CRM Exception message: Principal user (Id=GUID, type=8) is missing prvReadComplexControl privilege (Id=GUID)

Recently one of my customers started getting insufficient permissions messages and having issues accessing files on the CRM.

Exception detail was as below.

Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3s344d364e35]]: System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #CBE39829Detail:

<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">

  <ActivityId>f6dfec3a-6114-4eef-9544-a9396f5d1572</ActivityId>

  <ErrorCode>-2147220970</ErrorCode> 

<ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />

  <Message>System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #CBE39829</Message>

  <Timestamp>:44:42.8709171Z</Timestamp>

  <ExceptionRetriable>false</ExceptionRetriable>

  <ExceptionSource i:nil="true" />

  <InnerFault>

    <ActivityId>GUID</ActivityId>

    <ErrorCode>-2147220960</ErrorCode>   

<ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />

    <Message>Principal user (Id=GUID, type=8) is missing prvReadComplexControl privilege (Id=GUID)</Message>

    <Timestamp>2019-07-04T07:44:42.8709171Z</Timestamp>

    <ExceptionRetriable>false</ExceptionRetriable>

    <ExceptionSource i:nil="true" />

    <InnerFault i:nil="true" />

    <OriginalException i:nil="true" />

    <TraceText i:nil="true" />

  </InnerFault>

  <OriginalException i:nil="true" />

  <TraceText i:nil="true" />

</OrganizationServiceFault>

The actual error is given in the inner fault section, the same error is logged in the event log of the CRM server as below.

Exception information:

Exception type: CrmException

Exception message: Principal user (Id=GUID, type=8) is missing prvReadComplexControl privilege (Id=GUID)  at Microsoft.Crm.Application.Platform.ServiceCommands.PlatformCommand.XrmExecuteInternal()

   at Microsoft.Crm.Application.Platform.ServiceCommands.RetrieveCommand.Execute()   at Microsoft.Crm.Caching.ComplexControlLoader.LoadCacheData(Guid key, IOrganizationContext context)   at Microsoft.Crm.Caching.CrmMultiOrgCacheBase`2.CreateEntry(TKey key, IOrganizationContext context)   at Microsoft.Crm.Caching.CrmMultiOrgCacheBase`2.LookupEntry(TKey key, IOrganizationContext context)   at Microsoft.Crm.Application.Components.Sdk.InlineEditControls.Web.CompositionLinkControl.GetFlyOutDescriptor()    at Microsoft.Crm.Application.Components.Sdk.InlineEditControls.Web.LinkControl.GetRequiredColumns(Int32 entityTypeCode)   at Microsoft.Crm.Application.Forms.CompositeControlVisitor.HandleColumnProvider(Control control, FormDescriptor formDescriptor)   at Microsoft.Crm.Application.InlineEdit.Mediators.FormMediator.AddControlProperties(ICrmControl crmControl, ControlDescriptor controlDescriptor)   at Microsoft.Crm.Application.InlineEdit.Mediators.FormMediator.ProcessControlHierarchy(Action`2 controlHandler)   at Microsoft.Crm.Application.InlineEdit.Mediators.FormMediator.GetInstance(FormFactor formFactor, FormDescriptor descriptor, Guid processId, Int64 processVersionNumber, IOrganizationContext organizationContext)   at Microsoft.Crm.Application.InlineEdit.ReadFormDataBuilder..ctor(String recordId, String entityTypeCode, Guid formId, FormFactor formFactor)   at Microsoft.Crm.Application.Pages.Form.FormDataPage.Render(HtmlTextWriter writer)   at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

After a while found the “Complex Control” privileges are listed as “Process Configuration” in CRM security roles. To fix the issue go to CRM Security Roles and open Customization tab. There you will find Process Configuration for which you need to provide Read permission.

Giving permissions according to the error you see will fix the issue, for example if your error showed your were missing prvCreateComplexControl, then you need to provide Create permissions.

More details about security role UI and privilege mapping can be obtained from the Microsoft article.

Advertisement

Unable to Enlist in the Transaction

I recently received an error while trying to run a SSIS package in Visual Studio. The full error is seen as below.

Error: The SSIS Runtime has failed to enlist the OLE DB connection in a distributed transaction with error 0x8004D024 "The transaction manager has disabled its support for remote/network transactions.".

This error is happening when a component with transactions try to connect and manipulate data on a remote server.

To avoid this error, two things can be done.

* Remove the transaction handling from the component. – This should be done only if the transactions are not required or as a temporary measure.

