Search Results for: email router

CRM 2011 Email Router Setup and Settings

Often with the setup of CRM 2011. Users experience messages about Pending e-mail warning and sometimes email messages are not sending.

This can be especially frustrating as both the CRM email queuing and tracking system and the Email router application are terrible to help you understand exactly what is going on with your CRM e-mail.

We mentioned some of the issues we have experience here:

http://www.interactivewebs.com/blog/index.php/server-tips/crm-2011-email-router-problemsshes-a-fickle-bitch/

Here are some basic setup tips for email in Microsoft CRM 2011

1. Out of the box, CRM does not send email messages. You need to configure an application known as CRM 2011 Email Router to have email messages send.

2. You also need a working SMTP (email server) that is configured to allow the relay of email messages from email accounts at your domain name. This can be achieved with Amazon SES message service or your own servers. We can assist you setup Amazon SES if you need assistance with this.

3. You should install and configure your Email Router. Some notes to help you may include these: http://www.interactivewebs.com/blog//?s=email+router

Recommended email settings in CRM 2011

1. Out of the box. CRM will only be able to send email messages to leads, contacts, and accounts. Until you change this setting found in the Admin / System Settings in CRM.

image

2. Avoid delayed email messages in CRM by Approve Email Address. In the Administration / Users. Go into each user and approve the configured email address.

image

There is a view of users who are Pending Email address approval to help identify who is needing approval.

image

Also uncheck the option for Process emails only for approved users and process email only for approved queues. Administration / System Settings.

image

 

3. Configure users email settings to use the email router for outbound email messages. (optionally inbound configuration too).

image

Our recommendation is to set the outbound processing for the email router. This will allow emails generated by the crm system to be delivered right away via the email router. This also means that you do need to install and configure the email router.

The above settings can be set automatically for all users by the use of a simpler out of the box workflow that runs on create of new users.

image

4. The next setting is recommended. Knowing that email can be tracked in CRM with the outlook client:

image

Email messages can automatically be tracked too.

image

5. The all powerful features of creating contacts in CRM when and email address is not known.

image

This is a great way to automatically get more leads or contacts (depending on your business) in crm. And depending on your business can also be a great way to pollute your crm full of contacts or leads that you don’t want.

Troubleshooting Tips

To troubleshoot an E-mail Router outgoing profile configuration, follow these steps:

  1. Make sure that you follow the incoming profile configuration procedures in the E-mail Router Configuration Manager Help.
  2. For more information about how to configure an incoming profile, see the E-mail Router configuration information in the latest version of the Installing Guide that is included in the Microsoft Dynamics CRM 4.0 Implementation Guide.
  3. Refer to the following sections for information about how to resolve commonly encountered outgoing profile issues.

Test Access error

If there is a problem with your outgoing e-mail configuration, you may receive the following error message when you click Test Access on the E-mail Router Configuration Manager:

“Outgoing status: Failure – An error occurred while checking the connection to e-mail server EXSERVERNAME. The requested address is not valid in its context”

If you receive this message, follow these steps to troubleshoot the problem:

  1. Run a telnet command to verify that connectivity is functioning between the computer that is running CRM Router and the Exchange Server. For example, start the TELNET utility and enter the following command:TELNET EXSERVERNAME PORT
  2. Make sure that you have no antivirus services running on the Exchange Server computer that prevent connection by using port 25.
  3. For information about how to configure the SMTP server to allow relay messages from Microsoft Dynamics CRM, see KB article 915827.

E-mail error when message sent from the Web application

Symptom: When a user sends an e-mail message by using the Web application, the user might receive one of the following messages:

This message has not yet been submitted for delivery. 1 attempts have been made so far.

The message delivery failed. It must be resubmitted for any further processing.

Resolution: For information about how to resolve this issue, see KB article 915827.

Load Data error

When you click Load Data in the E-mail Router Configuration Manager, you receive the following error:

The E-mail Router Configuration Manager was unable to retrieve user and queue information from the Microsoft Dynamics CRM server. This may indicate that the Microsoft Dynamics CRM server is busy. Verify that URL ‘http://OrganizationName‘ is correct. Additionally, this problem can occur if the specified access credentials are insufficient. To try again, click Load Data. (The request failed with HTTP status 404: Not Found.)

To resolve this problem, follow these steps:

  1. Make sure that the user account that is running the E-mail Router Configuration Manager service is a member of the Active Directory PrivUserGroup security group.
  2. The account that is specified in the Access Credentials field on the General tab of the E-mail Router Configuration Manager must be a Microsoft Dynamics CRM administrative user. If the access credentials are set to Local System Account, the computer account must be a member of the Active Directory PrivUserGroup security group.
  3. Make sure that the URL is spelled correctly. The organization name in the URL field is case-sensitive and must be spelled exactly as it appears in the Microsoft Dynamics CRM server. To view the organization name as it appears in the Microsoft Dynamics CRM server, start the Web application. The organization name appears in the upper-right corner of the application window.
  4. The DeploymentProperties table may have incorrect values if you have modified the port or hostheaders on your Web site. To update the DeploymentProperties table see, KB article 950248.

Pending Email warning

image

On the Email Router, configure:

1. Check event view for Email Router related errros

2. Change the send email

3. Restart CRM email Router service

4. Reduce the pooling time and conneciton timeout

image

 

Automatically Resending Failed Email Messages

The Advanced find can be used to find email messages that have not sent. A workflow can also be created to resend messages automatically. However constant failures is going to indicate a problem some other place. So the use of this automatic workflow should not be introduced in place of fixing your sending issues.

Steps to create the workflow to re-send failed e-mails:

1. Create a new Workflow in CRM | Processes on the E-mail entity

image

2. Set the workflow to be Available to Run “As an on-demand process”, Change the scope to Organization and uncheck “Record is created”.  This will make the workflow available to run On-Demand, function for all e-mails in the organization and also not run when every time a new e-mail is created as we just want to use this when needed on specific e-mails.

image

3. Click “Add Step” and choose “Change Status”

image

4. Set the E-mail to a status of “Pending Send”

image

5. Click Save and then Activate in the toolbar.  Click ”OK” to the message to confirm you want to Activate the workflow and then click “Close” on the workflow.

image

Advanced Find to see how many e-mails are in a failed status:

1. Open Advanced Find by clicking the “Advanced Find” button in the CRM ribbon

image

2. Select “E-mail Messages” in the Look For option set and then select “Status Reason” and set it equal to “Failed”. Then click the Results button in the Advanced Find ribbon.

image

3. You can refine the results using the filter criteria from here as well in case you do not want to re-send all of the e-mails. Once you are done, multi-select the e-mails you want to re-send and then click the “Run Workflow” button in the CRM ribbon.

4. Select the e-mail workflow that you created using the steps above and click OK.

The workflow will then run and change the status of all the e-mails you had selected back to “Pending Send”.  This is an asynchronous process, so it may take a few minutes depending on your current asynchronous workload in CRM.  Then the CRM e-mail router will process them again and send them out through SMTP as expected.

Still Need Help?

Here at InteractiveWebs we know how terrible this component of Microsoft CRM is. Actually, in our opinion, it is difficulties like these that really shows Microsoft is not at all interested in giving it’s customers a good experience. Much of the multitude of steps and better monitoring could be fixed with very little effort from Microsoft, yet after years of CRM, much remains the same.

In any case, if you need paid administration assistance to get your email working on your CRM system, be it Cloud Microsoft Hosted, IFD, or On Premises, we are available. Please contact us at: http://www.interactivewebs.com by submitting a support ticket.

CRM 2011 Email Router Problems–She’s a Fickle Bitch

CRM 2011 Email Router Problems–She’s a Fickle Bitch

imageSince we published an extensive set of step by step instructions on how to setup CRM 2011 as an Internet Facing Deployment IFD.

We have continued on to find a few issues with the Email Router Tool that are probably worth sharing.

The Tool Does Not Connect to Exchange 2010 like the CRM 4.0 tool.

We had a previous test environment that included CRM 4.0 and the well patched Email Router Tool. It was talking nicely to Exchange Server 2010 using the Exchange Web Service URL: https://server.domain.com/EWS/Exchange.asmx

In our instance the HTTPS was configured with an service signed certificate that was a trusted provider. In other words. We purchase an expensive certificate and used that for testing a real world deployment. No self signed junk.

That all hummed nicely, but we find that in CRM 2011, the Email Router Incoming Settings, using the same settings are worked in 4.0 fails.

image

Name: FirstName Last Name
Incoming Status: Failure – No results were found.

image

Note: It is worth noting that after you import an Organization into CRM 2011 from CRM 4.0 that all the user credentials in each users CRM E-mail setting for user defined access:

image

have the wrong passwords. They need to be reset.

 

We have not fixed this yet!

Try as we may, and generally we know what we are doing with this stuff, we have not as yet found a solution. We tried heaps of things, from opening up Non SSL access to the Exchange Server to running REG EDITS on the CRM server. Nothing as yet!

