Adding the windows account which is running the CRM services/IIS AppPool breaks CRM2011

  • Question

  • Hello,

    If I add the CRM AD account which is running the CRM service/IIS App Pool as a CRM user no users can access CRM2011 anymore. Instead we get error:
    HTTP Error 401.1 - Unauthorized
    You do not have permission to view this directory or page using the credentials that you supplied.

    There is a similar issue already with this URL in the CRMBeta-Forum which seems to be closed:

    http://boardreader.com/thread/Adding_the_windows_account_which_is_runi_6f9yq__866c6007-d57a-42cf-9519-587587b88b52.html

    I did exactly this:
    1) Create a new organisation in CRM Deployment Manager
    2) Login using ADFS with the user that created the new organisation and thus had the role system administrator
    3) Adding a fully functioning user from another CRM organisation with roles to this new organisation
    4) Then added the user which is also used to run the CRM appPool service to this new organisation
    5) This user gets resolved properly but after saving this user no one can log in anymore to this organisation; iisreset, restarting the browser etc. does not help.
    6) now every user trying to log on (also the one with system administrator rights in this organisation) gets the error with the red x:

    License error
    The selected user or the user trying to log on has not been assigned a security role, and does not have sufficient privileges for this action. For more information, contact your Microsoft Dynamics CRM administrator.

    Now EVERY user seems to be thoroughly logged out. What can I do in order to get back into the system other than re-installing the organisation or the server or some such?
    Could MS make available the old thread of the beta-forum or post the contents here?

     


    Thank you

    Andreas


    Andreas
    Wednesday, June 8, 2011 1:03 PM

Answers

  • Andreas,

    Looking at the link reply you posted: "This is a known issue. The service account for the CRM Services, such as IIS, Async Service, etc., cannot be a CRM user. In order for an account to be the service account it becomes a highly privileged account (higher than it would be as a CRM user). By creating a CRM user with the same AD account, the system won't know how to authenticate the user. Michael Marked As Answer by Donna Edwards."

    So the moral of the story is, don't add the svc account as a CRM user, yeah? Having said that, I did manage to get 'past' this restriction by doing the following:

    1) Add SVC account as Deploy Admin

    2) Run deploy admin as SVC account and provision an ORG

    3) SVC account is now a user in CRM

    Still rather confused over this..

    Cheers,

    Dan

    Wednesday, June 22, 2011 5:53 AM

All replies

  • Hello Andreas,

    Did you ever find out the resolution for this issue?  We're having the same exact issue.

    Thanks,

    Steve

    Monday, June 13, 2011 11:16 PM
  • Hi Andreas,

     

    Interestingly enough, I am seeing the same issue with CRM 2011 RTM MSDN license and SQL 2008 R2 setup.

    Do you have any updates on this?

     

    Cheers,

    Dan Chia

    Wednesday, June 22, 2011 3:57 AM
  • Update: Tested the same scenario with Microsoft's CRM2011 lab setup eval copy and confirmed that it WILL break the system as soon as I add CONTOSO\CRM_SERVICES as a user in the CRM system..

    Cheers,
    Dan

    Wednesday, June 22, 2011 11:41 AM
  • Sounds like a Kerberos issue. The app pool was authenticated before by network service, which is a local account or machine account.

    Within AD, the machine account is delegated for Kerberos authentication between AD, the application server and the SQL server.

    The SPN on the app server machine account is read and the SQL server allows authentication.

    Delegate Kerberos authentication to the account on the app pool.

     


    Curtis J Spanburgh
    Wednesday, June 22, 2011 7:26 PM
    Moderator
  • You cannot make the CRMAppPool user account a CRM user.

    http://support.microsoft.com/kb/2593042


    Regards, Donna

    Thursday, January 12, 2012 2:50 PM
  • Unfortunately I did the same thing and added the App Pool Account as a new user. How do I undo this and go back to the state where it was before I added this user to CRM?

     

    Thanks!

    Thursday, January 26, 2012 8:59 PM
  • Based on the KB article you can

    1. Resolution Change the CRMAppPool user account to a new Active Directory user account.
    2. Resolution Change the CRM user to a new Active Directory user account which is not tied to any CRM services

    http://support.microsoft.com/kb/2593042


    Regards, Donna

    Thursday, January 26, 2012 9:12 PM
  • Thanks for the quick reply.

    Resolution #2 seems not possible as I cannot even go to Users page in CRM. I keep getting this error message.

    Thursday, January 26, 2012 9:37 PM
  • Agree, it would have to be a direct database update which I don't recommend.  I would go with option #1 and see if that works.

    Regards, Donna


    Thursday, January 26, 2012 9:41 PM
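
A pre-flight check for the restriction discussed in this thread, as an added example that is not part of the original posts or of Microsoft's tooling: it lists the accounts running the CRM app pool and CRM Windows services on the application server and flags any that appear in a list of logons you intend to add as CRM users. Assumptions: the app pool is named `CRMAppPool` as in the thread, CRM service names start with `MSCRM`, and the function names and sample user list are hypothetical.

```powershell
# Added example (not from the thread). Run on the CRM application server
# before adding users, to flag AD accounts that also run CRM services.
Import-Module WebAdministration

function Get-CrmServiceIdentity {
    param(
        [string]$AppPoolName   = 'CRMAppPool',          # name used in the thread
        [string]$ServiceFilter = "Name LIKE 'MSCRM%'"   # assumption: CRM service names start with MSCRM
    )
    $found = @()
    # App pool identity: userName is only populated for identityType SpecificUser.
    $pm = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
    if ($pm.identityType -eq 'SpecificUser' -and $pm.userName) {
        $found += New-Object PSObject -Property @{ Source = "AppPool:$AppPoolName"; Account = $pm.userName }
    }
    # Windows services (Async Service etc.): StartName holds the logon account.
    Get-WmiObject Win32_Service -Filter $ServiceFilter | ForEach-Object {
        $found += New-Object PSObject -Property @{ Source = "Service:$($_.Name)"; Account = $_.StartName }
    }
    $found
}

function Test-CrmServiceAccountOverlap {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$CrmUserLogons,                        # DOMAIN\user logons to be added as CRM users
        [object[]]$ServiceIdentities = (Get-CrmServiceIdentity)
    )
    # -contains is case-insensitive. Only the DOMAIN\user form is compared;
    # built-in identities (LocalSystem, NT AUTHORITY\...) never match an AD logon.
    $wanted = $CrmUserLogons | ForEach-Object { $_.Trim() }
    $ServiceIdentities | Where-Object { $_.Account -and ($wanted -contains $_.Account.Trim()) }
}

# Constructed sample input; CONTOSO\CRM_SERVICES is the account named in the thread.
$candidates = 'CONTOSO\jdoe', 'contoso\crm_services'
$hits = Test-CrmServiceAccountOverlap -CrmUserLogons $candidates
if ($hits) {
    $hits | Format-Table Source, Account -AutoSize
    Write-Warning 'These accounts run CRM services and must not be added as CRM users.'
} else {
    'No overlap between CRM service identities and the supplied user list.'
}
```

If a service identity is configured in UPN form (user@domain), convert it to DOMAIN\user before comparing, since the check matches on the literal string.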