DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 929388 - Last Review: March 22, 2013 - Revision: 5.0

Symptoms

When you run the CRMAppPool application pool after you configure the application pool for a domain account user in Microsoft Dynamics CRM, the following message is logged in the Application log:

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1059
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description: A failure was encountered while launching the process serving application pool 'CRMAppPool'. The application pool has been disabled.

Note In this error message, Date and Time represent the actual date and actual time. For example, these values could be "2007-12-12" and "17:53:26.138."

When this issue occurs, the CRMAppPool application pool cannot start. Additionally, you receive the following error message:
Service Unavailable.
This issue occurs even if the domain account user is a member of the local administrator group.

Cause

The issue occurs because the permissions or the user rights of the domain account user are insufficient.

Resolution

To resolve this issue, follow these steps:
  1. Include the domain account user in the following groups in Active Directory:
    • The Domain Users Active Directory group
    • PrivUserGroup
    • SQLAccessGroup
    To do this, follow these steps:
    1. Log on to a server as a user who has the Domain Admin rights or the rights to update these groups.
    2. Right-click the Domain Users group in Active Directory, and then click Properties.
    3. In the Group name box, type the name of the user who is running the CRM Application Pool, and then click OK two times.
    4. Repeat steps b and c for the PrivUserGroup group and for the SQLAccessGroup group.
    If you have more than one Microsoft Dynamics CRM deployment installed, multiple groups exist in Active Directory. To determine the groups that you want to update, follow these steps.

    For Microsoft Dynamics CRM 3.0
    1. Run the following SQL statement against the MSCRM database:
      select organizationid from organizationbase
    2. Note the GUID. For example, the GUID may be C8AB1D52-9383-4164-B571-4C80D46674E3.
    3. Find the PrivUserGroup group and the SQLAccessGroup group in Active Directory. The group name contains the GUID that you noted in step b.
    For Microsoft Dynamics CRM 4.0
    1. Run the following SQL statement against the MSCRM_config database:
      select id, friendlyname from organization
    2. Note the GUID. For example, the GUID may be C8AB1D52-9383-4164-B571-4C80D46674E3 Org Name.
    3. Find the PrivUserGroup group and the SQLAccessGroup group in Active Directory. The group name contains the GUID that you noted in step b.
  2. Include the domain account user in the following groups in the Microsoft Dynamics CRM server:
    • The local IIS_WPG group
    • The local CRM_WPG group
    Note The domain account user must have the following local user rights:
    • The Impersonate a client after authentication right
    • The Log on as a service right
    To do this, follow these steps:
    1. In the Microsoft Dynamics CRM server, click Start, point to Administrative Tools, and then click Local Security Policy.
    2. Expand Local Policies, and then click User Rights Assignment.
    3. Right-click Impersonate a client after authentication, and then click Properties.
    4. Click Add User or Group.

      Note You may have to click Location to select the domain instead of the local computer.
    5. In the Group name box, type the name of the user who is running the CRM Application Pool, and then click OK two times.
    6. Repeat steps 2c through 2e for the Log on as a service right.
  3. Configure the CRMAppPool application pool security account to use a service principal name (SPN). For more information about how to configure SPNs, see the following Configuring service principal names (SPN) document on the Resource Center:
    Configuring service principal names (SPNs) (http://rc.crm.dynamics.com/rc/regcont/en_us/op/articles/configurespn.aspx)
    Note For Microsoft Dynamics CRM 4.0, you do not have to create an SPN for the domain account.
  4. Set up the user account on the Microsoft Dynamics CRM server that is to be trusted for Delegation 1. To do this, follow these steps:
    1. On the domain controller, open Active Directory Users and Computers.

      Note If constrained delegation is available, use a server that is running Windows Server 2003 to open Active Directory Users and Computers. Otherwise, you will not see the options to set constrained delegation.
    2. Expand the domain, and then expand Users.
    3. Right-click the user name, and then click Properties.
    4. Follow the steps for the appropriate method that you are using.

      Full delegation
      1. Click the Account tab.
      2. In the Account options section, scroll down, and then select Account is trusted for delegation.

        Note This option is not displayed if the SPN has not been defined.
      IIS 6.0 and constrained delegation
      1. Click the Delegation tab.
      2. Click Trust this account for delegation to specified services only.
      3. Click Use Kerberos only.
      4. Click Add.
      5. Click Users or Computers, click Advanced, click Find Now, select the Reporting Services server, and then click OK two times.
      6. Select the HTTP service, and then click OK.
  5. Restart the server.

More information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
909588  (http://support.microsoft.com/kb/909588/ ) How to configure Kerberos authentication for Microsoft CRM 3.0 and Microsoft SQL Server Reporting Services

Applies to
  • Microsoft Dynamics CRM 4.0
Keywords: 
kbmbscrm40 kbtshoot kbmbsadministration kberrmsg kbmbsmigrate kbprb KB929388
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support