us;871179 if you
> want a detailed explanation.
>
> If your CRM Server just hosts the CRM Website, AND ONLY IF, you have to add 2
> SPNs to your CRM User. If not, see the Workaround section.
>
> The 2 SPNs are: http/dozer and http/dozer.mydomain.com
>
> To add them, just do
> setspn -a http/dozer CRMUser
> and
> setspn -a http/dozer.mydomain.com CRMUser
>
> Now, you should be able to log in again to your CRM Website.
>
> Hope this could be helpful :)
>
> "FriendOfCRM" wrote:
>
> > Hi!
> > I would be so grateful if you could please specify in more detail
> > exactly how you solved this problem, since I seem to be in the exact
> > same situation.
> > Which duplicate of the SPN did you remove? The one on the user account?
> > And did you follow the instructions in the MS link you provided right
> > after this?
> > Could you also please specify which commands you gave the setspn.exe?
> > No troubles experienced afterwards?
> > I'm trying to solve this problem in our production environment, and of
> > course don't want to mess up the application or the Admin account used
> > with CRM....
> >
> > Regards /J
> >
> >
> > François Miermont wrote:
> > > Finally I found the solution here:
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;871179
> > >
> > > Seems to work fine!
> > >
> > >
> > > "François Miermont" wrote:
> > >
> > > > Hi,
> > > >
> > > > I've just successfully installed MSCRM 1.2 in my domain. I have two
> > > > servers, both with Windows 2003:
> > > > -the first is the DC, with Exchange 2003, and CRM Router (name:
> > > > anderson)
> > > > -the second is a dedicated server for the CRM: it just has SQL
> > > > Server 2000 and CRM 1.2 installed. SQL Server is just for the CRM
> > > > (name: dozer).
> > > >
> > > > All the specific services for CRM, on both servers, are launched
> > > > with a dedicated domain user: CRMUser. This user has no specific
> > > > rights.
> > > >
> > > > The installation is successful: my CRM works fine. The local url
> > > > to access the CRM is http://mscrm. Just have to open IE, type the
> > > > url, and the CRM will launch, without having to give my password
> > > > (my user is registered on the CRM).
> > > >
> > > > But now, I have a KDC error, IDEvent 11, logged on my DC:
> > > > There are multiple accounts with name host/dozer.mydomain.com of
> > > > type DS_SERVICE_PRINCIPAL_NAME. After some research, I found that
> > > > this problem occurred when many objects use the same SPN (in this
> > > > case, the SPN is host/dozer.mydomain.com).
> > > >
> > > > Using ldp.exe, I found two objects with this SPN:
> > > > -the CRM server, dozer
> > > > -the user account CRMUser.
> > > >
> > > > I tried to remove the SPN on both:
> > > > -when I removed it on the CRM Server, CRM crashes, and the computer
> > > > is unable to log in to the domain.
> > > > -when I removed it on CRMUser, the KDC error stops. The CRM server
> > > > reports no problem.
> > > >
> > > > But in this case, I'm unable to launch the CRM on my local
> > > > computer. When I want to access http://mscrm, it prompts for a
> > > > user/pass. Even if I give the correct user/pass, it didn't work
> > > > (access denied).
> > > >
> > > > Any help would be welcome!
> > > >
> > > > PS: sorry for my poor English ;)
> >
> >
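The procedure François describes (search the directory for the SPN, see which objects hold it, drop the copy on the service account and keep the computer account's) can be scripted so that the duplicate check covers every SPN returned, not just the one named in the KDC event. The following is an added example and not part of the thread or of any Microsoft tool: it parses the ldp.exe search output format quoted above, reports every SPN held by more than one object, and emits the `setspn -D` command for the copy on non-computer objects, which is the rule the thread applies. The sample output is constructed from the names in the thread (dozer, CRMUser, mydomain.com); the function names and the "keep the computer account, remove from the user" policy are this example's own assumptions, so review the plan before running any command.

```python
import re
from collections import defaultdict

# Constructed sample: the ldp.exe search result quoted in the thread, with the
# names used there (dozer, CRMUser, mydomain.com). Not real directory data.
LDP_OUTPUT = """\
Getting 2 entries:
>> Dn: CN=CRMUser,CN=Users,DC=mydomain,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: CRMUser;
1> distinguishedName: CN=CRMUser,CN=Users,DC=mydomain,DC=com;
1> name: CRMUser;
2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
1> canonicalName: mydomain.com/Users/CRMUser;
>> Dn: CN=DOZER,CN=Computers,DC=mydomain,DC=com
5> objectClass: top; person; organizationalPerson; user; computer;
1> cn: DOZER
1> distinguishedName: CN=DOZER,CN=Computers,DC=mydomain,DC=com;
1> name: DOZER;
2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
1> canonicalName: mydomain.com/Computers/Dozer;
"""

ENTRY_RE = re.compile(r"^>> Dn: (.+)$")          # starts a new object
ATTR_RE = re.compile(r"^\d+> (\w+): (.*)$")       # "<count>> attr: v1; v2;"


def parse_ldp(text):
    """Parse ldp.exe search output into a list of {"dn": ..., "attrs": {...}}.

    Multi-valued attributes are '; '-separated, usually with a trailing ';'
    (ldp omits it on some lines, e.g. 'cn: DOZER'), so empty pieces are dropped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"dn": m.group(1).strip(), "attrs": {}})
            continue
        m = ATTR_RE.match(line)
        if m and entries:
            name, raw = m.group(1), m.group(2)
            values = [v.strip() for v in raw.split(";") if v.strip()]
            entries[-1]["attrs"][name] = values
    return entries


def find_duplicate_spns(entries):
    """Return {spn: [dn, ...]} for every SPN held by more than one object.

    AD compares servicePrincipalName values case-insensitively, so
    'host/dozer' and 'HOST/DOZER' are the same SPN and are folded together.
    """
    holders = defaultdict(list)
    for e in entries:
        for spn in e["attrs"].get("servicePrincipalName", []):
            holders[spn.lower()].append(e["dn"])
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


def is_computer(entry):
    """True when the object is a computer account (objectClass contains 'computer')."""
    return "computer" in [c.lower() for c in entry["attrs"].get("objectClass", [])]


def removal_commands(entries):
    """Plan which duplicate SPNs to remove and from which account.

    Assumed policy (this example's, mirroring the thread): a computer account
    keeps its SPNs; copies on non-computer objects (service users) are removed.
    Duplicates with no computer holder are left for a human to decide.
    Returns the 'setspn -D <spn> <account>' commands, using the SPN as spelled
    on the account it is removed from.
    """
    by_dn = {e["dn"]: e for e in entries}
    commands = []
    for spn, dns in find_duplicate_spns(entries).items():
        if not any(is_computer(by_dn[dn]) for dn in dns):
            continue  # ambiguous: no computer account among the holders
        for dn in dns:
            entry = by_dn[dn]
            if is_computer(entry):
                continue
            account = entry["attrs"]["cn"][0]
            original = next(v for v in entry["attrs"]["servicePrincipalName"]
                            if v.lower() == spn)
            commands.append(f"setspn -D {original} {account}")
    return commands


if __name__ == "__main__":
    objs = parse_ldp(LDP_OUTPUT)
    for spn, dns in find_duplicate_spns(objs).items():
        print(f"duplicate SPN {spn}: {', '.join(dns)}")
    for cmd in removal_commands(objs):
        print("planned:", cmd)
```

Run against the constructed sample, the parser finds both objects, and the detector reports two duplicates rather than one: `host/dozer.mydomain.com` and the short `HOST/DOZER` (which the thread's own output shows on both objects as well). The plan is to remove both from CRMUser, leaving the computer account DOZER intact; the `http/` SPNs added afterwards are not duplicates and are not touched. On Windows Server 2008 and later, `setspn -X` lists duplicate SPNs across the forest directly and `setspn -Q <spn>` shows which object holds a given SPN, so the ldp.exe search is only needed where those options are unavailable.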