We can verify that the URL can be hit from the CRM server (Where the Email Router Resides) and that the return of information is the same as it was for CRM 4.0 Email Router.

We also have verified that the Error Changes once user pass words are made invalid.

Incoming Status: Failure – The remote Microsoft Exchange e-mail server returned the error “(401) Unauthorized”. Verify that you have permission to connect to the mailbox. The request failed with HTTP status 401: Unauthorized.

 

Indicating that it is authenticating correctly.

We have deployed Rollup 2 at this time, and really are starting to think it is a bug. So we are about to get the BIG Microsoft Involved with a support ticket. Will let you know how that works out.

 

One Big Problem

We did not think a lot of the issue, and left our test Environment sitting doing a few things that included a DotNetNuke integration that was running some automatic billing processes from web service calls into CRM. This generated email messages in CRM that needed to be sent, and naturally the email router would have sorted that.

Again, we thought nothing of that.

We also noted that huge amounts of memory were being allocated toward the CRM test server in Hyper-V. Like 12-14 GB. That that was high, being that it was a SQL server and website in essence. Memory sits nicely at around 3-4 GB if things are working well.

What we have since discovered is that with the invalid inbound CRM – Exchange access, the CRM Email Router service consumed huge amounts of memory (Over 48 GB if allowed), and also bogged down process time to the point that nothing else ran on the server.

She’s a Fickle Bitch! and obviously there is a memory leak of epic proportions there some place.

The solution, was to remove the invalid Inbound Rule while we sort out what the heck is going on with the program.

Stay Tuned….

UPDATE

After much mucking around, we found our problem.

In our instance the Default Global Address List had us listed, but our mailbox was tied to another custom address list, that was not listing our address correctly due to a typo. The access to the GA was being blocked by custom security settings.

This comes back to the same post above. Although nothing to do with the check box about  “Hide from Exchange address lists” – we were in effect being hidden from the address list that mattered.

Removing IP from AOL email Black List postmaster

I’m finding the AOL process really really annoying. We have been trying to clear up blacklist and reputation problems with a new IP range that was previously abused.

AOL have some tools that pretend to help. What you need to know is this.

1. Ensure your mail server IP has a RDNS – so when you do an NS lookup on the IP address it will show a name, like smtp.interactivewebs.com

2. Setup an email account like abuse@ or postmaster@  that domain. Make sure you get that mail.

3. Ensure that you verify with AOL that you are the admin for that RDNS lookup name. That is by submitting a ticket called Feedback Loop here: http://postmaster.aol.com/SupportRequest.FBL.php

4. Wait till they verify your Feedback Loop. AKA. that you are getting mail on that domain.

6. Use this link: http://www.mxtoolbox.com/SuperTool.aspx?action=mx%3aaol.com
to work out the IP of an AOL mail server.

7. Work out what code error is given when you try to connect from your mail server using Telnet. Follow these instructions. http://support.microsoft.com/kb/153119 but use the IP address and port 25 of the AOL mail server from step 6 above.

8. Look at the error result and compare it to this page: http://postmaster.aol.com/Postmaster.Errors.php

9. Follow the support request process from that page, to submit a ticket to have them fix things up.

Easy as that.!


Imagine if we had to do that crap for every email domain in the world. This was a recent blog from AOL about their update:

http://postmaster-blog.aol.com/2011/05/05/general-update/

We are in the process of automating email problem report resolution. This is a mid-term project, and is being implemented in stages on a queue-by-queue basis. (Ex: Each unique error code type represents a different queue, as do feedback loop and whitelist requests. http://postmaster.aol.com/Postmaster.Errors.php )
The last couple of months were spent migrating our sundry ticketing systems onto one common platform — essentially readying a back-end for the front-end logic flow that you will interface with. We are excited to finally be addressing the part of this project that will offer, in most cases, immediate resolution to your issues.
We are starting with router-level queues, the first of which will be RTR:BB errors. I will post on our progress as we push the code into production, along with what ticket submitters should expect with the automated process specific to the queue addressed. If you are seeing problems with the queues in transition, please comment on that particular blog post, and we’ll take a look.
Meanwhile, our Postmaster staff will continue handling every ticket we receive.
Thanks for your patience and support during this transition!

 


This was my comment.

1. Good that you are improving things. Sucks that your process is so stupid in the first place. An example of how frigging annoying I am finding things.
We at: http://www.interactivewebs.com have been forced by a chapter 11 of an upstream provider to move all our servers to a new IP range.
First thing we did was to setup RDNS and check mail reputation (on all the major Black Lists, and senderbase.org). What we found was that the IP range has been abused. So we set about cleaning that up.
Naturally we checked AOL, and found that the IP was "undisclosed" reputation. Helpful Right… NOT!
But it does not show AOL was listing it.
So we move and fire up services. THEN and only then do we find out that AOL does have the address on a BL and mail cannot be delivered.
How about tools that work, and a process that works to allow proper checking/de-listing.
The ironic part of dealing with your 1990 process, is that it really does not work as well as other systems. AOL users get more spam than many other reputable spam systems. There is even free spam software services that do better.
So why stick with such a lame process, when the end result is HEAPS of false positives?

How to Set Up Microsoft CRM 2016 IFD on Windows 2012 R2 Server

How to Set Up Microsoft CRM 2016 IFD on Windows 2012 R2 Server

We already have a popular post for the configuration of IFD setup with CRM 2015, CRM 2013, CRM 2011. Now we are updating this post to support CRM 2016.

Microsoft have a compatibility listing for CRM 2016 here: https://support.microsoft.com/en-us/kb/3124955

The Development Setup

 Once again we are running this configuration as a test environment for development. As such we will be running, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:

  • Windows 2012 R2 SP2 64 Bit – (MSDN File: en_windows_server_2012_r2_x64_dvd_2707946
  • SQL 2014 R2 64 Bit – SQL Server 2014 Standard Edition x64 – (MSDN File: en_sql_server_2014_standard_edition_x64_dvd_3932034) – Patched to SP2
  • Microsoft Dynamics CRM Server 2016 – en_microsoft_dynamics_crm_server_2016_x86_x64_dvd_7171743
NOTE: The Domain we have used for setup with this dev server is: iwebscrm16.com You can substitute your domain in place throughout these step by step IFD instructions CRM 2016.

Getting Windows Server Ready

1. Install and Update Windows 2012 R2.

2. From the Server ManagerAdd Roles and Features

3. Role-Based or Feature-Based instilllation

Windows 2012 Install Roles

4. Select the Server from the Pool (usually the default option)

5. Scroll Down and Select Web Server IIS

Screenshot 2016 01 07 01 22 53

6. Add Features

Screenshot 2016 01 07 01 23 41

And .NET 3.5 Features

Screenshot 2016 01 07 06 38 25

7. Next / Next

8. under Web Server Roles (IIS) Use the default options, but add under Performance – Dynamic Content Compression

Dynamic Compression Install IIS

9. Next / Install

10. Update Window Server again as there is likely a restart update available. 

11. After Restart. Ensure that you turn off the IE enhanced security. It’s Crap and no one benefits from it. This is done in the Server Manager under Local Security.

Screenshot 2016 01 07 23 28 08

 

SQL 2014 Setup

1. First Up have the Windows Server Join the Domain you will be using.

2. Reboot and login with the domain admin account.

3. Start the SQL Install Disk

4. Click Instillation / New SQL Server Stand Alone

Screenshot 2016 01 07 06 24 23

5. Enter Product Key / Next

6. Agree to Terms / Next

7. use Microsoft Update / Next

8. Ignore the Windows Firewall Warning at this Stage

Screenshot 2016 01 07 06 26 41

9. Select SQL Server Feature Instillation / Next

10. Select: Database Engine Service / Full Text Indexing / Reporting Service Native / Management Tools Basic and Complete / Next

SQL Setup for MS CRM 2016

11. Leave Default Name

Screenshot 2016 01 07 11 58 41 

12. Server Configuration Default and Next

Screenshot 2016 01 07 12 13 33

13. Windows Authentication Mode / Add Current User (Remembering we are logged in as a Domain Admin domain/administrator)

Screenshot 2016 01 07 12 14 33

14. Install and Configure / Next

Screenshot 2016 01 07 12 16 22

15. Install

Screenshot 2016 01 07 12 17 11

16. After Completion, Check again for Windows Updates and Reboot. (At the time of writing this blog, the SP 1 for SQL 2014 will be installed if your install disks do not already have this. Like everything Microsoft, it’s not super reliable until they SP1 their product!).

 

Getting your Active Directory OU Ready

1. Login to your Active Directory Domain Controller as a Domain Administrator

2. Using the Active Directory Users and Computers, Select the Root and Create a new OU named something like Microsoft CRM 2016

Screenshot 2016 01 07 19 30 47

3. Log Out of the Active Directory Domain Server.

 

Installing CRM 2016

During the install, we were asked to install services associated with the services required for CRM 2016.

