Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Problems in CRM when the CRMAppPool user account is a CRM user


View products that this article applies to.

Symptoms

Various operation of CRM may fail when the CRMAppPool account is configured as a CRM user. 
  • Data Import may fail
  • CRM Outlook Clients may not configure
  • Async Operations may have unexpected behaviour including Workflows stopping with a Failed status
  • No users can access CRM
  • IFD access may fail for some or all users
  • Date/Time fields may not display correct timezone offset

↑ Back to the top


Cause

The CRMAppPool account is considered the “SYSTEM” user in CRM. It is not a true user, and shouldn’t be. It is allowed access in CRM through the PrivUserGroup in Active Directory, along with other groups that it is a member of on the CRM server and through internal CRM platform and application code.

Many CRM operations are called through the CRM API's udner the context of the SYSTEM user account. If the CRMAppPool user account is a CRM user these calls will run under the context of the CRM user and not the SYSTEM user and could fail to execute in various parts of CRM described in the Symptoms section.

Once this user is created it may cause various problems if the following is not met:

  • The user has been disabled
  • The user has not been granted a security role
  • The role does not contain all privileges to complete various operations including hidden roles

↑ Back to the top


Resolution

  1. Resolution 1: Change the CRMAppPool user account to a new Active Directory user account.
  2. Resolution 2: Change the CRM user to a new Active Directory user account which is not tied to any CRM services.

↑ Back to the top


More Information

Please refer to the CRM Implementation Guide for setting up service accounts.

  • We strongly recommend that you select a low-privilege domain account that is dedicated to running these services and is not used for any other purpose. Additionally, the user account that is used to run a Microsoft Dynamics CRM service cannot be a Microsoft Dynamics CRM user. This domain account must be a member of the Domain Users group. Additionally, if the Asynchronous Service and Sandbox Processing Service roles are installed, such as in a Full Server or a Back End Server installation, the domain account must a member of the Performance Log Users security group.

↑ Back to the top


Keywords: kbmbspartner, kbmbsmigrate, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 2593042
Revision : 1
Created on : 1/7/2017
Published on : 9/20/2011
Exists online : False
Views : 328