Microsoft Dynamics CRM IIS Pool Service Account Configuration

Summary

The CRM installation wizard gives some flexibility in choosing the account that the deployment services run as, but that choice deserves careful thought. The options come down to SYSTEM (the computer account of the deployment server), NETWORK SERVICE (the built-in network service identity, which also presents the computer account on the network), or a dedicated Active Directory service account (a user-class object). Only the last can be scoped and audited on its own; whichever is selected, the account needs the following configuration for the Deployment Service and the SSRS integration to work:

  1. App Deployment Server:
    1. primary HTTP SPN registrant
    2. IIS: pool identity for CRMAppPool & CrmDeploymentServiceAppPool
    3. Member of the CRM Deployment Administrators group
  2. SSRS Server: Member of Local Administrators (or Full access to Site Settings, Home Folder settings security, & a few Registry hives)
  3. Database: PrivReportingGroup (sysadmin role)
  4. Active Directory:
    1. Full permissions to these objects: PrivReportingGroup, PrivUserGroup, ReportingGroup, SQLAccessGroup, and OU containing those objects
    2. Membership of these groups: PrivReportingGroup, SQLAccessGroup, Domain Users (optional: PrivUserGroup, ReportingGroup)
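The checklist above is easy to get almost right, so here is a script that verifies each item for a given account. It is an added example, not part of the original post: the domain (CORP), the account name (CORP\iisPoolServiceAccount), the SQL instance (SQL01) and the app server name (CRMAPP01) are assumptions, and it expects the ActiveDirectory, WebAdministration and SqlServer (or SQLPS) modules to be present on the CRM app server where it is run.

```powershell
# Added example (not from the original post). Verifies the service-account checklist:
# HTTP SPNs, IIS pool identity, AD group membership and the SQL sysadmin role.
# All names are assumptions for this lab; adjust to your environment.
param(
    [string]$ServiceAccount = 'CORP\iisPoolServiceAccount',   # assumed
    [string]$SqlInstance    = 'SQL01',                         # assumed
    [string]$CrmAppServer   = 'CRMAPP01'                       # assumed
)
Import-Module ActiveDirectory, WebAdministration, SqlServer -ErrorAction Stop

$sam      = $ServiceAccount.Split('\')[-1]
$findings = @()

# 1.1 HTTP SPNs: the pool identity must hold HTTP/<short> and HTTP/<fqdn>,
#     otherwise Kerberos to the CRM site and the Deployment Web Service fails.
$spns = setspn -L $ServiceAccount 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object  { $_ -like 'HTTP/*' }
foreach ($spnHost in @($CrmAppServer, "$CrmAppServer.$env:USERDNSDOMAIN")) {
    if ($spns -notcontains "HTTP/$spnHost") { $findings += "Missing SPN HTTP/$spnHost on $ServiceAccount" }
}

# 1.2 Both CRM application pools must run as the service account.
foreach ($pool in 'CRMAppPool', 'CrmDeploymentServiceAppPool') {
    $pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
    if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $ServiceAccount) {
        $findings += "$pool runs as '$($pm.identityType) $($pm.userName)', expected $ServiceAccount"
    }
}

# 4.2 Direct AD group membership. CRM appends an {org-guid} to the group names,
#     hence the prefix match. Nested membership is not expanded here.
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
foreach ($g in 'PrivReportingGroup', 'SQLAccessGroup', 'Domain Users') {
    if (-not ($groups | Where-Object { $_ -like "$g*" })) { $findings += "$ServiceAccount is not a member of $g" }
}

# 3. SQL: the PrivReportingGroup login must be in the sysadmin server role.
#    IS_SRVROLEMEMBER returns 1/0, or NULL when the login does not exist at all.
$privGroup = Get-ADGroup -LDAPFilter '(name=PrivReportingGroup*)' | Select-Object -First 1
$login     = "$env:USERDOMAIN\$($privGroup.SamAccountName)"
$r = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "SELECT IS_SRVROLEMEMBER('sysadmin', N'$login') AS IsSysadmin"
if ($r.IsSysadmin -ne 1) { $findings += "$login is not in the sysadmin role on $SqlInstance (or has no login)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "All checks passed for $ServiceAccount" }
```

Run it as a domain admin before invoking any Deployment cmdlets; each warning maps to one of the numbered items in the checklist, which is quicker than decoding the DeploymentServiceFault output shown below.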

CRM Permissions Troubleshooting Process

- Symptom: when an action such as Disable-CrmOrganization is invoked from the CRM PowerShell snap-in, it fails with a validation error like the following:

Disable-CrmOrganization : Source        : mscorlib
Method  : HandleReturnMessage
Date    : 3:55:05 PM
Time    : 2/30/1850
Error   : Message: The Deployment Service cannot process the request because one or more validation checks failed.
ErrorCode: -2147167645
Stack Trace     :
======================================================================================================================
Inner Exception Level 1 :
==DeploymentServiceFault Info==========================================================================================
Error   : The Deployment Service cannot process the request because one or more validation checks failed.
Time    : 2/30/1850 10:55:05 PM
ErrorCode       : -2147167645
Date    : 3:55:05 PM
Time    : 2/30/1850
Error Items:
        ActiveDirectoryRightsCheck raising error : The current user does not have required permissions (read/write) for
the
following Active Directory group: CN=ReportingGroup {},OU=CRM Security
Groups,DC=kimconnect,DC=net
        SysAdminCheck raising error : You do not have sufficient permission to perform this operation on the specified
organization database
        ExistingRSCheck raising error : Setup failed to validate specified Reporting Services Report Server
http:// SSRS-SERVER/ReportServer. Error: Error occurred while finding an item on the report server.
The permissions granted to user 'iisPoolServiceAccount' are insufficient for performing this operation. --->
Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user
'iisPoolServiceAccount' are insufficient for performing this operation.
======================================================================================================================
At line:1 char:1
+ Disable-CrmOrganization Joe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Crm.P...anizationCmdlet:DisableCrmOrganizationCmdlet) [Disable-C
   rmOrganization], FaultException`1
    + FullyQualifiedErrorId : CRM Deployment Cmdlet Error,Microsoft.Crm.PowerShell.DisableCrmOrganizationCmdlet

Actions:
- Granted iisPoolServiceAccount Full permissions on the OU => no effect
- Granted iisPoolServiceAccount Full permissions on SSRS-SERVER => no effect
- Granted iisPoolServiceAccount full permissions on ReportingGroup {org-id} => error changes to complain about PrivReportingGroup
- Granted iisPoolServiceAccount Full permissions on PrivReportingGroup, PrivUserGroup, SQLAccessGroup => no more complaints about groups, but rather:
Error Items:
        SysAdminCheck raising error : You do not have sufficient permission to perform this operation on the specified
organization database
        ExistingRSCheck raising error : Setup failed to validate specified Reporting Services Report Server
http:// SSRS-SERVER/ReportServer. Error: Error occurred while finding an item on the report server.
The permissions granted to user 'iisPoolServiceAccount' are insufficient for performing this operation. --->
Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user
'iisPoolServiceAccount' are insufficient for performing this operation.

Read somewhere: one needs to add the CrmDeploymentServiceAppPool identity account to the SSRS server under Site Settings and under the Home folder security settings. NOTE: the user needs to be added in TWO places on the SSRS server.

- Added iisPoolServiceAccount to the Local Administrators of the Report Server => new error
        SysAdminCheck raising error : You do not have sufficient permission to perform this operation on the specified
organization database

- Added iisPoolServiceAccount to the Local Administrators of the CRM App Server => no changes
- Added iisPoolServiceAccount as Deployment Administrator using Deployment Manager => no changes

Read from: social. microsoft .com /Forums/en-US/a9e144ec-42a0-4612-9bb4-3e1792d955a5/unable-to-create-crm-organisation-using-powershell?forum=crmdeployment
Domain User membership
That account must be granted the Logon as service permission in the Local Security Policy.
Local administrator group membership on the computer where the Deployment Web Service is running.
Local administrator group membership on the computer where SQL Server is running.
Sysadmin permission on the instance of SQL Server to be used for the configuration and organization databases.
Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.

- Added PrivReportingGroup, ReportingGroup, & SQLAccessGroup to sysadmin role on SQL Server => Result: bingo!
- Tested DBCreator roles: failed
- Working config: PrivReportingGroup (sysadmin), ReportingGroup (public), & SQLAccessGroup (public)
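To apply that working configuration repeatably rather than through SSMS, the following script creates the three Windows-group logins and puts only PrivReportingGroup in sysadmin, then reads the role memberships back. It is an added example, not from the original post: the domain (CORP), the instance name (SQL01) and the group prefixes are assumptions, the group names are resolved from AD because CRM appends an {org-guid} suffix, and ALTER SERVER ROLE requires SQL Server 2012 or later.

```powershell
# Added example (not from the original post). Grants the SQL-side configuration that
# worked above: PrivReportingGroup -> sysadmin, ReportingGroup and SQLAccessGroup ->
# logins with nothing beyond the implicit public role. Names are assumptions.
Import-Module ActiveDirectory, SqlServer -ErrorAction Stop
$SqlInstance = 'SQL01'   # assumed

function Get-CrmSecurityGroupLogin {
    # Resolves "Prefix {org-guid}" in AD to a DOMAIN\SamAccountName login name.
    param([string]$Prefix)
    $g = Get-ADGroup -LDAPFilter "(name=$Prefix*)" | Select-Object -First 1
    if (-not $g) { throw "No AD group starting with '$Prefix'" }
    "$env:USERDOMAIN\$($g.SamAccountName)"
}

# dbcreator was tested and is not enough; sysadmin is what the Deployment Service checks for.
$plan = @(
    @{ Login = Get-CrmSecurityGroupLogin 'PrivReportingGroup'; Role = 'sysadmin' },
    @{ Login = Get-CrmSecurityGroupLogin 'ReportingGroup';     Role = $null },
    @{ Login = Get-CrmSecurityGroupLogin 'SQLAccessGroup';     Role = $null }
)

foreach ($p in $plan) {
    $login = $p.Login
    # Existence check makes the script idempotent; names come from AD, not from user input.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@
    if ($p.Role) { $sql += "`nALTER SERVER ROLE [$($p.Role)] ADD MEMBER [$login];" }
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql
}

# Read back which server roles each group login actually holds (NULL RoleName = public only).
$names  = ($plan | ForEach-Object { "N'$($_.Login)'" }) -join ','
$verify = @"
SELECT m.name AS LoginName, r.name AS RoleName
FROM sys.server_principals m
LEFT JOIN sys.server_role_members rm ON rm.member_principal_id = m.principal_id
LEFT JOIN sys.server_principals   r  ON r.principal_id = rm.role_principal_id
WHERE m.name IN ($names)
ORDER BY m.name;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $verify | Format-Table -AutoSize
```

The read-back query is the part worth keeping: sysadmin on a group means every member of PrivReportingGroup is a SQL administrator, so review that group's membership whenever the org list changes.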

Other struggles:

get-crmserver : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ get-crmserver -DwsServerUrl "https://localhost/" -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Crm.P...CrmServerCmdlet:GetCrmServerCmdlet) [Get-CrmServer], WebException
    + FullyQualifiedErrorId : CRM Deployment Cmdlet Error,Microsoft.Crm.PowerShell.GetCrmServerCmdlet

Attempts:

# Force TLS 1.2: "An unexpected error occurred on a send" is the usual symptom when
# ServicePointManager still defaults to SSL 3.0/TLS 1.0 and the server only accepts TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# The original attempt used { $false } here, which REJECTS every certificate and explains
# the "Could not establish trust relationship" error that followed. Returning $true accepts
# any certificate, i.e. disables validation for the whole process; lab use only.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

$deploymentWSUrl="https://$thisMachineIp/XrmDeployment/"
get-crmserver -DwsServerUrl $deploymentWSUrl -Credential $cred

get-crmserver : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
At line:1 char:1
+ get-crmserver -DwsServerUrl $deploymentWSUrl -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Crm.P...CrmServerCmdlet:GetCrmServerCmdlet) [Get-CrmServer], WebException
    + FullyQualifiedErrorId : CRM Deployment Cmdlet Error,Microsoft.Crm.PowerShell.GetCrmServerCmdlet

$deploymentWSUrl="https://$env:COMPUTERNAME/XrmDeployment/"
get-crmserver -DwsServerUrl $deploymentWSUrl -Credential $cred

$deploymentWSUrl="https://$fqdn/XrmDeployment/"
get-crmserver -DwsServerUrl $deploymentWSUrl -Credential $cred

# Second attempt: an ICertificatePolicy that accepts everything (legacy API, obsolete since
# .NET 2.0 but still honoured by ServicePointManager in .NET Framework). Same caveat as above:
# this turns off server-certificate validation for the whole process.
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;   // accept regardless of certificateProblem
        }
    }
"@

[Net.ServicePointManager]::Expect100Continue = $true
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# When ServerCertificateValidationCallback is set it takes precedence over CertificatePolicy,
# and { $false } (as in the original) rejects every certificate; $true is what was intended.
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

No dice.
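Rather than bypassing validation, the practical move is to look at the certificate the Deployment Web Service actually presents for each candidate host name, and pick the name it covers. The function below does that; it is an added example, not from the original post. It probes localhost, the short computer name and the FQDN (the same names tried above), evaluates chain trust explicitly with the local trust store, and reports whether each host name matches the certificate's SAN or CN. The candidate names and port 443 are assumptions.

```powershell
# Added example (not from the original post). Reads the server certificate for a host
# name, then reports name match and chain trust instead of silently accepting it.
function Get-TlsServerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443   # assumed: CRM Deployment Web Service on the default HTTPS port
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake only so the certificate can be read;
        # trust is evaluated explicitly below, not bypassed.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # DNS names from the SAN extension (OID 2.5.29.17); fall back to the subject CN,
        # which modern clients ignore once a SAN is present.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names  = @()
        if ($sanExt) {
            $names = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                     ForEach-Object { $_.Groups[1].Value }
        }
        if (-not $names -and $cert.Subject -match 'CN=([^,]+)') { $names = @($Matches[1]) }

        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            DnsNames     = $names -join ', '
            NameMatches  = [bool]($names | Where-Object { $HostName -like $_ })   # -like handles *.domain wildcards
            ChainTrusted = $cert.Verify()                                         # against this machine's trust stores
            Protocol     = $ssl.SslProtocol
        }
    }
    finally { $client.Close() }
}

# Probe the same candidates the attempts above used (assumed names).
foreach ($n in 'localhost', $env:COMPUTERNAME, "$env:COMPUTERNAME.$env:USERDNSDOMAIN") {
    try   { Get-TlsServerCertificate -HostName $n | Format-List }
    catch { Write-Warning "$n : $($_.Exception.Message)" }
}
```

Use the name for which both NameMatches and ChainTrusted are True in -DwsServerUrl. If ChainTrusted is False because the certificate comes from an internal CA or is self-signed, import the issuing CA certificate into Cert:\LocalMachine\Root on the client; if NameMatches is False for every candidate, the certificate needs to be reissued with the right subject alternative names. Either fix removes the need for any of the trust-all callbacks above.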
