Now I am the master - Tips for running CRM 4.0 as a service account

Many companies prefer to run applications under a dedicated domain service account rather than a built-in account such as NETWORK SERVICE.  Each approach has its own benefits; this article provides the additional steps, tips and things to verify if you want to do the installation as a service account.

First, be aware that when you run Setup to install CRM as a service account, the Environment Diagnostic Wizard will give you the following warning:

"Verify Domain User account SPN for the Microsoft Dynamics CRM ASP.NET Application Pool account."

[Screenshot: EDW - Service Account Error]

This is safe to ignore, as the steps below take care of the issue this warning is concerned with.  Asking for Help on this item points you to this article, which, while useful, isn't very straightforward.  I have provided additional steps and things to verify in the procedure below.

Note that these steps are not always required.  You will know they are needed if, after installing as a service account, you get the following error from Microsoft CRM:

Error:
Caller does not have enough privilege to set the CallerOriginToken to the specified value.

 

Procedure:

  1. Using the Windows Support Tools, register the HTTP SPNs for the CRM server name on the service account (Important: this needs to be done first)

    setspn -A HTTP/servername:5555 domain\serviceusername
    setspn -A HTTP/servername.company.com:5555 domain\serviceusername


    Note: Don't forget the PORT
    Note: Don't forget to do both the FQDN and the NetBIOS name
    Note: You may not need the port number depending on your host headers.  The important thing is that the host name and port in the SPN match what user requests are coming in on.  For port 80, clients request HTTP/servername with no port, so that is the SPN that must exist; registering HTTP/servername:80 as well does no harm but is not what gets requested.  Internet Explorer also leaves a non-default port such as 5555 out of the SPN it requests unless the FEATURE_INCLUDE_PORT_IN_SPN_KB908209 feature-control key is enabled on the client, so the safe default is to register both the port-less and the port-qualified form of each name.
  2. Enable Trust for Delegation in AD for the Service Account AND the CRM machine account.  Where the option is available, prefer "Trust this user for delegation to specified services only" (constrained delegation) listing only the back-end services CRM needs; plain "Trust this user for delegation to any service" lets anyone who compromises the service account impersonate every connecting user to any service in the domain.

    Note: The Delegation tab in Active Directory Users and Computers only appears after the account has SPNs registered, so add the SPNs for both the NetBIOS name and the FQDN in step #1 first.
  3. Verify that the service account is a member of the CRM installation's PrivUserGroup, and add it if it is missing.

    Note: This step must be done after installation.  There is a known issue where Setup removes the user used for installation (the "setup user") from the group; if this user is the same as the service account, the service account will be missing.
  4. Add the service account to the local machine's IIS_WPG group (on IIS 7 / Windows Server 2008 the equivalent built-in group is IIS_IUSRS).
  5. Restart the CRM server.  Depending on your domain's replication settings, some of these changes may take a few minutes to propagate.
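Putting steps 1 to 4 together, the PowerShell script below is an added example (it is not from the original post and not part of Microsoft's CRM tooling) that reports which of the prerequisites above are in place and, when run with -Fix, applies the missing ones.  The server name CRMSERVER, the domain contoso.com / CONTOSO, the service account svc_crm and port 5555 are assumed placeholders; setspn.exe must be on the path, the duplicate check (setspn -X) needs the Windows Server 2008 or later version of the tool, and the IIS 7 group name (IIS_IUSRS) goes beyond the IIS 6 instruction in step 4.

```powershell
# Added example, not from the original post: check (and with -Fix, apply) the
# service-account prerequisites from steps 1-4 for a Dynamics CRM 4.0 server.
# Assumed names: server CRMSERVER in contoso.com, service account CONTOSO\svc_crm,
# CRM web site on port 5555. Needs setspn.exe; -Fix needs rights to edit AD and the local group.
param(
    [string]$Server        = 'CRMSERVER',
    [string]$DnsDomain     = 'contoso.com',
    [string]$NetbiosDomain = 'CONTOSO',
    [string]$ServiceUser   = 'svc_crm',
    [int]   $Port          = 5555,
    [switch]$Fix
)

$fqdn    = "$Server.$DnsDomain"
$account = "$NetbiosDomain\$ServiceUser"

# --- Step 1: HTTP SPNs on the service account -----------------------------------------
# NetBIOS and FQDN forms, with and without the port: IE only includes a non-default
# port in the SPN it requests when FEATURE_INCLUDE_PORT_IN_SPN_KB908209 is set.
$wanted     = @("HTTP/$Server", "HTTP/$fqdn", "HTTP/${Server}:$Port", "HTTP/${fqdn}:$Port")
$registered = setspn -L $account | ForEach-Object { $_.Trim() }
foreach ($spn in $wanted) {
    if ($registered -contains $spn) { "OK       $spn" }
    elseif ($Fix) { setspn -A $spn $account | Out-Null; "ADDED    $spn" }
    else          { "MISSING  $spn" }
}
# A duplicate SPN (e.g. the same HTTP/name also left on the machine account) makes the
# KDC issue a ticket for the wrong account; clients then fall back to NTLM or get 401.1.
$dupes = setspn -X 2>$null | Select-String -SimpleMatch 'HTTP/'
if ($dupes) { "WARNING  duplicate HTTP SPNs found in the forest:"; $dupes }

# --- Step 2: delegation settings on the account ---------------------------------------
$root     = [ADSI]''
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$ServiceUser)")
$result   = $searcher.FindOne()
if (-not $result) { throw "Account $ServiceUser not found in the current domain" }
$user     = $result.GetDirectoryEntry()
$uac      = [int]$user.Properties['userAccountControl'][0]
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit for unconstrained delegation
$allowedTo = $user.Properties['msDS-AllowedToDelegateTo']
if ($allowedTo.Count -gt 0)                  { "OK       constrained delegation to: $($allowedTo -join ', ')" }
elseif ($uac -band $TRUSTED_FOR_DELEGATION)  { "WARNING  unconstrained delegation enabled; prefer 'delegation to specified services only'" }
else                                         { "MISSING  account is not trusted for delegation" }

# --- Step 3: membership in the installation's PrivUserGroup --------------------------
# CRM names the group 'PrivUserGroup {GUID}', so match on the prefix.
$searcher.Filter = '(&(objectClass=group)(cn=PrivUserGroup*))'
$userDn = $user.Properties['distinguishedName'][0]
foreach ($g in $searcher.FindAll()) {
    $ge = $g.GetDirectoryEntry()
    $cn = $ge.Properties['cn'][0]
    if ($ge.Properties['member'] -contains $userDn) { "OK       member of $cn" }
    elseif ($Fix) { $ge.Properties['member'].Add($userDn) | Out-Null; $ge.CommitChanges(); "ADDED    $account to $cn" }
    else          { "MISSING  $account is not in $cn" }
}

# --- Step 4: local IIS worker-process group (IIS_WPG on IIS 6, IIS_IUSRS on IIS 7) ----
$groupName = if (Test-Path "$env:windir\System32\inetsrv\appcmd.exe") { 'IIS_IUSRS' } else { 'IIS_WPG' }
$local   = [ADSI]"WinNT://./$groupName,group"
$members = @($local.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -contains $ServiceUser) { "OK       $account is in local $groupName" }
elseif ($Fix) { $local.Add("WinNT://$NetbiosDomain/$ServiceUser,user"); "ADDED    $account to local $groupName" }
else          { "MISSING  $account is not in local $groupName" }
```

Run it once without -Fix on the CRM server as a domain administrator to see the report, then with -Fix to apply the missing pieces; step 5 (restarting the server and waiting for AD replication) is still a manual step.  The script flags unconstrained delegation as a warning rather than an error because it does work; it is simply a larger blast radius than constrained delegation if the service account is ever compromised.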


Cheers,

This posting is provided "AS IS" with no warranties, and confers no rights.

Comments
Didn't work for me,
still asking for password until failing and getting 401 Error.
This is not a total "how to" guide... these are things just to check. 401 is an HTTP error and is either thrown by IIS or CRM (in the case the CrmAuthenticationToken is wrong).

If you are getting 401 errors, it is probably not related to the service account (it would be a different error), but is instead related to IIS configuration or Active Directory configuration.
Aaron,

I know this is an old post but it's still coming up high in Google searches due to the popularity of your blog. Please make a correction to this post. You need to remove the port number and change the direction of the / to \ in the following SPN:

setspn -A HTTP/servername.company.com:5555 domain/serviceusername

It should be:

setspn -A HTTP/servername.company.com domain\serviceusername

Kerberos problems causing 401.1 can be caused by so many different issues in addition to this one. I posted on my blog to start accumulating all of the different resolutions I and others have come across.

Pingback at http://thecrmarchitect.wordpress.com coming soon

-Dan

P.S. Thanks for your continuing generosity and contributions to the CRM community. I've drawn on your knowledge many times.
Hey man, I believe you need to fix your syntax to
setspn -A HTTP/servername:5555 domain\serviceusername
setspn -A HTTP/servername.company.com:5555 domain\serviceusername

The second slashes for domain\account are now fixed.