Super-Networking Blog


Internet Explorer - Enable Integrated Windows Authentication

by admin on Feb.19, 2008, under Software, Systems

So I ran across something kind of interesting the other day. I was setting up Microsoft CRM 4.0. I got the server set up and the website configured, but when I went to the website it prompted me for my username and password. I would type it in and the authentication would fail. I tried it in Firefox and it would work using my correct logged-in credentials, which is what Integrated Windows Authentication is.

So I check out my IIS settings: I have anonymous access disabled and Integrated Windows Authentication is checked. Why would Integrated Windows Authentication work in Firefox but not in IE? I go into Internet Options on my browser and select the Advanced tab. There is an option “Enable Integrated Windows Authentication” and I have it enabled. I tried a couple more times to make sure I wasn’t fat-fingering my login and still got 401 authentication errors.

Well, I thought just for the heck of it I would try unchecking the “Enable Integrated Windows Authentication” box in IE. I restarted my browser and bang, it works; it doesn’t prompt for a password or anything. So I uncheck “use Integrated Authentication” and Integrated Authentication starts working. Now I am really scratching my head.

I start searching through user groups on the Internet and I finally find the answer. In IE 6 and IE 7 the browser will use Integrated Windows Authentication whether you have that checkbox enabled or disabled. The difference is the authentication type. With the box checked it will try Kerberos authentication first, then fall back to NTLM. If you uncheck the box then it will just use NTLM. Thank you, Microsoft, for mislabeling that feature. The really annoying thing is that if both ends support Kerberos authentication, you have that Integrated Windows Authentication box checked, and Kerberos fails, it will not fall back to NTLM. The only way it will fall back to NTLM is if your website doesn’t support Kerberos.

What I ended up finding out was that Kerberos authentication was broken on my CRM server; the quick workaround was to uncheck the box in IE. The problem with that is most features in CRM 4.0 don’t work on NTLM. I will post another time on how I fixed Kerberos on that server.
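To see which protocol a browser actually sent, rather than trusting the checkbox label, inspect the token in the Authorization header of the request. The following is an added example, not code from the original post; the byte-pattern matching is a heuristic and the sample tokens are constructed and truncated.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (Microsoft)

def classify(authorization):
    """Return (scheme, protocol) for an Authorization header value."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not integrated auth"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return scheme, "malformed token"
    if token.startswith(NTLM_SIG):
        # Bytes 8..11 hold the little-endian NTLM message type (1, 2 or 3).
        return scheme, f"NTLM type {int.from_bytes(token[8:12], 'little')}"
    if token[:1] == b"\x60" and OID_SPNEGO in token[:16]:
        if any(oid in token for oid in KRB5_OIDS):
            return scheme, "SPNEGO offering Kerberos"
        if NTLM_SIG in token:
            return scheme, "SPNEGO carrying NTLM only"
        return scheme, "SPNEGO, unknown mechanism"
    if token[:1] == b"\x60" and any(oid in token[:16] for oid in KRB5_OIDS):
        return scheme, "Kerberos"
    return scheme, "unrecognised token"

def header(scheme, raw):
    """Build a sample header value from raw token bytes."""
    return f"{scheme} {base64.b64encode(raw).decode()}"

# Constructed samples: an NTLM type 1 message and a minimal SPNEGO
# NegTokenInit that lists Kerberos as its only mechanism.
NTLM_T1 = NTLM_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
SPNEGO_KRB = (b"\x60\x1b" + OID_SPNEGO +
              b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + KRB5_OIDS[0])

if __name__ == "__main__":
    for value in (header("Negotiate", SPNEGO_KRB), header("Negotiate", NTLM_T1),
                  header("NTLM", NTLM_T1)):
        print(classify(value))
```

A Negotiate header whose token is a bare NTLMSSP message is the fall-back-to-NTLM case.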


Google Checkout Cart Integration Problem

by admin on Feb.07, 2008, under Systems

I was getting the following error from Google in their Google Checkout Integration Console:

We encountered an error trying to access your server at https://www.website.com/ (URL Path Changed)
the error we got is: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

Google’s Info on Cart Integration issues is here

About this error it says:

Use a valid SSL certificate so you can receive callbacks. (If you’re only testing in the sandbox, you won’t need an SSL certificate. Feel free to use an HTTP callback URL for testing purposes.)

So you check out your certificate and it is valid; you go to your site over https and everything looks great. I read that sometimes your certificate chain can be broken, so I found these instructions:

To view the current certificate chain being returned by your server:

In Firefox:
1. Navigate to your callback URL in your browser.
2. Click the lock icon in the address bar of your browser.
3. Click ‘View’ under the ‘Security’ tab.
4. Click ‘Details.’
5. Locate the current certificate chain under ‘Certificate Hierarchy.’

In Internet Explorer:
1. Navigate to your callback URL in your browser.
2. Double-click the lock icon in the lower right-hand corner of the status bar in your browser.
3. Click the ‘Certification Path’ tab in the window that appears.

Additionally, you can view the current certificate chain being returned by your server by using OpenSSL and the following command:
openssl s_client -connect {website domain}:443 -showcerts

In both Firefox and IE the chain looked fine. But both browsers have a tendency to fix a missing chain, so I downloaded and installed OpenSSL and ran the command above. I found the chain was messed up.

I went into the certificate stores on the web servers and into Intermediate Certification Authorities, only to find the CA for our SSL certificate had expired.

We had a VeriSign SSL Cert and here are the instructions on how to fix it:

https://www.verisign.com/support/ssl-certificates-support/page_dev028341.html

After doing an iisreset on all of the servers with the new CA cert everything started working. I hope this keeps some people from running into the same headaches I ran into.
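The check done by eye on the `openssl s_client -showcerts` output can be scripted. This is an added example, not code from the original post: it parses the "Certificate chain" summary and reports what a strict client would reject. The sample output, names, dates and the trusted-root set are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "Certificate chain" summary printed by
# `openssl s_client -showcerts` (names and dates are made up; the v: lines
# appear in newer OpenSSL builds and are optional here).
SAMPLE = """\
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
   v:NotBefore: Jan  1 00:00:00 2008 GMT; NotAfter: Jan  1 00:00:00 2009 GMT
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
   v:NotBefore: Jan  1 00:00:00 1998 GMT; NotAfter: Jan  1 00:00:00 2008 GMT
---
"""

def parse_chain(text):
    """Return the certificates in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        if m := re.match(r"\s*\d+ s:(.*)", line):
            chain.append({"subject": m.group(1).strip(), "issuer": None, "not_after": None})
        elif chain and (m := re.match(r"\s+i:(.*)", line)):
            chain[-1]["issuer"] = m.group(1).strip()
        elif chain and (m := re.search(r"NotAfter: (.+? GMT)", line)):
            chain[-1]["not_after"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
    return chain

def check_chain(chain, trusted_roots, now):
    """List what a strict client (no cached or fetched intermediates) would reject.
    Compares names and dates only; it does not verify signatures."""
    problems = []
    for pos, cert in enumerate(chain):
        if cert["not_after"] and cert["not_after"] < now:
            problems.append(f"cert {pos} ({cert['subject']}) expired {cert['not_after']:%Y-%m-%d}")
        if pos + 1 < len(chain) and chain[pos + 1]["subject"] != cert["issuer"]:
            problems.append(f"cert {pos} issuer is not the subject of cert {pos + 1}")
    if chain and chain[-1]["issuer"] not in trusted_roots:
        problems.append(f"no path from {chain[-1]['subject']} to a trusted root")
    return problems

if __name__ == "__main__":
    for p in check_chain(parse_chain(SAMPLE), {"CN = Example Root CA"}, datetime(2008, 2, 7)):
        print(p)
```

Run it against the text saved from the command above, with the subject names of the roots your callers trust.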
