I did something very stupid yesterday but luckily I knew what the problem was almost as soon as I had done it.
I was looking to add a user to an organisation so I could log in to CRM as a different user with a different security role to see what they can do.
I added the user and then, before I could add a security role, I couldn’t log in, and it was complaining I didn’t have the correct security role. Hmmm, what had happened? Had someone removed my user? (They could have done, because there were 3 system admins; if there was only one and my user was that user, then it can’t be removed.)
Next I noticed the person next to me couldn’t log in, and in fact no one could log in.
CRM was completely knocked out again, the 3rd time this week on 3 different CRM 2011 installations, although this time this was completely my fault.
I had added this user to the DEV CRM organisation, which is held on a different server.
I logged onto the problem CRM 2011 server and looked in the event log; there were errors about tracing and .NET 4 errors.
I then looked at the user in the CRM app pools, it was the user I had tried to add to CRM. This was also the user who was running the CRM services.
Oh damn, I had just added the CRM service account as a user in CRM 2011.
For those of you who do not know (or haven’t installed CRM 2011): never add the CRM service account to an organisation, it will break everything. The CRM service account CANNOT exist in a CRM organisation. This is one of those important bold messages in the CRM installation instructions, oops.
You might also see this message:
ecLib::RetrievePrivilegeForUser failed – no roles are assigned to user. Returned hr = -2147209463, User: [userid]
Microsoft have a KB article for people who do this.
They explain the cause:
By default, when a CRM user is created in Microsoft Dynamics CRM, the user has no security roles. Because the CRM service account is mapped with the newly created user, the CRM service account cannot operate anything. Therefore, the system crashes.
This behavior is by design. Making the account that is running the CRMAppPool into a Microsoft Dynamics CRM user is not supported.
The resolution isn’t that helpful:
Keep the CRM service account as a dedicated service account.
What I would have really liked to do was to remove the service account user from the CRM organisation, but I couldn’t log in to do this. I couldn’t figure out what use it was looking at the tables in the SQL database, and this wouldn’t be supported, so this wasn’t an option.
So I had to add a new user in Active Directory (you can use another user already set up); I copied the previous user. I then went to Add/Remove Programs, clicked on CRM 2011 and chose Repair.
I then put the new user into the service account choices in the repair. I had to add the user to the performance counter; you can read how to do that here.
Once the CRM 2011 repair had gone through, CRM 2011 was back up and working. Running the repair is easier than changing all the places where the CRM service account is used, and it might also change some other settings in the SQL database and possibly Active Directory groups.
I’m not entirely sure why adding the service account to CRM 2011 causes this error, but I think it’s basically to do with privileges. When you add a user they start off with no user role; this might mean it can’t read certain tables, which the service account needs to do to work properly.
Luckily I managed to fix CRM 2011 pretty quickly before anyone started to complain, but one of the reasons was that I did it at 5.15, so most people were off home, but I did have to stay an extra 30 minutes after work to fix it.
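
A pre-flight check for the mistake described above, as an added example that is not part of the original post or of Microsoft's KB article: run on the CRM server before creating a CRM user, it compares the candidate account with the identity of CRMAppPool and the logon accounts of the CRM Windows services. The "MSCRM" service-name prefix and the sample account name are assumptions.

```powershell
# Added example. Run elevated on the CRM server itself before creating the CRM user.
# Assumptions: the application pool is named CRMAppPool (as in the KB text) and
# the CRM Windows services have names starting with "MSCRM".
param([Parameter(Mandatory = $true)][string]$Candidate)   # e.g. CONTOSO\jsmith (constructed)

Import-Module WebAdministration

function Resolve-Sid([string]$Account) {
    # Compare SIDs rather than strings, so differently written names
    # for the same account still match.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # built-in identities such as LocalSystem may not translate
}

$candidateSid = Resolve-Sid $Candidate
if (-not $candidateSid) { throw "Cannot resolve '$Candidate' to a SID." }

$inUse = @()

# Identity of the CRM application pool (userName is only set for SpecificUser).
$pool = Get-Item 'IIS:\AppPools\CRMAppPool'
if ($pool.processModel.identityType -eq 'SpecificUser') {
    $inUse += New-Object psobject -Property @{
        Source = 'AppPool CRMAppPool'; Account = $pool.processModel.userName }
}

# Logon accounts of the CRM Windows services.
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSCRM%'" | ForEach-Object {
    $inUse += New-Object psobject -Property @{
        Source = "Service $($_.Name)"; Account = $_.StartName }
}

# Any component whose account resolves to the candidate's SID is a blocker.
$hits = @($inUse | Where-Object { (Resolve-Sid $_.Account) -eq $candidateSid })
if ($hits.Count -gt 0) {
    $hits | Format-Table Source, Account -AutoSize
    Write-Error "'$Candidate' runs CRM components. Do not add it as a CRM user."
    exit 1
}
"'$Candidate' is not used by CRMAppPool or the MSCRM* services."
```

Because the organisation being edited can live on a different server from the one whose service account is affected, the check has to be run on each CRM server that shares the account.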