You can do this by selecting the properties of the component, also check the package properties to make sure transactions are not enabled at the package level.

For an explanation of the options please visit the URL.

* Configure the Distributed Transaction Coordinator (DTC).

For a component to work correctly with transactions, below two things are required.
1. Running Distributed Transaction Coordinator (DTC) Service

This service should be running on the database server the component connects to and on  the machine where the package is running. This will coordinate the work between two machines / servers.

This can be checked and started by going to Windows Services.

2. Properly configuring the security of DTC.

To make the DTC service work properly, it should be given permission as required. This can be done by opening the Component Services window. In the component services window, navigate to Component Services –> Computers –> My Computer –> Distributed Transaction Coordinator. Right click Local DTC and click on Properties to open properties window.

If you are intending to run any workloads with transactions via any external servers you should enable “Network DTC Access”.

Depending on the situation you should allow Inbound, Outbound or both transaction manager communication options.

For complete list of explanations on each property please refer the following URL.

Filtering Results of a Stored Procedure

Recently I needed to filter the results of a Stored Procedure, After some searching I found 2 options for this as below.

1. Using OpenRowSet Command

SELECT * FROM OPENROWSET (‘SQLOLEDB’, ‘Server=ServerName;TRUSTED_CONNECTION=YES;’, ‘EXEC sp_Who2’)

Remember in this method this feature should be enabled in the server.

2. Using Temporary Tables.

— Creating a temporary table.
CREATE TABLE #tblSPWho2
(SPId INT, Status NVARCHAR(200), LoginName NVARCHAR(200), HostName NVARCHAR(200), BlockedBy NVARCHAR(200), DBName NVARCHAR(200),
Command NVARCHAR(200), CPUTime BIGINT, DiskIO BIGINT, LastBatch NVARCHAR(200), ProgramName NVARCHAR(200), SPId2 INT, RequestId NVARCHAR(200))

— Inserting the results of the Stored Procedure into the temporary table.
INSERT INTO #tblSPWho2
EXEC sp_Who2

— Doing the required filtering using the temporary table.
SELECT * FROM #tblSPWho2 WHERE LoginName = ‘Domain\UserName’

— Removing the temporary table.
DROP TABLE #tblSPWho2

SP_Who2 Stored Procedure will bring all the processes that is currently active in SQL server with the relevant information, the above query will filter the results and will only display the processes that are initiated by the given username (Domain\UserName).

It is an error to use a section registered as allowDefinition=’MachineToApplication’ beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

Today a friend of mine started getting this error while he tried to deploy his solution to a server. This only started when ‘Precompiling during publishing’ option is selected.

“Error 20 It is an error to use a section registered as allowDefinition=’MachineToApplication’ beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.”

After having a look, I identified this was caused by a temporary copy of a Web.Config file. Earlier developer created a copy of the Web.Config and placed it inside a folder named Backup within the solution. This backup config file had authentication tag (<authentication>), which is a tag that can be only used in global Web.Config file or the Web.Config file in applications root. Due to the presence of authentication tag, compiler started complaining that there is a virtual directory not configured as a application in IIS.

The solution for my friend’s issue was to simply exclude the copy of the Web.Config file from project by right clicking the file. Then the project started deploying happily.

SQL – The target principal name is incorrect. Cannot generate SSPI context.

Recently in one of my Virtual Machine (VM)s I received the above error message when trying to connect to a SQL Server which I used to connect on other times.

After having a look I found that the trust between my virtual machine and the domain was broken. You can find the status of the secure channel by using the PowerShell command Test-ComputerSecureChannel.

This will also be evident when you try to login to the computer using a domain account. It will generate the following message.

To fix this you can try using the below methods.

1. PowerShell

Use the command Test-ComputerSecureChannel.

If your current login has the required access in the domain you can use the below command.

Test-ComputerSecureChannel –Repair

If you need to use another account than the current logged user then you need to use the –Credential parameter when calling the command.

Test-ComputerSecureChannel –Repair –Credential MyDomain\MyUser

2. Joining the domain again.

This will also get fixed by removing the machine from the domain and adding it back. Before removing the computer from the domain make sure you have access to a local administrator account on the computer. Otherwise you will not have a way to login to the computer.

This can be achieved by going to computer system properties,

1. removing the computer from the current domain,
2. restarting the computer.
3. adding the computer to the domain again
4. restarting the computer

To avoid the two restarts you can try using the following PowerShell commands.

