Recently I worked with a customer that encountered the error message “Scheduling reports on behalf of other users is prohibitted” when they tried to schedule reports in CRM 2011. After some troubleshooting we found the error was happening because the account running their CRMAppPool was also a CRM User. It is a against best practices to run the CRM application pool as an account which is also a CRM user. The knowledge base article KB2593042 provides some other issues which may happen if CRM is configured in this way.
Below are the options available to resolve the issue. To avoid reconfiguring the application pool and service principal names we opted to change the CRM user to another Active Directory user account. After making this change the users could schedule reports without any issues.
Resolution 1: Change the CRMAppPool user account to a new Active Directory user account. Click here for steps on changing the CRMAppPool account.
Resolution 2: Change the CRM user to a new Active Directory user account which is not tied to any CRM services.
a. Open Microsoft Dynamics CRM 2011 as a System Administrator user.
b. Click Settings, click Administration, click Users, and then open the user record that you want to change.
c. In the Domain Logon Name box, type an Active Directory user account that is not used by a Microsoft Dynamics CRM 2011 user record.
Note: The word “prohibited” is misspelled in the actual error message. This misspelling should be addressed in a future Update Rollup.
CRM Stack Trace Error: Crm Exception: Message: Scheduling reports on behalf of other users is prohibitted., ErrorCode: -2147220970, InnerException: Microsoft.Crm.CrmException: Scheduling reports on behalf of other users is prohibitted.
CRM Stack Trace Error:
Crm Exception: Message: Scheduling reports on behalf of other users is prohibitted., ErrorCode: -2147220970, InnerException: Microsoft.Crm.CrmException: Scheduling reports on behalf of other users is prohibitted.
at Microsoft.Crm.ObjectModel.ReportServiceInternal`1.CreateSchedule(Guid originalReportId, String scheduleXml, String parameterXml, String scheduledReportName, ExecutionContext context)
Please refer to the CRM Implementation Guide (http://technet.microsoft.com/en-us/library/hh367322.aspx) for setting up service accounts.
- We strongly recommend that you select a low-privilege domain account that is dedicated to running these services and is not used for any other purpose. Additionally, the user account that is used to run a Microsoft Dynamics CRM service cannot be a Microsoft Dynamics CRM user. This domain account must be a member of the Domain Users group. Additionally, if the Asynchronous Service and Sandbox Processing Service roles are installed, such as in a Full Server or a Back End Server installation, the domain account must a member of the Performance Log Users security group.