CRM 2015 Install Process

We Selected all options on install:

Screenshot 2015 02 12 14 57 24

Select “Create New Deployment” and enter theServer Name as the SQL server. Screenshot 2016 01 07 19 32 24

If you are not sure of the name, Right Click “This Computer” from the start menu, and select Properties:

Screenshot 2016 01 07 19 34 07

Browse to the OU we created in the Steps Above Getting the AD OU Ready, and select the OU we created there. “CRM 2016″

Screenshot 2016 01 07 19 36 25

We selected the default account for authority. Note that the blog referenced above suggests a dedicated account for security. As we are setting up a dev environment we did not bother with this.

CRM 2015 Security Account

IMPORTANT

Create a new Website with port 5555

CRM 2015 IFD Website 5555

As we intend to set up the Email Router service on this server later, we set this server “VSERVER06” in this instance as the server for email router service, or you can leave this blank.

Screenshot 2016 01 07 19 39 30

We set “CRM2016″ As the default initial test environment deployment.

CRM 2016 Setup IFD

Reporting Server defaulted to the server name/reportserver

Screenshot 2016 01 07 19 40 53

We received a few warnings about the install:

CRM 2015 Install Warnings

For a deployment that is more secure, the Microsoft Dynamics CRM Sandbox Processing Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

For a deployment that is more secure, the Microsoft Dynamics CRM VSS Writer Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

Data encryption will be active after the install or upgrade. We strongly recommend that you copy the organization encryption key and store it in a safe place. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

The only one of real interest in our Dev environment would be the last item. making a backup of data encryption keys is always a good idea. 

Test First

Test that your CRM setup is working. Go to the local computer name (ours is vserver12) on the correct port: http://vserver12:5555

We called our Deployment of CRM – “CRM2016″ in the CRM Setup phase above, so the URL redirects to: http://vserver12:5555/CRM2016/main.aspx

Because we were were logged in as the server administrator, we were able to load, but may take some time to fire up the various server requirements.

Microsoft CRM 2016 Home Page

Apply a Wildcard SSL Certificate

In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment (known as organisation) “business1″ we will access that as: https://business1.domain.com:444 (note the the :444 will be because of how we set up Internet Facing Deployment.

For testing, we purchased a standard Wildcard SSL certificate that applied that to the IIS Server 

In our case we registered a test domain: iwebscrm16.com and set the SSL wildcard to: *.iwebscrm16.com and applied that cert to the server. The services we used for purchasing the wildcard certificate were starts.com who provide a very cost effective certificate services. Once authenticated, certificates are free to issue.

Application for a certificate

Here, I will be a wildcard certificate, for example, describes how to create a certificate:

1) Open IIS Manager

2) Click the server name in the main screen double click Server Certificates

3) In the right panel, click Create Certificate Request…

image

4) fill in the following diagram each column, click Next

image

5) Cryptographic Service Provider Properties page change the Bit Length to at least 2048 click Next.

Screenshot 2014 07 05 18 50 18

6) In the File Name page, enter C: \ req.txt , and then click Finish. (You can save it any place you like, with any name)

7) Open the certificate in Notepad, and copy the contents.

Screenshot 2014 07 05 18 53 05

This is the text that is pasted into the Start SSL Certificate request page to generate the certificate:

Screenshot 2014 07 05 18 55 03

8) After you finish generating the certificate text in StartSSL.com you get a bunch of code that looks similar to the request code. Copy that generated code

9) Paste the code back into a new Text / Notepad Document on the Web server, but call it something that ends in .cer  (not .txt). 

10) back to the IIS Manager, click No. 3)  Step graph Complete Certificate Request …

11) Select the the file you created at point 9 above to complete the request.

12) Click OK.
Note: We did get an error message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
In this instance, it turned out to be a crappy Microsoft Error. After doing some research, we found that it was likely meaningless and the cert installed correctly. We rebooted the machine and logged in again, to find that the CERT was there installed as we wanted it to be.

Binding site for the default SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click Default Web Site.

3) In the Actions pane, click Bindings.

image

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com , and then click OK.

Screenshot 2015 02 18 18 03 45

 Ours is *.iwebscrm15.com

CRM 2015 SSL

7) Click Close.

For the CRM 2016 binding site SSL certificate

This is in effect repeating the above process like you did for the default certificate, but using a different port (444 for example). This way you are binding the same certificate to the two websites in your IIS instance.

1)Open IIS Manager.

2) In the Connections panel, expand Sites , click CRM Web Site.

3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com .

7) Port to select a different 443 (e.g. 444 ) and port number, and then click OK

 SSL CERT CRM 2015

IFD CRM 2015 CERT.png

8) Click Close.

DNS configuration

We are going to add a few DNS “A” records so that the records listed in point 1-4 below in DNS Goal are resolving correctly to the IP address of your CRM server.

There are two ways you can achieve the desired result. But first lets understand the desired result.

  1. We make the assumption that your server is running at least one static IP address.
  2. Because this is Internet Facing, that IP needs to be accessible to the world.
  3. That same IP can be used for access to your server both internally on the matching we are playing with, and externally form anyone on the net.
Lets Get Basic

Start a Command Prompt, and work out what your IP address of the server is.

Click START > RUN > CMD

Type IPCONFIG – Enter

Under the name: IPv4 Address is a number that looks like: 66.34.204.220

image

That is Your IP Address of the Server.

The DNS Goal

Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.

(xxx is the sub domain that we are about to configure.)

To configure CRM, we need some sub domains to point to the server IP.
Adding records in DNS like this:

Screenshot 2014 07 05 19 28 02

  1. sts1.domain.com
  2. auth.domain.com
  3. dev.domain.com
  4. internalcrm.domain.com
  5. Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.
  6. crm2016.iwebscrm16.com (We usually set up a dev environment with CRM2016 being the year of the version. Just something we select to do).
  7. adfs.domain.com (used for reference to the ADFS server)
  8. one for the root domain so that domain.com points to the same server. (This is for the ADFS logout URL)

CRM 2015 IFD DNS SETTINGS

We have two setup here: CRM and CRM2016. So we need to configure crm.iwebscrm16.com and crm2016.iwebscrm16.com (Not necessary but our choice for this instance).

DNS The Easy Way!

The really easy way to solve all this (now we have explained the background) is to simply create a * A record that points to the machine we are using to set up the CRM system.

Test DNS

You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server. At the command prompt, type “ping sts1.iwebscrm15.com” for example with our config. Ping them all to be sure you get them correct. 

Note: If you have added the DNS records, but still encounter name resolution problems, you can try running on the client ipconfig / flushdns to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.

image

Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.

 

Firewall configuration

You need to set the firewall to allow the CRM 2013 and the AD FS 3.0 port used by the incoming data stream. HTTPS (SSL) is the default port 443.

For Initial setup testing etc. We recommend just turning the thing off. Better start from a place where it does not muck you around, then turn it all back on after you are successful.

1) In Windows 2012 I can’t frigging work out how to find anything. Literally!  But most things you can search for. As is the case here if you search for “Firewall”. Select the firewall option:

Screenshot 2015 02 18 18 14 37

2) Select Turn Windows Firewall on or off

Screenshot 2015 02 18 18 16 04

4) Turn Off or On Firewall

Screenshot 2014 07 05 19 33 53

Just turn it all off for now. (Remember to come back, turn it on and allow access for the unusual port 444 that you configured earlier for the SSL on the CRM site. But for testing and setting up… the last things you want is to be banging your head agains a firewall.

Screenshot 2015 02 18 18 18 31

Snapshots

Just a reminder that at this point we have been keeping snapshots on our Hyper-V environment to allow us to fail back to a location and try again. This is really useful for the setup of something like this that has a lot of moving parts.

CRM 2016 Snapshots

Configuration Claim-based authentication internal access

Configure the internal access Claim-based authentication requires the following steps:

  • Install and configure AD FS 3.0
  • Set Claims-based authentication configuration CRM 2016 server.
  • Set the Claims-based authentication configuration AD FS 3.0 server.
  • Test claims-based authentication within the access.

Install and configure ADFS 3.0

This article uses Active Directory Federation Services (AD FS) 3.0 to provide a security token service (security token service or STS ).

Note: AD FS 3.0 will be installed to the default site, so install AD FS 3.0 , you must have CRM 2016 installation in the new site. (Remember we said that earlier)

IIS Looks like this if it is correctly installed: image

If you only see the default website with CRM installed in that. Start AGAIN! – We are working with the process as shown here.

Install ADFS Server Role

From Server Manager – Add A Server role for: Active Directory Federation Services

Screenshot 2014 07 05 19 39 54 

Screenshot 2015 02 18 18 24 23

Screenshot 2015 02 18 18 24 53

Screenshot 2015 02 18 18 25 34

Click Install at the last step.

Screenshot 2015 02 18 18 26 20

After if Finishes: 

Configure the Fediration service on this server

Click the Configure the Federation Services on this server.

