mscrm-addons.com - Blog

News.mscrm-addons.com Blog

rss

Hello and welcome to our blog! What can we do for you? Are you looking for further technical information or step-by-step instructions to our products? Or would you like to read the latest news on mscrm-addons? Please feel free to browse our blog for detailed information and to share our posts!


The request failed with HTTP status 401: Unauthorized

This article outlines what to do if you get the following failure notice: Request failed wiht HTTP status 401: Unauthorized. 

Requirements: WordMailMerge

Example:


Figure 1: WordMailMerge Error The request failed with HTTP status 401: Unauthorized.

Also this error message could occur. 


Figure 2: Alternative error message

If you click on the [Create Document]-button, you should get the following error message:


Figure 3: Another related error message

Why do you receive these error messages?     
If you are in a Windows Server 2003 functional level domain and the CRM and SharePoint are installed on different servers, you get this error because Windows default security does not allow delegation. This means, that the CRM server is not allowed to forward the user credentials to SharePoint and so, the SharePoint login failes for all anonymous users.
 
Workaround
At the moment, there is only a workaround to overcome this problem. You could select one special user for this. All document and template related connections will be processed via this user and so you have no control about template-security. All WordMailMerge users have the same permissions as the user you select for impersonation. To set this user, open the WordMailMerge web.config in the installation directory (C:\Program Files\PTM EDV-Systeme GmbH\WordMailMerge Server for MS CRM 3\web.config) and add the following line in the system.web-node: .


Figure 4: workaround

Another Possible Solution
There is another solution with full functionality. But if you want to apply this solution, you definitely need some knowledge about your network infrastructure and security. Please read the article to end before you change anything!
At the moment it is only tested with SharePoint Server 2007 and SharePoint Services 3.0.

Configuration on Domaincontroller
Open Active Directory Users and Computers on the domain controller and find your CRM Server. Open the properties and go to the Delegation-tab. Change the setting to Trust this computer for delegation to any services (Kerberos only).


Figure 5: Configuration on Domaincontroller

Configuration on CRM Server
You must change the authentication provider to Kerberos. To do so, simply follow the Knowledge-Base article from Microsoft.

A short explanation of this step:
1. Open the ISS Manager and find out the Website-ID of the CRM application. See next screenshot:


Figure 6: IIS Manager

2. Click on Start, Run ..., enter cmd and click on Enter. Change to C:\inetpub\adminscripts. Enter the following line:
cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders Negotiate,NTLM 
(## stands for the ID you found out in the previous step)

Configuration on SharePoint
First you have to change the IIS Applicationpool User. Please make sure that the NetworkService has enough rights for the SharePoint-database! To change this, open IIS Manager and open the properties of the SharePoint Application Pool. Switch to the Identity-tab page and change the Predefined user to Network Service


Figure 7: SharePoint - Properties

Now you can change the SharePoint itself to Kerberos. To do sp, open Start > Administrative Tools > SharePoint 3.0 Central Administration. Go to the Application Management-tab and click on Authentication Providers.


Figure 8: Application management window

Please change the Integrated Windows authentication to Negotiate (Kerberos)

image

That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.




Comments are closed.