CRM 4 Async account changed - workflows stopped working

  • Question

  • Hi,

    As part of a security cleanup exercise, we are removing the network admin account from our CRM servers and replacing it with a custom CRM Administrator account.

    The CRM Admin account is a full network administrator - it will be stripped of redundant privileges once we have got it working with our CRM deployment.

    However, when we change the Async logon account to CRM Admin and restart the CRMAsync process, the workflows all fail.

    If we revert back to our network account, the workflows start working again.

    I feel I am missing something obvious?!!

    Our CRM deployment is 1 x CRM 4 Server, 1 x SQL 2008 Server with Reporting Services 2008.

    Thanks for any help !


    Tuesday, March 29, 2011 12:53 PM

All replies

  • Have you tried giving the CRM admin account access in SQL Server?
    Wednesday, March 30, 2011 1:04 AM
  • If you haven't already done so, add the CRM Admin account to the following AD Groups:

    • PrivUserGroup
    • SQLAccessGroup

    --pogo (pat)
    • Proposed as answer by Khaja Mohiddin Tuesday, April 12, 2011 11:26 AM
    Wednesday, March 30, 2011 3:17 AM

  • - I have given the CRM Admin account admin privileges on all the relevant DBs in SQL Server (though as a network admin it should be in the builtin administrators group already?)

    - I have added the CRM Admin account to both the PrivUserGroup and SQLAccessGroup in AD

    After these changes, when I modified the CRMAsync service login identity to CRMAdmin and then ran workflows, they still failed - however they didn't fail immediately (which was the case before). They remained 'In progress' for a few minutes and then failed.

    - On a related matter, the CRM App pool on IIS was also running as the network admin. When I changed this to CRMAdmin, added CRMAdmin to the IIS_WPG group and restarted IIS, CRM requests failed with an authentication error.

    So I guess all these issues are down to missing rights of the CRMAdmin role!

    Do you have any further suggestions?

    Thanks for your help so far.

    Wednesday, March 30, 2011 1:54 PM
  • My next suggestion is to read through the following Support Article to see if there's anything else that's been missed:

    How to install Microsoft Dynamics CRM 4.0 with the minimum required permissions


    --pogo (pat)
    Thursday, March 31, 2011 12:15 AM
  • Hi,

    I reviewed the document and the CRMAsync service is now running under our new CRMAdmin role - success!

    However, when I change the CRMAppPool to the CRMAdmin role and users try to access CRM, they keep getting authentication errors - 401 and failed logons.

    When I log in ON the CRM machine - I can log in as any User without issues.

    Any further clues would be appreciated!


    Thursday, April 7, 2011 5:39 PM
  • You may need to add the "Log on as a batch job" right to the account in CRMAppPool.


    Tuesday, April 12, 2011 11:04 AM
  • - In the IIS manager, after making the change, disable Kernel Mode Authentication and add the appropriate SPNs against the new CRM app pool account.

    - Also add the new app pool account to the PrivUserGroup and the SQLAccessGroup in Active Directory Users and Computers.

    Khaja Mohiddin
    Tuesday, April 12, 2011 11:28 AM
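
A read-only check of the two Active Directory items the replies above call out (membership of PrivUserGroup and SQLAccessGroup, and the SPNs on the new account), written as an added example that is not part of the original thread or of any Microsoft tooling. The account name `CRMAdmin` as a sAMAccountName, the host name `crm.example.local`, and the availability of the ActiveDirectory PowerShell module are assumptions.

```powershell
# Added example: read-only audit of a replacement CRM service account.
# Assumptions (not from the thread): sAMAccountName 'CRMAdmin', CRM site
# host name 'crm.example.local', ActiveDirectory module installed.
Import-Module ActiveDirectory

$AccountName = 'CRMAdmin'            # assumed sAMAccountName
$CrmHost     = 'crm.example.local'   # placeholder host name
$Groups      = 'PrivUserGroup', 'SQLAccessGroup'

$user = Get-ADUser -Identity $AccountName -Properties ServicePrincipalName

# 1. Group membership. Groups are matched by prefix in case the
#    deployment's group names carry a suffix after the base name.
foreach ($base in $Groups) {
    $found = Get-ADGroup -Filter "Name -like '$base*'"
    if (-not $found) {
        Write-Warning "No AD group matching '$base*'"
        continue
    }
    foreach ($g in $found) {
        $isMember = [bool](Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.DistinguishedName -eq $user.DistinguishedName })
        '{0,-60} member={1}' -f $g.Name, $isMember
    }
}

# 2. Is the HTTP SPN for the CRM host registered on the account?
$wanted = "HTTP/$CrmHost"
$hasSpn = $user.ServicePrincipalName -contains $wanted
"SPN $wanted on ${AccountName}: $hasSpn"

# 3. The same SPN on any other object is a duplicate, and duplicate
#    SPNs cause Kerberos authentication to the service to fail.
$others = Get-ADObject -Filter "servicePrincipalName -eq '$wanted'" |
    Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
if ($others) {
    Write-Warning "SPN $wanted is also registered on:"
    $others | ForEach-Object { "  $($_.DistinguishedName)" }
} else {
    "No other object holds $wanted"
}
```

The script changes nothing; registering a missing SPN is a separate step done with `setspn -S`, which refuses to create a duplicate.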