Configure AD FS 3.0

1 Click on Configure the federation service on this server.

2 In the AD FS 3.0 Management page , click AD FS 3.0 Federation Server Configuration Wizard .

3 In the Welcome page , select Create the first federation server in a federation server farm, and then click Next.

Screenshot 2014 07 05 19 43 52

4 Select next to continue with the current administrator (must be a domain admin).

Screenshot 2014 07 10 16 34 34

5 Choose your SSL certificate (the one we created and imported above i.e. *.iwebscrm15.com ) ,add a Federation Service name ( Selecting the second one for the dropdown in this instance iwebscrm15.com, don’t select the one with the wildcard in the name, so not the *.iwebscrm15.com for example.), then Select a Service Display Name for your business – selecting the one that is NOT starting with a *, then click Next.

ADFS Setup with CRM 2016

6 Open PowerShell and run the following command: “Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)”

 Screenshot 2014 07 10 16 40 55

Screenshot 2015 02 18 18 42 53

If you don’t you will se the error: Group Managed Service Accounts are not available because the KDS Root Key has not been set.

7 We specified the Administrator account for the service account, as security is not our primary concern here with a Dev environment. You could and probably should use a defined account for a production environment.

ADFS Service Account

7 Create a database on this server using Windows Internal Database (or you can use SQL instance in the step below), click Next.

Screenshot 2014 07 10 16 43 30

Or use the local SQL instance etc if you have one. (Because we have SQL installed on this same server. We are using this SQL instance for the database host. 

ADFS SQL Database

Note that this will create two new databases in SQL.

ADFS SQL Databases 

8 Review Options click Next

Screenshot 2015 02 18 18 49 33

9 Pre-requisits checklist, click Configure

Screenshot 2014 07 10 16 45 44

10 You should see a message that “This Server was successfully configured

Screenshot 2015 02 18 18 53 47

11 Close out the Instillation progress window

Screenshot 2015 02 18 18 54 07

Screenshot 2015 02 18 18 54 33

Verify the AD FS 3.0 is working

Follow the steps below to verify that the AD FS 3.0 is working :

1 Open Internet Explorer.

Under Internet Options

IE Options

Security / Local Intranet

Screenshot 2015 02 19 08 49 36

Sites / Advanced

IE Sites Advance

Add *.domain.com to the websites. In our case here we added: *.iwebscrm16.com

Screenshot 2016 01 08 12 29 46

Close all this down when added.

2 Now we need browse to the the federation metadata in Internet explorer to test access is working. 

Use this URL below as an example to browse to your own server. Remembering that we set up a DNS entry earlier for “ADFS’ on your domain, thus you should be able to browse to the URL below replacing our domain name with yours and have it access the server we are configuring.

  • https://adfs.iwebscrm16.com/federationmetadata/2007-06/federationmetadata.xml

(Replace your domain name in place of ours iwebs16.com)

3. to ensure that no certificate associated with the warning appears, and you can view the certificate to be sure it is showing.

Screenshot 2016 01 08 12 34 21

Check the certificate is correct and working by clicking on the padlock looking thing and viewing certificate.

Screenshot 2016 01 08 12 34 59 

Take another Snapshot!

Claims-based authentication configuration CRM 2016 server

After you install and configure the AD FS 3.0 , we need to configure the Claims-based authentication before setting CRM 2016 binding types and the root domain.

1 Open the CRM Deployment Manager.
CRM 2016 Deployment Manager

2 In the Actions pane , click Properties .

3 Click the Web Address page.

4 In the Binding Type , select HTTPS .

Screenshot 2014 07 10 17 09 07

CRM 2017 hsttps

5. Change the Server name to the internalcrm.domain.com:444 format. In our case here. internalcrm.iwebscrm16.com:444

CRM 2016 IFD

6. Then Apply

7. Then OK to close

8 In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

Screenshot 2014 07 10 17 59 37

9 Click Next on the Welcome page

10  On the Specify the security token service page, enter the Federation metadata URL, in our case because we setup a DNS record for “adfs” we are going to use that: https://adfs.iwebscrm16.com/federationmetadata/2007-06/federationmetadata.xml 
Note: that this is the same URL we tested ADFS was set up correctly on in the steps above. Also note that the step of adding the domain to internal sites in the IE security settings that we did above is an important one! If you can’t hit that URL on the web browser of the server and get a clean XML defined page, then you deployment will not work.

CRM 2015 Claims Based Authentication

11 Click Next then select the certificate that we created perviously for the *.domain connection

CRM 2016 Certificate

12 Select Next
Note: At this point it is possible to get an error something along the lines of “Encrypted Certificate Error”. This is implying that the account used to run CRM does not have access to the Private Key of the certificate being used. Skip forward to point 25 below, and add the service accounts that CRM is using to the private key of the certificate to be used. This will ensure that this next configuration step has access to the certificate. Then come back to this point and continue. 

Screenshot 2014 07 10 18 09 58

13 Select Apply (BUT – NOT FINISH)

Screenshot 2014 07 10 18 10 31

14 IMPORTANT – Click View Log File

Screenshot 2016 01 08 13 06 25

15 Scroll to the end, and Copy the URL from the bottom of the file.

CRM 2016 Internal Federation Metadata URL

This will be used in the next configuration. 
Note: that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this). In our case the URL looked like this: https://internalcrm.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml

16 Click Finish.

Set the CRM AppPool account and the Microsoft Dynamics CRM Encryption certificate.

17 Right Click the Start Button and select RUN

18 Type MMC and enter

Run MMC

19 Select File / Add/Remove Snap-in

Add Remove Snap-in

20 Select Certificates and Add

Add Certificates MMC

21 Select Computer Account

Computer Account

22 Local Computer is selected, so click Finish

Screenshot 2015 02 19 16 57 47

23 Expand the console tree / Personal / Click Certificates

Screenshot 2015 02 19 17 00 09

24 Right click the certificate we used for the CRM endpoint, and select All Tasks / Manage Private Keys

CRM IFD Manage Private Keys

25 Select Add

Screenshot 2015 02 19 17 04 11

26 Select Advanced

Screenshot 2015 02 19 17 11 47

27 Select Find Now

Screenshot 2015 02 19 17 12 34

28 Scroll Down and Find the NETWORK SERVICE Account

Network Service Account

29 Select OK / OK

Screenshot 2015 02 19 17 15 08

Ensuring that the NETWORK SERVICE has Read Access

Screenshot 2015 02 19 17 40 44

Note: We have used the NETWORK SERVICE account here because that is the one associated with the CRMAppPool used in IIS by default for the Microsoft Dynamics CRM Website that was automatically configured with the CRM setup.

Screenshot 2015 02 19 17 19 28

CRMAppPool

If you are using another account for running the application pool, then you should ensure that this account has access to the encryption certificate. Some details can be found here.

30 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2016 server.

The URL Above that we are checking is the one from the View Log step, that we said to copy.

Screenshot 2015 02 19 18 24 33

Once you can browse this URL, you are done if it fails, then repeat the process till you can access the URL on the server in question. Note: Often it is confusion over the port :5555 that defaults in CRM Deployment Manager Web settings and the HTTPS Port :444 that we defined in the binding for the Microsoft CRM Dynamics Website. So double check that you have the correct port set in the Deployment Manager, then run the steps again following that setting.

Checkpoint the Hyper-V at this point.

 

Claims-based authentication configuration AD FS 3.0 server

Start AD FS 3.0 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

Screenshot 2016 01 08 13 15 35

Screenshot 2014 07 10 18 27 02

 

In the Rules Editor, click Add Rule, In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next

Screenshot 2014 07 10 18 27 33

 

Step10: Create the following rule

Claim rule name: UPN Claim Rule (or something descriptive)
Attribute store: Active Directory
LDAP Attribute: User Principal Name
Outgoing Claim Type: UPN

Screenshot 2014 07 10 18 34 58

Click Finish, and then click OK to close the Rules Editor

After you enable claims-based authentication, you must configure Dynamics CRM Server 2016 as a relying party to consume claims from AD FS 3.0 for authenticating internal claims access.

Add Relying Party Trusts to AD FS

Start AD FS Management. Select Trust Relationships / Relying Party Trusts. Then On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

AD FS Relying Party Trust

On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file during the creation of the CRM Claims Based Authentication. e.g. https://internalcrm.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml – Note it is probably still open in your browser in the background.

Screenshot 2016 01 08 13 21 41

On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

Screenshot 2014 07 10 18 40 57

Click Next on the multi-factor authentication options.

Screenshot 2014 07 10 18 41 35

On the Choose Issuance Authorisation Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Screenshot 2014 07 10 18 41 44

On the Ready to Add Trust page Click Next

CRM 2016 Relying Party Trust

On Finish Page, click the checkbox option to Open the Edit Claim Rules, Next, and then click Close.

