Symptoms

When you access Microsoft Dynamics CRM 2011, you are continously prompted with credentials when Microsoft Dynamics CRM is trying to access web resources.

Cause

Kernel mode authentication within Internet Information Systems is disabled for the Microsoft Dynamics CRM website

Resolution

Kernel mode authentication must be enabled.  In situations where you require the use of SPNs, such as Load Balancing, you must modify the applicationHost.config file to useAppPoolCredentials. To correct this issue, go through the following:

1. Enable Kernel-mode authentication
a. On the Microsoft Dynamics CRM server(s), open up IIS Manager:
Start > Run: inetmgr
b. Expand SERVER > Sites
c. Click on Microsoft Dynamics CRM
d. Within the Features view, double click on Authentication
e. Right-click on Windows Authentication and go to Advanced Settings
f. Check "Enable Kernel-mode authentication"
g. Click Ok
h. Close IIS Manager

2. Modify the applicationHost.config file for IIS to useAppPoolCredentials:
a. On the Microsoft Dynamics CRM server(s), go to:
%SystemDrive%/Windows/System32/inetsrv/config
b. Make a backup of the "applicationHost.config" file
c. Edit the applicationHost.config file with NotePad
d. Modify the system.webServer tag to include useAppPoolCredentials:
<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

NOTE:  There are a lot of different system.webServer references within the applicationHost.config file. To determine which element you should be modifying, load the applicationHost.config file in Visual Studio. Then compress all of the elements under <configuration> so you can see all of the main elements:
  alternate text

Expand the system.webServer element and make your modifications within here.

3. Set the proper SPNs for the Service Account running the CRMAppPool. This is explained in the following article:
http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx

More Information

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Any additional feedback? (Optional)

Thank you for your feedback!

×