Symptom

When accessing the internal URL for Microsoft Dynamics CRM 2011 with Claims Based Authentication enabled, a user may be unable to access the CRM site. If Internet Facing Deployment (IFD) is setup, users may be able to access the CRM site still using the IFD URL.

If you turn on developer errors in IIS you may see the following error:

"No Microsoft Dynamics CRM user exists with the specified domain name and user ID. (0x80040354)"

In a CRM platform trace, the following messages may appear:

The SID that is passed below is for a user other than the user that is actually trying to be authenticated:

[2013-01-01 12:00:30.000] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread: 13 |Category: Platform.Sql |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose |ReqId: 9974c2ee-fa8d-4578-a4fc-814e41804192 | CrmDbConnection.InternalExecuteReader ilOffset = 0x16
 at CrmDbConnection.InternalExecuteReader(IDbCommand command, Boolean capturePerfTrace)  ilOffset = 0x16
 at CrmDbConnection.ExecuteReader(IDbCommand command, Boolean impersonate, Boolean capturePerfTrace)  ilOffset = 0x10
 at ServerLocatorService.TryGetDefaultUserOrganizationFromDatabase(String authenticationInfo, Guid& organizationId)  ilOffset = 0x66
 at ServerLocatorService.TryGetDefaultOrganization(String authenticationInfo, Guid& orgId)  ilOffset = 0x40
 at ServerLocatorService.GetDefaultOrganization(String authenticationInfo)  ilOffset = 0x16
 at WindowsAuthenticationProvider.QueryForOrganizationId(String userToken)  ilOffset = 0xC
 at WindowsAuthenticationProviderBase.Authenticate(HttpApplication application, WindowsIdentity userIdentity)  ilOffset = 0x90
 at AuthenticationStep.Authenticate(HttpApplication application)  ilOffset = 0x31
 at AuthenticationPipeline.Authenticate(HttpApplication application)  ilOffset = 0x11
 at AuthenticationEngine.Execute(Object sender, EventArgs e)  ilOffset = 0x10D
 at SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()  ilOffset = 0x5D
 at HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)  ilOffset = 0x15
 at ApplicationStepManager.ResumeSteps(Exception error)  ilOffset = 0x10E
 at HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)  ilOffset = 0x5C
 at HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)  ilOffset = 0xFC
 at ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)  ilOffset = 0x45
>exec p_GetDefaultOrgFromAuthInfo 'W:S-1-5-21-1229272821-1580436667-839522115-500'

 

[2013-01-01 12:00:00.000] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread: 15 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose |ReqId: 3a0bbe3f-565a-4bdb-80f4-056ccf2fa688 | ClaimsIdentityAuthorizationManager.Authenticate ilOffset = 0x1E4
 at ClaimsIdentityAuthorizationManager.Authenticate(OperationContext operationContext)  ilOffset = 0x1E4
 at ClaimsIdentityAuthorizationManager.CheckAccessCore(OperationContext operationContext)  ilOffset = 0xA0
 at AuthorizationBehavior.Authorize(MessageRpc& rpc)  ilOffset = 0x28
 at ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)  ilOffset = 0x293
 at MessageRpc.Process(Boolean isOperationContextSet)  ilOffset = 0x62
 at ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)  ilOffset = 0x1D7
 at ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)  ilOffset = 0xF1
 at ChannelHandler.AsyncMessagePump(IAsyncResult result)  ilOffset = 0x21
 at AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)  ilOffset = 0x0
 at AsyncResult.Complete(Boolean completedSynchronously)  ilOffset = 0xC2
 at ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)  ilOffset = 0x55
 at AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)  ilOffset = 0x0
 at AsyncResult.Complete(Boolean completedSynchronously)  ilOffset = 0xC2
 at AsyncQueueReader.Set(Item item)  ilOffset = 0x21
 at InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)  ilOffset = 0xDD
 at InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread)  ilOffset = 0x0
 at SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread)  ilOffset = 0x35
 at HttpChannelListener.HttpContextReceived(HttpRequestContext context, Action callback)  ilOffset = 0x109
 at HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result)  ilOffset = 0x52
 at HostedHttpRequestAsyncResult.HandleRequest()  ilOffset = 0x101
 at HostedHttpRequestAsyncResult.BeginRequest()  ilOffset = 0x0
 at HostedHttpRequestAsyncResult.OnBeginRequest(Object state)  ilOffset = 0x9
 at AspNetPartialTrustHelpers.PartialTrustInvoke(ContextCallback callback, Object state)  ilOffset = 0x19
 at HostedHttpRequestAsyncResult.OnBeginRequestWithFlow(Object state)  ilOffset = 0x30
 at ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)  ilOffset = 0x22
 at IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)  ilOffset = 0x5
 at _IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)  ilOffset = 0x3C
>CrmSessionAuthenticationManager published CrmClaimsIdentity [UserToken:C:admin@contoso.local] [UserId:{447814A1-6C8C-DE11-B14D-000F4B2EB21A}].

Cause

Physical path credentials are specified in IIS. These credentials should not be in place as this will overwrite the kerberos authentication that is taking place.

Resolution

1. Go to Start, point to Administrative Tools, click to open Internet Information Services (IIS) Manager.
2. Expand the Server and then expand Sites.
3. Right click on the Microsoft Dynamics CRM site and select Manage Website and select Advanced Settings.
4. In the window that appears, find the Physical Path Credentials line and verify it does not contain credentials.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Any additional feedback? (Optional)

Thank you for your feedback!

×