Aram Ahmad

Reputation: 45

The security ID structure is invalid

I'm trying to install CRM on a server, but I'm getting this error: System.Exception: Action Microsoft.Crm.Setup.Server.GrantAspNetServiceAccountAccessAction failed. ---> System.Runtime.InteropServices.COMException: The security ID structure is invalid. Any help?

I have tried: reinstalling my server, closing the server with my SQL.

Upvotes: 4

Views: 7886

Answers (2)

Simon Nielsen

Reputation: 46

The problem has been found and solved.

The problem lies in the administrator being member of many AD groups.

The solution:

  1. Open regedit
  2. Browse to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
  3. Create new DWORD named MaxTokenSize
  4. Set value data to 65535 (Decimal)
  5. Close regedit and reboot server

Cause:

The user cannot authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original release version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Windows Server 2003, the MaxTokenSize value is 12,000 bytes.

Kerberos uses the Privilege Attribute Certificate (PAC) field of the Kerberos packet to transport Active Directory Group membership. Starting with Windows Server 2012, this also applies to the Active Directory Claims information (Dynamic Access Control) field. If there are many group memberships for the user, and if there are many claims for the user or the device that is being used, these fields can occupy lots of space in the packet.

If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. Therefore, users cannot authenticate, and they may receive an "out of memory" error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.

Upvotes: 3
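A read-only check to run before making the registry change in the answer above, added here as an example and not part of the original answer: it reads the current MaxTokenSize and estimates the logged-on user's token size from the 40-bytes-per-group figure quoted above. The function names, the 1200-byte overhead (taken from Microsoft's published estimate formula, not from this page) and the 12000-byte fallback default are assumptions.

```powershell
# Added example: reads the registry and the current token only, changes nothing.
param(
    # Assumption: value used when MaxTokenSize is not set in the registry.
    # 12000 is the Windows Server 2003 figure quoted above; adjust for your OS.
    [int]$DefaultMaxTokenSize = 12000,
    # Assumption: fixed overhead from Microsoft's published estimate formula.
    [int]$OverheadBytes = 1200,
    # Worst-case per-group cost quoted in the answer above.
    [int]$BytesPerGroup = 40
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-EffectiveMaxTokenSize {
    # Returns the configured MaxTokenSize, or the fallback default if absent.
    $value = $null
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -Name MaxTokenSize `
                  -ErrorAction SilentlyContinue).MaxTokenSize
    }
    if ($null -eq $value) {
        return [pscustomobject]@{ Bytes = $DefaultMaxTokenSize; Source = 'default (not set)' }
    }
    [pscustomobject]@{ Bytes = [int]$value; Source = 'registry' }
}

function Get-TokenSizeEstimate {
    # Groups comes from the logon token, so it also counts local and
    # well-known SIDs; the result is a deliberate over-estimate.
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groupCount = @($identity.Groups).Count
    [pscustomobject]@{
        User           = $identity.Name
        GroupCount     = $groupCount
        EstimatedBytes = $OverheadBytes + ($BytesPerGroup * $groupCount)
    }
}

$limit    = Get-EffectiveMaxTokenSize
$estimate = Get-TokenSizeEstimate

"{0}: {1} groups, estimated token {2} bytes" -f `
    $estimate.User, $estimate.GroupCount, $estimate.EstimatedBytes
"MaxTokenSize: {0} bytes ({1})" -f $limit.Bytes, $limit.Source

if ($estimate.EstimatedBytes -ge $limit.Bytes) {
    Write-Warning 'Estimated token size reaches MaxTokenSize; authentication may fail.'
}
```

Run it as the account that performs the installation, since the group count is taken from the current logon token.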

Conor Gallagher

Reputation: 1499

Sounds like you're trying to install this on a server logged in as a user that doesn't have the required permissions. Taken from MS Dynamics on Technet:

Required for installation of Dynamics CRM 2011

  • Domain administrator

If you cannot be domain administrator the following privileges are required:

  • Member of Active Directory Domain Users
  • Permissions to create security groups in Active Directory (alternatively you can ask an administrator to pre-create the required security groups; you must then install Microsoft Dynamics CRM 2011 from the command line specifying a configuration file).
  • Member of the Administrators group on the computer where you install the CRM
  • Read and write permissions on the folder 'Program Files' on that computer
  • Member of the Administrators group on the computer where SQL Server is installed
  • SQL Server sysadmin.
  • Reporting Services:
    • Content Manager root level
    • System administrator for site-wide SSRS

Tip:

To find out what security groups the logged in user belongs to open up a command prompt and run the following command:

gpresult /V

Upvotes: 0
