Error message when you try to log on to the Web application or when you start a callout event in Microsoft Dynamics CRM: "Access is denied due to invalid credentials"

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

Symptoms

Symptom 1

When you try to log on to the Web application of Microsoft Dynamics CRM, you receive the following error message:
HTTP Error 401
Unauthorized: Access is denied due to invalid credentials.

Symptom 2

You create one or more callout events that are active in the Microsoft Dynamics CRM system. When you start one of these callout events, you receive the error message that is mentioned in Symptom 1.

Cause

This issue may occur for one or more of the following reasons:
  • There are duplicate Service Principal Name (SPN) values in the Active Directory directory service tree.
  • The loopback check may have to be disabled in Microsoft Windows Server 2003.
  • The Microsoft Dynamics CRM Web site is not listed in Local intranet sites in Microsoft Internet Explorer.
  • The account that is used to start the Microsoft Dynamics CRM application pool (CRMAppPool) does not have the correct permissions.

Resolution

To resolve this issue, use the method that is appropriate for your situation.

Method 1: Delete the duplicate SPN values

When you try to log on to the Web application for Microsoft Dynamics CRM, the following error message may be logged to the Application log on one or more of the domain controllers in the domain:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Description: There are multiple accounts with name host/SERVERNAME.microsoft.com of type10.
Typically, the duplicate SPN value is located in the ServicePrincipleName attribute of the User container for the user account that originally installed Microsoft Dynamics CRM. To determine the exact location of the duplicate SPN value, use the Ldp.exe tool.

Note Only experienced administrators should use the Ldp.exe tool.

For more information about how to locate the duplicate SPN value, click the following article number to view the article in the Microsoft Knowledge Base:

321044 Event ID 11 in the System log of domain controllers

After you locate the duplicate SPN value, use the ADSIEdit tool to remove the duplicate SPN value. To do this, follow these steps.
Notes
  • Only experienced administrators should use the ADSIEdit tool.
  • The ADSIEdit tool is available in the Windows Support Tools pack.
  • The following steps remove the duplicate SPN value from the user account that originally installed Microsoft Dynamics CRM. However, you can also follow these steps to remove a duplicate SPN value from a computer account.
  1. Open Microsoft Management Console. To do this, click Start, click Run, type mmc, and then click OK.
  2. Click File, and then click Add/Remove Snap-in.
  3. Click Add, click ADSI Edit on the list, click Add, and then click Close.
  4. Right-click ADSI Edit, and then click Connect To to connect to the actual domain.
  5. Expand the domain node, and then locate the user account that originally installed Microsoft Dynamics CRM.
  6. Right-click the user account, and then click Properties.
  7. In the Attributes column, double-click ServicePrincipleName.
  8. In the Values window, select and remove all the values that begin with HOST/<servername>. These values match the HOST/<servername> SPN values that are listed in the error message in the Application log.

Method 2: Disable the loopback check on the Microsoft Dynamics CRM server

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then right-click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  3. Point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. On the File menu, click Exit.
After you install security update 957097, applications such as Microsoft SQL Server or Internet Information Services (IIS) may fail when making local NTLM authentication requests. For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:

957097 MS08-068: Vulnerability in SMB could allow remote code execution

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

896861 You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

Method 3: Add the Microsoft Dynamics CRM Web site to "Local intranet" sites in Internet Explorer

  1. Start Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Security tab.
  4. Click Local intranet, and then click Sites.
  5. In the Local intranet dialog box, click Advanced.
  6. In the Add this Web site to the zone box, type the URL for the Microsoft Dynamics CRM Web site, and then click Add.
  7. If you do not use the secure socket layer (SSL), click to clear the Require server verification (https:) for all sites in this zone check box, and then click OK.

Method 4: Change the Microsoft Dynamics CRM application pool to run under a different account

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand the computer name.
  3. Expand Application Pools.
  4. Right-click CRMAppPool, and then click Properties.
  5. Click the Identity tab.
  6. If the application pool is running under a domain account or under the local system account, try to change the application pool to run under the Network Service account. To do this, click Network Service in the Predefined box.
  7. Click OK to close the CRMAppPool Properties dialog box.
  8. Click Start, click Run, type iisreset, and then click OK to stop and then restart IIS.
  9. Log on to the Web application of Microsoft Dynamics CRM.
Notes
  • These steps are valid only in IIS 6.0.
  • If you change the user account that runs the application pool to the Network Service account, we recommend that you also change the account that starts the following services on the Microsoft CRM server:
    • Microsoft CRM Bulk E-mail Service
    • Microsoft CRM Deletion Service
    • Microsoft CRM Workflow Service
    To do this, follow these steps for each service:
    1. Click Start, click Run, type services.msc, and then click OK.
    2. Right-click the service, click Properties, and then click the LogOn tab.
    3. Change the user account that starts the service to the Network Service account, and then click OK.
    4. Right-click the service, and then click Restart.
คุณสมบัติ

รหัสบทความ: 911353 - การตรวจสอบครั้งสุดท้าย: 19 มี.ค. 2009 - ฉบับแก้ไข: 1

คำติชม