$myPC = Get-WmiObject Win32_ComputerSystem
$myPC.UnjoinDomainOrWorkGroup("Account Password", "Account Username”, 0)
$myPC.JoinDomainOrWorkGroup("Domain", "Account Password", "Account Username", $null, 3)
Restart-Computer -Force

Open Live Writer – Plugin Not Working

While trying to setup and use the Code Plugin by Rich Hewlett I had trouble getting the plugin loaded into Live Writer. I did add the registry entry required as mentioned in the site, but still the plugin did not load.

Registry

Location – HKEY_CURRENT_USER\SOFTWARE\OpenLiveWriter\PluginAssemblies

Key – SyntaxHighlight_WordPressCom_OLWPlugIn

Value – C:\Users\Arjuna\AppData\Local\OpenLiveWriter\Plugins\SyntaxHighlight_WordPressCom_OLWPlugIn.dll

After a while I figured out that, when loading the plugin Live Writer encounters the following error.

"System.IO.FileLoadException: Could not load file or assembly ‘file:///C:\Users\Arjuna\AppData\Local\OpenLiveWriter\Plugins\SyntaxHighlight_WordPressCom_OLWPlugIn.dll’ or one of its dependencies. Operation is not supported. (Exception from HRESULT: 0x80131515)
File name: ‘file:///C:\Users\Arjuna\AppData\Local\OpenLiveWriter\Plugins\SyntaxHighlight_WordPressCom_OLWPlugIn.dll’ —> System.NotSupportedException: An attempt was made to load an assembly from a network location which would have caused the assembly to be sandboxed in previous versions of the .NET Framework. This release of the .NET Framework does not enable CAS policy by default, so this load may be dangerous. If this load is not intended to sandbox the assembly, please enable the loadFromRemoteSources switch. See http://go.microsoft.com/fwlink/?LinkId=155569 for more information.

This is due to a security feature of .Net Framework 4 or later. Before framework 4, if a DLL is downloaded (which is created in another computer), they used to run in full trust in the zone the assembly is running, but with frameworks 4 and later, downloaded DLLs will not run by default. To make them run, simply grant the DLL full access by going to file properties and selecting the Unblock checkbox in the security section as seen in the below image. This will apply to any plugin you download from internet. Also keep in mind to do this to DLLs you trust safe. Otherwise your computer will be unsafe.

To troubleshoot plugin and other errors you can refer to Open Live Writer log file located in C:\Users\Arjuna\AppData\Local\OpenLiveWriter\Open Live Writer.log.

Monitoring Windows Services using PowerShell

Recently I was interested in finding a way to monitor a windows service. What I needed was to check whether the service is running and if not running get a notification and try to restart the service. Following PowerShell script does exactly that, it checks for Microsoft CRM Asynchronous Service and the Microsoft CRM Asynchronous Maintenance Service activity and send 2 emails to Admin and Dev. This needs to be then scheduled using Windows Task Scheduler or SQL Server Job.

### Checking for CRM Async and Maintenance service failure and try restarting, if failing send an email notification.

 

## Function to send mail notification.

function Send_Email ([string]$strEmailSubject, [string]$strEmailBody)

{

       $EmailFrom = "Arjuna@Email.com"

       $EmailTo = "Admin@Email.com, Dev@Email.com"

       $EmailSubject = $strEmailSubject

       $EmailBody = $strEmailBody

       $EmailSMTPServer = "SMTP.server.com"

       ## Creating Mail Message object.

       $SMTPMessage = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTo, $EmailSubject, $EmailBody

       ## Enabling HTML mail body.

       $SMTPMessage.IsBodyHtml = $true

       ## Creating SMTP client object.

       $SMTPClient = New-Object System.Net.Mail.SMTPClient $EmailSMTPServer

       ## Sending mail.

       $SMTPClient.Send($SMTPMessage)

       ## Sending mail method 2.

       ##send-mailmessage -from "Arjuna@Email.com" -to "Admin@Email.com, Dev@Email.com" -subject "CRM Async Service Failed" -body "Please check." -smtpserver "SMTP.server.com"

       ## Sending mail method 2 using parameters.

       ##send-mailmessage -from $EmailFrom -to $EmailTo -subject $EmailSubject -body $EmailBody -smtpserver $EmailSMTPServer

}

 

## Function to check the service activity.

function Check_Service

{

       ## Get all services which has a Name like MSCRMAsyncService, Start Mode is Auto and service State is Running.

       $FailedAsyncService = Get-WmiObject Win32_Service | Where-Object {$_.Name -like ‘MSCRMAsyncService’ -and $_.StartMode -eq ‘Auto’ -and $_.State -ne ‘Running’} | Select-Object DisplayName

       ## For Testing.

       ##Write-Host "A: " $FailedAsyncService

 

       ## Get all services which has a Name like MSCRMAsyncService$maintenance, Start Mode is Auto and service State is Running.