Screenshot 2015 02 19 19 04 59

The Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

Screenshot 2014 07 10 18 42 52

In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Screenshot 2014 07 10 18 44 21

Create the following Rule #1
Claim rule name: Pass Through UPN (or something descriptive)
Incoming claim type: UPN
Pass through all claim values

Click Finish.

Screenshot 2014 07 10 18 44 59

Screenshot 2014 07 10 18 50 07

In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

Screenshot 2014 07 10 18 50 26

Create the following Rule #2

Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values

Click Finish

Screenshot 2014 07 10 18 51 11

Screenshot 2014 07 10 18 51 23

In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Screenshot 2014 07 10 18 51 59

Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)
Incoming claiming type: Windows account name
Outgoing claim type: Name
Pass through all claim values

Screenshot 2016 01 11 20 20 17

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

Screenshot 2014 07 10 18 53 20

Click OK

Enable Forms Authentication

AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

Open the AD FS management console and click Authentication PoliciesUnder Primary Authentication, Global Settings , Authentication Methods, click Edit.

Screenshot 2015 02 19 19 13 39

Under Intranet, enable (check) Forms Authentication

Screenshot 2014 08 02 18 06 40

So now we have claims setup for CRM.

Add the ADFS server to the Local intranet zone.

We previously added the *.domain.com or in our case, *.iwebscrm16.com to the Local intranet zone in Internet explorer on the server. If you have not done this you should do it now. Then:

1. Open Internet Options Select the Advanced tab. Scroll down and verify that under Security Enable Integrated Windows Authentication is checked.

Screenshot 2015 02 19 19 37 22

2. Click OK to close the Internet Options dialog box.You will need to update the Local intranet zone on each client computer accessing Microsoft Dynamics CRM data internally. 

Specify the security token service

1 Open a command line tool .

2 Enter the following command : ( application, in your own environment, substitute the name of the name of the command line )

setspn -a http/sts1.iwebscrm16.com fserver4\VSERVER40”  

– Note – remove the “ “

fserver4\VSERVER12 = the domain / machine name of the server.

Screenshot 2015 02 19 21 33 22

c: \> iisreset 

Probably good to do a Snapshot again!

Configure Internet-Facing Deployment in CRM Deployment Manager.

1 Open the CRM Deployment Manager.

2 In the tree structure , right-click Microsoft Dynamics CRM , and then click Configure Internet-Facing Deployment.

Screenshot 2014 08 02 18 14 52

3 Click Next.

Screenshot 2014 08 02 18 15 20

4 Fill in the correct domain information for the Web Application

Thus we use:

  • Web Application Server Domain: iwebscrm16.com:444
  • Organization Web Service Domain: iwebscrm16.com:444
  • Web Service Discovery Domain: dev.iwebscrm16.com:444 Screenshot 2016 01 10 14 38 59

Leave the Default option for the Internet Facing Server Location

Screenshot 2016 01 10 14 39 32

System Checks work

Screenshot 2015 02 19 20 18 19

IFD Summary looks like this. Then Apply

Screenshot 2016 01 10 14 40 02

Finish

Screenshot 2015 02 19 20 19 41

9. Open a command line tool, run: iisreset

Screenshot 2015 02 19 22 11 38

 

ADFS Relying Party Trust for the IFD Endpoint

Effectively you are creating the third Relying party trust in your deployment and the second that you have manually set up at this point. We are doing this again as this is now for the IFD endpoint.

Step 1: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.Screenshot 2016 11 21 13 47 57

Step 2: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

For example, https://auth.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml (Remember to replace your domain for ours)

Type this URL in your browser and verify that no certificate-related warnings appear.

Screenshot 2016 01 10 14 45 48

Step 3: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next

Screenshot 2016 11 21 13 39 52

Step4: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Screenshot 2015 02 19 21 51 44

Click Next

Screenshot 2016 11 21 13 49 04

Screenshot 2015 02 19 21 52 25

Step 5: On the Ready to Add Trust page, click Next, and then click Close.

Step 6: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule

Screenshot 2016 11 21 13 49 53

Step 7: In the Claim rule template list, select the Pass Through or Filter an Incoming Claimtemplate, and then click Next.

Screenshot 2016 11 21 13 54 38

Step 8: Create the following rule#1

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish

Screenshot 2016 11 21 13 55 24

Step 9: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

Screenshot 2016 11 21 13 56 06

Step 10: Create the following rule#2

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish

Screenshot 2016 11 21 13 56 49

Step 11: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Screenshot 2016 11 21 13 58 18

Step 12: Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

Screenshot 2016 01 11 20 19 11

Now, you should see three Relying Party Trusts in the ADFS Trust Relationships.

Screenshot 2015 02 19 22 23 41

Step 13 – Change Port

Open Powershell and run this command

Set-ADFSProperties –nettcpport 809


Screenshot 2016 01 11 19 58 17

Restart the ADFS in Services

Restart ADFS

Restart IIS in CMD

iisreset

IISRESET

Browse to the URL: https://sts1.iwebscrm16.com/adfs/services/trust/mex  (replacing the iwebscrm16.com with your domain). You should be abel to hit this URL and get a result looking like this:

adfs services trust mex

 

Test External Access to CRM 2016 with IFD

Now, you should use the claims certified external access CRM 2016 a. In IE the browser CRM 2016 external address (for example: https://crm2016.iwebscrm16.com:444/main.aspx ), you should have success with login.

Screenshot 2016 01 11 19 21 09

CRM 2016 Login Default Page

Problems We Encountered

While developing this blog post we encountered many small errors along the way. We have reverted to CheckPoints and fixed the instructions to allow you to avoid them. One thing we would say is that when resolving errors, it is most likely associated with the AD FS IFD login. When this happens, the AD FS Event Log is your best friend. Hit the Event ID errors up in google and resolve as best you can. Checkpoints are also your friend here!

 

Turn the Firewall Back On

As you may expect, this is a rather important last step

1. Turn on all Firewall Settings as they were at the start

Screenshot 2015 02 19 22 50 17

2. Click Advanced Settings 

Screenshot 2015 02 19 22 51 06

3. Click Inbound Rules / New Rule

Screenshot 2015 02 19 22 52 22

4. Select Port / Next

Screenshot 2015 02 19 22 46 28

5. Select TCP and Specify Port 444

Screenshot 2015 02 19 22 46 54

6. Allow the Connection

Screenshot 2015 02 19 22 47 08

7. Domain, Private and Public all ticked.

Screenshot 2015 02 19 22 47 28

8. Give it a name like: CRM Port 444

Screenshot 2015 02 19 22 47 46

And you are about finished. Remember if in the future you are mucking with something and getting no place. Turn off the Firewall as a starting point. Banging heads with firewalls is a waste of time!

Remember to test access again externally!

 

Your Feedback and Our Services

Please post a comment or note if you have anything to add about these notes. We welcome feedback that helps us improve them.

If you have a need for CRM 2016 Developer Services, we offer professional services and support for CRM 2016. This includes upgrade services for upgrading from any of the past CRM releases to new ones. We also write custom plugin solutions and are specialists with advanced web services and portals that connect to CRM for many applications. http://www.interactivewebs.com/crm and websites.

 

 

 

How to Set up CRM 2015 IFD on Windows 2012 and ADFS 3.0

We already have a popular post for the configuration of IFD setup with CRM 2013 and CRM 2011. Now we are updating this post to support CRM 2015.

Microsoft have a compatibility listing for CRM 2015 here: http://support.microsoft.com/kb/3018360

The Development Setup

 Once again we are running this configuration as a test environment for development. As such we will be running, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:

  • Windows 2012 R2 SP2 64 Bit – (MSDN File: en_windows_server_2012_r2_x64_dvd_2707946
  • SQL 2014 R2 64 Bit – SQL Server 2014 Standard Edition x64 – (MSDN File: en_sql_server_2014_standard_edition_x64_dvd_3932034) – Patched to SP2
  • Microsoft Dynamics CRM Server 2015 (x86 and x64) – DVD (English) – (MSDN File: en_microsoft_dynamics_crm_server_2015_x86_x64_dvd_5853339)
NOTE: The Domain we have used for setup with this dev server is: iwebscrm15.com You can substitute your domain in place throughout these step by step IFD instructions CRM 2015.

Installing CRM 2015

We pretty much followed a combination of these instructions:
http://blogs.msdn.com/b/niran_belliappa/archive/2013/11/05/step-by-step-installing-dynamics-crm-2013-on-windows-server-2012.aspx

During the install, we were asked to install services associated with the services required for CRM 2015.

CRM 2015 Install Process

We Selected all options on install:

Screenshot 2015 02 12 14 57 24

We selected the default account for authority. Note that the blog referenced above suggests a dedicated account for security. As we are setting up a dev environment we did not bother with this.

CRM 2015 Security Account

IMPORTANT

Create a new Website with port 5555

CRM 2015 IFD Website 5555

As we intend to set up the Email Router service on this server later, we set this server “VSERVER06” in this instance as the server for email router service:

CRM 2015 Email Router Server

We set “CRM2015” As the default initial test environment deployment.

