The security ID structure is invalid - dynamics-crm-2011

I i'm trying to install crm on a server, but getting this error..
System.Exception: Action Microsoft.Crm.Setup.Server.GrantAspNetServiceAccountAccessAction failed. ---> System.Runtime.InteropServices.COMException: The security ID structure is invalid.
any help ?
have trying:
reinstall my server
closing the server with my sql

The problem have been found and solved.
The problem lies in the administrator being member of many AD groups.
The solution:
Open regedit
Browse to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
Create new DWORD named MaxTokenSize
Set value data to 65535 (Decimal)
Close regedit and reboot server
Cause:
The user cannot authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original release version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Windows Server 2003, the MaxTokenSize value is 12,000 bytes.
Kerberos uses the Privilege Attribute Certificate (PAC) field of the Kerberos packet to transport Active Directory Group membership. Starting with Windows Server 2012, this also applies to the Active Directory Claims information (Dynamic Access Control) field. If there are many group memberships for the user, and if there are many claims for the user or the device that is being used, these fields can occupy lots of space in the packet.
If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. Therefore, users cannot authenticate, and they may receive an "out of memory" error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.

Sounds like you're trying to install this on a server logged in as a user that doesn't have the required permissions. Taken from MS Dynamics on Technet:
Required for installation of Dynamics CRM 2011
Domain administrator
If you cannot be domain administrator the following privileges are required:
Member of Active Directory Domain Users
Permissions to create security groups in Active Directory (alernatively you can ask an administrator to pre-create the required security groups; you must then install Microsoft Dynamics CRM 2011 from the command line specifying a configuration file).
Member of the Administrators group on the computer where you install the CRM
Read and write permissions on the folder 'Program Files' on that computer
Member of the Administrators group on the computer where SQL Server installed
SQL Server sysadmin.
Reporting Services:
Content Manager root level
System administrator for site-wide SSRS
Tip:
To find out what security groups the logged in user belongs to open up a command prompt and run the following command:
gpresult /V

Related

Can not open Excel Workbook in ASP classic with Excel.Application

I have a Windows 2016 Server and I have installed and activated Office 2013 64bit in it.
I have a classic ASP application that is trying to open an Excel workbook like this:
<%
Set appExcel = CreateObject("Excel.Application")
appExcel.Workbooks.Open("C:\intranet\web\Libro1.xlsx")
%>
I'm aware that this kind of Office automation is discouraged by Microsoft but this is a legacy app that I've inherited and has to manage to make it work on Windows 2016.
If I execute this piece of code as a VBS script there is no issue but if I try to execute it as an ASP page i get:
Microsoft Office Excel error '800a03ec' Microsoft Office Excel cannot access the file 'C:\intranet\web\Libro1.xlsx'.
There are several possible reasons:
• The file name or path does not exist.
• The file is being used by another program. (...)
I have discarded all the suggested reasons, I have also checked that if I really use a file that does not exist the error message is different.
I'm running my ASP application pool as user "Administrator" (Administrador in my spanish installation).
I have given permissions for everyone in all three sections of the permissions for Microsoft Excel DCOM Configuration entry in components services.
I have checked an installed updates in my operating system and my office package.
I'm running out of ideas, any reasonable clue will be welcome.
Recommendations for Setting up Websites in IIS
Things to consider while setting up IIS websites
Anonymous Access Account
Application Pool
NTFS Permissions
Setting up an Anonymous Account
Method One - Use ApplicationPoolIdentity Instead of IUSR
The ApplicationPoolIdentity is a special term for one of the corresponding IIS AppPool\<AppPoolAccounts> in the IIS_IUSRS security group.
The reason is it ties the security context to the Application Pool rather than having the Anonymous Account running as IUSR and the Application pool running as ApplicationPoolIdentity leaving two security contexts to manage.
Method Two - Use a Custom Account as the Identity of the Application Pool
For more control use a Custom Account in place of ApplicationPoolIdentity in the Application Pool Advanced Settings. Borrowing from Method One the Anonymous Account should be set to ApplicationPoolIdentity so there is now only one security context to manage.
The main benefit to this approach over using IUSR is you know the password for the Custom Account, whereas IIS controls the IUSR password making using it in place of the ApplicationPoolIdentity as the Application Pool Identity troublesome.
Assigning NTFS Permissions
WARNING: UAC (User Account Control) can modify the NTFS permissions when running in "Admin Approval Mode", make sure the setting User Account Control: Run all administrators in Admin Approval Mode is set to False in the Local Group Policy located under Computer settings\Windows settings\Security settings\Local policies\Security options.
Depending on the method used for adding an Anonymous Account to a IIS Website there should be one of two accounts added to the Websites root folder;
Method One - IIS_IUSRS (Read Permission)
Method Two - Custom Account (Read Permission)
At the basic level the Websites root folder should contain the following permissions;
| User Account | Permission | Notes
| ------------------ | --------------------- | ---------------------
| Administrators | Full Control | For File System access.
| <IIS Anonymous> | Read & Execute | Either IIS_IUSRS or a Custom Account.
Don't Inherit Permissions
Recommend disabling Inheritance on the Websites root folder to stop parent permissions propagating down and overwriting any existing permissions, which can be a costly exercise to restore.
Finally I found what the issue was.
Following some pointers about DCOM permissions I had configured "Microsoft.Excel" DCOM configuration permissions using the "Components service" tool. But this wasn't enough.
Today I saw that apart from "Permissions" tab there is an "Identity" tab there. By default it chooses to use the "initial user", which I expected to be the user that is running the IIS application pool. I had already executed the pool with a "real" user so I was not expecting this to be related but when I changed it and selected an specific user there everything started to work.
So to sum-up my solution was:
Open "Components services administration"
Find in "DCOM Configs" section the entry related to "Microsoft.Excel" and right click on "Properties".
In the "Identity" tab set a "real" user that will run Excel when the Interop API's are used.
In the "Permissions" tab adjust the permission so that the user you have set in the identity tab has the required right
Hope this gives some clues to anyone.

