Using a custom identity to run the CRM Application Pool

Install Microsoft Dynamics CRM 2013: Using A Custom Identity To Run The CRM Application Pool

Abstract: I have a temporary fix to an error received when using a custom identity to run the Microsoft Dynamics CRM application pool. If you receive the error "Exception message: Could not find entry for server: <servername>$ With SearchFilter: samAccountName", continue reading to see how I resolved this issue; consider this a band-aid solution until Microsoft gets back to me.

Situation

I wanted to test Microsoft Dynamics CRM 2013 in an all Windows 2012 R2 environment. I set up CRM 2013 with a Front End and Back End deployment against a Windows 2012/SQL 2012 database server. The installation and role deployments went fine; I configured claims and IFD using Network Service as the CRM App Pool identity, all went fine and I could connect internally and externally using Windows authentication and forms authentication.

Next step was to change the CRM App Pool to a custom identity.

Once the new AD user was created and added to the appropriate security groups, and SPNs added, I changed the CRM App Pool user to my new AD user, and then restarted IIS. Next, I tried logging back into CRM 2013 but received this error:

Event occurrence: 1
Event detail code: 0

Application information:

Application domain: /LM/W3SVC/1/ROOT-1-130436233113758797
Trust level: Full
Application Virtual Path: /
Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
Machine name: <servername>

Process information:

Process ID: 1424
Process name: w3wp.exe
Account name: <domainname>\<servicename>

Exception information:

Exception type: CrmSecurityException
Exception message: Could not find entry for server: <servername>$ With SearchFilter:samAccountName
at Microsoft.Crm.SecurityUtils.GetActiveDirectoryEntry(String searchItem, String searchFilter, String searchItemLogInfo, Boolean throwIfNotFound)
at Microsoft.Crm.SecurityUtils.GetLocalSystemGuid()
at Microsoft.Crm.Caching.OrganizationSettingsCacheLoader.LoadCacheData(Guid key, ExecutionContext context)

Request information:

Request URL: http://localhost/default.aspx
Request path: /default.aspx
User host address: ::1
User: <domainname>\<username>
Is authenticated: True
Authentication Type: Negotiate
Thread account name: <domainname>\<servicename>

Thread information:

Thread ID: 24
Thread account name: <domainname>\<servicename>
Is impersonating: False
Stack trace:    at Microsoft.Crm.SecurityUtils.GetActiveDirectoryEntry(String searchItem, String searchFilter, String searchItemLogInfo, Boolean throwIfNotFound)
at Microsoft.Crm.SecurityUtils.GetLocalSystemGuid()
at Microsoft.Crm.Caching.OrganizationSettingsCacheLoader.LoadCacheData(Guid key, ExecutionContext context)

Troubleshooting

After speaking with Microsoft and performing a number of their recommendations, I decided to add the service account to the Domain Admins group (something I strongly wanted to avoid doing). Once I added the account and reset IIS on the servers, I was able to log in!

Microsoft is testing this issue on their end to see if this is a bug, or how to resolve this with minimum permissions. Hopefully this helps if you’re experiencing the same issue on Windows 2012! I’ll update this post when I hear back from Microsoft.

Cause: The Application Pool account is missing Read permissions on the Active Directory Computers OU, so the lookup of the server's computer object (<servername>$ by sAMAccountName) in the stack trace above fails.

Resolution: Granting the Application Pool account Read permissions on the Computers OU in AD resolves the issue, without making the account a Domain Admin.

*The solution to this issue is not documented in Microsoft’s setup documents.
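The following PowerShell is an added example of applying the resolution above with least privilege; it is not part of the original post and not Microsoft's or Axonom's code. It grants the App Pool account Generic Read on the Computers container (the place CRM looks up <servername>$ by sAMAccountName, per the stack trace), removes the band-aid Domain Admins membership, and verifies the lookup as the service account. The account name, server name and domain are placeholders; the container path is taken from Get-ADDomain, so adjust it if your CRM servers live in another OU.

```powershell
# Added example (not from the original post). Run from a machine with the
# ActiveDirectory module, as a user allowed to edit the container's ACL.
Import-Module ActiveDirectory

$svcSam     = 'svc-crmapppool'      # placeholder: sAMAccountName of the CRM App Pool identity
$crmServer  = 'CRMFE01'             # placeholder: CRM front-end server (computer account name)

# 1. Resolve the container that holds the computer objects CRM must read.
#    Get-ADDomain exposes the default Computers container; use your own OU DN if
#    the CRM servers were moved elsewhere.
$domain       = Get-ADDomain
$computersDN  = $domain.ComputersContainer     # e.g. CN=Computers,DC=contoso,DC=com
$svcSid       = (Get-ADUser -Identity $svcSam).SID

# 2. Grant Generic Read (list + read properties) on the container and everything
#    beneath it. This is the minimal right the lookup needs; no write, no group
#    membership change.
$acl = Get-Acl -Path "AD:$computersDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:$computersDN" -AclObject $acl

# 3. Undo the band-aid: the account must no longer be a Domain Admin.
#    -Confirm:$false is only here so the script runs unattended; omit it to be prompted.
if (Get-ADGroupMember -Identity 'Domain Admins' | Where-Object { $_.SamAccountName -eq $svcSam }) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $svcSam -Confirm:$false
}

# 4. Verify as the service account that the same query CRM performs now succeeds:
#    find the server's computer object by sAMAccountName ('<servername>$').
$cred = Get-Credential -UserName "$($domain.NetBIOSName)\$svcSam" -Message 'CRM App Pool account password'
$sam  = $crmServer + '$'
$obj  = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" -SearchBase $computersDN -Credential $cred
if ($obj) {
    Write-Host "OK: $svcSam can read $($obj.DistinguishedName); restart IIS on the CRM servers (iisreset)."
} else {
    Write-Warning "Lookup of $sam failed as $svcSam; check the container DN and that replication has completed."
}
```

Step 4 reproduces the failing call from the event log (a search on sAMAccountName for the machine account) under the service account's own credentials, so it distinguishes "permission still missing" from "the computer object is in a different OU" before you touch IIS again. The same grant can be done with dsacls ("dsacls <containerDN> /I:T /G DOMAIN\svc-crmapppool:GR") if you prefer the command-line tool.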

If this does not resolve the issue, feel free to contact or email us at Support@axonom.com for more help!

At Axonom, we provide powerful CRM extensions certified for Microsoft Dynamics including cloud-based Configure-Price-Quote (CPQ), Visual 3D Product Configurator, and Partner Portal software solutions. Learn how our Powertrak software solutions can help your business today.

-Dan Brunn