Problems in CRM when the CRMAppPool user account is a CRM user

Article ID: 2593042

SYMPTOMS

Various CRM operations may fail when the CRMAppPool account is configured as a CRM user.
  • Data Import may fail
  • CRM Outlook Clients may not configure
  • Async Operations may have unexpected behaviour including Workflows stopping with a Failed status
  • No users can access CRM
  • IFD access may fail for some or all users
  • Date/Time fields may not display the correct time zone offset

CAUSE

The CRMAppPool account is considered the “SYSTEM” user in CRM. It is not a true user, and shouldn’t be. It is allowed access in CRM through the PrivUserGroup in Active Directory, along with other groups that it is a member of on the CRM server and through internal CRM platform and application code.

Many CRM operations are called through the CRM APIs under the context of the SYSTEM user account. If the CRMAppPool user account is a CRM user, these calls run under the context of the CRM user and not the SYSTEM user, and could fail to execute in the various parts of CRM described in the Symptoms section.

Once this user is created, it may cause various problems if the following is not met:

  • The user has been disabled
  • The user has not been granted a security role
  • The role does not contain all privileges to complete various operations including hidden roles
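
To check whether a deployment is in this state, the following PowerShell script reads the identity of the application pool and looks for a CRM user record with the same account name, reporting its disabled flag and the number of security roles assigned. It is an added example, not part of the original article or of Microsoft's tooling. The server and database names are placeholders, and the table and column names (SystemUserBase, SystemUserRoles, DomainName, IsDisabled) are assumed from the CRM 2011 organization database schema.

```powershell
# Added example: run on the CRM web server with read access to the organization database.
param(
    [string]$AppPoolName = 'CRMAppPool',
    [string]$SqlServer   = 'SQLSERVER01',      # placeholder, replace with your SQL Server
    [string]$OrgDatabase = 'Contoso_MSCRM'     # placeholder, replace with <OrgName>_MSCRM
)

Import-Module WebAdministration

# 1. Which account does the application pool run as?
$pm = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
if ($pm.identityType -ne 'SpecificUser') {
    Write-Output "App pool '$AppPoolName' runs as built-in identity '$($pm.identityType)'; no domain user to check."
    return
}

# Reduce DOMAIN\user or user@domain to the bare account name.
$sam = (($pm.userName -split '\\')[-1]) -replace '@.*$', ''

# 2. Is there a CRM user record for that account, and how is it configured?
$query = @'
SELECT u.DomainName, u.IsDisabled, COUNT(r.RoleId) AS RoleCount
FROM SystemUserBase u
LEFT JOIN SystemUserRoles r ON r.SystemUserId = u.SystemUserId
WHERE RIGHT(u.DomainName, LEN(@sam) + 1) = '\' + @sam
GROUP BY u.DomainName, u.IsDisabled
'@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$OrgDatabase;Integrated Security=SSPI")
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
[void]$cmd.Parameters.AddWithValue('@sam', $sam)
$rows = New-Object System.Data.DataTable
try {
    $conn.Open()
    $rows.Load($cmd.ExecuteReader())
} finally {
    $conn.Dispose()
}

# 3. Report. Any row means the service account is also a CRM user.
if ($rows.Rows.Count -eq 0) {
    Write-Output "OK: '$($pm.userName)' is not a CRM user in $OrgDatabase."
} else {
    foreach ($r in $rows.Rows) {
        Write-Output ("FINDING: '{0}' is a CRM user (IsDisabled={1}, security roles={2})." -f
            $r.DomainName, $r.IsDisabled, $r.RoleCount)
    }
}
```

Run the script once per organization database, since each organization keeps its own user table.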

RESOLUTION

  1. Resolution 1: Change the CRMAppPool user account to a new Active Directory user account.
  2. Resolution 2: Change the CRM user to a new Active Directory user account which is not tied to any CRM services.

MORE INFORMATION

Please refer to the CRM Implementation Guide for setting up service accounts.

  • We strongly recommend that you select a low-privilege domain account that is dedicated to running these services and is not used for any other purpose. Additionally, the user account that is used to run a Microsoft Dynamics CRM service cannot be a Microsoft Dynamics CRM user. This domain account must be a member of the Domain Users group. Additionally, if the Asynchronous Service and Sandbox Processing Service roles are installed, such as in a Full Server or a Back End Server installation, the domain account must be a member of the Performance Log Users security group.

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2593042 - Last Review: September 20, 2011 - Revision: 1.0
APPLIES TO
  • Microsoft Dynamics CRM 3.0
  • Microsoft Dynamics CRM 4.0
  • Microsoft Dynamics CRM 2011