Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Error when you access Microsoft Dynamics CRM using the NLB address: "HTTP Error 401 - Unauthorized"



Symptoms

When you access Microsoft Dynamics CRM using the Network Load Balancing (NLB) address, a prompt for credentials appears, and you cannot log in to Dynamics CRM with those credentials. You receive the following error message:

HTTP Error 401 - Unauthorized

The following conditions are true:

  • The Microsoft Dynamics CRM Application Pool runs under a domain user account.
  • In Internet Information Services (IIS) 7.0 and IIS 7.5, the Enable Kernel-mode authentication option is enabled.




Cause

By default, IIS 7.0 and IIS 7.5 have the Enable Kernel-mode authentication feature enabled. With this feature, the Kerberos ticket used by a specific application is decrypted using the Local Machine Account (Local System) of the IIS server.

When this occurs, the Local Machine Account does not have enough privilege to run Microsoft Dynamics CRM. In addition, when using Service Accounts with Network Load Balancing, the service accounts on each CRM server and the NLB Virtual Node must be the same service account. By default, these accounts will not have Service Principal Names configured.



Resolution

  1. Log in to each Microsoft Dynamics CRM Server.
  2. Install the IIS 7 Admin Pack: http://www.iis.net/extensions/AdministrationPack. (Note: The IIS 7 Admin Pack is installed by default in Windows Server 2008 R2.)
  3. On the Start menu, point to Administrative Tools, and then click IIS Manager.
  4. Expand the server, click to expand Sites, and then click Microsoft Dynamics CRM.
  5. Under Management, click Configuration Editor.
  6. For the Section location, click to expand system.webServer, expand Security, expand Authentication, and then click Windows Authentication.
  7. In the From section above Properties, select ApplicationHost.config.
  8. In the properties page, set useAppPoolCredentials to True, and then click Apply.
  9. Restart IIS.

Next, you must configure two Service Principal Names (SPNs) for each Microsoft Dynamics CRM Server and for the virtual node. Each Microsoft Dynamics CRM Server and the virtual node needs one SPN for the NetBIOS name and one for the Fully Qualified Domain Name (FQDN), registered for the service account being used. For more information on configuring SPNs, see the SPN Checklist for Kerberos Authentication in the More Information section.
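
The same resolution from an elevated PowerShell prompt, as an added example that is not part of the original KB article: it sets useAppPoolCredentials with appcmd and registers the NetBIOS and FQDN SPNs with setspn. The account name, DNS suffix and host names are constructed placeholders, and the HTTP service class is the one used for IIS web sites.

```powershell
# Constructed placeholder values; replace with your own environment's names.
$SiteName       = 'Microsoft Dynamics CRM'          # IIS site from step 4
$ServiceAccount = 'CONTOSO\svc-crmapppool'          # placeholder: CRM application pool identity
$DnsSuffix      = 'contoso.example'                 # placeholder: DNS domain of the servers
$HostNames      = 'CRMWEB01', 'CRMWEB02', 'CRMNLB'  # placeholder: each CRM server plus the NLB virtual name

# --- Part 1: run on EVERY CRM server (steps 5-9) ---
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/authentication/windowsAuthentication'

# /commit:apphost writes the setting to applicationHost.config (step 7).
& $appcmd set config $SiteName "/section:$section" '/useAppPoolCredentials:true' '/commit:apphost'
if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }

# Read the section back and confirm the attribute is present before restarting IIS.
$config = & $appcmd list config $SiteName "/section:$section" | Out-String
if ($config -notmatch 'useAppPoolCredentials="true"') {
    throw 'useAppPoolCredentials was not applied to the CRM site'
}
& iisreset.exe

# --- Part 2: run ONCE in the domain, with rights to write SPNs on the account ---
# Two SPNs per name: NetBIOS and FQDN, all registered to the same service account.
$spns = foreach ($h in $HostNames) {
    "HTTP/${h}"
    "HTTP/${h}.${DnsSuffix}"
}

foreach ($spn in $spns) {
    # -S refuses to add the SPN if it is already registered to another account;
    # a duplicate SPN makes Kerberos fail and surfaces as the same 401 error.
    & setspn.exe -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not register $spn (duplicate or access denied)" }
}

# Verify: list what the account now holds, then search the domain for duplicates.
& setspn.exe -L $ServiceAccount
& setspn.exe -X
```

Because every HTTP SPN maps to the one application pool account, that account should be a dedicated, least-privileged domain user with a strong password: any domain user can request service tickets for a registered SPN, and those tickets are encrypted with a key derived from the account's password.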



More Information

For more information, click the following link to view the article in the Microsoft Knowledge Base:

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

useAppPoolCredentials = True with Kerberos Delegation on 2008
http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx



Keywords: kbmbspartner, kbmbsmigrate, kbsurveynew, kb


Article Info
Article ID : 2642455
Revision : 1
Created on : 1/7/2017
Published on : 3/22/2012
Exists online : False