CRM 2015 Default Deployment

Reporting Server defaulted to the server name/reportserver

CRM 2015 Report Server

We received a few warnings about the install:

CRM 2015 Install Warnings

For a deployment that is more secure, the Microsoft Dynamics CRM Sandbox Processing Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

For a deployment that is more secure, the Microsoft Dynamics CRM VSS Writer Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

Data encryption will be active after the install or upgrade. We strongly recommend that you copy the organization encryption key and store it in a safe place. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

The only one of real interest in our Dev environment would be the last item. making a backup of data encryption keys is always a good idea. 

Test First

Test that your CRM setup is working. Go to the local computer name (ours is vserver06) on the correct port: http://vserver06:5555

We called our Deployment of CRM – “CRM2015″ So the URL redirects to: http://vserver06:5555/CRM2015/main.aspx

Because we were were logged in as the server administrator, we were able to load

CRM 2015 Initial Login 

Apply a Wildcard SSL Certificate

In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment “business1″ we will access that as: https://business1.domain.com

For testing, we purchased a standard Wildcard SSL certificate that applied that to the IIS Server 

In our case we registered a test domain: iwebscrm15.com and set the SSL wildcard to: *.iwebscrm15.com and applied that cert to the server.

Application for a certificate

Here, I will be a wildcard certificate, for example, describes how to create a certificate:

1) Open IIS Manager

2) Click the server name in the main screen double click Server Certificates

3) In the right panel, click Create Certificate Request…

image

4) fill in the following diagram each column, click Next

image

5) Cryptographic Service Provider Properties page change the Bit Length to 2048 click Next.

Screenshot 2014 07 05 18 50 18

6) In the File Name page, enter C: \ req.txt , and then click Finish. (You can save it any place you like, with any name)

7) Open the certificate in Notepad, and copy the contents.

Screenshot 2014 07 05 18 53 05

This is the text that is pasted into the Start SSL Certificate request page to generate the certificate:

Screenshot 2014 07 05 18 55 03

8) After you finish generating the certificate text in StartSSL.com you get a bunch of code that looks similar to the request code. Copy that generated code

9) Paste the code back into a new Text / Notepad Document on the Web server, but call it something that ends in .cer  (not .txt). 

10) back to the IIS Manager, click No. 3)  Step graph Complete Certificate Request …

11) Select the the file you created at point 9 above to complete the request.

12) Click OK.
Note: We did get an error message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
In this instance, it turned out to be a crappy Microsoft Error. After doing some research, we found that it was likely meaningless and the cert installed correctly. We rebooted the machine and logged in again, to find that the CERT was there installed as we wanted it to be.

Binding site for the default SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click Default Web Site.

3) In the Actions pane, click Bindings.

image

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com , and then click OK.

Screenshot 2015 02 18 18 03 45

 Ours is *.iwebscrm15.com

CRM 2015 SSL

7) Click Close.

For the CRM 2015 binding site SSL certificate

This is in effect repeating the above process like you did for the default certificate, but using a different port (444 for example). This way you are binding the same certificate to the two websites in your IIS instance.

1)Open IIS Manager.

2) In the Connections panel, expand Sites , click CRM Web Site.

3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com .

7) Port to select a different 443 (e.g. 444 ) and port number, and then click OK

 SSL CERT CRM 2015

IFD CRM 2015 CERT.png

8) Click Close.

 

DNS configuration

We are going to add a few DNS “A” records so that the records listed in point 1-4 below in DNS Goal are resolving correctly to the IP address of your CRM server.

There are two ways you can achieve the desired result. But first lets understand the desired result.

  1. We make the assumption that your server is running at least one static IP address.
  2. Because this is Internet Facing, that IP needs to be accessible to the world.
  3. That same IP can be used for access to your server both internally on the matching we are playing with, and externally form anyone on the net.
Lets Get Basic

Start a Command Prompt, and work out what your IP address of the server is.

Click START > RUN > CMD

Type IPCONFIG – Enter

Under the name: IPv4 Address is a number that looks like: 66.34.204.220

image

That is Your IP Address of the Server.

The DNS Goal

Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.

(xxx is the sub domain that we are about to configure.)

To configure CRM, we need some sub domains to point to the server IP.

Adding records in DNS like this:

Screenshot 2014 07 05 19 28 02

  1. sts1.domain.com
  2. auth.domain.com
  3. dev.domain.com
  4. Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.
  5. crm2015.iwebscrm15.com (We usually set up a dev environment with CRM2015 being the year of the version. Just something we select to do).
  6. adfs.domain.com (used for reference to the ADFS server)
  7. one for the root domain so that domain.com points to the same server. (This is for the ADFS logout URL)

CRM 2015 IFD DNS SETTINGS

We have two setup here: CRM and CRM2015. So we need to configure crm.iwebscrm15.com and crm2015.iwebscrm15.com (Not necessary but our choice for this instance).

Test DNS

You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server. At the command prompt, type “ping sts1.iwebscrm15.com” for example with our config. Ping them all to be sure you get them correct. 

Note: If you have added the DNS records, but still encounter name resolution problems, you can try running on the client ipconfig / flushdns to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.

image

Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.

 

Firewall configuration

You need to set the firewall to allow the CRM 2015 and the AD FS 3.0 port used by the incoming data stream. HTTPS (SSL) is the default port 443.

For Initial setup testing etc. We recommend just turning the thing off. Better start from a place where it does not muck you around, then turn it all back on after you are successful.

1) In Windows 2012 I can’t frigging work out how to find anything. Literally!  But most things you can search for. As is the case here if you search for “Firewall”. Select the firewall option:

Screenshot 2015 02 18 18 14 37

2) Select Turn Windows Firewall on or off

Screenshot 2015 02 18 18 16 04

4) Turn Off or On Firewall

Screenshot 2014 07 05 19 33 53

Just turn it all off for now. (Remember to come back, turn it on and allow access for the unusual port 444 that you configured earlier for the SSL on the CRM site. But for testing and setting up… the last things you want is to be banging your head agains a firewall.

Screenshot 2015 02 18 18 18 31

Configuration Claim-based authentication internal access

Configure the internal access Claim-based authentication requires the following steps:

  • Install and configure AD FS 3.0
  • Set Claims-based authentication configuration CRM 2015 server.
  • Set the Claims-based authentication configuration AD FS 3.0 server.
  • Test claims-based authentication within the access.

Install and configure ADFS 3.0

CRM 2015 with a variety of STS provider ( STS Provider ) together. This article uses Active Directory Federation Services (AD FS) 3.0 to provide a security token service (security token service ).

Note: AD FS 2.0 will be installed to the default site, so install AD FS 3.0 , you must have CRM 2015 installation in the new site. (Remember we said that earlier)

IIS Looks like this if it is correctly installed: image

If you only see the default website with CRM installed in that. Start AGAIN!

If you have it all correct at this point. Probably a good time to take a SnapShot (backup of the virtually system) and label it something you remember.

CRM 2015 Setup with Snapshots.png 

Install ADFS Server Role

From Server Manager – Add A Server role for: Active Directory Federation Services

Screenshot 2014 07 05 19 39 54 

Screenshot 2015 02 18 18 24 23

Screenshot 2015 02 18 18 24 53

Screenshot 2015 02 18 18 25 34

Click Install at the last step.

Screenshot 2015 02 18 18 26 20

After if Finishes: 

Configure the Fediration service on this server

Click the Configure the Federation Services on this server.

Configure AD FS 3.0

1 Click on Configure the federation service on this server.

2 In the AD FS 3.0 Management page , click AD FS 3.0 Federation Server Configuration Wizard .

3 In the Welcome page , select Create the first federation server in a federation server farm, and then click Next.

Screenshot 2014 07 05 19 43 52

4 Select next to continue with the current administrator (must be a domain admin).

Screenshot 2014 07 10 16 34 34

5 Choose your SSL certificate (the one we created and imported above i.e. *.iwebscrm15.com ) ,add a Federation Service name ( Selecting the second one for the dropdown in this instance iwebscrm15.com, don’t select the one with the wildcard in the name, so not the *.iwebscrm15.com for example.), then Select a Service Display Name for your business – selecting the one that is NOT starting with a *, then click Next.

CRM 105 ADFS Setup

6 Open PowerShell and run the following command: “Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)”

 Screenshot 2014 07 10 16 40 55

Screenshot 2015 02 18 18 42 53

If you don’t you will se the error: Group Managed Service Accounts are not available because the KDS Root Key has not been set.

7 We specified the Administrator account for the service account, as security is not our primary concern here with a Dev environment. You could and probably should use a defined account for a production environment.

ADFS Service Account

7 Create a database on this server using Windows Internal Database (we suggest using the SQL instance in the step below), click Next.