       $FailedAsyncMainteService = Get-WmiObject Win32_Service | Where-Object {$_.Name -like ‘MSCRMAsyncService$maintenance’ -and $_.StartMode -eq ‘Auto’ -and $_.State -ne ‘Running’} | Select-Object DisplayName

       ## For Testing.

       ##Write-Host "B: " $FailedAsyncMainteService

 

       ## Checking whether the Async Service has failed.

       if ($FailedAsyncService -ne $NULL)

       {

              ## Trying to start the failed Async Service.

              Start-Service -displayname "Microsoft Dynamics CRM Asynchronous Processing Service"

              ## Service Name can also be used to start the servie.

              ##Start-Service MSCRMAsyncService

              ## Get all services which has a Name like MSCRMAsyncService, Start Mode is Auto and service State is Running.

              $AsyncServiceStarted = Get-WmiObject Win32_Service | Where-Object {$_.Name -like ‘MSCRMAsyncService’ -and $_.StartMode -eq ‘Auto’ -and $_.State -ne ‘Running’} | Select-Object Name

              ## Checking the service to see whether it started.

              if ($AsyncServiceStarted -ne $NULL)

              {

                     ## Calling Send_Mail function to notify.

                     Send_Email ("CRM Async Service Failed.") ("System has detected that the following CRM Async Service has failed. System automatically tried restarting the service but it was unsuccessful. Try manual start. <BR/><BR/>" + $FailedAsyncService)

              }

              else

              {

                     ## Calling Send_Mail function to notify.

                     Send_Email ("CRM Async Service Restarted.") ("System has detected that the following CRM Async Service has failed. System automatically tried restarting the service and it was successful. <BR/><BR/>" + $FailedAsyncService)

              }

       }

 

       ## Checking whether the Async Maintenance Service has failed.

       if ($FailedAsyncMainteService -ne $NULL)

       {

              ## Trying to start the failed Async Maintenance Service.

              Start-Service -displayname "Microsoft Dynamics CRM Asynchronous Processing Service (maintenance)"

              ## Get all services which has a Name like MSCRMAsyncService$maintenance, Start Mode is Auto and service State is Running.

              $AsyncMainteServiceStarted = Get-WmiObject Win32_Service | Where-Object {$_.Name -like ‘MSCRMAsyncService$maintenance’ -and $_.StartMode -eq ‘Auto’ -and $_.State -ne ‘Running’} | Select-Object Name

              ## Checking the service to see whether it started.

              if ($AsyncMainteServiceStarted -ne $NULL)

              {

                     ## Calling Send_Mail function to notify.

                     Send_Email ("CRM Async Service Failed.") ("System has detected that the following CRM Async Service has failed. System automatically tried restarting the service but it was unsuccessful. Try manual start. <BR/><BR/>" + $FailedAsyncMainteService)

              }

              else

              {

                     ## Calling Send_Mail function to notify.

                     Send_Email ("CRM Async Service Restarted.") ("System has detected that the following CRM Async Service has failed. System automatically tried restarting the service and it was successful. <BR/><BR/>" + $FailedAsyncMainteService)

              }

       }

}

 

## Calling the Check_Service function.

Check_Service

Changing Registry Key Values using PowerShell

As you may be knowing, you can use Windows PowerShell to change registry values. In this article I am going to do five things.

I have created few registry entries to use in this example as seen below. In real world you can use whatever entries in your registry. It is always advisable to backup your registry before changing it.

1. Set a registry key value.

To set a value you need to use the “Set-ItemProperty” cmdlet as below.

Set-ItemProperty -Path "HKLM:\Software\Test\Live" -Name "TestValue2" –Value “TestData2”

Above command will put “TestData2” in the registry key “TestValue2” located in HKEY_LOCAL_MACHINE\Software\Test\Live.

2. Read a registry key value.

Reading from the registry can be done by using the cmdlet “Get-ItemProperty”.

Below command will get the value in the “TestValue1” key.

