Microsoft Dynamics CRM 2011 continuously prompts for credentials when it attempts to access a webresource

Article ID: 2536453 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

When you access Microsoft Dynamics CRM 2011, you are continously prompted with credentials when Microsoft Dynamics CRM is trying to access web resources.

CAUSE

Kernel mode authentication within Internet Information Systems is disabled for the Microsoft Dynamics CRM website

RESOLUTION

Kernel mode authentication must be enabled.  In situations where you require the use of SPNs, such as Load Balancing, you must modify the applicationHost.config file to useAppPoolCredentials. To correct this issue, go through the following:

1. Enable Kernel-mode authentication
a. On the Microsoft Dynamics CRM server(s), open up IIS Manager:
Start > Run: inetmgr
b. Expand SERVER > Sites
c. Click on Microsoft Dynamics CRM
d. Within the Features view, double click on Authentication
e. Right-click on Windows Authentication and go to Advanced Settings
f. Check "Enable Kernel-mode authentication"
g. Click Ok
h. Close IIS Manager

2. Modify the applicationHost.config file for IIS to useAppPoolCredentials:
a. On the Microsoft Dynamics CRM server(s), go to:
%SystemDrive%/Windows/System32/inetsrv/config
b. Make a backup of the "applicationHost.config" file
c. Edit the applicationHost.config file with NotePad
d. Modify the system.webServer tag to include useAppPoolCredentials:
<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

NOTE:  There are a lot of different system.webServer references within the applicationHost.config file. To determine which element you should be modifying, load the applicationHost.config file in Visual Studio. Then compress all of the elements under <configuration> so you can see all of the main elements:
 
Collapse this imageExpand this image
Example of the applicationHost.config within Visual Studio


Expand the system.webServer element and make your modifications within here.

3. Set the proper SPNs for the Service Account running the CRMAppPool. This is explained in the following article:
http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx

MORE INFORMATION

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2536453 - Last Review: November 4, 2011 - Revision: 4.0
APPLIES TO
  • Microsoft Dynamics CRM 2011
Keywords: 
kbmbsmigrate kbsurveynew KB2536453

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com