Symptom 1When you try to log on to the Web application of Microsoft Dynamics CRM, you receive the following error message:
Unauthorized: Access is denied due to invalid credentials.
Symptom 2You create one or more callout events that are active in the Microsoft Dynamics CRM system. When you start one of these callout events, you receive the error message that is mentioned in Symptom 1.
- There are duplicate Service Principal Name (SPN) values in the Active Directory directory service tree.
- The loopback check may have to be disabled in Microsoft Windows Server 2003.
- The Microsoft Dynamics CRM Web site is not listed in Local intranet sites in Microsoft Internet Explorer.
- The account that is used to start the Microsoft Dynamics CRM application pool (CRMAppPool) does not have the correct permissions.
Method 1: Delete the duplicate SPN valuesWhen you try to log on to the Web application for Microsoft Dynamics CRM, the following error message may be logged to the Application log on one or more of the domain controllers in the domain:
Event Source: KDC
Event Category: None
Event ID: 11
Description: There are multiple accounts with name host/SERVERNAME.microsoft.com of type10.
Note Only experienced administrators should use the Ldp.exe tool.
For more information about how to locate the duplicate SPN value, click the following article number to view the article in the Microsoft Knowledge Base:
- Only experienced administrators should use the ADSIEdit tool.
- The ADSIEdit tool is available in the Windows Support Tools pack.
- The following steps remove the duplicate SPN value from the user account that originally installed Microsoft Dynamics CRM. However, you can also follow these steps to remove a duplicate SPN value from a computer account.
- Open Microsoft Management Console. To do this, click Start, click Run, type mmc, and then click OK.
- Click File, and then click Add/Remove Snap-in.
- Click Add, click ADSI Edit on the list, click Add, and then click Close.
- Right-click ADSI Edit, and then click Connect To to connect to the actual domain.
- Expand the domain node, and then locate the user account that originally installed Microsoft Dynamics CRM.
- Right-click the user account, and then click Properties.
- In the Attributes column, double-click ServicePrincipleName.
- In the Values window, select and remove all the values that begin with HOST/<servername>. These values match the HOST/<servername> SPN values that are listed in the error message in the Application log.
Method 2: Disable the loopback check on the Microsoft Dynamics CRM serverWarning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- Click Start, click Run, type regedit, and then click OK.
- Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- On the File menu, click Exit.
Method 3: Add the Microsoft Dynamics CRM Web site to "Local intranet" sites in Internet Explorer
- Start Internet Explorer.
- On the Tools menu, click Internet Options.
- Click the Security tab.
- Click Local intranet, and then click Sites.
- In the Local intranet dialog box, click Advanced.
- In the Add this Web site to the zone box, type the URL for the Microsoft Dynamics CRM Web site, and then click Add.
- If you do not use the secure socket layer (SSL), click to clear the Require server verification (https:) for all sites in this zone check box, and then click OK.
Method 4: Change the Microsoft Dynamics CRM application pool to run under a different account
- Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- Expand the computer name.
- Expand Application Pools.
- Right-click CRMAppPool, and then click Properties.
- Click the Identity tab.
- If the application pool is running under a domain account or under the local system account, try to change the application pool to run under the Network Service account. To do this, click Network Service in the Predefined box.
- Click OK to close the CRMAppPool Properties dialog box.
- Click Start, click Run, type iisreset, and then click OK to stop and then restart IIS.
- Log on to the Web application of Microsoft Dynamics CRM.
- These steps are valid only in IIS 6.0.
- If you change the user account that runs the application pool to the Network Service account, we recommend that you also change the account that starts the following services on the Microsoft CRM server:
- Microsoft CRM Bulk E-mail Service
- Microsoft CRM Deletion Service
- Microsoft CRM Workflow Service
- Click Start, click Run, type services.msc, and then click OK.
- Right-click the service, click Properties, and then click the LogOn tab.
- Change the user account that starts the service to the Network Service account, and then click OK.
- Right-click the service, and then click Restart.
รหัสบทความ: 911353 - การตรวจสอบครั้งสุดท้าย: 19 มี.ค. 2009 - ฉบับแก้ไข: 1