Hopefully you are fortunate enough to never experience this in the field, however when some smart aleck decides to add the CRM App Pool service account as an actual CRM System User. You will get an error similar to this:
Exception information:
Exception type: CrmException
Exception message: SecLib::RetrievePrivilegeForUser failed - no roles are assigned to user. Returned hr = -2147209463, User: b1eda2c8-dbbd-e511-b14d-0050569b5b86
at Microsoft.Crm.Application.Platform.ServiceCommands.PlatformCommand.XrmExecuteInternal()
at Microsoft.Crm.Application.Platform.ServiceCommands.RetrieveMultipleCommand.Execute()
at Microsoft.Crm.Application.Caching.CustomResourceLoader.GetCustomResources(IOrganizationContext context, Int32 cacheKey)
at Microsoft.Crm.Application.Caching.CustomResourceLoader.LoadCacheData(Int32 key, IOrganizationContext context)
at Microsoft.Crm.Caching.CrmMultiOrgCacheBase`2.LookupEntry(TKey key, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.CustomResourceManager.TryGetCultureString(String name, CultureInfo culture, Boolean getSystemString, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.CustomResourceManager.TryGetCultureString(String name, CultureInfo culture, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.BasicResourceManager.GetCultureString(String name, CultureInfo culture, IOrganizationContext context)
at Microsoft.Crm.Controls.Header..ctor(Boolean isControlHeader)
at Microsoft.Crm.Controls.BasicHeader..ctor()
at Microsoft.Crm.Application.Controls.AppHeader..ctor()
at ASP.dynamicsqa_default_aspx.__BuildControlcrmHeader()
at ASP.dynamicsqa_default_aspx.__BuildControlTree(dynamicsqa_default_aspx __ctrl)
at ASP.dynamicsqa_default_aspx.FrameworkInitialize()
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
According to https://support.microsoft.com/en-us/kb/2593042 there are other issues that this can also introduce.
Exception type: CrmException
Exception message: SecLib::RetrievePrivilegeForUser failed - no roles are assigned to user. Returned hr = -2147209463, User: b1eda2c8-dbbd-e511-b14d-0050569b5b86
at Microsoft.Crm.Application.Platform.ServiceCommands.PlatformCommand.XrmExecuteInternal()
at Microsoft.Crm.Application.Platform.ServiceCommands.RetrieveMultipleCommand.Execute()
at Microsoft.Crm.Application.Caching.CustomResourceLoader.GetCustomResources(IOrganizationContext context, Int32 cacheKey)
at Microsoft.Crm.Application.Caching.CustomResourceLoader.LoadCacheData(Int32 key, IOrganizationContext context)
at Microsoft.Crm.Caching.CrmMultiOrgCacheBase`2.LookupEntry(TKey key, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.CustomResourceManager.TryGetCultureString(String name, CultureInfo culture, Boolean getSystemString, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.CustomResourceManager.TryGetCultureString(String name, CultureInfo culture, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.BasicResourceManager.GetCultureString(String name, CultureInfo culture, IOrganizationContext context)
at Microsoft.Crm.Controls.Header..ctor(Boolean isControlHeader)
at Microsoft.Crm.Controls.BasicHeader..ctor()
at Microsoft.Crm.Application.Controls.AppHeader..ctor()
at ASP.dynamicsqa_default_aspx.__BuildControlcrmHeader()
at ASP.dynamicsqa_default_aspx.__BuildControlTree(dynamicsqa_default_aspx __ctrl)
at ASP.dynamicsqa_default_aspx.FrameworkInitialize()
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
The cause is due to the service account now existing as a CRM user. The service account is responsible for running and acting as the service identity for the CRM web application within IIS. This can have severe security implications, in this specific scenario users could no longer log into Dynamics CRM.
According to https://support.microsoft.com/en-us/kb/2593042 there are other issues that this can also introduce.
- Data Import may fail
- CRM Outlook Clients may not configure
- Async Operations may have unexpected behavior including Workflows stopping with a Failed status
- No users can access CRM
- IFD access may fail for some or all users
- Date/Time fields may not display correct timezone offset
The Fix
- Change the CRM service account, which will further involve creating new SPN's etc
- Remove the user from the CRM Sql Database, which is unsupported and will be very tricky to perform.
- In our case we resolved this by marking the specific accounts record as "IsDeleted" within the MSCRM_CONFIG.SystemUserAuthentication table
