Archive

Posts Tagged ‘RetrievePrivilegeForUser failed – no roles are assigned to user’

RetrievePrivilegeForUser failed – no roles are assigned to user

April 24, 2015 1 comment

I had a very interesting issue this morning in one of our on-premise dev environment.  Issue was all of sudden one of our organization not accessible at all , i was able to access other organization on the same server. Same error message was shown to all the user regardless user has admin or ordinary user role.  I stumbled for sometime with this issue then enabled crm trace to capture actual error message. The error message was

“Crm Exception: Message: SecLib::RetrievePrivilegeForUser failed – no roles are assigned to user Returned hr = -2147209463, User: fe0d891a-87ea-e411-80d4-00155d016008, ErrorCode: -2147209463” . I knew I have system administrator role though i just verified this by querying the sql server. Then i queried crm for an user with guid shown in the trace log. Sql returned user name of the Guid that is not at all my user name that’s service account name used in CRM App pool of IIS.

When googled with this error message I found a Microsoft KB article with exact error message

https://support.microsoft.com/en-us/kb/2500917/

Issue :

By default, when a CRM user is created in Microsoft Dynamics CRM, the user has no security roles. Because the CRM service account is mapped with the newly created user, the CRM service account cannot operate anything. Therefore, the system crashes.

This behavior is by design. Making the account that is running the CRMAppPool into a Microsoft Dynamics CRM user is not supported.

Resolution:

Keep the CRM service account as a dedicated service account.

Kb article explains the issue  but it does not provide resolution to fix the issue.

To fix this issue  i followed below steps

1.Disabled Organization using deployment manager

2.Once disabled, deleted the organization from the deployment Manger

3.Re-imported the organization , while re-importing in user mapping step removed service account user ( CRM App pool)  mapping and and kept all other user mapping as it is.

Once Organization imported everything worked like a charm.

The real story is, one of our new team memebr added service account as a crm user that caused this issue.