Screenshot 2014 07 10 16 43 30

Or use the local SQL instance etc if you have one. (Because we have SQL installed on this same server. We are using this SQL instance for the database host. 

Screenshot 2015 02 18 18 44 11

8 Review Options click Next

 

Screenshot 2015 02 18 18 49 339 Pre-requisits checklist, click Configure

Screenshot 2014 07 10 16 45 44

10 You should see a message that “This Server was successfully configured

Screenshot 2015 02 18 18 53 47

11 Close out the Instillation progress window

Screenshot 2015 02 18 18 54 07

Screenshot 2015 02 18 18 54 33

Verify the AD FS 3.0 is working

Follow the steps below to verify that the AD FS 3.0 is working :

1 Open Internet Explorer.

Under Internet Options

IE Options

Security / Local Intranet

Screenshot 2015 02 19 08 49 36

Sites / Advanced

IE Sites Advance

Add *.domain.com to the websites. In our case here we added: *.iwebscrm15.com

ADFS Local Intranet Sites

Close all this down when added.

2 Now we need browse to the the federation metadata in Internet explorer to test access is working. 

Use this URL below as an example to browse to your own server. Remembering that we set up a DNS entry earlier for “ADFS’ on your domain, thus you should be able to browse to the URL below replacing our domain name with yours and have it access the server we are configuring.

https://adfs.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml (Replace your domain name in place of ours)

3. to ensure that no certificate associated with the warning appears, and you can view the certificate to be sure it is showing.

ADFS IFD CRM 2015 Test

Check the certificate is correct and working by clicking on the padlock looking thing and viewing certificate.

Screenshot 2015 02 19 09 00 40

 

Claims-based authentication configuration CRM 2015 server

After you install and configure the AD FS 3.0 , we need to configure the Claims-based authentication before setting CRM 2015 binding types and the root domain.

1 Open the CRM Deployment Manager.

CRM 2015 Deployment Manager Launch

2 In the Actions pane , click Properties .

CRM 2015 Internal CRM Settings

3 Click the Web Address page.

4 In the Binding Type , select HTTPS .

Screenshot 2014 07 10 17 09 07

5. You can most likely select Apply at this point, and the default internal address for the CRM will work fine. We however we had you created a new A record in the DNS for “internalcrm” and pointed it to this new server. This allows us to user a clear path for the internal URL.

6 For example, internalcrm.iwebscrm15.com:444 for our install. (you can use your own domain internalcrm.domain.com:444)
Note: We use the :444 as this is the HTTPS binding that we applied to the Microsoft Dynamics CRM Website in IIS

Screenshot 2015 02 19 18 18 28 

CRM 2015 Web Addresses

7 Click OK.

8 In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

Screenshot 2014 07 10 17 59 37

9 Click Next on the Welcome page

10  On the Specify the security token service page, enter the Federation metadata URL, in our case because we setup a DNS record for “adfs” we are going to use that: https://adfs.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml
Note: that this is the same URL we tested ADFS was set up correctly on in the steps above. Also note that the step of adding the domain to internal sites in the IE security settings that we did above is an important one! If you can’t hit that URL on the web browser of the server and get a clean XML defined page, then you deployment will not work.

CRM 2015 Claims Based Authentication

11 Click Next then select the certificate that we created perviously for the *.domain connection

CRM 2015 Claims Based Authentication

12 Select Next
Note: At this point it is possible to get an error something along the lines of “Encrypted Certificate Error”. This is implying that the account used to run CRM does not have access to the Private Key of the certificate being used. Skip forward to point 25 below, and add the service accounts that CRM is using to the private key of the certificate to be used. This will ensure that this next configuration step has access to the certificate. Then come back to this point and continue. 

Screenshot 2014 07 10 18 09 58

13 Select Apply (BUT – NOT FINISH)

Screenshot 2014 07 10 18 10 31

14 IMPORTANT – Click View Log File

Screenshot 2015 02 19 16 26 26

15 Scroll to the end, and Copy the URL from the bottom of the file.

Screenshot 2015 02 19 18 26 29

This will be used in the next configuration.
Note: that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this). In our case the URL looked like this: https://internalcrm.iwebscrm15.com:444/FederationMetadata/2007-06/FederationMetadata.xml

16 Click Finish.

Set the CRM AppPool account and the Microsoft Dynamics CRM Encryption certificate.

17 Right Click the Start Button and select RUN

18 Type MMC and enter

Run MMC

19 Select File / Add/Remove Snap-in

Add Remove Snap-in

20 Select Certificates and Add

Add Certificates MMC

21 Select Computer Account

Computer Account

22 Local Computer is selected, so click Finish

Screenshot 2015 02 19 16 57 47

23 Expand the console tree / Personal / Click Certificates

Screenshot 2015 02 19 17 00 09

24 Right click the certificate we used for the CRM endpoint, and select All Tasks / Manage Private Keys

CRM IFD Manage Private Keys

25 Select Add

Screenshot 2015 02 19 17 04 11

26 Select Advanced

Screenshot 2015 02 19 17 11 47

27 Select Find Now

Screenshot 2015 02 19 17 12 34

28 Scroll Down and Find the NETWORK SERVICE Account

Network Service Account

29 Select OK / OK

Screenshot 2015 02 19 17 15 08

Ensuring that the NETWORK SERVICE has Read Access

Screenshot 2015 02 19 17 40 44

Note: We have used the NETWORK SERVICE account here because that is the one associated with the CRMAppPool used in IIS by default for the Microsoft Dynamics CRM Website that was automatically configured with the CRM setup.

Screenshot 2015 02 19 17 19 28

CRMAppPool

If you are using another account for running the application pool, then you should ensure that this account has access to the encryption certificate. Some details can be found here.

30 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2015 server.

Screenshot 2015 02 19 18 24 33

Once you can browse this URL, you are done if it fails, then repeat the process till you can access the URL on the server in question. Note: Often it is confusion over the port :5555 that defaults in CRM Deployment Manager Web settings and the HTTPS Port :444 that we defined in the binding for the Microsoft CRM Dynamics Website. So double check that you have the correct port set in the Deployment Manager, then run the steps again following that setting.

Claims-based authentication configuration AD FS 3.0 server

After completion of the previous step, the next step we need AD FS 3.0 to add and configure the statement provider trust ( claims Provider trusts ) and the relying party trust ( Relying Party trusts ).

Configure claims provider trusts

Start AD FS 3.0 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

Screenshot 2014 07 10 18 27 02


In the Rules Editor, click Add Rule, In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next

Screenshot 2014 07 10 18 27 33


Step10: Create the following rule

Claim rule name: UPN Claim Rule (or something descriptive)
Attribute store: Active Directory
LDAP Attribute: User Principal Name
Outgoing Claim Type: UPN

Screenshot 2014 07 10 18 34 58

Click Finish, and then click OK to close the Rules Editor

After you enable claims-based authentication, you must configure Dynamics CRM Server 2015 as a relying party to consume claims from AD FS 3.0 for authenticating internal claims access.

Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file during the creation of the CRM Claims Based Authentication. e.g. https://internalcrm.iwebscrm15.com:444/FederationMetadata/2007-06/FederationMetadata.xml

Screenshot 2014 07 10 18 38 23

On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

Screenshot 2014 07 10 18 40 57

Click Next on the multi-factor authentication options.

Screenshot 2014 07 10 18 41 35

On the Choose Issuance Authorisation Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Screenshot 2014 07 10 18 41 44

On the Ready to Add Trust page Click Next

Screenshot 2015 02 19 19 02 22

On Finish Page, click the checkbox option to Open the Edit Claim Rules, Next, and then click Close.

Screenshot 2015 02 19 19 04 59

The Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

Screenshot 2014 07 10 18 42 52

In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Screenshot 2014 07 10 18 44 21

Create the following Rule #1
Claim rule name: Pass Through UPN (or something descriptive)
Incoming claim type: UPN
Pass through all claim values

Click Finish.

Screenshot 2014 07 10 18 44 59

Screenshot 2014 07 10 18 50 07

In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

Screenshot 2014 07 10 18 50 26

Create the following Rule #2

Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values

Click Finish

Screenshot 2014 07 10 18 51 11

Screenshot 2014 07 10 18 51 23

In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Screenshot 2014 07 10 18 51 59

Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)
Incoming claiming type: Windows account name
Outgoing claim type: * Name
Pass through all claim values

Screenshot 2015 02 19 19 10 09

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

Screenshot 2014 07 10 18 53 20

Click OK

Enable Forms Authentication

AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

Open the AD FS management console and click Authentication Policies. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

Screenshot 2015 02 19 19 13 39

Under Intranet, enable (check) Forms Authentication

Screenshot 2014 08 02 18 06 40

So now we have claims setup for CRM.

Add the ADFS server to the Local intranet zone.

We previously added the *.domain.com or in our case, *.iwebscrm15.com to the Local intranet zone in Internet explorer on the server. If you have not done this you should do it now. Then:

1. Select the Advanced tab. Scroll down and verify that under Security Enable Integrated Windows Authentication is checked.

