Wednesday, June 29, 2016

Login failed for User ‘NT AUTHORITY\ANONYMOUS LOGON’

There are three different ways to solve this issue.

  • Register SPN 
  • Delegation
  • If this error occur in visual studio or after hosted in IIS, IIS setting


Register SPN 

A Service Principal Name (SPN) must be registered for the SQL Server service account (when the local system account will not be used) to allow clients to identify and authenticate the service using Kerberos authentication.

setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account>

Verify Domain user account 

setspn -l <Domain\Account>

Example:

setspn -A MSSQLSvc/computerName.cloud.s1au.org:1433 cloud\admin


https://technet.microsoft.com/en-in/library/bb735885.aspx

Delegation


  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand domain, and then expand the Computers folder.
  3. In the right pane, right-click the computer name for the Web server, select Properties, and then click the Delegation tab.
  4. Click to select Trust this computer for delegation to specified services only.
  5. Ensure that Use Kerberos only is selected, and then click OK.
  6. Click the Add button. In the Add Services dialog box, click Users or Computers, and then browse to or type the name of the Microsoft SQL server that has the App-V data store and is to receive the users credentials from IIS. Click OK.
  7. In the Available Services list, select the MSSQLSvc service that lists port number on which the Microsoft SQL Server is accepting connections for the App-V database (the default port is 1433). Click OK.
  8. And In the Users folder, right-click the user account, and then click Properties.
  9. In the user account properties dialog box, click the Account tab.
  10. Under Account Options, click to select the Account is Trusted for Delegation check box. Make sure that the Account is sensitive and cannot be delegated check box is cleared for this account. 

    Note The 'Account is trusted for delegation' right is required for the SQL Server service account only when you are delegating credentials from the target SQL server to a remote SQL server such as in a double hop scenario like distributed queries (linked server queries) that use Windows authentication.
If this error occur in visual studio or after hosted in IIS, IIS setting

  1. Check your application pool identity user account has rights to database. If not, create it.


Monday, June 20, 2016

The provided uri did not return any Service Endpoints! {0}" Data[1] in CRM plugin

Error:
System.InvalidOperationException: Data[0] = "The provided uri did not return any Service Endpoints! {0}" Data[1] = "" at 
Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1..ctor(Uri serviceUri, Boolean checkForSecondary) at 
Microsoft.Xrm.Sdk.Client.OrganizationServiceConfiguration..ctor(Uri serviceUri) at 
Microsoft.Xrm.Sdk.Client.ServiceConfigurationFactory.CreateConfiguration[TService](Uri serviceUri) at Microsoft.Xrm.Sdk.Client.ServiceProxy`1..ctor(Uri uri, Uri
 homeRealmUri, ClientCredentials clientCredentials, ClientCredentials deviceCredentials) at RMSystem.MyService.SaveAdditionalRef(clsRegistration reg, ResultSet& 
Cause:
This error is due to memory shortness on the CRM server. CRM automatically shuts down its exposed webservice interface when resources get scarce.

Solution:
There are three steps to solve this issue.


  • Open a connection to the CRM server and open the IIS manager. In here, navigate to the application pools, find the CRMAppPool, right-click it and click Recycle and try again to test app.
  • type iisreset in a command prompt on the server which hosts the CRM website and try again to test app.
  • Reset the Asynchronous processing service(run->type service.msc, Reset Microsoft dynamics CRM Asynchronous processing service) and try again to test app.




Tuesday, June 14, 2016

Check the CRM Database overall usage

If the CRM is on-premises, it is useful to find out about which out-of-the-box CRM entities are used, custom entities if any, number of records, and size of tables. You can find out all about this easily through few clicks and without having to write any T-SQL.



  • Logon to SQL Server Management Studio
  • Right-click on the CRM database (e.g. org_MSCRM), then select Reports > Standard Reports > Disk Usage by Table
  • A report will be loaded in a new tab. This may take a couple of minutes depending on the overall size of the database.


The report cannot be displayed. (rsprocessingaborted) in CRM 2011(Part-1)




To find out the actual error, go to the SQL Reporting Services Server, and look at the log file in

C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\LogFiles.

To resolve this issue I had to follow these steps

Start SQL Server Management Studio
Expand Security, then expand Logins or select the CRM database and click securitiy and click logins/users
Double click PrivReporting Group,
Check db_owner and CRMReaderRole




or
May be this issue because of SPN

SPN:
Put simply, an SPN (Service Principal Name) mapping allows a service on a particular server to be associated with an account responsible for the management of the service, thereby permitting mutualKerberos Authentication. To use mutual Kerberos authentication, the Windows security layer must be able to determine the account that a service is using.

Simple explanation:
CRM can have a database server separate to the Application Server (where IIS is hosted). For security purposes, it is advisable to run CRM as a service account which is also existed on Domain.
Similarly, it is advisable to run SQL server on the Database server in a separate service account on domain.
So, when SPN is not configured Application server is not able to authenticate SQL server as both are running under different accounts.
SPN creates a mapping so that Authentication can happen and thus reports start working most times after this is configured correctly.
Thanks to Deepesh Somani for sharing good explanation of SPN.

The report cannot be displayed. (rsprocessingaborted) in CRM 2011(Part-2)

A best practice is to install CRM using service accounts.

 Most administrators will do the same for SQL Server.  Many of the warnings about SPN’s during the install are igorned users. Many DBA’s will change the SQL service accounts after installation which will also cause issues.

CRM 2011 offers a new service called the Sandbox processing service. Failure to set the special SPN for this service while trying to run custom reports created with the report wizard will result in RS failure message.

SPN
A common configuration step when establishing a Kerberos authentication method is the use of a Service Principal Name, or SPN, to identify a specific service. This article shows you how to specify a user or computer account to be identified with that specific service by using the SetSPN utility.

An SPN is a reference to a specific service, for example, an instance of SQL or a web application run by IIS. Since SPNs are specific, they reference not only what the service is (such as an SQL server), but also which hostname runs the instance and on which port it’s running (however, you don’t have to specify the port if running on default ports).

Syntax:
-a    Add an entry to an account (explicitly)
-s    Add an entry to an account (only after checking for duplicates first)
-d    Delete an entry from an account
-x    Search the domain for duplicate SPNs

-q    Query the domain for a specific SPN

ext, check the SPN for the CRM server so that it has HTTP using the following command:
setspn -L ( crm service account) 
Look for http/servername and http/servername.FQDN you will need both.
To set them if missing:
setspn -A http/crmservername domainname\crmservice account
setspn -A http/crmservername.fqdn.com domainname\crmservice account

To view use the setspn -L with the service account name to see http has been set. (See screenshot below)

Eg:
CRM service account:       CRM_APP_SVC_TEST
domainname:                      iff.local
crmservername :                CRMDEV.iff.local
crmservername.fqdn.com:CRMDEV

setspn -l CRM_APP_SVC_TEST

setspn -a http/CRMDEV.iff.local iff.local\CRM_APP_SVC_TEST

setspn -a http/CRMDEV iff.local\CRM_APP_SVC_TEST

Now, on to the secret spn for the sandbox service..

setpsn -A MSCRMSandboxService domainname\crmsandbox service account

Once that has been completed on the CRM server, now head over to the SQL Server and check the service accounts for SQL. Let’s assume they are running under a SQL Service Account. IF the SQL service accounts were specified during the original install, the SPNs were created automatically.