Unable to Log in to CRM after User Name Changed

Error: Access Denied 404

Scenario:
A user changes his or her name in AD, and when the username is then updated in CRM the user can no longer log in under the new username. The result is an Access Denied error or a 404.
Cause:
When a user signs in via ADFS, the sign-in information may be cached on the Active Directory Federation Services (AD FS) server, or the UPN may no longer be valid. When the user's SAM account name is changed, the cached sign-in information may cause problems the next time the user tries to access CRM.
Resolution (action performed by an administrator on the ADFS server):
  1. Open Registry Editor, and then locate the following subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  2. Right-click Lsa, click New, and then click DWORD Value (32-bit).
  3. Type LsaLookupCacheMaxSize, and then press ENTER to name the new value.
  4. Right-click LsaLookupCacheMaxSize, and then click Modify.
  5. In the Value data box, type 0, and then click OK.
  6. Close Registry Editor.
  7. Restart the ADFS server.
  8. Remove the LsaLookupCacheMaxSize value.
  9. Restart the ADFS server.
Note: LsaLookupCacheMaxSize can affect sign-in performance. Therefore, we recommend that you delete the LsaLookupCacheMaxSize value when the issue is resolved.

This is a known issue, arguably “by design” by Microsoft, and there are many blogs about the steps above. However, for one user I was not so lucky. This user had added themselves in CRM with a new username, and also had a disabled CRM record with the old username.

For example:

Old, disabled CRM user: NuSoft\jsmith
New desired user in CRM: NuSoft\johnsmith

Even though the new user johnsmith was enabled in CRM and set up correctly in a business unit with the System Administrator security role, each time johnsmith tried to log in to CRM he received this error:

The specified user is either disabled or is not a member of any business unit

This error message prevented access to CRM only when going through the ADFS endpoint URLs, for example:
https://crm.nusoftsolutions.com
https://internalcrm.nusoftsolutions.com

However, johnsmith could log in to CRM when accessing the URL over port 80 (the direct CRM site URL), which bypasses ADFS entirely:

http://servername/CRMORG

Of course, when ADFS is configured, everyone should access CRM via the ADFS relying party endpoint URLs and not the direct IIS website.

Below are the steps I took to diagnose and solve the issue.

Disclaimer: The steps below interact directly with the CRM databases. If you aren’t familiar with these databases, please do not attempt these steps as many things can go wrong if you make a mistake.

Cause / identifying the issue:

Query the SystemUserAuthentication table in the MSCRM_CONFIG database:

select * from MSCRM_CONFIG.dbo.SystemUserAuthentication
where AuthInfo = 'C:johnsmith@nusoftsolutions.com'

The query returned the disabled jsmith user in CRM:

jsmith UserID : 98E5506D-B1EF-E211-A3F4-000C29831021

WRONG/OLD USER ID

Resolution:

Adjust the SystemUserAuthentication table in the MSCRM_CONFIG database.

Each user should have at least two records in this table, with AuthInfo in these formats:

  1. W:S-1-5-21-41449369-1611465302-763373030-24573 (this is the Active Directory SID format, which explains how johnsmith was able to log in locally through port 80, bypassing ADFS; this record was pointing to the correct user and ID)
  2. C:johnsmith@nusoftsolutions.com (this record exists, but did not show in the query below because it was still set to the old UserId of jsmith, which is incorrect)

Use the query below to determine johnsmith's correct UserId. Don't confuse this with the SystemUserId.

select sub.SystemUserId, sub.FullName, sub.ActiveDirectoryGuid, sua.AuthInfo, sua.UserId, sub.IsDisabled
from SystemUserBase sub
inner join MSCRM_CONFIG.dbo.SystemUserOrganizations suo ON suo.CrmUserId = sub.SystemUserId
inner join MSCRM_CONFIG.dbo.SystemUserAuthentication sua ON sua.UserId = suo.UserId
where sub.DomainName = 'nusoft\johnsmith'

Query result:
W:S-1-5-21-41449369-1611465302-763373030-24573
johnsmith
UserId is 52ABE275-B996-E411-B3BF-000C29831021

But there was no C:johnsmith@nusoftsolutions.com record, because the query joins on UserId and, while C:johnsmith@nusoftsolutions.com exists in MSCRM_CONFIG.dbo.SystemUserAuthentication, it incorrectly references the disabled UserId 98E5506D-B1EF-E211-A3F4-000C29831021 (username jsmith).
So we identified the ‘disconnect’: the disabled user jsmith is ‘stealing’ johnsmith’s authentication record. Every time johnsmith tries to log in via ADFS, CRM sees johnsmith@nusoftsolutions.com, matches it to the disabled CRM user jsmith, denies access and shows the disabled-user error message.
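The two queries above look at one known user. As an added example that is not part of the original post, the T-SQL below generalizes the same check across the whole MSCRM_CONFIG store: it joins every authentication record to the CRM user it resolves to, then reports (a) claims (C:) records that resolve to a disabled user while an enabled user with a matching account name exists, which is exactly the jsmith/johnsmith pattern, and (b) enabled users that have a Windows (W:) record but no C: record at all, which is the symptom of working on port 80 but failing through ADFS. It uses only the tables and columns named in the post and is run while connected to the organization database (where SystemUserBase lives). The assumption that the UPN prefix equals the sAMAccountName holds for johnsmith here but is not guaranteed in every directory, so treat finding (a) as a candidate list to review, not as something to update blindly.

```sql
-- Added diagnostic (not from the original post). Read-only: it only SELECTs.
-- Run in the CRM organization database so that dbo.SystemUserBase resolves.

-- Every authentication record joined to the CRM user it currently resolves to.
SELECT  sua.AuthInfo,
        sua.UserId,
        sub.SystemUserId,
        sub.DomainName,
        sub.FullName,
        sub.IsDisabled,
        -- account part of DOMAIN\account (whole string if there is no backslash)
        RIGHT(sub.DomainName, LEN(sub.DomainName) - CHARINDEX('\', sub.DomainName)) AS AccountName,
        -- local part of a C:user@domain record; NULL for W: and other record types
        CASE WHEN sua.AuthInfo LIKE 'C:%@%'
             THEN SUBSTRING(sua.AuthInfo, 3, CHARINDEX('@', sua.AuthInfo) - 3)
        END AS UpnPrefix
INTO    #AuthToUser
FROM    MSCRM_CONFIG.dbo.SystemUserAuthentication AS sua
JOIN    MSCRM_CONFIG.dbo.SystemUserOrganizations  AS suo ON suo.UserId = sua.UserId
JOIN    dbo.SystemUserBase                        AS sub ON sub.SystemUserId = suo.CrmUserId;

-- (a) Claims records that resolve to a disabled user while an enabled user whose
--     account name equals the UPN prefix exists. ASSUMPTION: UPN prefix == sAMAccountName.
SELECT  c.AuthInfo,
        c.DomainName AS ResolvesToDisabledUser,
        c.UserId     AS WrongUserId,
        e.DomainName AS EnabledUser,
        e.UserId     AS CandidateCorrectUserId
FROM    #AuthToUser AS c
JOIN    #AuthToUser AS e
          ON  e.IsDisabled = 0
          AND e.AuthInfo LIKE 'W:%'
          AND e.AccountName = c.UpnPrefix
WHERE   c.AuthInfo LIKE 'C:%'
  AND   c.IsDisabled = 1
  AND   c.UserId <> e.UserId;

-- (b) Enabled users that have a W: record but no C: record: they can log in on
--     port 80 but not through the ADFS relying party endpoint.
SELECT  w.DomainName, w.FullName, w.UserId, w.AuthInfo AS WindowsAuthInfo
FROM    #AuthToUser AS w
WHERE   w.AuthInfo LIKE 'W:%'
  AND   w.IsDisabled = 0
  AND   NOT EXISTS (SELECT 1
                    FROM   #AuthToUser AS c
                    WHERE  c.UserId = w.UserId
                      AND  c.AuthInfo LIKE 'C:%');

DROP TABLE #AuthToUser;
```

In the post's case, query (a) returns one row with WrongUserId 98E5506D-B1EF-E211-A3F4-000C29831021 and CandidateCorrectUserId 52ABE275-B996-E411-B3BF-000C29831021, and query (b) lists nusoft\johnsmith. A user who appears in (b) without a partner row in (a) simply has no claims record yet and is a different (and more common) situation than the one described here.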

To fix this, set the correct UserId on the authentication record whose AuthInfo is C:johnsmith@nusoftsolutions.com:

update MSCRM_CONFIG.dbo.SystemUserAuthentication
set UserId = '52ABE275-B996-E411-B3BF-000C29831021'
where AuthInfo = 'C:johnsmith@nusoftsolutions.com'
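Because this UPDATE runs against an unsupported table in the configuration database, a practitioner would want it to touch exactly one row and to be reversible until it has been checked. The block below is an added example, not the post's own statement: it performs the same correction with the post's two UserIds, but also pins the WHERE clause to the old (wrong) UserId so it becomes a no-op if the record has already been changed, aborts unless exactly one row matched, and only commits after verifying that the claims record now resolves to an enabled CRM user. The column types (nvarchar for AuthInfo, uniqueidentifier for UserId) are assumed; the statement also works through implicit conversion if they differ.

```sql
-- Added example (not from the original post): guarded version of the fix.
-- Run in the organization database, same context as the diagnostic queries.
SET XACT_ABORT ON;   -- any run-time error rolls the whole transaction back
BEGIN TRANSACTION;

DECLARE @AuthInfo      nvarchar(1024)   = N'C:johnsmith@nusoftsolutions.com';   -- claims record to repair
DECLARE @WrongUserId   uniqueidentifier = '98E5506D-B1EF-E211-A3F4-000C29831021'; -- disabled jsmith (from the post)
DECLARE @CorrectUserId uniqueidentifier = '52ABE275-B996-E411-B3BF-000C29831021'; -- enabled johnsmith (from the post)

-- Re-point the claims record, but only if it still points at the wrong user.
UPDATE MSCRM_CONFIG.dbo.SystemUserAuthentication
SET    UserId = @CorrectUserId
WHERE  AuthInfo = @AuthInfo
  AND  UserId   = @WrongUserId;

-- Exactly one row must have changed; anything else means the picture is not
-- the one diagnosed above, so leave the table untouched.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one matching authentication record; nothing was changed.', 16, 1);
    RETURN;
END

-- Verify before committing: the claims record must now resolve to an enabled user.
IF EXISTS (SELECT 1
           FROM   MSCRM_CONFIG.dbo.SystemUserAuthentication AS sua
           JOIN   MSCRM_CONFIG.dbo.SystemUserOrganizations  AS suo ON suo.UserId = sua.UserId
           JOIN   dbo.SystemUserBase                        AS sub ON sub.SystemUserId = suo.CrmUserId
           WHERE  sua.AuthInfo = @AuthInfo
             AND  sub.IsDisabled = 0)
BEGIN
    COMMIT TRANSACTION;
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Record still resolves to a disabled user; change rolled back.', 16, 1);
END
```

Take a backup of MSCRM_CONFIG before running it, as the post's disclaimer already implies, and re-run the post's second SELECT afterwards: the C:johnsmith@nusoftsolutions.com row should now appear alongside the W: row for UserId 52ABE275-B996-E411-B3BF-000C29831021.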

Now johnsmith can log in to CRM via ADFS.

Jordan Quinn