Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 911353 - Last Review: January 4, 2008 - Revision: 4.1

Error message when you try to log on to the Web application or when you start a callout event in Microsoft Dynamics CRM: "Access is denied due to invalid credentials"

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://kbalertz.com/Feedback.aspx?kbNumber=256986/) Description of the Microsoft Windows registry

Symptom 1
When you try to log on to the Web application of Microsoft Dynamics CRM, you receive the following error message:
HTTP Error 401 Unauthorized: Access is denied due to invalid credentials.

Symptom 2
You create one or more callout events that are active in the Microsoft Dynamics CRM system. When you start one of these callout events, you receive the error message that is mentioned in Symptom 1.

This issue may occur for one or more of the following reasons:
- There are duplicate Service Principal Name (SPN) values in the Active Directory directory service tree.
- The loopback check may have to be disabled in Microsoft Windows Server 2003.
- The Microsoft Dynamics CRM Web site is not listed in Local intranet sites in Microsoft Internet Explorer.
- The account that is used to start the Microsoft Dynamics CRM application pool (CRMAppPool) does not have the correct permissions.
To resolve this issue, use the method that is appropriate for your situation.

Method 1: Delete the duplicate SPN values
When you try to log on to the Web application for Microsoft Dynamics CRM, the following error message may be logged to the Application log on one or more of the domain controllers in the domain:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Description: There are multiple accounts with name host/SERVERNAME.microsoft.com of type10.

Typically, the duplicate SPN value is located in the servicePrincipalName attribute of the User container for the user account that originally installed Microsoft Dynamics CRM. To determine the exact location of the duplicate SPN value, use the Ldp.exe tool.
Note Only experienced administrators should use the Ldp.exe tool.
For more information about how to locate the duplicate SPN value, click the following article number to view the article in the Microsoft Knowledge Base:
321044 (http://kbalertz.com/Feedback.aspx?kbNumber=321044/) Event ID 11 in the System log of domain controllers

After you locate the duplicate SPN value, use the ADSIEdit tool to remove the duplicate SPN value. To do this, follow these steps.
Notes
- Only experienced administrators should use the ADSIEdit tool.
- The ADSIEdit tool is available in the Windows Support Tools pack.
- The following steps remove the duplicate SPN value from the user account that originally installed Microsoft Dynamics CRM. However, you can also follow these steps to remove a duplicate SPN value from a computer account.

- Open Microsoft Management Console. To do this, click Start, click Run, type mmc, and then click OK.
- Click File, and then click Add/Remove Snap-in.
- Click Add, click ADSI Edit on the list, click Add, and then click Close.
- Right-click ADSI Edit, and then click Connect To to connect to the actual domain.
- Expand the domain node, and then locate the user account that originally installed Microsoft Dynamics CRM.
- Right-click the user account, and then click Properties.
- In the Attributes column, double-click servicePrincipalName.
- In the Values window, select and remove all the values that begin with HOST/<servername>. These values match the HOST/<servername> SPN values that are listed in the error message in the Application log.
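
As an added example (not part of the Microsoft article): a read-only PowerShell search that lists which accounts hold the same SPN value, so the duplicate can be confirmed before anything is removed in ADSI Edit. The function name Find-DuplicateSpn and the HOST/SERVERNAME prefix are placeholders, and the script assumes PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example: read-only search for SPN values that are registered on
# more than one account. It searches the current domain only.
function Find-DuplicateSpn {
    param([Parameter(Mandatory = $true)][string]$Prefix)

    # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
    $escaped = $Prefix -replace '\\', '\5c' -replace '\*', '\2a' `
                       -replace '\(', '\28' -replace '\)', '\29'

    $searcher = [adsisearcher]"(servicePrincipalName=$escaped*)"
    $searcher.PageSize = 1000     # page through large result sets
    $searcher.PropertiesToLoad.AddRange([string[]]('distinguishedname', 'serviceprincipalname'))

    $rows = foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            # An account carries many SPNs; keep only those under the prefix.
            if ($spn.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Account = $dn }
            }
        }
    }

    # An SPN must map to exactly one account; report any value held by several.
    $rows | Group-Object Spn | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Spn      = $_.Name
            Accounts = @($_.Group | ForEach-Object { $_.Account })
        }
    }
}

# 'HOST/SERVERNAME' is a placeholder; use the name from KDC event ID 11.
Find-DuplicateSpn -Prefix 'HOST/SERVERNAME' | Format-List
```

An empty result means no SPN under that prefix is held by more than one account in the searched domain.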
Method 2: Disable the loopback check on the Microsoft Dynamics CRM server
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- Click Start, click Run, type regedit, and then click OK.
- Locate and then right-click the following registry subkey:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- On the File menu, click Exit.
After you install security update 957097, applications such as Microsoft SQL Server or Internet Information Services (IIS) may fail when making local NTLM authentication requests.
For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
957097 (http://kbalertz.com/Feedback.aspx?kbNumber=957097/) MS08-068: Vulnerability in SMB could allow remote code execution
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
896861 (http://kbalertz.com/Feedback.aspx?kbNumber=896861/) You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
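
Because Method 2 turns the loopback check off for every host name on the server, the following added example (not part of the Microsoft article) inventories where the workaround is in place. It is read-only; the function name Get-LoopbackCheckState is hypothetical, and the BackConnectionHostNames value it also reports is the per-host-name alternative documented in KB 896861, not in this article.

```powershell
# Added example: read-only inventory of the loopback-check workaround.
# Remote targets need the Remote Registry service and admin rights.
function Get-LoopbackCheckState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    foreach ($computer in $ComputerName) {
        $base = $null
        try {
            # An empty machine name opens the local registry directly.
            $target = if ($computer -eq $env:COMPUTERNAME) { '' } else { $computer }
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $target)
            $lsa  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $msv  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0')

            # An absent value means the check is on (the Windows default).
            $disabled = [int]$lsa.GetValue('DisableLoopbackCheck', 0)
            $names = @()
            if ($msv) {
                $raw = $msv.GetValue('BackConnectionHostNames')
                if ($null -ne $raw) { $names = @($raw) }
            }

            if ($disabled -eq 1) {
                $finding = 'Loopback check disabled for all host names'
            } elseif ($names.Count -gt 0) {
                $finding = 'Loopback check on, with per-name exceptions'
            } else {
                $finding = 'Loopback check on (default)'
            }
            [pscustomobject]@{
                Computer             = $computer
                DisableLoopbackCheck = $disabled
                BackConnectionNames  = ($names -join ', ')
                Finding              = $finding
            }
        } catch {
            [pscustomobject]@{ Computer = $computer; DisableLoopbackCheck = $null
                BackConnectionNames = ''; Finding = "Unreadable: $($_.Exception.Message)" }
        } finally {
            if ($base) { $base.Close() }
        }
    }
}

Get-LoopbackCheckState | Format-Table -AutoSize
```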
Method 3: Add the Microsoft Dynamics CRM Web site to "Local intranet" sites in Internet Explorer
- Start Internet Explorer.
- On the Tools menu, click Internet Options.
- Click the Security tab.
- Click Local intranet, and then click Sites.
- In the Local intranet dialog box, click Advanced.
- In the Add this Web site to the zone box, type the URL for the Microsoft Dynamics CRM Web site, and then click Add.
- If you do not use the secure socket layer (SSL), click to clear the Require server verification (https:) for all sites in this zone check box, and then click OK.
Method 4: Change the Microsoft Dynamics CRM application pool to run under a different account
- Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- Expand the computer name.
- Expand Application Pools.
- Right-click CRMAppPool, and then click Properties.
- Click the Identity tab.
- If the application pool is running under a domain account or under the local system account, try to change the application pool to run under the Network Service account. To do this, click Network Service in the Predefined box.
- Click OK to close the CRMAppPool Properties dialog box.
- Click Start, click Run, type iisreset, and then click OK to stop and then restart IIS.
- Log on to the Web application of Microsoft Dynamics CRM.
Notes
- These steps are valid only in IIS 6.0.
- If you change the user account that runs the application pool to the Network Service account, we recommend that you also change the account that starts the following services on the Microsoft CRM server:
  - Microsoft CRM Bulk E-mail Service
  - Microsoft CRM Deletion Service
  - Microsoft CRM Workflow Service
  To do this, follow these steps for each service:
  - Click Start, click Run, type services.msc, and then click OK.
  - Right-click the service, click Properties, and then click the Log On tab.
  - Change the user account that starts the service to the Network Service account, and then click OK.
  - Right-click the service, and then click Restart.
APPLIES TO
- Microsoft Dynamics CRM 4.0
- Microsoft CRM 3.0
Keywords: kbmbscrm40 kblogin kberrmsg kbtshoot kbmbsmigrate kbprb KB911353