While trying to enable and test the mailbox of a user, I got the following error message:
Appointments, contacts, and tasks can't be synchronized for the mailbox *** because the mailbox user doesn't have sufficient permissions on this mailbox. Email Server Error Code: Crm.80048306.Not enough privilege to access the Microsoft Dynamics 365 object or perform the requested operation.
The following message appears in the details:
T:790 ActivityId: 853c1ac9-7b2a-42f1-aa3c-7ddf392ee825
>Exception : Unhandled Exception: Microsoft.Crm.CrmSecurityException: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 00000000-0000-0000-0000-000000000000, OwnerId: 0b89575a-c7da-e511-80d7-005056a25129, OwnerIdType: 8 and CallingUser: 00000000-0000-0000-0000-000000000000. ObjectTypeCode: 4120, objectBusinessUnitId: 828b64c8-6918-e811-910c-005056a27e36, AccessRights: WriteAccess
   at Microsoft.Crm.BusinessEntities.SecurityLibrary.AccessCheckEx2(ExecutionContext context, SecurityPrincipal principal, SecurityPrincipal ownerPrincipal, Guid objectId, Int32 objectTypeCode, Guid objectBusinessUnitId, AccessRights rights)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncUtility.HasExchangeSyncIdMappingAccess(Guid userId, Int32 userIdTypeCode, IACTProviderContext orgContext)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncWorker.PerformPreMailboxSyncChecks()
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeS...
Checking the traces on the backend server, I got the following error message:
>Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 00000000-0000-0000-0000-000000000000, OwnerId: 0b89575a-c7da-e511-80d7-005056a25129, OwnerIdType: 8 and CallingUser: 00000000-0000-0000-0000-000000000000. ObjectTypeCode: 4120, objectBusinessUnitId: 828b64c8-6918-e811-910c-005056a27e36, AccessRights: WriteAccess , ErrorCode: -2147187962
[2018-04-18 06:34:10.508] Process:CrmAsyncService |Organization:11c36b53-f478-e711-90fd-005056a25a34 |Thread: 790 |Category: ExchangeSync |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: 00000000-0000-0000-0000-000000000000 |ActivityId: 853c1ac9-7b2a-42f1-aa3c-7ddf392ee825 | EmailConnectorTraceHandler.EmailConnectorTraceFormat ilOffset = 0x13E
>User 0b89575a-c7da-e511-80d7-005056a25129 does not have write access to ExchangeSyncIdMapping.
[2018-04-18 06:34:10.509] Process:CrmAsyncService |Organization:11c36b53-f478-e711-90fd-005056a25a34 |Thread: 790 |Category: ExchangeSync |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: 00000000-0000-0000-0000-000000000000 |ActivityId: 853c1ac9-7b2a-42f1-aa3c-7ddf392ee825 | EmailConnectorTraceHandler.EmailConnectorTraceFormat ilOffset = 0x13E
>Exchange sync worker for the mailbox is failed/terminated : {95CA491B-4134-E811-9111-005056A27E36}. Exception details : Unhandled Exception: Microsoft.Crm.CrmSecurityException: SecLib::AccessCheckEx failed. Returned hr = -2147187962, ObjectID: 00000000-0000-0000-0000-000000000000, OwnerId: 0b89575a-c7da-e511-80d7-005056a25129, OwnerIdType: 8 and CallingUser: 00000000-0000-0000-0000-000000000000. ObjectTypeCode: 4120, objectBusinessUnitId: 828b64c8-6918-e811-910c-005056a27e36, AccessRights: WriteAccess
> at Microsoft.Crm.BusinessEntities.SecurityLibrary.AccessCheckEx2(ExecutionContext context, SecurityPrincipal principal, SecurityPrincipal ownerPrincipal, Guid objectId, Int32 objectTypeCode, Guid objectBusinessUnitId, AccessRights rights)
> at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncUtility.HasExchangeSyncIdMappingAccess(Guid userId, Int32 userIdTypeCode, IACTProviderContext orgContext)
> at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncWorker.PerformPreMailboxSyncChecks()
> at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncWorker.Initialize()
> at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeSyncWorker.SynchronizeACTs()
The error message shows that the access check failed for ObjectTypeCode 4120, and the trace states the cause directly: “User 0b89575a-c7da-e511-80d7-005056a25129 does not have write access to ExchangeSyncIdMapping”.
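To triage this kind of failure from a trace file, the fields of the `SecLib::AccessCheckEx failed` message can be pulled out and deduplicated. This is an added example, not code from the original post; the sample text is constructed from the trace above, and the function and field names are my own.

```python
import re

# Constructed sample: two messages taken from the trace quoted on this page.
SAMPLE_TRACE = (
    ">Crm Exception: Message: SecLib::AccessCheckEx failed. Returned hr = -2147187962, "
    "ObjectID: 00000000-0000-0000-0000-000000000000, "
    "OwnerId: 0b89575a-c7da-e511-80d7-005056a25129, OwnerIdType: 8 and "
    "CallingUser: 00000000-0000-0000-0000-000000000000. ObjectTypeCode: 4120, "
    "objectBusinessUnitId: 828b64c8-6918-e811-910c-005056a27e36, "
    "AccessRights: WriteAccess , ErrorCode: -2147187962\n"
    ">Exchange sync worker for the mailbox is failed/terminated : "
    "{95CA491B-4134-E811-9111-005056A27E36}. Exception details : Unhandled Exception: "
    "Microsoft.Crm.CrmSecurityException: SecLib::AccessCheckEx failed. "
    "Returned hr = -2147187962, ObjectID: 00000000-0000-0000-0000-000000000000, "
    "OwnerId: 0b89575a-c7da-e511-80d7-005056a25129, OwnerIdType: 8 and "
    "CallingUser: 00000000-0000-0000-0000-000000000000. \n"
    "ObjectTypeCode: 4120, objectBusinessUnitId: 828b64c8-6918-e811-910c-005056a27e36, "
    "AccessRights: WriteAccess\n"
)

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
ACCESS_CHECK = re.compile(
    r"SecLib::AccessCheckEx failed\. Returned hr = (?P<hr>-?\d+), "
    rf"ObjectID: (?P<object_id>{GUID}), "
    rf"OwnerId: (?P<owner>{GUID}), OwnerIdType: (?P<owner_type>\d+) and "
    rf"CallingUser: (?P<caller>{GUID})\.\s+"
    r"ObjectTypeCode: (?P<otc>\d+), "
    rf"objectBusinessUnitId: (?P<bu>{GUID}), "
    r"AccessRights: (?P<rights>\w+)"
)

def parse_access_failures(trace):
    """Return one record per distinct (owner, object type code, right) failure."""
    records = {}
    for m in ACCESS_CHECK.finditer(trace):
        key = (m["owner"].lower(), int(m["otc"]), m["rights"])
        rec = records.setdefault(key, {
            "owner_id": key[0], "object_type_code": key[1], "access_right": key[2],
            # Signed hr as unsigned hex, the form shown in the UI error code.
            "hresult": f"{int(m['hr']) & 0xFFFFFFFF:08X}", "count": 0})
        rec["count"] += 1
    return list(records.values())

if __name__ == "__main__":
    for record in parse_access_failures(SAMPLE_TRACE):
        print(record)
```

The unsigned form of `hr = -2147187962` is `80048306`, the same code the mailbox alert reports as `Crm.80048306`, so the UI error and the backend trace can be correlated on that value.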
To verify the entity, I used the following query to get the name of the entity:
SELECT TOP 1000 [EntityId]
      ,[Name]
      ,[ObjectTypeCode]
FROM [Testsystem_MSCRM].[MetadataSchema].[Entity]
WHERE ObjectTypeCode = '4120'
The result shows that this object type code belongs to the entity ExchangeSyncIdMapping.
Checking the security roles, I wasn’t able to find this entity in order to define its privileges for the users. Searching the web, I found a Microsoft article that described the privileges of this entity, but it gave no information on how to set these privileges.
After some searching, I found out that the default roles have different privileges set in the background. I added the Sales Manager role to a new solution and exported it, but the XML listed no privileges. Therefore, I changed one of the entity privileges in the CRM UI and exported the solution again.
Now you can see all privileges of this role. I searched for all ExchangeSyncId privileges and added these 4 entries to my security role (which I had previously exported with a solution), imported it again, and added the security role directly to the user. Now the synchronization is working.
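The copy step described above can be scripted so that only the ExchangeSyncIdMapping privileges move from the exported default role into the custom role, leaving every other privilege level of the custom role as it was. This is an added example, not code from the original post: the two XML snippets are constructed, and the `Role`/`RolePrivileges`/`RolePrivilege` layout with `name` and `level` attributes, the privilege names and the levels are assumptions about what the exported solution XML contains.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for role definitions from two exported solutions
# (assumed layout; privilege names and levels are sample values).
DEFAULT_ROLE = """<Role name="Sales Manager"><RolePrivileges>
  <RolePrivilege name="prvReadAccount" level="Global" />
  <RolePrivilege name="prvCreateExchangeSyncIdMapping" level="Basic" />
  <RolePrivilege name="prvReadExchangeSyncIdMapping" level="Basic" />
  <RolePrivilege name="prvWriteExchangeSyncIdMapping" level="Basic" />
  <RolePrivilege name="prvDeleteExchangeSyncIdMapping" level="Basic" />
</RolePrivileges></Role>"""

CUSTOM_ROLE = """<Role name="Custom Role"><RolePrivileges>
  <RolePrivilege name="prvReadAccount" level="Local" />
</RolePrivileges></Role>"""

def copy_entity_privileges(source_xml, target_xml, entity="ExchangeSyncIdMapping"):
    """Copy only the privileges of `entity` from the source role to the target role.

    Returns (updated target XML, list of privilege names that were added).
    Privileges the target already has are left untouched, so the merge is
    idempotent and never widens an existing privilege level.
    """
    source = ET.fromstring(source_xml)
    target = ET.fromstring(target_xml)
    target_privs = target.find("RolePrivileges")
    if target_privs is None:
        target_privs = ET.SubElement(target, "RolePrivileges")
    existing = {p.get("name") for p in target_privs.iter("RolePrivilege")}
    added = []
    for priv in source.iter("RolePrivilege"):
        name = priv.get("name", "")
        if name.endswith(entity) and name not in existing:
            ET.SubElement(target_privs, "RolePrivilege", dict(priv.attrib))
            added.append(name)
    return ET.tostring(target, encoding="unicode"), added

if __name__ == "__main__":
    merged, added = copy_entity_privileges(DEFAULT_ROLE, CUSTOM_ROLE)
    print("added:", added)
    print(merged)
```

Reviewing the returned list of added names before importing the solution confirms that the custom role gained exactly the sync-mapping entries and nothing else from the default role.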