No matter how tempting it is to skip creating a new user, especially during a "Proof of Concept" or testing period, do not add the CRMAppPool user as a Dynamics CRM SystemUser. Doing so breaks the system. It is worse in a multi-tenant environment, where the time required for the repair can put your SLA at risk: all of your CRM services will break and show the following error:
“Missing Dynamics CRM Security Role” – Access to Microsoft Dynamics CRM has not been fully configured for this user. The user needs at least one security role before you can continue.
Microsoft stated: “This behavior is by design. Making the account that is running the CRMAppPool into a Microsoft Dynamics CRM user is not supported.” in this KB article: http://support.microsoft.com/kb/2500917
I did that, so what do I need to do?
1. Create a new AD user to replace the corrupted one.
2. Open Control Panel > Programs and Features
3. Open Microsoft Dynamics CRM Server 2013
4. Select Repair
5. Update the following user configuration with the new AD user
6. Continue the whole repair process (“Next” button spam!).
7. Test that you can access your CRM instances again.
Lesson Learned
Before you start working with Dynamics CRM Server, read through the Implementation Guide carefully: http://www.microsoft.com/en-au/download/details.aspx?id=40322 (in CRMIGv6_Planning.docx, section: Microsoft Dynamics CRM Services and IIS Application Pool Identity Permissions).
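A check you can run before go-live, or after the repair, to confirm that the CRMAppPool identity is not a SystemUser in any organization. This is an added example, not part of the original post or of Microsoft's guidance. It assumes the WebAdministration and SqlServer PowerShell modules are available, that the account running it can read each organization database, and that `SQLSERVER01` and `Contoso_MSCRM` are placeholders for your own SQL instance and organization databases.

```powershell
# Added example: flag the CRMAppPool service account if it exists as a CRM SystemUser.
# Run on the CRM front-end server in an elevated PowerShell session.
Import-Module WebAdministration   # provides the IIS:\ drive
Import-Module SqlServer           # provides Invoke-Sqlcmd

$AppPoolName  = 'CRMAppPool'
$SqlInstance  = 'SQLSERVER01'        # placeholder: your SQL Server instance
$OrgDatabases = @('Contoso_MSCRM')   # placeholder: one <OrgName>_MSCRM database per tenant

# Read the identity the application pool runs under.
$model = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
if ($model.identityType -ne 'SpecificUser') {
    # Built-in identities (for example NetworkService) have no AD account to compare.
    Write-Output "$AppPoolName runs as '$($model.identityType)'; no AD account to check."
    return
}
$identity = $model.userName   # normally stored as DOMAIN\account

# Look for that account in every organization's user table.
# Rows are filtered client-side so the account name is never spliced into SQL text.
$hits = foreach ($db in $OrgDatabases) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db `
                  -Query 'SELECT DomainName, IsDisabled FROM dbo.SystemUserBase' |
        Where-Object { $_.DomainName -eq $identity } |   # -eq is case-insensitive
        ForEach-Object {
            [pscustomobject]@{
                Organization = $db
                DomainName   = $_.DomainName
                IsDisabled   = $_.IsDisabled
            }
        }
}

if ($hits) {
    Write-Warning "$identity is a SystemUser in the organizations below (unsupported per KB 2500917):"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "OK: $identity is not a SystemUser in any checked organization."
}
```

If the application pool identity was entered in UPN form (`account@domain`), convert it to `DOMAIN\account` before comparing, because the comparison above is an exact string match.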