Could not create crm user (one way trusted domain)

  • Question

  • Hi.

    We have 2 domains:

    Forest A Domain A . Contains CRM server

    Forest B Domain B  users would access to the CRM

    Domain A trust domain B.

     

    When we create a CRM user based on a user in domain B with the web interface, the CRM application automatically populates the user information.

     

    When we save the user we receive an error page: You are attempting to create a user with a domain logon that does not exist. Select another domain logon and try again.

     

    After activating the CRM trace, see below:

     

    MSCRM Error Report:
    --------------------------------------------------------------------------------------------------------
    Error: Exception has been thrown by the target of an invocation.
    Error Number: 0x80041D2A
    Error Message: LookupAccountNameW failed with error
    Error Details: LookupAccountNameW failed with error
    Source File: Not available
    Line Number: Not available
    Request URL: http://xxx:5555/CRMServer/biz/users/edit.aspx?_CreateFromType=10&_CreateFromId={D457C7FE-D62B-DD11-AF69-005056A676D4}

    Stack Trace Info: [CrmSecurityException: LookupAccountNameW failed with error]
       at Microsoft.Crm.BusinessEntities.SecurityUtils.GetSidFromAccount(String accountName)
       at Microsoft.Crm.BusinessEntities.SecurityUtils.AddPrincipalToGroupByName(String principalName, Guid groupId)
       at Microsoft.Crm.BusinessEntities.SecurityLibrary.AddPrincipalToGroupByName(String NTName, Guid groupId)
       at Microsoft.Crm.ObjectModel.SystemUserServiceInternal`1.CreateInternal(Guid organizationId, IBusinessEntity systemuser, ExecutionContext context)
       at Microsoft.Crm.ObjectModel.SystemUserServiceInternal`1.Create(IBusinessEntity systemuser, ExecutionContext context)

    [TargetInvocationException: Exception has been thrown by the target of an invocation.]
       at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)

     

    It seems the SID associated with the user could not be resolved by the LookupAccountNameW method in advapi32.dll.

     

    The documentation in MSDN says:

    The LookupAccountName function attempts to find a SID for the specified name by first checking a list of well-known SIDs. If the name does not correspond to a well-known SID, the function checks built-in and administratively defined local accounts. Next, the function checks the primary domain. If the name is not found there, trusted domains are checked.

    Use fully qualified account names (for example, domain_name\user_name) instead of isolated names (for example, user_name). Fully qualified names are unambiguous and provide better performance when the lookup is performed. This function also supports fully qualified DNS names (for example, example.example.com\user_name) and user principal names (UPN) (for example, someone@example.com).

    In addition to looking up local accounts, local domain accounts, and explicitly trusted domain accounts, LookupAccountName can look up the name for any account in any domain in the forest.

     

     

    The remark indicates that the method can look up the name for the account in any domain in the forest, but what happens if the two domains are in different forests?

     

    Could you help me to solve this issue?

     

    Angelo

     

    Thursday, November 13, 2008 5:02 PM

Answers

    Sorry for my post and my analysis. The source of the problem is not the trust but the type of groups used by the CRM.

    When you add a CRM user, it's added in two groups:

    UserGroup<organisation GUID>

    ReportingGroup<organisation GUID>

    The group's scope is GLOBAL when CRM is installed. You need to change the scope to LOCAL to be able to add users coming from another domain, or any trusted domain. To do that we need to create new groups and change the record in the organisation table in CRM to reference the new GUID associated with these groups.

    To finish, add the user in CRM to these new groups.

    I hope this post could help you.

    Friday, November 14, 2008 4:24 PM
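A diagnostic script for the situation in this thread, added here as an example and not taken from the thread or from CRM itself. It reproduces the SID lookup that fails in the trace and then reports the scope of the two organisation groups named in the answer above; it assumes the RSAT ActiveDirectory module is installed on the CRM server, that the group names contain the organisation GUID as described, and uses a constructed sample logon and a placeholder organisation GUID.

```powershell
# Added example: reproduce the SID lookup CRM performs and check the scope of
# the CRM organisation groups. The sample logon and org GUID are placeholders.
param(
    [string]$UserAccount = 'DOMAINB\jdoe',                        # constructed sample logon
    [string]$OrgGuid     = '00000000-0000-0000-0000-000000000000' # placeholder org GUID
)

Import-Module ActiveDirectory

# Step 1: resolve the account to a SID with NTAccount.Translate, which goes
# through the same LookupAccountName path as CRM's GetSidFromAccount.
# A fully qualified DOMAIN\user name avoids the ambiguous isolated-name lookup.
try {
    $sid = ([System.Security.Principal.NTAccount]$UserAccount).Translate(
               [System.Security.Principal.SecurityIdentifier])
    Write-Host "Resolved ${UserAccount} to $($sid.Value)"
} catch {
    Write-Warning "LookupAccountName failed for ${UserAccount}: $($_.Exception.Message)"
}

# Step 2: check the scope of the two groups CRM adds users to.
# Global groups can only contain members of their own domain; DomainLocal
# groups can also contain principals from trusted domains, which is why the
# answer above requires LOCAL scope for cross-domain users.
foreach ($prefix in 'UserGroup', 'ReportingGroup') {
    $group = Get-ADGroup -Filter "Name -like '$prefix*$OrgGuid*'"
    if (-not $group) {
        Write-Warning "No $prefix group for organisation $OrgGuid found in the CRM domain"
        continue
    }
    $state = if ($group.GroupScope -eq 'DomainLocal') { 'OK' } else { 'needs DomainLocal scope' }
    # The objectGUID is the value the CRM organisation record must reference
    # if a replacement group is created, as the answer describes.
    "{0} scope={1} objectGUID={2} -> {3}" -f $group.Name, $group.GroupScope, $group.ObjectGUID, $state
}
```

Run it on the CRM server as an account that can read group objects; a failure in step 1 matches the 0x80041D2A case in the trace, while step 2 shows whether the group scope change from the answer is still needed.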

All replies

  • I don't know the details of how LookupAccountName works, but it may be that you'll need a two-way trust to make this work. The reason I think this is the case is that the CRM server code wants to read AD information about the user (e.g. their name, email address etc.), and will have to connect to a domain controller in the user's domain to get this information (which I assume is where LookupAccountName comes in).

    Friday, November 14, 2008 12:48 PM
    Moderator
  • David, as I explained in the post, when you enter the logon name for the user the form is populated with the user information. In this phase the AJAX code in CRM calls a web service on CRM to retrieve the user information. When you save the customer, the create method in the web service uses the LookupAccountName method to retrieve the SID. After analysing the assembly with Reflector, the SID is used to check that the user is not a local user.

    I don't know why I could retrieve the user information from Active Directory but not this SID. Is it a limitation of the one-way trust between the CRM domain and the user domain?

     

    Angelo

    Friday, November 14, 2008 1:16 PM
  • Hi,

     

    It will be great if you can let me know how you set it to domain local.

     

    Is it something that we can access from the CRM setup? OR in my active directory?

    Monday, April 25, 2011 6:00 PM
  • Hi Apacifico,

    Can you please let me know where I have to change the user groups? Is the organisation table in the database or in the CRM web interface?


    Regards, Vijeesh
    Tuesday, April 26, 2011 9:31 AM
    Hi apacifico,

    I am getting the same error, but I have checked my groups and they are LOCAL.

    I am still getting the same error. Do you have any thoughts on this? It would be really helpful to me.

    Thanks in advance.

    Regards,

    yes.sudhanshu


    http://bproud2banindian.blogspot.com
    http://ms-crm-2011-beta.blogspot.com

    Thursday, May 2, 2013 2:07 AM