Tuesday, August 5, 2008

Now I am the master - Tips for running CRM 4.0 as a service account

posted at: 2:40 PM by Aaron Elder

Many companies prefer to run applications under a dedicated domain service account instead of a built-in account like NETWORK SERVICE.  Each approach has its own benefits; this article covers the additional steps, tips and things to verify if you choose to install CRM as a service account.

First, be aware that when you run Setup to install CRM as a service account, the Environment Diagnostic Wizard will give you the following warning:

"Verify Domain User account SPN for the Microsoft Dynamics CRM ASP.NET Application Pool account."

[Screenshot: EDW - Service Account Error]

This is safe to ignore, as the steps below take care of the issue the warning is concerned with.  Clicking Help on this item points you to an article which, while useful, isn't very straightforward.  I have provided additional steps and things to verify in the procedure below.

Note that these steps are not always required.  You will know they are needed if, after installing as a service account, you get the following error from Microsoft CRM:

Error:
Caller does not have enough privilege to set the CallerOriginToken to the specified value.

 

Procedure:

  1. Using Windows Support Tools, set up the SPNs for the machine and service account (Important: this needs to be done first)

    setspn -A HTTP/servername:5555 domain\serviceusername
    setspn -A HTTP/servername.company.com:5555 domain\serviceusername


    Note: Don't forget the PORT
    Note: Don't forget to do both the FQDN and the NetBIOS name
    Note: The account is written domain\serviceusername (backslash), not domain/serviceusername
    Note: setspn -A does not check for duplicates, and a duplicate SPN breaks Kerberos for both accounts. Run setspn -L domain\serviceusername afterwards to confirm the SPNs landed on the right account (the setspn shipped with Windows Server 2008 and later also has -S, which refuses to add a duplicate).
  2. Enable "Trust for Delegation" in Active Directory for BOTH the service account AND the CRM machine account

    Note: This option is only available after you have added the SPNs for both the NetBIOS name and the FQDN in step #1
  3. Verify that the service account is a member of the CRM installation's PrivUserGroup, and add it if it is not

    Note: This step must be done after installation. There is a known issue where Setup removes the user used for installation (the "setup user"); if this user is the same as the service account user, it will be missing from the group.
  4. Add the service account to the local machine's IIS_WPG group on the CRM server
  5. Restart the CRM server.  Also, depending on your domain's replication settings, some of these changes may take a few minutes to propagate.
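The whole procedure above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later, which is newer than the tooling the post used), that it is run on the CRM server by an account allowed to edit the user and computer objects, and that setspn.exe is on the path. The domain, server, account and group names are placeholders; the PrivUserGroup lookup relies on the group name starting with "PrivUserGroup", so check it against your own installation.

```powershell
# Added example, not from the original post. All names below are assumptions.
$Domain      = 'CONTOSO'               # NetBIOS domain name (assumed)
$ServerName  = 'crmsrv01'              # CRM server NetBIOS name (assumed)
$Fqdn        = 'crmsrv01.contoso.com'  # CRM server FQDN (assumed)
$Port        = 5555                    # CRM web site port, as in the post
$ServiceUser = 'svc-crmapppool'        # service account sAMAccountName (assumed)
$Account     = "$Domain\$ServiceUser"  # backslash, not forward slash

Import-Module ActiveDirectory

# Step 1: SPNs for BOTH the NetBIOS name and the FQDN, WITH the port.
# -S (Server 2008+ setspn) refuses to add a duplicate; the post's -A does not.
$spns = @("HTTP/${ServerName}:$Port", "HTTP/${Fqdn}:$Port")
foreach ($spn in $spns) {
    & setspn.exe -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        throw "setspn failed for $spn (duplicate SPN or insufficient rights)"
    }
}
# Verify the SPNs are on the service account and that nothing is duplicated.
& setspn.exe -L $Account
& setspn.exe -X

# Step 2: trust for delegation on the service account AND the CRM machine.
# This only becomes possible once the account actually has SPNs (step 1).
Set-ADUser     -Identity $ServiceUser -TrustedForDelegation $true
Set-ADComputer -Identity $ServerName  -TrustedForDelegation $true

# Step 3: make sure the service account is in the CRM PrivUserGroup.
# CRM names the group "PrivUserGroup {<guid>}"; require exactly one match.
$privGroups = @(Get-ADGroup -Filter 'Name -like "PrivUserGroup*"')
if ($privGroups.Count -ne 1) {
    throw "Expected one PrivUserGroup, found $($privGroups.Count); set it by hand"
}
$members = Get-ADGroupMember -Identity $privGroups[0] | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $ServiceUser) {
    Add-ADGroupMember -Identity $privGroups[0] -Members $ServiceUser
}

# Step 4: local IIS worker process group on the CRM server.
# IIS_WPG is the IIS 6 name; on IIS 7 the equivalent group is IIS_IUSRS.
& net.exe localgroup IIS_WPG $Account /add
& net.exe localgroup IIS_WPG

# Step 5: the post calls for a full restart of the CRM server. Group membership
# and delegation changes need to replicate first, so allow a few minutes.
Get-ADUser $ServiceUser -Properties TrustedForDelegation, ServicePrincipalName |
    Select-Object SamAccountName, TrustedForDelegation, ServicePrincipalName
Restart-Computer -Confirm
```

Running `setspn -X` at the end is the check worth keeping: a second account carrying the same HTTP/servername:5555 SPN is the most common reason these steps look complete yet Kerberos still fails. Note that the "Trust for Delegation" checkbox in step 2 is unconstrained delegation; if your domain functional level allows it, constraining the account to only the SPNs it needs is the safer setting.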


Cheers,

This posting is provided "AS IS" with no warranties, and confers no rights.

1 comment:

Anonymous said...

Hi Bill - Thanks for the post - this helped a bunch. One quick note though - in your example, you show the user account with the wrong slash - it should be "user\domain" and not "user/domain". It took me a couple of minutes to figure out what I was doing wrong! :)