CRM 2011 How to fix NET.TCP issue when .NET is re-installed

We recently had a client who re-installed the .NET framework on a CRM 2011 server which caused major issues with the Asynchronous and Sandbox services.

Error was: “The service endpoint failed to listen on the URI ‘net.tcp://localhost/CRMSandboxSdkListener-CrmAsyncService’ because access was denied. Verify that the current user is granted access in the appropriate allowAccounts section of SMSvcHost.exe.config”

What seemed to have happened is when the framework is re-installed it wiped security settings that were added by the CRM installer.

A normal SMSvcHost.exe.config has the following append to the bottom of it.

    <system.serviceModel.activation>
        <net.tcp>
            <allowAccounts>
                <add securityIdentifier="service.account.1 SID" />
                <add securityIdentifier="service.account.2 SID" />
                <add securityIdentifier="service.account.3 SID" />
            </allowAccounts>
        </net.tcp>
    </system.serviceModel.activation>

The tricky part is getting the SID of each service account. To get the SID of each CRM service account run the following powershell command:

PS C:\Users\someaccount> [wmi]"win32_userAccount.Domain=’domain’,Name=’service account’”

Once you have the result take the SID and add it to the SMSvcHost.exe.config, save and close, then reboot the server. Or restart the .NET TCP Port Sharing service along with all CRM Services as well as ASP.NET and you’re now fixed!