Invalid User Authorization. The user authentication passed to the platform is not valid.
After a quick search, I found that Microsoft has provided some sort of solution at http://support.microsoft.com/kb/860612. The knowledge base page gives a good explanation of the nature of the issue, but the solution didn't make much sense in our situation.
My sense with this issue is that the CRM users were somehow out of sync with Active Directory accounts. Two solutions came to my mind quickly:
- Re-import the organization, and let the CRM Deployment Manager provision all CRM users using the latest AD user IDs.
- Open each user in CRM, change its Domain Logon Name to a temporary one (I used MyDomain\Guest), and save it. Then change it back to the user's actual MyDomain\Firstname.Lastname, and save it again. The user will be able to log in without any error, as CRM actually re-maps the CRM user to the correct AD user during the changes. Regarding the temporary AD user, it's not my intention to suggest that you use the Guest account, for obvious security reasons. I just knew this account was there, so I didn't have to request a new temporary AD account through the infrastructure team. You may want to use a different account which is more appropriate.
Either solution worked for us, because both of them actually re-provision CRM user records. The first approach does it through some sort of batch process when the organization is imported, while the second approach does it on an individual user record basis. The good thing about the second approach is that you don't need to shut down or disconnect the system to re-import the organization; you can recover the invalid users while other valid CRM users still have access. But if you have a large number of invalid CRM users, you might find the first approach a little bit easier.
[Update - Apr 11, 2010]
Re-importing the CRM organization (the first approach) does have a number of complications associated with it. Make sure to use it with extra caution. Ensure that you have a full backup of both the MSCRM_CONFIG and CRM organization databases before you actually perform the re-import.
[End of Update - Apr 11, 2010]
You may be wondering why a CRM user account could ever be out of sync with the Active Directory account. The most common case is that the AD user account has been deleted and recreated using the same name.
The reason is that when a CRM user account is created, it is linked to an AD account, with the Active Directory ID (GUID) of the user account stored in the CRM database. If the AD account is deleted, the CRM user is no longer linked to a valid Active Directory user. Even if you have recreated an AD account with the same name, the actual ID of the Active Directory user is different, and that is why you are seeing the "Invalid User Authorization" error message.
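The mismatch described above can be checked before users start hitting the error. The following is an added example, not code from the original post or from Microsoft: it assumes you have exported (Domain Logon Name, stored AD GUID) pairs from CRM and (logon name, objectGUID) pairs from Active Directory, and all names and sample values in it are constructed.

```python
import uuid

def norm_guid(value):
    """Return a canonical lowercase GUID string.

    Accepts text form (with or without braces) or the 16 raw bytes of an
    AD objectGUID as LDAP returns them (first three fields little-endian).
    """
    if isinstance(value, (bytes, bytearray)):
        return str(uuid.UUID(bytes_le=bytes(value)))
    return str(uuid.UUID(value.strip().strip("{}")))

def audit(crm_users, ad_users):
    """Classify each CRM user against the current directory contents.

    crm_users: iterable of (domain_logon_name, stored_ad_guid)
    ad_users:  iterable of (domain_logon_name, objectGUID)
    """
    by_name = {name.lower(): norm_guid(g) for name, g in ad_users}
    by_guid = {g: n for n, g in by_name.items()}
    report = {}
    for name, stored in crm_users:
        stored = norm_guid(stored)
        current = by_name.get(name.lower())
        if current == stored:
            status = "ok"
        elif current is not None:
            status = "recreated"  # same logon name, different GUID
        elif stored in by_guid:
            status = "renamed"    # GUID still exists under another name
        else:
            status = "missing"    # no AD account by name or by GUID
        report[name] = status
    return report

# Constructed sample exports (hypothetical users, not from the original post).
AD = [
    ("MyDomain\\Jane.Doe", bytes.fromhex("78563412bc9af0de1122334455667788")),
    ("MyDomain\\John.Smith", "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"),
    ("MyDomain\\Amy.Lee-Wong", "99999999-8888-7777-6666-555555555555"),
]
CRM = [
    ("mydomain\\jane.doe", "{12345678-9ABC-DEF0-1122-334455667788}"),
    ("MyDomain\\John.Smith", "{0F0F0F0F-0000-0000-0000-000000000001}"),
    ("MyDomain\\Amy.Lee", "99999999-8888-7777-6666-555555555555"),
    ("MyDomain\\Old.User", "0F0F0F0F-0000-0000-0000-000000000002"),
]

if __name__ == "__main__":
    for user, status in audit(CRM, AD).items():
        print(f"{status:10} {user}")
```

Users reported as "recreated" are the ones that need to be re-mapped with one of the two approaches above.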
After I had determined the solutions and recovered all CRM users, I was informed by the infrastructure team supporting the application that a change request had been initiated to have all previous AD users deleted from Active Directory, and that they had re-generated all the users using an automated script without knowing the impact of such a change on the CRM application. What matters with regard to the CRM platform is, as I have explained above, that after running such a script, all CRM users are no longer linked to valid AD users, which was the cause of the authentication error.
Hope this helps if you run into a similar error.