Error 401 (unauthorized) with CrmAppPool with domain user

  • Question

  • Hi all

    I have a CRM 4.0 (Rollup 10) installation. Everything works fine with the CrmAppPool running under the NETWORK SERVICE account.

    If I try to change the account identity of CrmAppPool to a domain user, the clients can't authenticate against the CRM. They receive the authentication mask three times and then, even if correct credentials are passed, Error 401 - Access Denied.

    I have tried everything, but the issue remains.

    These are the steps that I have done:

    - put the domain user in the PrivUserGroup{GUID}
    - put the domain user in the SQLAccessGroup{GUID}
    - put the domain user in the CrmServer IIS_WPG group
    - put the domain user in the CrmServer CRM_WPG group
    - grant the domain user the Log on as a service right
    - disable the loopback check in the registry
    - add the SPN for the HTTP/crm.... domain\user
    - set the crmAsyncService to run under the same domain\user
    - the domain\user is a crm distribution administrator
    - the domain\user is a crm user with the System Administrator role
    - the domain\user is a member of the local administrators group of the crm server


    Can anyone help me?

    Thank you

    Wednesday, January 5, 2011 2:26 PM

Answers

  • I had a very similar issue, but I was using the Network Service account. It ended up being a lack of SPNs that allowed it to authenticate. There should be two different SPNs set:

    SETSPN -A http/CRMSERVER domain\user

    SETSPN -A http/CRMSERVER.domain.local domain\user

    This might help?

    • Marked as answer by Thesalex Friday, January 7, 2011 1:29 PM
    Wednesday, January 5, 2011 5:08 PM
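
A check for the two SPNs named in the answer above, as an added example that is not part of the original thread: Kerberos needs each SPN registered exactly once, on the account that runs CrmAppPool, so the script reports a missing, duplicate or misplaced registration. `CRMSERVER`, `domain.local` and `user` are the thread's placeholders, and `Test-SpnOwner` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Replace the placeholders with real values.
$ExpectedAccount = 'user'    # sAMAccountName of the CrmAppPool identity (placeholder)
$Spns = 'http/CRMSERVER', 'http/CRMSERVER.domain.local'

function Test-SpnOwner {
    param(
        [Parameter(Mandatory = $true)] [string] $Spn,
        [Parameter(Mandatory = $true)] [string] $Account
    )

    # Searches the current domain only. The SPN goes into the LDAP filter as is,
    # which is fine for values that contain none of the characters * ( ) \
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')

    # Every account that currently carries this SPN
    $owners = @($searcher.FindAll() | ForEach-Object {
        [string]$_.Properties['samaccountname'][0]
    })

    if ($owners.Count -eq 0) {
        $status = 'Missing'        # no account holds the SPN
    }
    elseif ($owners.Count -gt 1) {
        $status = 'Duplicate'      # more than one account holds the SPN
    }
    elseif ($owners[0] -ne $Account) {
        $status = 'WrongAccount'   # held by an account other than the pool identity
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        SPN          = $Spn
        Status       = $status
        RegisteredOn = ($owners -join ', ')
    }
}

$Spns | ForEach-Object { Test-SpnOwner -Spn $_ -Account $ExpectedAccount } |
    Format-Table -AutoSize
```

Run it from a domain-joined machine as a user who can read the directory. `setspn -X` performs a duplicate search from the command line as well.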

All replies

  • Hey,

    I get your problem but don't see why you should do that? Do you have a specific reason to change the setting of the crmapppool?


    Steven De Waele CRM Consultant
    Wednesday, January 5, 2011 5:45 PM
  • Thank you MeridianIT,

    your solution is ok.

    After

    SETSPN -A http/CRMSERVER domain\user

    SETSPN -A http/CRMSERVER.domain.local domain\user

    my crm installation works fine with the CrmAppPool running under the domain user account.

    Thank you again for your help.


    Friday, January 7, 2011 1:29 PM
  • Hi Steven,

    Thank you for your interest.

    I don't have a specific reason to change the crmAppPool identity,

    it's only a test to solve another strange issue with plugin/workflow impersonation.

    Friday, January 7, 2011 1:35 PM