locked
401.2 Unauthorized Access Denied - from the browser RRS feed

  • Question

  • When I try to access the CRM 4 server from a client machine (with IE), it pops up an authentication box, and even if I enter the correct domain account it continues to ask for authentication. In the end it gives a 401.2 error, but not a nice IE formatted error screen, it just gives a line of text saying

    HTTP Error 401.2 - Unauthorized: Access is denied

     

    I've made sure that the IE settings are set to 'login using current username password' in the IE security settings for the intranet zone.

     

    I've made sure that the IIS settings on the server are set to 'Integrated Authentication'.

     

    I can access the CRM site if I browse to it, physically on the same server.

     

    Any ideas as to why the authentication is failing?

    Monday, February 11, 2008 3:41 PM

Answers

  • Fixed.

     

    If CRM app pool is running under a domain account, you have to set the SPN for that account. As a domain admin, run:

     

    setspn -a HOST/[full crm server name including domain suffix] [account crm is running under]

     

     

    Tuesday, February 12, 2008 3:59 PM

All replies

  • “You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.”

     

    This error will occur if you are trying to use NTLM authorization on a web site, and the users are hitting it from behind a proxy server.  There is no 'fix' for this.  The web site will need to be reconfigured to use basic or digest authentication.

     

    Regards,

    Imran

     

    http://microsoftcrm3.blogspot.com

     

    Monday, February 11, 2008 4:01 PM
    Moderator
  • No, that's not the issue.

     

    Further investigation has shown that it was something to do with Kerberos auth failing because the user account that was running the app pool needed to have a spn set.

     

    To bypass this (just to investigate further) I have now set the crm app poll to run under NETWORK SERVICE. I now get an error saying NETWORK SERVICE does not have access to the temp dir... but I still get this error if I give Net Service account full access to it.

     

    ????

    Monday, February 11, 2008 4:19 PM
  • Fixed.

     

    If CRM app pool is running under a domain account, you have to set the SPN for that account. As a domain admin, run:

     

    setspn -a HOST/[full crm server name including domain suffix] [account crm is running under]

     

     

    Tuesday, February 12, 2008 3:59 PM
  •  

    Paul,

     

    i have similar problem - my CRM app pool running under Network_Service account, from browser i open CRM ok but when i click to new accounts a get error on page (ie message in the left corner), view this picture http://www.adastracorp.com/err.jpg

    - i write something to New Account name but form dont complete Address Name field,TCPDump show me http packet 401.2 Unauthorized - Access Denied 

     

    other findings:

    - i use alias CRM for crm server

    - when i use netbios name of crm server with website on another port then default 80, CRM access is OK without error

    - when i connect from computer which never access to CRM 3.0 in the past, CRM access is OK without error

    - when i access from any win2003 server, CRM access is OK without error

     

    Do you have any recommendations or anything ?

     

    thx

    • Proposed as answer by Fareedkh Tuesday, October 1, 2013 10:55 AM
    Wednesday, February 13, 2008 11:48 AM
  •  

    hi all,

    i do have the same problem.. when i try to connect to my CRM server using webclient(using IE).

    i m using a domain User/admin account.. i found its working with the same username n password last night..

    today it throws an error

    HTTP Error 401.1 - Unauthorized: Access is denied
    using Application pool as configurable using domain user a/c..
    not network service..
    ????????.. will it be any fault here.. 
    but i found CRM is working fine while accessing it from other system..
    does there any settings for IE in client side..
    Thanks all.
    Monday, April 28, 2008 10:25 AM
  • Recently we have been having this problem and found that there is a setting on the Advanced Tab in IE for Enable Integrated Windows Authentication which we turned off and the application worked for us.

     

    Monday, September 29, 2008 7:36 PM
  • I had the same issue. Dynamics CRM application pool is running under a domain account so I had to:

    • Execute: setspn -a HOST/[full crm server name including domain suffix] [account crm is running under]
    • Integrated Windows Authentication was already enabled in IE
    • Add URL to Trusted Sites and set Trusted Sites security level to low in IE on the client computer. 

    Thanks for your help!


    Tuesday, September 30, 2008 3:17 PM
  • Hi..

    Where do i execute this statement setspn -a HOST/[full crm server name including domain suffix] [account crm is running under]


    Hehe
    Thursday, November 25, 2010 12:43 PM
  • Hello,

    bot CRM Service and CRM app pool is running under local system.

    How do I set SPN for that?

    Also, CRM Server is a DC, Does that matter?

    Thanks...

    Wednesday, July 13, 2011 12:46 PM