We have Dynamics CRM 4 update rollup 6 configured as an IFD and have set the UserRootPath using the deployment configuration tool. Adding users through the CRM interface works perfectly. However, when trying to add a user through the CrmService API, the user is not added and we get the trace message included below. Adding users through the CrmService API works if we remove the UserRootPath setting from the organization. The path appears to be correct, works within other LDAP tools, and the user is within the specified OU. We are using the path "LDAP://dcserver/OU=testorg;OU=Hosting;DC=domain;DC=local".
[2009-09-29 13:19:54.7] Process: w3wp |Organization:---- |Thread: 9 |Category: Platform.Sdk |User: ---- |Level: Error | CompositeSoapExtensionExceptionHandler.Handle
>CrmSoapExtension detected CrmException: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at System.DirectoryServices.DirectorySearcher.FindOne()
   at Microsoft.Crm.ObjectModel.SystemUserServiceInternal`1.CheckUserUnderRootPath(String domainAccountName, ExecutionContext context)
   at Microsoft.Crm.ObjectModel.SystemUserServiceInternal`1.CreateInternal(Guid organizationId, IBusinessEntity systemuser, ExecutionContext context)
   at Microsoft.Crm.ObjectModel.SystemUserServiceInternal`1.Create(IBusinessEntity systemuser, ExecutionContext context)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Web.Services.Protocols.LogicalMethodInfo.Invoke(Object target, Object[] values)
   at Microsoft.Crm.Extensibility.InternalOperationPlugin.Execute(IPluginExecutionContext context)
   at Microsoft.Crm.Extensibility.PluginStep.Execute(PipelineExecutionContext context)
   at Microsoft.Crm.Extensibility.Pipeline.Execute(PipelineExecutionContext context)
   at Microsoft.Crm.Extensibility.MessageProcessor.Execute(PipelineExecutionContext context)
   at Microsoft.Crm.Extensibility.InternalMessageDispatcher.Execute(PipelineExecutionContext context)
   at Microsoft.Crm.Extensibility.ExternalMessageDispatcher.Execute(String messageName, Int32 primaryObjectTypeCode, Int32 secondaryObjectTypeCode, PropertyBag fields, CorrelationToken correlationToken, CallerOriginToken originToken, UserAuth userAuth, Guid callerId)
   at Microsoft.Crm.Sdk.RequestBase.Process(Int32 primaryObjectTypeCode, Int32 secondaryObjectTypeCode, CorrelationToken correlationToken, CallerOriginToken originToken, UserAuth userAuth, Guid callerId)
   at Microsoft.Crm.Sdk.RequestBase.Process(CorrelationToken correlationToken, CallerOriginToken originToken, UserAuth userAuth, Guid callerId)
   at Microsoft.Crm.Sdk.CrmServiceInternal.Execute(RequestBase request, CorrelationToken correlationToken, CallerOriginToken originToken, UserAuth userAuth, Guid callerId)
   at Microsoft.Crm.Sdk.Crm2007.CrmService.Execute(Request request)
   --- End of inner exception stack trace ---
The 0x80072020 error is related to a generic "Access Denied" in AD.
Depending on your configuration, you could try to pinpoint the issue by modifying the following:
1) Grant the "delegate" option to the application pool user using Active Directory Users and Computers.
2) Add a web.config to the MSCRMServices folder and turn impersonation on such as:
<identity impersonate="true" userName="mydomain\bob" password="builder" />
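To separate a path or permission problem from an identity problem, the bind in the trace (DirectorySearcher.FindOne on the UserRootPath) can be reproduced outside CRM. This is an added diagnostic example, not part of the original answer and not CRM's code; the class name, the search filter and the exit codes are assumptions.

```csharp
// Added diagnostic example, not CRM's own code. Reference System.DirectoryServices.dll.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

static class RootPathBindCheck
{
    // Escape LDAP filter metacharacters (RFC 4515) in the account name.
    static string EscapeFilter(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.AppendFormat("\\{0:x2}", (int)c);
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Usage: RootPathBindCheck.exe <UserRootPath> <sAMAccountName>
    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: <rootPath> <account>"); return 2; }
        // No credentials are passed, so the bind uses the identity of this process.
        Console.WriteLine("Binding as: " + WindowsIdentity.GetCurrent().Name);
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(args[0]))
            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                // Assumed filter; the one CRM uses is not shown on the page.
                searcher.Filter = "(sAMAccountName=" + EscapeFilter(args[1]) + ")";
                searcher.SearchScope = SearchScope.Subtree;
                SearchResult hit = searcher.FindOne(); // FindOne -> Bind, as in the trace
                Console.WriteLine(hit == null ? "Bound, user not under root path"
                                              : "Found: " + hit.Path);
                return hit == null ? 1 : 0;
            }
        }
        catch (COMException ex) // DirectoryServicesCOMException derives from this
        {
            // 0x80072020 here reproduces the failure from the trace.
            Console.WriteLine("Bind failed: 0x{0:X8} {1}", ex.ErrorCode, ex.Message);
            return 3;
        }
    }
}
```

Run it on the CRM server as the application pool account. If the bind succeeds there while the CrmService call still fails, that points to the identity in effect during the web service call rather than to the path or the account's directory permissions.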
User contributions licensed under CC BY-SA 3.0