Get-ItemProperty -Path "HKLM:\Software\Test\Live" -Name "TestValue1"

3. Using variables in PowerShell.

Here I am going to read a registry key value and put it to another registry key. This can be done using a variable. First you need to read the value into a variable using the “Get-ItemProperty” cmdlet and that value can be saved using the “Set-ItemProperty” cmdlet.

1. # Check for the existance of the registry key.
2. IF (Get-ItemProperty -Path “HKLM:\Software\Test\Live” -Name “TestValue1” -ea 0)
3. {
4.     # Fetching the value from TestValue1.
5.     $OldValue = Get-ItemProperty -Path “HKLM:\Software\Test\Live” -Name “TestValue1”
6. }
7. ELSE
8. {
9. # Inserting a blank, if the registry key is not present.
10.     $OldValue = “”
11. }
13. # Printing the value in the variable.
14. Write-Host $OldValue.TestValue1
16. # Setting the value to TestValue2.
17. Set-ItemProperty -Path “HKLM:\Software\Test\Live” -Name “TestValue2” -Value $OldValue.TestValue1

4. Working with registry keys with spaces.

In case your registry keys contain spaces, you need to use double quotes in your script as seen below.

1. # Check for the existance of the registry key.
2. IF (Get-ItemProperty -Path “HKLM:\Software\Test\Live” -Name “Test Value 1” -ea 0)
3. {
4.     # Fetching the value from Test Value 1.
5.     $OldValue = Get-ItemProperty -Path “HKLM:\Software\Test\Live” -Name “Test Value 1”
6. }
7. ELSE
8. {
9.     # Inserting a blank, if the registry key is not present.
10.     $OldValue = “”
11. }
13. # Printing the value in the variable.
14. Write-Host $OldValue.“Test Value 1”
16. # Setting the value to Test Value 2.
17. Set-ItemProperty -Path “HKLM:\Software\Test\Live” -Name “Test Value 2” -Value $OldValue.“Test Value 1”

 

5. Saving PowerShell commands as scripts and running them.

Both above can be saved as a PowerShell script by saving it in a file with the extension ps1. For example I did save it as “ChangeReg.ps1” in my C drive inside the folder “new”. Then the script can be run by browsing to the folder and using the command “.\ChangeReg.ps1”.

After the script is run my registry keys looked like this.

In case you need to retrieve values from other registry hives (locations), following table may be helpful.

	Registry Hive	Abbreviation
1.	HKEY_CLASSES_ROOT	HKCR
2.	HKEY_CURRENT-USER	HKCU
3.	HKEY_LOCAL_MACHINE	HKLM
4.	HKEY_USERS	HKU
5.	HKEY_CURRENT_CONFIG	HKCC

 

In case you need to read more on “Get-ItemProperty” and “Set-ItemProperty”, use the links to visit official documentation from Microsoft TechNet.

Deleting Service Application Pools in SharePoint 2010

Recently while deleting a service application my system got unresponsive and while trying to create the service application again i constantly got the following error.

“An unhandled exception occurred in the user interface.Exception Information: An object of the type Microsoft.SharePoint.Administration.SPIisWebServiceApplicationPool named "SearchServiceApplication" already exists under the parent Microsoft.SharePoint.Administration.SPIisWebServiceSettings named "SharePoint Web Services". Rename your object or delete the existing object.”

This seems to be happening because one of the service application pools were not removed while deleting the service application. This can be removed by using PowerShell.

First load the SharePoint 2010 Management Shell by navigating to Start –> Microsoft SharePoint 2010 Products –> SharePoint 2010 Management Shell.

Then use the “Get-SPServiceApplicationPool” command to view all the existing service application pools.

Get-SPServiceApplicationPool

Now use the “Remove-SPServiceApplicationPool -Identity SearchServiceApplicationPoolName” command to remove the service application you want removed. If the service application pool’s name is having spaces remember to use double quotes.

Remove-SPServiceApplicationPool -Identity SearchServiceApplicationPool1

PowerShell will ask to confirm the deletion, after confirming the action, it will remove the service application pool.

Microsoft.Ace.OLEDB.12.0 Provider Not Registered

Recently while trying to import some data from Excel onto SQL on a new machine I got the following error at SQL Server Import and Export Wizard Step 2. After doing some searching found the solution is to install Office 2007 Data Connectivity Components System Driver.

If you need to  get it fixed use the following link to get it from Microsoft Download Center.

http://www.microsoft.com/en-us/download/details.aspx?id=23734