Error message when you try to log on to the Web application of Microsoft Dynamics CRM 3.0: "Access is denied due to invalid credentials" (911353)
The information in this article applies to:
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

SYMPTOMS
When you try to log on to the Web application of Microsoft Dynamics CRM 3.0, you receive the following error message:
HTTP Error 401 Unauthorized: Access is denied due to invalid credentials.

CAUSE
This issue may occur for one or more of the following reasons:
- There are duplicate service principal name (SPN) values in the Active Directory directory service tree.
- The loopback check may have to be disabled in Microsoft Windows Server 2003.
- The Microsoft Dynamics CRM Web site is not listed in Local intranet sites in Microsoft Internet Explorer.
- The account that is used to start the Microsoft Dynamics CRM application pool (CRMAppPool) does not have the correct permissions.

RESOLUTION
To resolve this issue, use the method that is appropriate for your situation.

Method 1: Delete the duplicate SPNs
When you try to log on to the Web application for Microsoft CRM 3.0, the following error may be logged to the Application log:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Description: There are multiple accounts with name host/SERVERNAME.microsoft.com of type10.

To determine the location of the duplicate SPN value, use the Ldp.exe tool. Then, use the Adsiedit.msc tool to remove the duplicate SPN value.
For more information about the tools and the procedures to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
305971
Windows 2000 Server prompts domain user for credentials
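
As an added example (not part of the original article or any Microsoft tooling), the following PowerShell sketch shows how duplicate SPN values like the one in KDC Event ID 11 can be located by grouping every SPN by the accounts that hold it. The function names, the example.com domain, and the sample accounts are constructed for illustration, and the sketch assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the KB article; function names are hypothetical.
# Get-SpnAccount needs a domain-joined machine. The searcher covers the
# current domain only, so a duplicate held in another domain is not seen.
function Get-SpnAccount {
    $searcher = [adsisearcher]'(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # page results instead of stopping at the server limit
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            Spn               = @($result.Properties['serviceprincipalname'])
        }
    }
}

# Flatten accounts into (SPN, owner) pairs and keep SPNs with more than one owner.
# Group-Object compares case-insensitively by default, which matches SPN lookup.
function Find-DuplicateSpn {
    param([Parameter(ValueFromPipeline = $true)]$Account)
    begin { $pairs = @() }
    process {
        foreach ($spn in $Account.Spn) {
            $pairs += [pscustomobject]@{ Spn = $spn; Owner = $Account.DistinguishedName }
        }
    }
    end {
        $pairs | Group-Object -Property Spn | ForEach-Object {
            $owners = @($_.Group | ForEach-Object { $_.Owner } | Sort-Object -Unique)
            if ($owners.Count -gt 1) {
                [pscustomobject]@{ Spn = $_.Name; Owners = $owners }
            }
        }
    }
}

# Constructed sample: a computer account and a service account that both
# register the same host SPN (differing only in case).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=CRMSRV01,OU=Servers,DC=example,DC=com'
                       Spn = @('HOST/crmsrv01.example.com', 'HOST/CRMSRV01') },
    [pscustomobject]@{ DistinguishedName = 'CN=svc-crm,OU=Service Accounts,DC=example,DC=com'
                       Spn = @('host/crmsrv01.example.com', 'HTTP/crm.example.com') }
)
$sample | Find-DuplicateSpn | Format-List
# Live use on a domain member: Get-SpnAccount | Find-DuplicateSpn | Format-List
```

Each reported owner is an object to inspect before removing the duplicate value with Adsiedit.msc.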
Note Only experienced administrators should consider using the Ldp.exe and Adsiedit.msc tools.

Method 2: Disable the loopback check on the Microsoft Dynamics CRM server
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- Click Start, click Run, type regedit, and then click OK.
- Locate and then right-click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- Point to New, and then click DWORD Value.
- Type DisableLoopbackCheck, and then press ENTER.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- On the File menu, click Exit.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
896861
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6

Method 3: Add the Microsoft Dynamics CRM Web site to "Local intranet" sites in Internet Explorer
- Start Internet Explorer.
- On the Tools menu, click Internet Options.
- Click the Security tab.
- Click Local intranet, and then click Sites.
- In the Local intranet dialog box, click Advanced.
- In the Add this Web site to the zone box, type the URL for the Microsoft Dynamics CRM Web site, and then click Add.
- If you do not use Secure Sockets Layer (SSL), click to clear the Require server verification (https:) for all sites in this zone check box, and then click OK.

Method 4: Change the Microsoft Dynamics CRM application pool to run under a different account
- Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- Expand the computer name.
- Expand Application Pools.
- Right-click CRMAppPool, and then click Properties.
- Click the Identity tab.
- If the application pool is running under a domain account or under the local system account, try to change the application pool to run under the Network Service account. To do this, click Network Service in the Predefined box.
- Click OK to close the CRMAppPool Properties dialog box.
- Click Start, click Run, type iisreset, and then click OK to stop and then restart IIS.
- Log on to the Web application of Microsoft Dynamics CRM 3.0.

Notes
- These steps are valid only in IIS 6.0.
- If you change the user account that runs the application pool to the Network Service account, we recommend that you also change the account that starts the following services on the Microsoft CRM server:
- Microsoft CRM Bulk E-mail Service
- Microsoft CRM Deletion Service
- Microsoft CRM Workflow Service
To do this, follow these steps for each service:
- Click Start, click Run, type services.msc, and then click OK.
- Right-click the service, click Properties, and then click the Log On tab.
- Change the user account that starts the service to the Network Service account, and then click OK.
- Right-click the service, and then click Restart.

Modification Type: Major | Last Reviewed: 9/13/2006
Keywords: kblogin kberrmsg kbtshoot kbMSCCSearch kbMBSMigrate kbprb KB911353 kbAudEndUser