invalid user authorization - the user authentication passed to the platform is not valid - cannot login with certain profile

  • Question

  • We recently moved our network onto new servers and when I import the organization, one of the users has issues.

    History: on the old network, this user was set up to sign in as the Domain Admin and the CRM profile would have that AD profile but with the real name. At some point, I changed them over to their actual AD profile name and took on the administrator profile.

    The current issue is that the other person cannot login to CRM with their actual AD profile name.  It gives the error stated above.

    I have used an admin to remove and give roles, but when I went in as the domain\administrator and removed the roles from domain\client, it removed the roles from the domain\administrator itself and booted me out. Of course I went back in as another admin and gave myself back the roles.

    How can I fix this?

    If this is something that is not easily fixed, I would be willing to have a specialist come out and do this fix and pay the going rate.

    Tuesday, February 2, 2010 8:22 PM

Answers

  • As I understand, you redeployed Dynamics CRM to a new Active Directory and you mapped users manually or automatically?
    It looks like Dynamics CRM has two users matching just now to one.

    Resolution (unfortunately unsupported) is to edit the Organization DB and Configuration DB and match the Active Directory UID and Dynamics User GUID.

    Check in Organization DB table: UserSettings

    and in Configuration DB (MSCRM_CONFIG) table: SystemUserOrganizations

    Verify it with Active Directory (you can use dsquery to find the AD UID).

    When you find these records you may delete them (and create the user with the right name).

    NOTE: Please remember to take a backup of both your Dynamics CRM databases, because direct operations on your DBs are not supported by Microsoft.


    My Dynamics CRM Blog: http://bovoweb.blogspot.com
    • Marked as answer by Jim Glass Jr Thursday, February 4, 2010 6:50 PM
    Wednesday, February 3, 2010 12:00 PM

All replies

  • Not sure if you got this fixed, but I had a similar problem when I migrated my CRM 4.0 from one domain to another... and at the same time went from W2k3 to W2k8. In both cases I used SQL2K5, but again the SQL server was moved as well. Here is what I found. (This assumes you have installed SQL \ CRM & have already imported your organization.)

     
    Add the account you installed CRM with to the DBO schema for all CRM databases

    1)      Disable the Organization you created for your new instance when you installed CRM (default install).

    2)      Enable the new organization that you imported  and set it as your default

    a.       Restart the server

    b.      Or try iisreset and restart the async service for CRM

    3)       If that does not work, try removing\deleting the default installed CRM org. from deployment mgr. (Do not delete the one you imported.)

    Restart server

    After that when logging into CRM from my computer I got this error: Server Error In '/' Application Runtime error.

    When I tried to access CRM from the server I got a different error message... Then I re-read the MS KB950100 and found something that was confusing, but in the end I got CRM migrated and up and running:

    The article states that on a 2K8 install CRM must be installed under a Network Service account, AKA don't create an account, let Windows handle it. (That statement only applies to W2K8 per the MS article.)

    Later in the document it says to add the account you created to the IIS_USRS & CRM_WPG group; since one was not created, I added the local NETWORK Service account to both groups and restarted the server.

     

    -          I am suspecting the MS document is poorly written… as it would make sense to create an account, but that is not how the document is written.

    Then I got the following message when I tested from the  URL from the server:

    System.InvalidOperationException: ExecuteNonQuery requires the command to have a transaction when the connection assigned to the command is in a pending local transaction. The Transaction property of the command has not been initialized.

     

    To get the system up and running again you have to do the following:

    1.     Identify the identity of the account being used by the IIS application pool.

    a.       In my case it was the Network Service account.

    2.     Ensure the app pool identity for IIS has a SQL user assigned for the organization database.

     **Again this was the local group on the CRM\SQL server called Network Service

    3.     Grant the app pool identity the db_owner right on the organization database. To do this follow the steps listed below:

    a.       Connect to SQL, open roles... add the user into the SYSADMIN role, and be sure to check the box for the schema DBO.

    b.      Or click Security, then choose Logins, right-click and choose New. Now select your user (choose Windows account or local depending upon your setup); for me, I typed network service and clicked Search. On the left click Server Roles and click sysadmin. Now click User Mappings and check the boxes for MSCRM_CONFIG and XXXX_MSCRM (where XXXX is the db org name). Now click OK.

    c.       Or create a new role and assign that role to the user if you don't or can't grant it sysadmin. The new account would still need access to the schema dbo.

    4.     Restart IIS & you should get logged in!!

     

    Good luck, and I hope this helps

    • Proposed as answer by ntschultz Wednesday, March 31, 2010 4:27 PM
    Wednesday, March 31, 2010 4:26 PM
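
    Added example (not part of the original post, and not the poster's or Microsoft's own script): the db_owner grant from step 3 of the reply above, done in T-SQL and scoped to the organization database only, followed by checks of what the identity ended up with. It assumes the app pool runs as NT AUTHORITY\NETWORK SERVICE, as in the post, and XXXX_MSCRM stands for your organization database name.

```sql
-- Added example: give the IIS application pool identity db_owner on the
-- organization database only, then check its database and server roles.
-- Assumptions: the app pool identity is NT AUTHORITY\NETWORK SERVICE (as in
-- the post); XXXX_MSCRM is a placeholder for the organization database name.
-- Uses SQL Server 2005 syntax (sp_addrolemember rather than ALTER ROLE).

USE [master];
GO
-- 1. Create the Windows login only if it does not exist yet.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;
GO

USE [XXXX_MSCRM];   -- placeholder: replace XXXX with the org database name
GO
-- 2. Map the login to a database user whose default schema is dbo.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE USER [NT AUTHORITY\NETWORK SERVICE]
        FOR LOGIN [NT AUTHORITY\NETWORK SERVICE]
        WITH DEFAULT_SCHEMA = [dbo];
GO
-- 3. Grant db_owner in this database only (no server-wide role involved).
EXEC sp_addrolemember N'db_owner', N'NT AUTHORITY\NETWORK SERVICE';
GO

-- 4. Verify: list every database role the identity now holds here.
SELECT r.name AS database_role, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'NT AUTHORITY\NETWORK SERVICE';

-- 5. Audit: IS_SRVROLEMEMBER returns 1 if the login is in sysadmin, 0 if not.
--    A result of 1 means the identity has full control of the whole instance,
--    not just the CRM databases.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'NT AUTHORITY\NETWORK SERVICE')
       AS is_sysadmin;
```

    Run it as a login that is allowed to create logins and manage the organization database.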
  • As I understand, you redeployed Dynamics CRM to a new Active Directory and you mapped users manually or automatically?
    It looks like Dynamics CRM has two users matching just now to one.

    Resolution (unfortunately unsupported) is to edit the Organization DB and Configuration DB and match the Active Directory UID and Dynamics User GUID.

    Check in Organization DB table: UserSettings

    and in Configuration DB (MSCRM_CONFIG) table: SystemUserOrganizations

    Verify it with Active Directory (you can use dsquery to find the AD UID).

    When you find these records you may delete them (and create the user with the right name).

    NOTE: Please remember to take a backup of both your Dynamics CRM databases, because direct operations on your DBs are not supported by Microsoft.


    My Dynamics CRM Blog: http://bovoweb.blogspot.com


    Can you please elaborate a little more on the above mentioned solution?

    How do I use the dsquery command, and what exact steps do I have to make to match the IDs of AD and CRM?

     

    Thank you in advance


    Dimitris Missiris Dynacom Ltd Greece
    Wednesday, July 28, 2010 1:26 PM
  • Good day!

    I am dealing with the same error as you.

    Have you found a solution for this error?

    Monday, May 23, 2011 9:57 AM
  • Have a look at this post: http://www.yousavirtual.com/index.php/install-and-config/87/75

     

     


    CRM Consultant
    Tuesday, May 24, 2011 6:24 AM