Anyone seen this? -- RetrievePrivilegeForUser failed - no roles are assigned to user

  • Question

  • I think there is a major bug in 2011 concerning adding a user account to an organization (via the regular CRM web interface) where that same user account is the service account running the CRM Application Pool in IIS. I have repeated this process 3 times now and each time, I immediately start getting error screens on every CRM window telling me that my currently logged in ID has no license, no roles, blah, blah, blah. If you then log out, you will not be able to log in again with ANY User ID because it will start complaining that the user account that you added that caused the problem does not exist. The only way I've found to be able to even get back into your system is to restore the database to a backup prior to adding the user, or go directly to the database and make complex and unsupported changes to both the Organizational database and the Config database. It is VERY BAD that you can do something as innocent as use the Settings | Administration | Users page correctly, and have it totally whack your entire organization. Has anyone else had this problem? Can someone from Microsoft try this?
    • Moved by Chris Wirth Monday, July 25, 2011 5:27 PM (From: Dynamics CRM)
    • Moved by Donna Edwards MVP Thursday, August 25, 2011 7:16 PM (From: CRM Development)
    • Changed type Donna Edwards MVP Saturday, September 3, 2011 7:59 PM
    Sunday, July 24, 2011 6:35 AM

All replies

  • I've just confirmed the behavior on a VMware machine and think I recall a reference in the implementation guide that states the user running the App Pool should not be a CRM User account. Here is the related error when you try to add the user:

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: SecLib::RetrievePrivilegeForUser failed - no roles are assigned to user. Returned hr = -2147209463, User: a2a7d56a-4dcf-e011-851d-000c29839d4c
    Detail:
    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
      <Message>SecLib::RetrievePrivilegeForUser failed - no roles are assigned to user. Returned hr = -2147209463, User: a2a7d56a-4dcf-e011-851d-000c29839d4c</Message>
      <InnerFault i:nil="true" />
      <TraceText i:nil="true" />

    And here is the screenshot when you try to log back into the CRM org with a valid Deployment Admin. 

    Regards, Donna

    Thursday, August 25, 2011 7:16 PM
  • This just happened to us using 2013... unbelievable.

    Does anyone have a solution for this? We will lose literally 100s of hours of work...


    Here is the solution...


    • Edited by neostile Monday, September 15, 2014 7:39 PM
    Monday, September 15, 2014 7:32 PM