This article outlines what to do if you get the following failure notice: Request failed wiht HTTP status 401: Unauthorized.
Also this error message could occur.
Why do you receive these error messages?
If you are in a Windows Server 2003 functional level domain and the CRM and SharePoint are installed on different servers, you get this error because Windows default security does not allow delegation. This means, that the CRM server is not allowed to forward the user credentials to SharePoint and so, the SharePoint login failes for all anonymous users.
At the moment, there is only a workaround to overcome this problem. You could select one special user for this. All document and template related connections will be processed via this user and so you have no control about template-security. All WordMailMerge users have the same permissions as the user you select for impersonation. To set this user, open the WordMailMerge web.config in the installation directory (C:\Program Files\PTM EDV-Systeme GmbH\WordMailMerge Server for MS CRM 3\web.config) and add the following line in the system.web-node: .
Another Possible Solution
There is another solution with full functionality. But if you want to apply this solution, you definitely need some knowledge about your network infrastructure and security. Please read the article to end before you change anything!
At the moment it is only tested with SharePoint Server 2007 and SharePoint Services 3.0.
Configuration on Domaincontroller
Open Active Directory Users and Computers on the domain controller and find your CRM Server. Open the properties and go to the Delegation-tab. Change the setting to Trust this computer for delegation to any services (Kerberos only).
Configuration on CRM Server
You must change the authentication provider to Kerberos. To do so, simply follow the Knowledge-Base article from Microsoft.
A short explanation of this step:
1. Open the ISS Manager and find out the Website-ID of the CRM application. See next screenshot:
2. Click on Start, Run ..., enter cmd and click on Enter. Change to C:\inetpub\adminscripts. Enter the following line:
cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders Negotiate,NTLM
(## stands for the ID you found out in the previous step)
Configuration on SharePoint
First you have to change the IIS Applicationpool User. Please make sure that the NetworkService has enough rights for the SharePoint-database! To change this, open IIS Manager and open the properties of the SharePoint Application Pool. Switch to the Identity-tab page and change the Predefined user to Network Service.
Now you can change the SharePoint itself to Kerberos. To do sp, open Start > Administrative Tools > SharePoint 3.0 Central Administration. Go to the Application Management-tab and click on Authentication Providers.
Please change the Integrated Windows authentication to Negotiate (Kerberos)
That’s it! We appreciate your feedback! Please share your thoughts by sending an email to firstname.lastname@example.org.