Tuesday, September 15, 2009

Error: Invalid User Authorization. The user authentication passed to the platform is not valid

In one of our CRM projects, a large number of users recently started to receive the following error when they tried to log in to the CRM system.

Invalid User Authorization. The user authentication passed to the platform is not valid.

[Screenshot: InvalidUserAuthorization]
After a quick search, I found that Microsoft has provided a solution of sorts at http://support.microsoft.com/kb/860612. The knowledge base page gives a good explanation of the nature of the issue, but the solution didn't make much sense for our situation.

My sense of this issue was that the CRM users had somehow gone out of sync with their Active Directory accounts. Two solutions came to mind quickly:
  • Re-import the organization, and let the CRM Deployment Manager provision all CRM users using the latest AD user IDs.

    or

  • Open each user in CRM, change its Domain Logon Name to a temporary one (I used MyDomain\Guest, as shown below) and save it. Then change it back to the user's actual MyDomain\Firstname.Lastname and save it again. The user will be able to log in without any error, as CRM actually re-maps the CRM user to the correct AD user during the changes. Regarding the temporary AD user, it's not my intention to suggest that you use the GUEST account as the temporary AD user, for obvious security reasons. I just knew this account was there, so I didn't have to request a new temporary AD account through the infrastructure team. You may want to use a different account which is more appropriate.
[Screenshot: InvalidUserAuthorization-Solution]
Either solution worked for us, because both of them actually re-provision CRM user records. The first approach does it through a batch process when the organization is imported, while the second approach does it on an individual user record basis. The good thing about the second approach is that you don't need to shut down or disconnect the system for re-importing the organization; you can recover the invalid users while other valid CRM users still have access. But if you have a large number of invalid CRM users, you might find the first approach a little bit easier.

[Update - Apr 11, 2010] 
Re-importing the CRM organization (the first approach) does have a number of complications associated with it. Make sure to use it with extra caution. Ensure that you have a full backup of both the MSCRM_CONFIG and the CRM organization databases before you actually perform the re-import.
[End of Update - Apr 11, 2010] 

You may be wondering how a CRM user account could ever be out of sync with its Active Directory account. The most common case is that the AD user account has been deleted and recreated with the same name.

The reason is that when a CRM user account is created, it's linked to an AD account, with the Active Directory ID (GUID) of the user account stored in the CRM database. If the AD account is deleted, the CRM user is no longer linked to a valid Active Directory user. Even if you have recreated an AD account with the same name, the actual ID of the Active Directory user is different, which is why you are seeing the "Invalid User Authorization" error message.
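To find the affected accounts before users start calling, here is an added read-only PowerShell check (not part of the original post) that lists CRM users whose stored AD GUID no longer matches the objectGUID of the AD account with the same logon name, or whose account no longer exists in AD. It assumes the ActiveDirectory and SqlServer modules are available, and that the organization database exposes the stored link as SystemUserBase.DomainName and SystemUserBase.ActiveDirectoryGuid; the server and database names are placeholders.

```powershell
# Added example, not from the original post. Read-only: it never modifies CRM or AD.
# Assumed (not from the post): SystemUserBase.DomainName / ActiveDirectoryGuid / IsDisabled columns.
param(
    [string]$SqlServer   = 'CRMSQL01',     # placeholder SQL instance hosting the org database
    [string]$OrgDatabase = 'MyOrg_MSCRM'   # placeholder organization database name
)
Import-Module ActiveDirectory
Import-Module SqlServer

# Pull every enabled CRM user together with the AD GUID that CRM recorded at provisioning time.
$query = @"
SELECT DomainName, ActiveDirectoryGuid
FROM dbo.SystemUserBase
WHERE IsDisabled = 0 AND DomainName <> ''
"@
$crmUsers = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $OrgDatabase -Query $query

foreach ($u in $crmUsers) {
    # DomainName is stored as DOMAIN\sAMAccountName; AD is looked up by the part after the backslash.
    $sam = ($u.DomainName -split '\\')[-1]
    try {
        $ad = Get-ADUser -Identity $sam -ErrorAction Stop
    } catch {
        # The account CRM points at no longer exists under that name at all.
        [pscustomobject]@{ DomainName = $u.DomainName; State = 'NotFoundInAD';
                           CrmGuid = $u.ActiveDirectoryGuid; AdGuid = $null }
        continue
    }
    # Same logon name but a different objectGUID: the account was deleted and recreated,
    # which is exactly the situation that produces "Invalid User Authorization".
    if ($ad.ObjectGUID -ne [guid]$u.ActiveDirectoryGuid) {
        [pscustomobject]@{ DomainName = $u.DomainName; State = 'GuidMismatch';
                           CrmGuid = $u.ActiveDirectoryGuid; AdGuid = $ad.ObjectGUID }
    }
}
```

Users reported as GuidMismatch are the ones to re-map with either approach above; NotFoundInAD entries need the account restored or recreated in AD first.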

After I had determined the solutions and recovered all CRM users, I was informed by the infrastructure team supporting the application what they had done: a change request was initiated to have all previous AD users deleted from Active Directory, and they re-generated all the users using an automated script, without knowing the impact of such a change on the CRM application. What matters with regard to the CRM platform is, as I have explained above, that after running such a script all CRM users were no longer linked to valid AD users, which was the cause of the authentication error.

Hope this helps if you run into a similar error.

15 comments:

  1. How do you re-import the organization?

  2. To re-import the organization, you use Deployment Manager. If you have only one organization, you probably need to create a temporary organization, and make the temporary organization as default one so that you can disable and delete your current default organization. After that, you can import the organization.

  3. Thanks

    This worked for me.

  4. Thank you for your post,

    I wonder whether the 2nd approach affects any workflow which is owned by the missing AD user?

  5. Thank you! Worked for me!

  6. Hi Yasin,

    Very good question, sorry for not being able to respond to your question sooner.

    Re-importing the CRM organization does have a number of complications associated with it. By providing it as an alternative solution, I was assuming that all important users will be re-mapped. I haven't really tried whether it will actually affect them, but most likely it's a YES from a theoretical point of view. I am going to add a warning message to the original post so that people use it wisely.

    Thanks,
    Daniel

  7. The individual solution worked like a charm. Thank you.

  8. Daniel Hi !

    I was foolish enough to delete the security groups the CRM creates in AD in an attempt to clear several instances of the same groups (as I had tried several times to install CRM).

    Now, I have the above mentioned problem: I cannot log on to the platform.

    I understood the reason why when I read your explanation about the AD IDs and CRM IDs.
    The question is:

    Do you know how I can re-link or rename the AD accounts or CRM accounts in order to have the same ID and solve the problem?

    Best Regards

    Dimitris

  9. Before you try this,

    only restart the crmAsync service and do an iisreset.

    That works for me.

  10. Thanks Daniel, worked a treat.

    Hiren

  11. Hi Daniel,

    My problem is that I can't even log on to the CRM website; after I enter the account and password, the error comes out. So I can't do what you said. I had added my user to the PrivUserGroup and SQLAccessGroup, but it doesn't work!

    Best Regards
    Peng

  12. I appear to be having the same problem as the last Anonymous user.
    None of my mapped users/administrators are able to login after importing the organization.
    If I remember correctly, I believe even before the import, using the temporary organization created during setup, I was getting a blank page when I tried to open the web portal. I am guessing this issue might be related to IIS settings rather than to users in the organization.
    But since I went into the default website and disabled anonymous login, which prompted me to get the Invalid User Authorization rather than the white page, I am not sure if I had disabled logon before importing whether I would login just fine.
    I will spend this weekend creating a new setup and see if I can get it working, without having ASP.NET 4 and so forth. I will also install SQL 2005 SP2 like the original server instead of the SQL 2005 SP3 I did on the new server.
    Thanks for your help.

  13. Second option worked just fine: •Open each user in CRM, and change its Domain Logon Name to a temporary one (I used MyDomain\Guest as shown below, save it. And then change back to the user’s actual MyDomain\Firstname.Lastname, and save it again...

  14. Thanks, the above was a great help when setting up a testing environment from a live DB organisation import.

  15. I simply restarted "Active Directory Domain Services" service & alas! It worked!!
    Steps for beginners:
    Ctrl+R --> services.msc --> --> BingO!
