
RetrievePrivilegeForUser failed – no roles are assigned to user


I had a very interesting issue this morning in one of our on-premise dev environments. The issue was that, all of a sudden, one of our organizations was not accessible at all; I was able to access the other organizations on the same server. The same error message was shown to all users, regardless of whether the user had an admin or an ordinary user role. I stumbled for some time with this issue, then enabled CRM trace to capture the actual error message. The error message was:

“Crm Exception: Message: SecLib::RetrievePrivilegeForUser failed – no roles are assigned to user Returned hr = -2147209463, User: fe0d891a-87ea-e411-80d4-00155d016008, ErrorCode: -2147209463”

I knew I had the System Administrator role, though I verified this by querying SQL Server. Then I queried CRM for the user with the GUID shown in the trace log. SQL returned a user name for the GUID that was not my user name at all; it was the service account name used by the CRM app pool in IIS.

When I googled this error message, I found a Microsoft KB article with the exact error message:

https://support.microsoft.com/en-us/kb/2500917/

Issue:

By default, when a CRM user is created in Microsoft Dynamics CRM, the user has no security roles. Because the CRM service account is mapped with the newly created user, the CRM service account cannot operate anything. Therefore, the system crashes.

This behavior is by design. Making the account that is running the CRMAppPool into a Microsoft Dynamics CRM user is not supported.

Resolution:

Keep the CRM service account as a dedicated service account.

The KB article explains the issue, but it does not provide a resolution to fix it.

To fix this issue, I followed the steps below:

1. Disabled the organization using Deployment Manager.

2. Once disabled, deleted the organization from Deployment Manager.

3. Re-imported the organization. While re-importing, in the user mapping step, removed the service account user (CRM app pool) mapping and kept all other user mappings as they were.

Once the organization was imported, everything worked like a charm.

The real story is that one of our new team members added the service account as a CRM user, which caused this issue.
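The lookup described above (resolving the GUID from the trace to an account and checking its roles) can be written as T-SQL against the organization database. This is an added example, not the query used in the original post; it assumes the standard on-premises tables `SystemUserBase`, `SystemUserRoles` and `RoleBase`, and the app pool account name is a placeholder.

```sql
-- Run in the organization database (typically <OrgName>_MSCRM). Read-only.
-- Table and column names assume the standard on-premises CRM schema.

DECLARE @TraceUserId uniqueidentifier = 'fe0d891a-87ea-e411-80d4-00155d016008'; -- GUID from the trace line
DECLARE @AppPoolAccount nvarchar(256) = N'DOMAIN\crm-apppool-svc';              -- placeholder: your CRMAppPool identity

-- 1. Resolve the GUID from the trace to an account and list its roles.
--    A single row with RoleName = NULL means the user exists but holds no roles.
SELECT u.SystemUserId, u.DomainName, u.FullName, u.IsDisabled, r.Name AS RoleName
FROM dbo.SystemUserBase AS u
LEFT JOIN dbo.SystemUserRoles AS ur ON ur.SystemUserId = u.SystemUserId
LEFT JOIN dbo.RoleBase        AS r  ON r.RoleId        = ur.RoleId
WHERE u.SystemUserId = @TraceUserId;

-- 2. Check whether the app pool identity exists as a CRM user in this organization,
--    and when and by whom the record was created. Any row returned here is the
--    unsupported configuration described in the KB article.
SELECT u.SystemUserId,
       u.DomainName,
       u.IsDisabled,
       u.CreatedOn,
       c.DomainName       AS CreatedByAccount,
       COUNT(ur.RoleId)   AS RoleCount
FROM dbo.SystemUserBase AS u
LEFT JOIN dbo.SystemUserRoles AS ur ON ur.SystemUserId = u.SystemUserId
LEFT JOIN dbo.SystemUserBase  AS c  ON c.SystemUserId  = u.CreatedBy
WHERE u.DomainName = @AppPoolAccount
GROUP BY u.SystemUserId, u.DomainName, u.IsDisabled, u.CreatedOn, c.DomainName;

-- 3. List every enabled user that has no security role at all,
--    newest first, to spot recently added accounts.
SELECT u.SystemUserId, u.DomainName, u.FullName, u.CreatedOn
FROM dbo.SystemUserBase AS u
WHERE u.IsDisabled = 0
  AND NOT EXISTS (SELECT 1
                  FROM dbo.SystemUserRoles AS ur
                  WHERE ur.SystemUserId = u.SystemUserId)
ORDER BY u.CreatedOn DESC;
```

Running query 2 in each organization on the server shows whether any other organization has the same mapping before it becomes inaccessible.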
