When you test access in the Microsoft Dynamics CRM E-mail Router, you receive a "(401) Unauthorized" error

This article provides a solution to an error that occurs when you test access in the Microsoft Dynamics CRM E-mail Router.

Applies to:   Microsoft Dynamics CRM
Original KB number:   2003033

Symptoms

When you select Test Access in the E-mail Router Configuration Tool for Microsoft Dynamics CRM, you receive the following error for incoming email messages:

"Incoming Status: Failure - The remote Microsoft Exchange e-mail server returned the error "(401) Unauthorized". Verify that you have permission to connect to the mailbox. The remote server returned an error: (401) Unauthorized."

Cause

One or more of the following conditions may cause this issue:

  • The account that is specified on the Incoming Profile doesn't have Full access to users' mailboxes.
  • There are missing Service Principal Names (SPNs) when an alias is used for Microsoft Office Outlook Web Access.
  • The latest update rollup for Microsoft Dynamics CRM isn't applied.
  • Authentication on the Exadmin and Exchange virtual directories is incorrect.
  • The Outlook Web Access URL is missing from the Local Intranet Zone in Windows Internet Explorer on the server where the E-mail Router is installed.

Resolution 1

Verify that the account that is specified on the Incoming Profile has Full access to users' mailboxes. Also verify that the Local System account is starting the Microsoft CRM Email Router Service.

To verify the account that is starting the Microsoft CRM Email Router, follow these steps on the server where the E-mail Router is installed:

  1. Select Start, select Run, type Services.msc, and then select OK.
  2. Locate the Microsoft CRM Email Router service.

    Note the account that is listed in the Log on As column, and then verify that it's set to LocalSystem.

To verify the account that is specified for the Incoming Profile access, follow these steps on the computer that has the Microsoft CRM Email Router installed:

  1. Select Start, select All programs, select Microsoft Dynamics CRM E-mail Router, and then select Microsoft CRM Email Router Configuration Manager.

  2. Select the Configuration Profiles tab, double-click Incoming Profile, and then note the account that is specified in the Access Credentials field. Verify that this account has full access to the user's mailbox.

    1. If you're using the Forward Mailbox option for all your users and queues, we recommend that you use the forward mailbox credentials in this field.
    2. If you're using the Router option for your users and queues, you must make sure that the account that is specified in the Access Credentials field has full access to all those users' inboxes.

For more information about adding extra permissions on users' inboxes, see the following articles:

Resolution 2

If you use http://mail.domain.com to access Outlook Web Access, but your Microsoft Exchange Server name is Exchange01, you must add more SPNs on the account that is running the Application Pool for your Exchange website.

To determine the account that is starting the Exchange Application Pool, follow these steps:

  1. Sign in to the Microsoft Exchange Server.
  2. Select Start, select Run, type Inetmgr, and then select OK.
  3. Expand your server in IIS, and then select Application Pools.
  4. The account that is running the Exchange Application Pool is listed in the preview pane.

To the account that you identified in step 4, add the following SPNs:

  • HTTP/Mail
  • HTTP/Mail.yourdomainname.com

Note

You must change these SPNs to match the alias URL that your users use to access Outlook Web Access.
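
The SPN registration described above can be checked and completed from an elevated PowerShell prompt with the built-in `setspn` tool. This is an added example, not part of the original article. The account name `YOURDOMAIN\ExchangeAppPoolAccount` is a placeholder for the account identified in step 4, and the SPN values are the article's sample aliases.

```powershell
# Placeholders (assumptions): replace with the account from step 4 and your OWA alias.
$Account = 'YOURDOMAIN\ExchangeAppPoolAccount'
$Wanted  = @('HTTP/Mail', 'HTTP/Mail.yourdomainname.com')

# setspn -L prints a header line followed by one indented SPN per line.
$registered = @(setspn -L $Account | ForEach-Object { $_.Trim() })

# -notcontains compares case-insensitively, which matches how SPNs are compared.
$missing = @($Wanted | Where-Object { $registered -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Output "All expected SPNs are already registered on $Account."
}
foreach ($spn in $missing) {
    # -S checks the domain for an existing copy of the SPN before adding it.
    # Older setspn versions without -S use -A, which does not check for duplicates.
    Write-Output "Registering $spn on $Account"
    setspn -S $spn $Account
}

# Confirm the result, then search the domain for duplicate SPNs. An SPN that is
# registered on more than one account makes Kerberos authentication fail.
setspn -L $Account
setspn -X
```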

For more information about adding SPNs, visit the following Microsoft websites:

Resolution 3

Note

This resolution only applies to Microsoft Dynamics CRM 4.0.

Verify that you have a minimum of Update Rollup 3 for Microsoft Dynamics CRM 4.0 installed for the Microsoft Dynamics CRM Server and for the Microsoft Dynamics CRM E-mail Router. The latest update rollup is highly recommended.

For more information and to download the latest update rollup for Microsoft Dynamics CRM, see [Microsoft Dynamics CRM 4.0 updates and hotfixes].

Resolution 4

Check the following authentication on the /Exchange and /Exadmin virtual directories:

  • Verify that Basic Authentication and Windows Authentication are enabled on the /Exadmin virtual directory.
  • Verify that Basic Authentication is enabled on the /Exchange virtual directory.

To check authentication on the virtual directories, follow these steps on the Microsoft Exchange Server as appropriate for the operating system that you're running:

  • On Windows Server 2008:

    1. Select Start, select Run, type Inetmgr, and then select OK.
    2. Expand the Server name, expand Sites, and then expand the Exchange Website.
    3. Select the /Exadmin virtual directory, open Authentication in the Preview pane, and verify that Basic Authentication and Windows Authentication are enabled.
    4. Select the /Exchange virtual directory, open Authentication in the Preview pane, and verify that Basic Authentication is enabled.
  • On Windows Server 2003:

    1. Select Start, select Run, type Inetmgr, and then select OK.
    2. Expand the Server name, expand Sites, and then expand the Exchange Website.
    3. Right-click the /Exadmin virtual directory, and then select Properties.
    4. Select the Directory Security tab, select Edit under the Authentication and access control, and then verify that Basic Authentication and Windows Authentication are enabled.
    5. Right-click the /Exchange virtual directory, and then select Properties.
    6. Select the Directory Security tab, select Edit under the Authentication and access control, and then verify that Basic Authentication and Windows Authentication are enabled.
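
The authentication settings listed at the start of this resolution can also be checked from the E-mail Router server by reading the schemes that IIS advertises in its 401 response. This is an added example, not part of the original article. The base URL is a placeholder, and the script assumes that Windows Authentication appears as `Negotiate` or `NTLM` in the `WWW-Authenticate` header.

```powershell
# Placeholder (assumption): the URL of the Exchange website as the E-mail Router reaches it.
$BaseUrl = 'http://mail.domain.com'

# Expected schemes per virtual directory, taken from the list in this resolution.
$Expected = @{
    '/Exadmin'  = @('Basic', 'Windows')
    '/Exchange' = @('Basic')
}

function Get-OfferedSchemes([string]$Url) {
    # Send one request without credentials and collect the schemes in the 401 reply.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $resp = $null
    try { $resp = $req.GetResponse() }
    catch {
        # A 401 surfaces as a WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex) { $resp = $ex.Response }
    }
    if (-not $resp) { return @() }      # no HTTP response at all (DNS, TLS, or connection error)
    $values = $resp.Headers.GetValues('WWW-Authenticate')
    $resp.Close()
    if (-not $values) { return @() }    # anonymous access or a non-401 reply
    # Keep only the scheme name, for example 'Basic' from 'Basic realm="..."'.
    return @($values | ForEach-Object { ($_.Trim() -split '\s+')[0] })
}

foreach ($vdir in $Expected.Keys) {
    $offered = Get-OfferedSchemes ($BaseUrl + $vdir)
    foreach ($want in $Expected[$vdir]) {
        if ($want -eq 'Windows') {
            $ok = ($offered -contains 'Negotiate') -or ($offered -contains 'NTLM')
        } else {
            $ok = $offered -contains $want
        }
        $state = if ($ok) { 'offered' } else { 'NOT offered' }
        Write-Output ("{0}: {1} authentication {2} (server advertised: {3})" -f `
            $vdir, $want, $state, ($offered -join ', '))
    }
}
```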

Resolution 5

Add the URL for Outlook Web Access to the Local Intranet Zone, and verify that Automatic Logon is enabled on the server on which the Microsoft Dynamics CRM E-mail Router is installed. To do it, follow these steps:

  1. Sign in to the computer on which the CRM E-mail Router is installed using the account specified in the Incoming Profile.

  2. Open Internet Explorer.

  3. Select Tools, and then select Internet Options.

  4. Select the Security tab, select Local Intranet, and then select Sites.

  5. Select Advanced, add the URL you use to access Outlook Web Access, and then add the URL for the Exchange Server.

  6. Select Close, and then select OK.

  7. Make sure that Local Intranet is selected, select Custom Level, and then select Automatically logon only in Intranet zone.

  8. Select OK two times, and then select Apply.

  9. Close all Internet Explorer sessions.

Note

Internet Explorer can be run under the context of a specific user account while signed in to Windows as a different user account. It can be accomplished by pressing Shift and then right-clicking the Internet Explorer executable, which displays the option to run Internet Explorer as a different user. If Internet Explorer is run under the context of the incoming profile account on the computer where the E-mail Router is installed, it can be used to bypass steps 1 and 2 above.