Answered by:
Error 401 (unauthorized) with CrmAppPool with domain user

Question
-
Hi all
I have CRM 4.0 (Rollup 10) installation. Everithing work fine with the CrmAppPool running under NETWORK SERVICE account.
If I try to change the account identity of CrmAppPool to a domain user the clients cant' authenticate against the Crm. They receive the authentication mask three times and then, even if correct credential are passed, Error 401 - Access Denied.
I have tried everithing, but the issue remain.
These are the steps that I have done:
-put the domain user in the PrivUserGroup{GUID}
-put the domain user in the SQLAccessGroup{GUID}
-put the domain user in the CrmServer IIS_WPG group
-put the domain user in the CrmServer CRM_WPG group
-grant the domain user the Log on as a service right
-Disable the looopback check in the registry
-Add the SPN for the HTTP/crm.... domain\user
-Setting the crmAsyncService running under the same domain\user
-The domain\user is a crm distribution administrator
-the domain\user is a crm user with System Adminstrator Role
-the domain\user is member of local administrator grup of crm server
Anyone can help me?Thank you
Wednesday, January 5, 2011 2:26 PM
Answers
-
I had a very similar issue, but I was using the Network Service account. It ended up being lack of SPN's that allowed it to authenticate. There should be two different SPN's set
SETSPN -A http/CRMSERVER domain\user
SETSPN -A http/CRMSERVER.domain.local domain\user
This might help?
- Marked as answer by Thesalex Friday, January 7, 2011 1:29 PM
Wednesday, January 5, 2011 5:08 PM
All replies
-
I had a very similar issue, but I was using the Network Service account. It ended up being lack of SPN's that allowed it to authenticate. There should be two different SPN's set
SETSPN -A http/CRMSERVER domain\user
SETSPN -A http/CRMSERVER.domain.local domain\user
This might help?
- Marked as answer by Thesalex Friday, January 7, 2011 1:29 PM
Wednesday, January 5, 2011 5:08 PM -
Hey,
I get your problem but don't see why you should do that? Do you have a specific reason to change the setting of the crmapppool?
Steven De Waele CRM ConsultantWednesday, January 5, 2011 5:45 PM -
Thank you MeridianIT,
your solution is ok.
After
SETSPN -A http/CRMSERVER domain\user
SETSPN -A http/CRMSERVER.domain.local domain\user
my crm installation work fine with the CrmAppPool running under the domain user account.
Thank you again for your help.
Friday, January 7, 2011 1:29 PM -
Hi Steven,
Thank you for your interest.
I don't have a specific reason to to change the crmAppPool identity,
it's only a test to solve another strange issue with plugin/workflow impersonation.
Friday, January 7, 2011 1:35 PM