Recently, I was attempting to install a new CRM 2011 server into a CRM Network Load Balancing environment that was using an Internet-Facing Deployment (IFD). For some reason, I kept getting a certificate error on the System Checks screen, even though there was nothing wrong with the certificate.
The encryption certificate ‘CN=*.yourdomain.com, OU=Domain Control Validated, O=*.yourdomain.com’ cannot be accessed by the CRM service account.
Okay, maybe the certificate needed to be added to the local certificate store. It was supposed to be done already, but hey – no harm in checking! I went ahead and opened a new mmc.exe console, added the snap-in Certificates (Computer Account > Local Computer), and expanded the Personal Certificates store. Okay, the wildcard certificate was there already.
Next step was to check the Private Keys for the certificate, as CRM requires the CRM Service account (which in our example is simply named “CRMservice”) to have permissions to the certificate.
So what now?
Turns out, that error really doesn’t have anything to do with the certificate at all. In a blog post on MSDN Blogs, a Microsoft tech explained the way to resolve the issue (although without explaining the actual reason the error occurs, sadly).
Simply put, in order to install the new CRM 2011 server, you will need to do the following:
- Disable IFD on the current server
- Disable Claims-Based Authentication on the current server
- Install the new CRM 2011 server (you will no longer receive the certificate error)
- Enable Claims-Based Authentication on the existing server
- Enable IFD on the existing server
Once you do that, your new NLB CRM 2011 Deployment should be up and running with no issues!
Please note: This error and solution applies to Microsoft Dynamics CRM 2011 running in a Network Load Balancing (NLB) scenario, and using Internet-Facing Deployment with Claims-Based Authentication utilizing ADFS. If you have a different CRM deployment scenario, additional research may be necessary.
Have questions or issues with your Dynamics CRM? We can help!