Create New User Error

Yesterday, I got the following error when I tried to add a new user:

You are attempting to create a user with a domain logon that is already used by another user. Select another domain logon and try again.

The strange thing I noticed about the error is that, the user I was trying to add was not already there in CRM. I checked this in the SystemUser table and confirmed that it is definitely not there. After tracing SQL Server, I found CRM uses SystemUserAuthentication table to do this check.

Here is the sequence to events

No user A -> Backup organisation database -> User A created -> Restore organisation db from backup

In my situation, the error started happening after I restored the organisation db from the backup. At the time of the backup, the user I was trying to add had not been created. After the organisation db was restored from backup, the SystemUser table in the organisation database does not contain User A, but the MSCRM_CONFIG does (as per SystemUserAuthentication). This is the root cause of this error message.

The fix was to delete the organisation and re-import the organisation from the Deployment Manager. Once this is done, the new user can be added without any issue. This was the additional step I had to perform after I restored the db from the backup.

Chart Error in Dashboard

Today I encountered a strange issue, that took little longer than expected to solve. In the dashboard, I have multiple charts. All charts display correct data without any issue.

When you click the table icon on the chart, to look at the records that were the source for this chart, an error is displayed.
The user can run the saved view from Advanced Find, without any issue, and hence this is not a lack of privilege for this entity.

When I checked the Event Log in the CRM Server, I noticed an error message about the missing Privilege {8437FA7C-3681-4FC7-BFD8-53A23FDECD65}.

I then queried the Privilege view in the MSCRM database for the Organisation, and found this is prvReadUserSetting.

When I opened the security role for this user, read privilege was missing all together.
Granting Organisation wide read permission for this role, resolved this issue.

Deployment Manager exception after installing UR17 in CRM 2011

I recently encountered an issue with an existing CRM 2011 environment after installing Rollup 17. The deployment manager would crash with this following error.

Type is not resolved for member ‘Microsoft.Crm.CrmSecurityException,Microsoft.Crm.Core, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35’.
I turned on CRM tracing and this seems to be the underlying error.

CrmException..ctor(String message, Exception innerException, Int32 errorCode, Boolean isFlowControlException)  ilOffset = 0x0
at CrmException..ctor(String message, Exception innerException, Int32 errorCode)  ilOffset = 0x0
at SecurityUtils.GetActiveDirectoryEntry(String searchItem, String searchFilter, String searchItemLogInfo, Boolean throwIfNotFound, String domainName)  ilOffset = 0x44
at SystemUserService.GetCaseSafeName(String domain, String accountName)  ilOffset = 0x188
at SystemUserService.GetCaseSafeName(String name)  ilOffset = 0x50
at SystemUserService.GetIdsFromName(String userName)  ilOffset = 0xB
at SecurityRoleService.TryVerifyUser(String userName, SecurityRole role)  ilOffset = 0xC
at SystemUserController.TryVerifyUser()  ilOffset = 0xD
at DMSnapInHelper.DisplayMessageBoxIfCurrentUserIsNotSystemUser(Console console)  ilOffset = 0x0
at DMSnapIn.OnInitialize()  ilOffset = 0x27
at SnapInBase.Initialized()  ilOffset = 0x41
at SnapInClient.Microsoft.ManagementConsole.Internal.ISnapInClient.Initialize(ISnapInPlatform snapInPlatform)  ilOffset = 0x14
at UnsafeNativeMethods.DispatchMessageW(MSG& msg)  ilOffset = 0xFFFFFFFF
at ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)  ilOffset = 0x18E
at ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)  ilOffset = 0x1F7
at ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)  ilOffset = 0x13
at SnapInMessagePumpProxy.Microsoft.ManagementConsole.Internal.ISnapInMessagePumpProxy.Run()  ilOffset = 0x34
>Crm Exception: Message: Could not find AD entry for : 09283477 with SearchFilter: samAccountName, ErrorCode: -2147214038, InnerException: System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted.
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at Microsoft.Crm.SecurityUtils.GetActiveDirectoryEntry(String searchItem, String searchFilter, String searchItemLogInfo, Boolean throwIfNotFound, String domainName)

After much troubleshooting with CRM tracing, Netmon, LDAP Tracing and Wireshark I was able to ascertain that this exception is thrown right after Deployment Manager sends a NbtNs packet before crashing.

 I wrote a small console application to see if this could be a Domain Controller issue. There was no NbtNs packet sent out in my console application and it was successfully able to query the user details.
I posted this in CRM forums and it seems that others also are having the same issue, after moving to Rollup 17. This seems to be a bug in UR17, which cannot handle more than 15 characters in Domain Name (according to the poster). Here is the forum post

There was also an additional issue I encountered when I tried to uninstall UR17. The uninstall process would crash with a owner_importlogs key violation on ImportLogBase table. It seems the uninstall process wants to insert two rows with Owner Id = Guid.Empty in the ImportLogBase table.

I had to disable this constraint, allow the uninstall process to finish and later delete these two rows.

So if are having similar issues with Deployment Manager after installing UR17, downgrade to UR16 or wait for UR18.

Quick Tip: Don’t use underscore character in CRM webservices URL

Recently I was setting up CRM for Outlook client on a existing environment that we took over. CRM for Outlook would always display the following error after entering the organisation url details in the configuration screen.

The underlying cause seems to be the underscore character in all the crm service urls. The relevant KB316112 article says:
Security patch MS01-055 prevents servers with improper name syntax from setting cookies names. Domains that use cookies must use only alphanumeric characters (“-” or “.”) in the domain name and the server name. Internet Explorer blocks cookies from a server if the server name contains other characters, such as an underscore character (“_”).

Since CRM for Outlook cannot set the cookies, the client cannot be configured.