CRM 2011 Administrator is missing read privilege error

I have a user in CRM 2011 having System Administrator security role (image), when I use that user in my Web Service to retrieve Account entity this error comes up
Principal user (Id=927fbba4-d61a-e311-992b-000c295c9030, type=8) is missing
prvReadAccount privilege (Id=886b280c-6396-4d56-a0a3-2c1b0a50ceb0)
I found the issue:
Below is the work-around if some is having issue:
I We had assigned the user Administrator role:
Looking at different user fields in CRM I cam across:
Clien Access License (CAL) Information:
It was having values:
Access Mode : Administrative
License Type: Full
So I changed the Access Mode to :
Read-Write // Yahooooooooooooooo everything is working on the fly :)
Thanks for your time people.
The System Administrator role has all privileges on all records and this cannot be limited in any way.
I have two hypothesis(es?)
Your Web Service isn't actually operating under credentials of a user having the System Administrator role. This is the most probable explanation, you have to make sure your connection gets passed the correct username/password(/domain unless IFD).
Since you have an ID to check against, you can double check who that user is with a simple OData query:
[crm url]/XrmServices/2011/OrganizationData.svc/SystemUserSet(guid'927fbba4-d61a-e311-992b-000c295c9030')
Your CRM setup is messed up (highly unlikely unless you've been fiddling with the database, in that case odd errors and misbehaviors become a quite real possibility)

How can I change what user connects to TFS when using TFS power tools 2012 shell extensions?

I have the TFS power tools installed, and I can see the shell extensions context menus; however, I can't find a way to bypass the integrated windows authentication and specify a new username per operation. I am using a common username on a server due to some legacy software, and I need to access TFS with a different domain user. Is there an option to do this on the fly?
I expected to receive a prompt when connecting, but I just get an error indicating that the current user doesn't have permissions.
If you want to ALWAYS use a certain user name & password when authenticating to a TFS server then you can use Windows Credentials Manager and add a new Windows Authentication entry. You type in the full server name, domain username, and password. Additionally, you'll want to add the server name into the "Trusted Sites" list in Internet Explorer.
Just remember to edit that entry in the future if you ever need to change it like when the account's password has been updated. You'll be pulling out your hair until you remember that it is in there.

Add user to DefaultAppPool that isn't within IIS_WPG Group

My issue is two-fold:
Need a user account to write to inetpub/wwwroot that isn't in the IIS_WPG Group
Change the DefaultAppPool account to specified user account in #1
We cannot have anonymous HTTP writing to Server A from Server B from the default anon user account Windows reads from, hence for #2. And due to said server permissions, we cannot have Group IIS_WPG do any writing to inetpub/wwwroot either.
I created a new user account, but it isn't associated to any groups. Then, I added this user to the DefaultAppPool Identity instead of using Network Service. Then, under Inetpub/wwwroot I gave read/write permissions to this user account. Then I restart w3svc.
I am getting a Service Unavailable error now when I try to view any web page with this error in the logs: A failure was encountered while launching the process serving application pool 'DefaultAppPool'. The application pool has been disabled.
Note: I am not a Windows admin by any means, so what I'm doing is based off of any articles I can find and trusting their accuracy 100%.
The whole point of the IIS_WPG group is to have a pre-set grouping of the permissions required to run an application pool. So the best case is going to be creating your new user but then just adding that user to the IIS_WPG group.
If you can't do that, then I believe you have to explicitly give your new user the same permission set that IIS_WPG has already. Which can be found here: http://support.microsoft.com/kb/812614

Querying remote system via WMI returns access denied for non-administrator

I have a simple WMI query that runs fine locally, but querying a remote system gives an access denied error. When I add the local user to the remote system as member of the administrator group, the query works as expected, but I don't want to have that user as a member of that group.
I already tried the following things, unfortunately not successful so far:
I enabled RemoteAdmin for the firewall (netsh firewall set service RemoteAdmin enable)
I added the user with all possible access rights to the WMI Security settings (for the root name space, and I also checked that the settings are correctly propagated to the namespace I'm querying, root/cimv2) via wmimgmt.msc
I enabled remote access for the user in DCOM COM security
I still get the same error every time I run my query, is there anything else that I may have missed?
WMI rights are much tighter than typical, as the link provided by Uros describes in detail. In short, you will either need to enable the Active Directory right called "Trusted for Delegation", which is extremely powerful and not recommended, or add explicit credentials, as described in the MS link referenced by Uros.

Resources