Error message: The request for security token could not be satisfied because authentication failed_问答_开发者

Error message: The request for security token could not be satisfied because authentication failed

开发者 https://www.devze.com 2023-03-05 17:01 出处：网络

I am trying to access a WCF service (MS CRM 2011) and getting the above error.If I run my sample program from the VS2010 debugger with either Cassini or IIS Express it works great.No authentication er

I am trying to access a WCF service (MS CRM 2011) and getting the above error. If I run my sample program from the VS2010 debugger with either Cassini or IIS Express it works great. No authentication errors.

However, if I publish the site to my local IIS 7.5 (running Windows 7 64 bit), I get the error on the line that grabs the CRM UserId (WhoAmIResponse).

I opened Fiddler to compare the requests between running under the debugger and running under IIS. On the site running under IIS the request never even comes across, so it must be failing before getting that far.

The site as published to IIS has its web.config set for ...

    <authentication mode="Windows">
    </authentication>
    <identity impersonate="true"/>

The site is running under the preinstalled ASP.NET v4.0 app pool, Integrated pipeline mode, ApplicationPoolIdentity account.

Here is my code...

public class DemoController : Controller
{
    public ActionResult Index()
    {
        ClientCredentials credentials = new ClientCredentials();
        credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

        var _serviceProxy = new OrganizationServiceProxy(new Uri("http://svr-rex2011-dev/TimeEntry/XRMServices/2011/Organization.svc"),
                                                            null,
                                                            credentials,
                                                            null);

        // This statement is required to enable early-bound type support.
        _serviceProxy.ServiceConfiguration.CurrentServiceEndpoint.Behaviors.Add(new ProxyTypesBehavior());

        IOrganizationService service = (IOrganizationService)_serviceProxy;

        // Dis开发者_如何学编程play information about the logged on user.
        Guid userid = ((WhoAmIResponse)service.Execute(new WhoAmIRequest())).UserId;
        SystemUser systemUser = (SystemUser)service.Retrieve("systemuser", userid,
            new ColumnSet(new string[] { "firstname", "lastname" }));

        // Retrieve the version of Microsoft Dynamics CRM.
        RetrieveVersionRequest versionRequest = new RetrieveVersionRequest();
        RetrieveVersionResponse versionResponse =
            (RetrieveVersionResponse)service.Execute(versionRequest);

        ViewBag.FirstName = systemUser.FirstName;
        ViewBag.LastName = systemUser.LastName;
        ViewBag.Version = versionResponse.Version;

        return View();
    }

}

Any ideas? Much appreciated!!!

It seems the situation you are describing is this: you are getting authentication errors when your app tries to access the CRM service when it is running on IIS. When you run your app from Visual Studio or IIS Express then you don't have authentication errors.

If this is true, I'm pretty sure your issue is due to the identity used to run the IIS AppPool for your application. You need to change the AppPool identity to one that has network access to the CRM service. Normally it should be a domain account with the correct permissions but there are ways of doing this using local machine accounts that have the same password (definitely not recommend if a domain is available).

I was having the same problem and, in my case, it turned out to be due to the fact that CRM was load-balanced. It turns out that Authentication delegation through Kerberos does not work in load-balanced architectures.

We got around this by pointing our application directly to one of the CRM servers via a HOST entry, which bypassed the load balancing.

I hope that saves someone the several hours it cost me.