Error message when you try to access the Microsoft Dynamics CRM Web site: "You are not authorized to view this page"

Applies to: Microsoft Dynamics CRM 2011Dynamics CRM 4.0

Symptoms


When you try to access the Microsoft Dynamics CRM Web site, you are prompted for domain credentials three times. Then, you receive the following error message:

You are not authorized to view this page.


HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

Cause


This problem may occur when either of the following conditions is true:
  • The Microsoft Internet Information Services (IIS) authentication for the Microsoft Dynamics CRM Web site is not configured to use Kerberos authentication.
  • The Microsoft Dynamics CRM Web site is configured to use host headers.

Resolution


To resolve this problem, follow these steps.

Determine the identifier that the Microsoft Dynamics CRM Web site uses
  1. On the Microsoft Dynamics CRM server, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand the Microsoft Dynamics CRM computer name, and then click Web Sites.
  3. Click the Microsoft Dynamics CRM Web site, and then note the value in the Identifier column.

    Note If you installed Microsoft Dynamics CRM on the default Web site, this value is 1.
  4. Verify the Microsoft Dynamics CRM Web site identifier. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM
    3. Click website, and then note the value in the Value data field.

      Note The value resembles "/LM/W3SVC/1." The last number is supposed to be the same as the Web site identifier that you noted in step 3.
Configure IIS to use Kerberos authentication for the Microsoft Dynamics CRM Web site
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command, and then press Enter:
    C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/1/NTAuthenticationProviders
    Note In this command, 1 represents the value that you determined in the "Determine the identifier that the Microsoft Dynamics CRM Web site uses" section.

    The result states that the authentication is not set at this level or that the authentication is set to NTAuthenticationProviders: (STRING) "NTLM." Therefore, you have to set Kerberos authentication.
  3. At the command prompt, type the following command, and then press Enter:
    C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/NTAuthenticationProviders "Negotiate,NTLM"
    Note In this command, 1 represents the value that you determined in the "Determine the identifier that the Microsoft Dynamics CRM Web site uses" section.
  4. To verify that Kerberos authentication is set correctly, type the following command at the command prompt, and then press Enter:
    C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/1/NTAuthenticationProviders
    Note In this command, 1 represents the value that you determined in the "Determine the identifier that the Microsoft Dynamics CRM Web site uses" section.

    The result is as follows:
    NTAuthenticationProviders: (STRING) "Negotiate,NTLM" 
  5. Restart the Microsoft Dynamics CRM server.
Note You can use a host header to access the Microsoft Dynamics CRM Web site. If you do this, you must also follow the instructions in this Microsoft Knowledge Base article to resolve the problem.