Authentication when you are adding a new user to CRM, or a user to a new Organization in CRM

We have seen a couple of errors such as:

"The specified Active Directory user already exists as a CRM user"

"You are attempting to create a user with a domain logon that is already used by another user. Select another domain logon and try again."

When the user which you are trying to add is not an existing CRM user, or not an existing CRM user in the Organization you are trying to add to.

If you see this type of error, please log a case with the Support team and we will be looking at the following stored procedure and database tables to rectify the issue.

N.B. Please do not make direct database modifications, as this is unsupported.

The stored procedure explained:

There are 3 tables that the stored procedure p_GetCrmUserId checks to authenticate the user from the Domain\LoginName provided.

We will assume that the Admin user is logged in to CRM and adding a new user.





ALTER procedure [dbo].[p_GetCrmUserId] (@OrganizationId uniqueidentifier, @AuthInfo nvarchar(128)) as

The parameters passed are the OrganizationId(of the database the Admin user is currently logged into) and the AuthInfo(the ObjectSID from AD of the user you are trying to add W:S-x-x-xx-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)


set nocount on

select suo.CrmUserId as CrmUserId

from SystemUserOrganizations suo

join SystemUserAuthentication sua on (suo.UserId = sua.UserId)

From the MSCRM_CONFIG database a join is made on the UserId column:
SystemUserAuthentication table UserId column
SystemUserOrganization table UserId column

where sua.AuthInfo = @AuthInfo and suo.OrganizationId = @OrganizationId

The ObjectSID is matched with the value in the AuthInfo column in SystemUserAuthentication table and the OrganizationId of the organization the Admin User is logged in to is matched with the value in the OrganizationId column of the SystemUserOrganization table.

and suo.IsDeleted = 0

and sua.IsDeleted = 0

Confirm the IsDeleted value is not ‘1’ (or ‘True’)in either SystemUserAuthentication or SystemUserOrganization table.


A graphical representation of how the 3 tables correspond to one another, AD and CRM:

AD Explorer:





There will only ever be one row in this table for a user.



There will be one row in this table for EACH Organization the user belongs to




There will be one row in this table in EACH ORG_MSCRM database for each Organization the user belongs to.

Note the DomainName\Login from the above table corresponds to the user we are trying to add in CRM:


Despina Kitsantonis

Senior Support Engineer