CRM 2011 Administrator is missing read privilege error - dynamics-crm-2011

I have a user in CRM 2011 with the System Administrator security role (image). When I use that user in my Web Service to retrieve the Account entity, this error comes up:
Principal user (Id=927fbba4-d61a-e311-992b-000c295c9030, type=8) is missing
prvReadAccount privilege (Id=886b280c-6396-4d56-a0a3-2c1b0a50ceb0)

I found the issue:
Below is the work-around if someone is having this issue:
We had assigned the user the Administrator role.
Looking at different user fields in CRM I came across:
Client Access License (CAL) Information:
It had the values:
Access Mode: Administrative
License Type: Full
So I changed the Access Mode to:
Read-Write // Yahooooooooooooooo everything is working on the fly :)
Thanks for your time people.

The System Administrator role has all privileges on all records and this cannot be limited in any way.
I have two hypotheses:
Your Web Service isn't actually operating under credentials of a user having the System Administrator role. This is the most probable explanation, you have to make sure your connection gets passed the correct username/password(/domain unless IFD).
Since you have an ID to check against, you can double check who that user is with a simple OData query:
[crm url]/XrmServices/2011/OrganizationData.svc/SystemUserSet(guid'927fbba4-d61a-e311-992b-000c295c9030')
Your CRM setup is messed up (highly unlikely unless you've been fiddling with the database, in that case odd errors and misbehaviors become a quite real possibility)
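The OData lookup suggested above, combined with the Access Mode check from the first answer, as an added PowerShell example (not code from the original posts). It assumes an on-premises CRM 2011 organisation reachable with Windows authentication; $CrmUrl is a placeholder, and the property names and option-set values are taken from the CRM 2011 OData metadata as this example understands it.

```powershell
# Added example (not from the original posts): look up the SystemUser record the error
# names via the CRM 2011 OData endpoint and report the Access Mode / CAL fields the first
# answer found to be the cause. Assumes on-premises CRM with Windows authentication;
# $CrmUrl is a placeholder, and the property names follow the CRM 2011 OData metadata.
$CrmUrl = 'https://crm.example.local/OrgName'        # placeholder organisation URL
$UserId = '927fbba4-d61a-e311-992b-000c295c9030'     # the principal id from the error message

# Option-set values of SystemUser.AccessMode (assumed from the CRM 2011 metadata).
$AccessModes = @{ 0 = 'Read-Write'; 1 = 'Administrative'; 2 = 'Read'; 3 = 'Support User'; 4 = 'Non-interactive' }

function Get-CrmSystemUser {
    param([Parameter(Mandatory)][string]$CrmUrl, [Parameter(Mandatory)][string]$UserId)
    $uri = "$CrmUrl/XrmServices/2011/OrganizationData.svc/SystemUserSet(guid'$UserId')" +
           '?$select=FullName,DomainName,AccessMode,CALType,IsDisabled'
    # Asking for JSON makes the service return the verbose format with the entity under 'd'.
    $resp = Invoke-RestMethod -Uri $uri -UseDefaultCredentials -Headers @{ Accept = 'application/json' }
    $u = $resp.d
    [pscustomobject]@{
        FullName   = $u.FullName
        DomainName = $u.DomainName          # shows which AD account the web service actually mapped to
        AccessMode = $AccessModes[[int]$u.AccessMode.Value]
        CALType    = $u.CALType.Value
        IsDisabled = $u.IsDisabled
    }
}

$user = Get-CrmSystemUser -CrmUrl $CrmUrl -UserId $UserId
$user | Format-List
if ($user.IsDisabled) {
    Write-Warning 'User is disabled.'
} elseif ($user.AccessMode -ne 'Read-Write') {
    Write-Warning "Access Mode is '$($user.AccessMode)'; the first answer needed Read-Write before record privileges applied."
}
```

DomainName answers the first hypothesis (which account the service really connected as), and AccessMode covers the cause the question's author eventually found; both are read with the caller's own Windows credentials, so run it as an account that can read SystemUser records.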

Related

Graph API create groups and teams from SPFx webpart with elevated privileges

I have a SPFx webpart which is a form for users to submit requests which will run the group and teams provisioning code.
The code works fine when the user is logged in as a 'Global Admin', but when a normal user with minimum permission levels uses the form, the provisioning is not allowed and is faced with these errors:
Creating group is not allowed:
Tenant admin has not enabled Unified group creation error
Creating teams is not allowed:
Teams disabled in user license admin error
Is there a way to run the code regardless of the user context? or any ways to elevate the privilege of the webpart or block of code with admin permissions?
https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
You will need to specify the specific API permissions your application needs.
Basically, start from here: https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
Specifically, the Graph API permissions you will need are at least Group.ReadWrite.All and Directory.ReadWrite.All in order to create a team.
Hopefully this helps a bit.
Is there a way to run the code regardless of the user context?
Yes. You could implement Get access without a user to use Application permission to create the resources. It will allow you to create a group without a user.
You can also check with your admin whether the ability to create Groups for users has been disabled. See Manage who can create Groups.
And it's strongly recommended to check if the Teams license is assigned to the user.

Getting users from MS Graph API with a $filter causes 403 for some users

We have a single-page JavaScript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.
Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.
But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.
Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.
This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).
The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.
My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".
Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.
My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.
The application's token has the following scopes:
Directory.AccessAsUser.All
User.Read
We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.
The application is also registered as a Native app, if that makes a difference.
Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.
Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.
Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.
You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.
You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.
What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?
If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.
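The two Graph answers above (application permissions for the SPFx provisioning code, and User.Read.All rather than User.ReadBasic.All for the userType filter) both come down to what the access token actually carries. The following PowerShell is an added example, not code from the original posts: it acquires an app-only token with the client-credentials grant, decodes the token's permission claims, and runs the same $filter request, reporting a 403 as a permission gap. $TenantId, $ClientId and $ClientSecret are placeholders for an app registration; the function names are this example's own.

```powershell
# Added example (not from the original posts): obtain an app-only Graph token with the
# client-credentials grant ("access without a user", as the SPFx answer suggests), check
# which permissions it actually carries, and issue the userType filter the 403 question ran.
# $TenantId/$ClientId/$ClientSecret are placeholders for an app registration; keep the
# secret in a vault or use a certificate credential rather than a literal in a real script.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientSecret = '<client-secret-placeholder>'            # placeholder

function ConvertFrom-JwtPayload {
    # Decodes the (unverified) payload of a JWT so its claims can be inspected locally.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Get-GraphPermissions {
    # Delegated tokens list scopes in 'scp' (space separated); app-only tokens list roles in 'roles'.
    param([Parameter(Mandatory)][string]$Token)
    $claims  = ConvertFrom-JwtPayload $Token
    $granted = @()
    if ($claims.scp)   { $granted += ($claims.scp -split ' ') }
    if ($claims.roles) { $granted += $claims.roles }
    $granted
}

function Get-AppOnlyGraphToken {
    param($TenantId, $ClientId, $ClientSecret)
    $body = @{ client_id = $ClientId; client_secret = $ClientSecret
               scope = 'https://graph.microsoft.com/.default'; grant_type = 'client_credentials' }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function Invoke-GraphGet {
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$Uri)
    try {
        Invoke-RestMethod -Uri $Uri -Headers @{ Authorization = "Bearer $Token" }
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 403) {
            Write-Warning "403 from Graph for $Uri : the token lacks a permission this request needs (see Get-GraphPermissions)."
        }
        throw
    }
}

$token = Get-AppOnlyGraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$perms = Get-GraphPermissions -Token $token
foreach ($p in 'User.Read.All', 'Group.ReadWrite.All', 'Directory.ReadWrite.All') {
    Write-Host ("{0,-26} {1}" -f $p, $(if ($perms -contains $p) { 'granted' } else { 'MISSING' }))
}
if ($perms -contains 'User.Read.All') {
    # Filtering on userType needs User.Read.All; User.ReadBasic.All is not enough (as the answer explains).
    $guests = Invoke-GraphGet -Token $token -Uri 'https://graph.microsoft.com/v1.0/users?$filter=userType eq ''Guest''&$select=id,displayName,userType'
    $guests.value | Select-Object displayName, userType
}
```

Get-GraphPermissions works equally on a delegated token pasted from the SPA (where the claim is scp), which is the quickest way to confirm whether the filter failure is a missing permission on the token or, as the last answer asks, the tenant's "Guest user permissions are limited" setting. The payload decode does not verify the signature, so it is a diagnostic only, not an authorization check.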

Restrictive Access with System Administrator security role in CRM2011

I have encountered an insane problem when working in a Dynamics CRM 2011 on-premises environment. Everything was working just fine 2 days back. There are two different CRM environments on my client's network (PreProd and Production).
I have the System Administrator role on PreProd. The problem is that somehow I have restrictive access in CRM. Meaning, I am not able to create or update entity records. Create buttons are not even visible to my user for all entities!! When I open an entity form, the Customize tab is not visible. In short, I have limited access even with the System Administrator security role. I have never been in a problem like this before.
Any ideas what could cause this? I don't have access to the PreProd server so I can't troubleshoot this problem by myself. Any suggestions which I can convey to them that might be helpful??
Thanks.
Try to recheck the Access Mode field for the mentioned user. Ensure that it has the Read-Write value. If it does not, ask to update that field to Read-Write.
Open the user form in CRM and recheck the following field:

The security ID structure is invalid

I'm trying to install CRM on a server, but I'm getting this error:
System.Exception: Action Microsoft.Crm.Setup.Server.GrantAspNetServiceAccountAccessAction failed. ---> System.Runtime.InteropServices.COMException: The security ID structure is invalid.
Any help?
I have tried:
reinstalling my server
closing the server with my SQL
The problem has been found and solved.
The problem lies in the administrator being a member of many AD groups.
The solution:
Open regedit
Browse to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
Create new DWORD named MaxTokenSize
Set value data to 65535 (Decimal)
Close regedit and reboot server
Cause:
The user cannot authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original release version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Windows Server 2003, the MaxTokenSize value is 12,000 bytes.
Kerberos uses the Privilege Attribute Certificate (PAC) field of the Kerberos packet to transport Active Directory Group membership. Starting with Windows Server 2012, this also applies to the Active Directory Claims information (Dynamic Access Control) field. If there are many group memberships for the user, and if there are many claims for the user or the device that is being used, these fields can occupy lots of space in the packet.
If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. Therefore, users cannot authenticate, and they may receive an "out of memory" error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.
Sounds like you're trying to install this on a server logged in as a user that doesn't have the required permissions. Taken from MS Dynamics on TechNet:
Required for installation of Dynamics CRM 2011
Domain administrator
If you cannot be domain administrator the following privileges are required:
Member of Active Directory Domain Users
Permissions to create security groups in Active Directory (alternatively you can ask an administrator to pre-create the required security groups; you must then install Microsoft Dynamics CRM 2011 from the command line specifying a configuration file).
Member of the Administrators group on the computer where you install CRM
Read and write permissions on the folder 'Program Files' on that computer
Member of the Administrators group on the computer where SQL Server is installed
SQL Server sysadmin.
Reporting Services:
Content Manager root level
System administrator for site-wide SSRS
Tip:
To find out what security groups the logged in user belongs to open up a command prompt and run the following command:
gpresult /V
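The MaxTokenSize fix and the gpresult tip above both revolve around how many group SIDs the installing account carries. The following PowerShell is an added example, not code from either answer: it estimates the Kerberos token size from the current logon token, compares it with the MaxTokenSize value in the registry, and wraps the registry change from the accepted answer in a function. The 40-bytes-per-group figure is the one quoted above; the 1200-byte base is the fixed overhead from Microsoft's token-sizing formula (KB 327825) and is used only as a rough estimate.

```powershell
# Added example (not from the original answers): estimate the Kerberos token size for the
# account running the installer, compare it with MaxTokenSize, and apply the registry value
# from the answer above. Run in an elevated PowerShell on the server being installed.
$KerbParams = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-TokenSizeEstimate {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Same SID list that 'whoami /groups' or 'gpresult /V' prints for the logged-on user.
    $groupCount = @($identity.Groups).Count
    [pscustomobject]@{
        User       = $identity.Name
        GroupCount = $groupCount
        EstBytes   = 1200 + 40 * $groupCount   # 1200 base (KB 327825 formula, assumption) + 40 per group (answer)
    }
}

function Get-MaxTokenSize {
    # Returns $null when the value is absent, i.e. the OS default is in effect.
    (Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
}

function Set-MaxTokenSize {
    param([int]$Bytes = 65535)   # value used in the answer above
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name MaxTokenSize -PropertyType DWord -Value $Bytes -Force | Out-Null
    Write-Host "MaxTokenSize set to $Bytes; a reboot is required before it takes effect."
}

$est   = Get-TokenSizeEstimate
$max   = Get-MaxTokenSize
$shown = if ($null -ne $max) { $max } else { 'not set (OS default)' }
Write-Host "$($est.User): $($est.GroupCount) groups, estimated token ~$($est.EstBytes) bytes; MaxTokenSize = $shown"
if ($est.GroupCount -gt 120) {
    Write-Warning 'More than 120 group memberships: the default buffer is likely too small. Run Set-MaxTokenSize (elevated) and reboot, or trim group memberships.'
}
```

Two caveats for anyone applying this: Microsoft's own guidance recommends a MaxTokenSize no higher than 48000 because IIS base64-encodes the token into HTTP headers, so 65535 (the answer's value) can trade one failure mode for another; and the estimate counts only direct SIDs in the local logon token, so a domain-wide review of nested group membership is the more durable fix than raising the buffer.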

programmatically access sharepoint lists using impersonation

I am building a console app that runs under a normal user account to access SharePoint lists programmatically. In order to access SharePoint objects, the console application impersonates the user under whose context SharePoint is running. The impersonation is successful, but when I try to access any SharePoint SPWeb objects the following error is given:
spWeb.ID = 'spWeb.ID' threw an exception of type 'System.Data.SqlClient.SqlException'
base {System.Data.Common.DbException} = {"Cannot open database \"WSS_Content_92\" requested by the login. The login failed.\r\nLogin failed for user 'DOM\USER'."}
Shouldn't the impersonation have allowed access to the underlying database, and do I need to explicitly grant access to the current user to give access to SharePoint lists etc.?
Thanks in advance
In a console or windows app when accessing the object model - when you are impersonating the user then the database connection will be made under the users account credentials - so in effect you will have to give each of your users fairly high level permissions to access the database (or better make them a member of a group that has these permissions).
http://technet.microsoft.com/en-us/library/cc721638(office.12).aspx
This is different to the web app where the account used is the AppDomain account of the IIS site.
However - this is a very non-standard setup and is fraught with security risks - do you really want to give your users permission to access that database directly?
Instead can I suggest that you look again at your design - what are you trying to achieve?
Running the console application in the context of the same user as the application pool did the trick. So the solution would be to use the runas command.
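The runas approach the question's author settled on, as an added PowerShell example (not code from the original posts): it reads the SharePoint web application's app pool identity from IIS and starts the console app under that account, so no ordinary user ever needs rights on the content database. It assumes the WebAdministration module on a SharePoint server; $AppPoolName and $ConsoleExe are placeholders.

```powershell
# Added example (not from the original posts): read the SharePoint web application's app pool
# identity from IIS and start the console app under that account, which is the 'runas' route
# the question ended up with, instead of granting every user rights on the content DB.
# Requires the WebAdministration module on a SharePoint server; $AppPoolName and $ConsoleExe
# are placeholders.
Import-Module WebAdministration
$AppPoolName = 'SharePoint - 80'            # placeholder
$ConsoleExe  = 'C:\Tools\ListReader.exe'    # placeholder

function Get-AppPoolIdentity {
    param([Parameter(Mandatory)][string]$Name)
    $pm = (Get-ItemProperty -Path "IIS:\AppPools\$Name").processModel
    # Only a SpecificUser identity has a domain account that runas can switch to.
    if ("$($pm.identityType)" -ne 'SpecificUser') {
        throw "App pool '$Name' runs as built-in identity '$($pm.identityType)', which cannot be used with runas."
    }
    $pm.userName
}

$acct = Get-AppPoolIdentity -Name $AppPoolName
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ieq $acct) {
    & $ConsoleExe                      # already the app pool account: the object model can open the content DB
} else {
    # Equivalent of: runas /user:$acct $ConsoleExe  (prompts for the service account's password)
    $cred = Get-Credential -UserName $acct -Message "Password for app pool account $acct"
    Start-Process -FilePath $ConsoleExe -Credential $cred -Wait
}
```

This keeps the database grant where it already exists (the app pool account) rather than widening it to each user, which is the design point the first answer raises; the console app must still run on a server in the farm, since the SharePoint object model connects to the content database directly.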
