Now I am the master - Tips for running CRM 4.0 as a service account

by Bill Owens 6. August 2008 08:06
posted at: 2:40 PM by Aaron Elder

Many companies prefer to run applications as a service account instead of as a built-in account like NETWORK SERVICE.  While each approach has its own distinct benefits, this article provides some additional steps, tips and things to verify if you want to do the installation as a service account.

First, be aware that when you ask setup to install CRM as a service account, the Environment Diagnostic Wizard will give you the following warning:

"Verify Domain User account SPN for the Microsoft Dynamics CRM ASP.NET Application Pool account."

EDW - Service Account Error 

This is safe to ignore, as the steps below will take care of the issue this warning is concerned with.  Asking for Help on this item points you to this article, which, while useful, isn't very straightforward.  I have provided additional steps and things to verify in the procedure below.

Note that these steps are not always required.  You will know these steps are needed if, after installing as a service account, you get the following error from Microsoft CRM.

Error:
Caller does not have enough privilege to set the CallerOriginToken to the specified value.

 

Procedure:

  1. Using Windows Support Tools, set up the SPNs for the machine and service account (Important: needs to be done first)

    setspn -A HTTP/servername:5555 domain\serviceusername
    setspn -A HTTP/servername.company.com:5555 domain\serviceusername


    Note: Don’t forget the PORT
    Note: Don’t forget to do both the FQDN and the NetBIOS name
  2. Enable Trust for Delegation in AD for the Service Account AND the CRM Machine

    Note: This option is only available after you add the SPN for both the NetBIOS name and the FQDN in step #1
  3. Verify / add the service account to the CRM installation’s PrivUserGroup

    Note: This step must be done after installation. There is a known issue where setup will remove the user used for installation (the "setup user"), and if this user is the same as the service account user, it will be missing.
  4. The service account needs to be added to the local machine's IIS_WPG group
  5. Restart the CRM server.  Also, depending on your domain's replication settings, some of these changes may take a few minutes to propagate.
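
To confirm that steps 1 through 4 took effect, the read-only check below can be run on the CRM server. It is an added example, not part of the original post: the account name, server names and port are the placeholders from step 1, and it assumes Windows PowerShell 3.0 or later on a domain-joined machine, with the service account a direct member of a group whose name starts with PrivUserGroup.

```powershell
# Added example - placeholder values (assumptions); substitute your own.
$Account = 'serviceusername'            # sAMAccountName of the CRM service account
$Server  = 'servername'                 # NetBIOS name of the CRM server
$Fqdn    = 'servername.company.com'     # FQDN of the CRM server
$Port    = 5555
$TrustedForDelegation = 0x80000         # ADS_UF_TRUSTED_FOR_DELEGATION bit in userAccountControl

function Find-AdAccount([string]$Sam) {
    # Look up one account in the current domain by sAMAccountName
    $searcher = [adsisearcher]"(sAMAccountName=$Sam)"
    $searcher.PropertiesToLoad.AddRange(
        [string[]]('serviceprincipalname', 'useraccountcontrol', 'memberof'))
    $searcher.FindOne()
}

$user    = Find-AdAccount $Account
$machine = Find-AdAccount "$Server`$"   # computer account names end in '$'
if (-not $user -or -not $machine) { throw 'Service account or CRM server not found in AD.' }

# Step 1: both SPNs (NetBIOS and FQDN, each with the port) on the service account
$expected = @("HTTP/${Server}:$Port", "HTTP/${Fqdn}:$Port")
$spns     = @($user.Properties['serviceprincipalname'])
$missing  = $expected | Where-Object { $spns -notcontains $_ }

# The same SPN registered on more than one account breaks Kerberos for that name
$duplicated = $expected | Where-Object {
    ([adsisearcher]"(servicePrincipalName=$_)").FindAll().Count -gt 1
}

# Step 2: delegation flag on the service account AND the CRM machine
$userTrusted    = [bool]($user.Properties['useraccountcontrol'][0] -band $TrustedForDelegation)
$machineTrusted = [bool]($machine.Properties['useraccountcontrol'][0] -band $TrustedForDelegation)

# Step 3: direct membership in PrivUserGroup (matched by the start of the group's CN)
$inPrivUserGroup = [bool](@($user.Properties['memberof']) -like 'CN=PrivUserGroup*')

# Step 4: local IIS_WPG membership; net.exe lists domain members as DOMAIN\name
$inIisWpg = [bool](@(net localgroup IIS_WPG) -match "\\$([regex]::Escape($Account))\s*$")

[pscustomobject]@{
    MissingSpns              = $missing -join ', '
    DuplicatedSpns           = $duplicated -join ', '
    AccountTrustedForDeleg   = $userTrusted
    MachineTrustedForDeleg   = $machineTrusted
    InPrivUserGroup          = $inPrivUserGroup
    InIisWpg                 = $inIisWpg
}
```

Empty MissingSpns and DuplicatedSpns with the four flags all True means the prerequisites are in place; anything else points at the step to revisit.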


Cheers,

This posting is provided "AS IS" with no warranties, and confers no rights.
