Last week I was working on CRM 2016 On-Premise Organizations to set up production environment. There was an existing Organization which I was trying to correct. When I browse the organization, it always comes up with error message that user doesn’t have permissions. I can see below message in Event Log as well under Classic ASP.Net as a warning not as an error.

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 9/22/2017 3:03:23 PM
Event time (UTC): 9/22/2017 5:03:23 AM
Event ID: c56d8ed0a4b24a51a3f9d9c88c8064d4
Event sequence: 17
Event occurrence: 7
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT-1-131505292265306633
Trust level: Full
Application Virtual Path: /
Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
Machine name: machine name

Process information:
Process ID: 3728
Process name: w3wp.exe
Account name: account name

Exception information:
Exception type: CrmException
Exception message: SecLib::RetrievePrivilegeForUser failed – no roles are assigned to user. Returned hr = -2147209463, User: 26a4ea76-3a9c-e711-80ec-0050568128c0
at Microsoft.Crm.Application.Platform.ServiceCommands.PlatformCommand.XrmExecuteInternal()
at Microsoft.Crm.Application.Platform.ServiceCommands.RetrieveMultipleCommand.Execute()
at Microsoft.Crm.Application.Caching.CustomResourceLoader.GetCustomResources(IOrganizationContext context, Int32 cacheKey)
at Microsoft.Crm.Application.Caching.CustomResourceLoader.LoadCacheData(Int32 key, IOrganizationContext context)
at Microsoft.Crm.Caching.CrmMultiOrgCacheBase`2.LookupEntry(TKey key, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.CustomResourceManager.TryGetCustomString(String name, CultureInfo culture, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.CustomResourceManager.TryGetCultureString(String name, CultureInfo culture, IOrganizationContext context)
at Microsoft.Crm.Application.ResourceManager.BasicResourceManager.GetCultureString(String name, CultureInfo culture, IOrganizationContext context)
at Microsoft.Crm.Controls.Header..ctor(Boolean isControlHeader)
at Microsoft.Crm.Controls.BasicHeader..ctor()
at Microsoft.Crm.Application.Controls.AppHeader..ctor()
at ASP.prdetams_default_aspx.__BuildControlcrmHeader()
at ASP.prdetams_default_aspx.__BuildControlTree(prdetams_default_aspx __ctrl)
at ASP.prdetams_default_aspx.FrameworkInitialize()
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Upon investigating found that Service Account under which CRMAppPool in Internet Information Services was added as a user in CRM. This crashes CRM from displays permission issue.

There is a Microsoft article (here) on this however it doesn’t provide any solutions. However to resolve the issue,

1. Login into CRM Servers as a Domain Administrator
2. Open Deployment Manager
3. Disable the Organization and then Delete the Organization from Deployment Manager Console.
4. Import Organization and make sure you select import users manually.
5. While importing, change the mapping of CRMAppPool account to a different Account.

This should resolve the issue and you would be able to browse CRM Organization.