Screenshot 2015 02 19 19 37 22

2. Click OK to close the Internet Options dialog box.You will need to update the Local intranet zone on each client computer accessing Microsoft Dynamics CRM data internally. 

Specify the security token service

1 Open a command line tool .

2 Enter the following command : ( application, in your own environment, substitute the name of the name of the command line )

c: \> setspn -a http/sts1.iwebscrm15.com fserver4\VSERVER06

fserver4\VSERVER08 = the domain / machine name of the server.

Screenshot 2015 02 19 21 33 22

c: \> iisreset 

Configure Internet-Facing Deployment in CRM Deployment Manager.

1 Open the CRM Deployment Manager.

2 In the tree structure , right-click Microsoft Dynamics CRM , and then click Configure Internet-Facing Deployment.

Screenshot 2014 08 02 18 14 52

3 Click Next.

Screenshot 2014 08 02 18 15 20

4 Fill in the correct domain information for the Web Application

Thus we use:

  • Web Application Server Domain: iwebscrm15.com:444
  • Organization Web Service Domain: iwebscrm15.com:444
  • Web Service Discovery Domain: dev.iwebscrm15.com:444 
     Screenshot 2015 02 19 20 15 10

Leave the Default option for the Internet Facing Server Location

Screenshot 2015 02 19 20 17 15

System Checks work

Screenshot 2015 02 19 20 18 19

IFD Summary looks like this. Then Apply

Screenshot 2015 02 19 20 19 00

Finish

Screenshot 2015 02 19 20 19 41

9. Open a command line tool, run: iisreset

Screenshot 2015 02 19 22 11 38

 

ADFS Relying Party Trust for the IFD Endpoint

Effectively you are creating the third Relying party trust in your deployment and the second that you have manually set up at this point. We are doing this again as this is now for the IFD endpoint.

Step 1: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

image

Step 2: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

For example, https://auth.iwebscrm.com:444/FederationMetadata/2007-06/FederationMetadata.xml (Remember to replay your domain for ours)

Type this URL in your browser and verify that no certificate-related warnings appear.

Screenshot 2015 02 19 21 50 58

Step 3: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next

image

Step4: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Screenshot 2015 02 19 21 51 44

Click Next

image

Screenshot 2015 02 19 21 52 25

Step 5: On the Ready to Add Trust page, click Next, and then click Close.

Step 6: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule

image

Step 7: In the Claim rule template list, select the Pass Through or Filter an Incoming Claimtemplate, and then click Next.

image

Step 8: Create the following rule#1

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish

image

Step 9: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

image

Step 10: Create the following rule#2

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish

image

Step 11: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

image

Step 12: Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

image

Now, you should see three Relying Party Trusts in the ADFS Trust Relationships.

Screenshot 2015 02 19 22 23 41


Test External Access to CRM 2015 with IFD

Now, you should use the claims certified external access CRM 2015 a. In IE the browser CRM 2015 external address (for example: https://crm2015.iwebscrm15.com:444/main.aspx ), you will see the following pages:

Screenshot 2015 02 19 22 20 28

Enter the user name password in the format “domain\username”  and pass. You should get in fine.

Additional Tasks for mex Endpoints – Services that connect to XRM

We found after following these instructions, that we could not write services that connected via the endpoint https://your.crm.dom:444/adfs/services/trust/mex. This is due to the CRM Sandbox service using port 808. The solution we applied what one that we wrote for CRM 2013, but is applicable here for CRM 2015: https://www.interactivewebs.com/blog/index.php/crm-2013/adfsservicestrustmex-returns-503-on-crm-2013-windows-2012-ifd-mex-endpoint-fix/ 

This should be done routinely as it will only pop it’s head up at a later date.

 

Turn the Firewall Back On

As you may expect, this is a rather important last step

1. Turn on all Firewall Settings as they were at the start

Screenshot 2015 02 19 22 50 17

2. Click Advanced Settings 

Screenshot 2015 02 19 22 51 06

3. Click Inbound Rules / New Rule

Screenshot 2015 02 19 22 52 22

4. Select Port / Next

Screenshot 2015 02 19 22 46 28

5. Select TCP and Specify Port 444

Screenshot 2015 02 19 22 46 54

6. Allow the Connection

Screenshot 2015 02 19 22 47 08

7. Domain, Private and Public all ticked.

Screenshot 2015 02 19 22 47 28

8. Give it a name like: CRM Port 444

Screenshot 2015 02 19 22 47 46

And you are about finished. Remember if in the future you are mucking with something and getting no place. Turn off the Firewall as a starting point. Banging heads with firewalls is a waste of time!

Remember to test access again externally!

 

Your Feedback and Our Services

Please post a comment or note if you have anything to add about these notes. We welcome feedback that helps us improve them.

If you have a need for CRM 2015 Developer Services, we offer professional services and support for CRM 2015. This includes upgrade services for upgrading from any of the past CRM releases to new ones. We also write custom plugin solutions and are specialists with advanced web services and portals that connect to CRM for many applications. http://www.interactivewebs.com/crm

 

 

 

CRM 2013 splash screen crash on Setup DVD / ISO

CRM 2013 splash screen crash on Setup DVD / ISO

After so many years, with the Splash screen crash of CRM 2011, the boys at Microsoft have not bothered to fix that problem. You start the screen

Screenshot 2014 08 03 00 16 22

Then before long you see this.

Screenshot 2014 08 03 00 17 03

Search around the net, and you find a bunch of old data relating to CRM 2011 and the same problem. Some suggestions are to uninstall various version of IE (The worlds Words Browser) or other similar crap. Not really much help when you are on a Windows 2012 R2 server with the newest release of CRM install ISO. Note: This is the sort of stuff I hope the new CEO will fix one day!

Other Solutions incorrectly reference the files to install from.

The Solution

These are the correct locations for CRM 2013:

  • Install Microsoft Dynamics CRM Server[Drive]:\Server\amd64\SetupServer.exe
  • Install Microsoft Dynamics CRM Report Authoring Extension[Drive]:\BIDSExtensions\i386\SetupBIGSExtensions.exe
  • Install Microsoft Dynamics CRM Reporting Extensions[Drive]:\Server\amd64\SrsDataConnector\SetupSrsDataConnector.exe
  • Install Microsoft Dynamics CRM for Outlookx86: [Drive]:\Client\i386\SetupClient.exex64: [Drive]:\Client\amd64\SetupClient.exe
  • Install Microsoft Dynamics CRM Email Routerx86: [Drive]:\EmailRouter\i386\SetupEmailRouter.exex64: [Drive]:\EmailRouter\amd64\SetupEmailRouter.exe

Microsoft CRM 2011 How to Configure IFD Hosted Setup

Screenshot 2014-07-05 15.44.06Like many, we have struggled to configure Microsoft CRM 2011 as an Internet Facing Deployment. There is quite a bit of disjointed and some what typical Microsoft “junk” on how to set this up.

So after reading the White Papers, blogs and YouTube videos on the topic, I figured I would need notes for myself as much as anything. This is mostly because I am yet to find one single example that covered the setup I was after. That being:

Single Server

On an existing domain

Running true IFD ready for customer access.

The last point it telling, as all the Microsoft examples give a self generated SSL cert, that really is an example of a DEV environment only. We want to test the “real deal”, and don’t mind spending a few $ on a real Certificate to see this in a true working environment.

If you need support upgrading Microsoft CRM 4.0 to CRM 2011 or CRM 2013, then contact InteractiveWebs CRM team.

The Existing Setup

Because this is a test environment, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:

  • Windows 2008 R2 SP1 64 Bit
  • SQL 2008 R2 64 Bit
  • Microsoft CRM 2011 64 Bit

Interesting enough, something that always takes me 15 min, it ensuring I download the correct version of the ISO files from MSDN. I get it that I am somewhat lame, but if you get a wrong version you can waste a load of time and energy later.

image

With a list looking like this it can be painful. Anyway, these are the files we used for install:

image

For those who care, the VM was set to run with 6000 MB ram, and fold out to use more.

image

Importantly

When we setup CRM, we selected the option to NOT use the default website, but configure a new one with the default settings of port 5555. This is necessary as you will see later.

 

Backup First

In all things Microsoft world, it is vital what you establish a working point to avoid unnecessarily installing things all over again. To get things working we have started fresh over 4 times.

Hyper V is great for this, as we just stopped the server, and made a copy of the VHD file. Then when it is time to start all over, it is just a matter of restoring from copy/backup.

 

Test First

Test that your CRM setup is working. Go to the local computer name (ours is VSERVER08) on the correct port: http://vserver08:5555

We called our Deployment of CRM – “CRM2011” So the URL redirects to: http://vserver08:5555/CRM2011/main.aspx

and after being prompted for login, we are in and testing.

image

Apply a Wildcard SSL Certificate

In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment “business1” we will access that as:  https://business1.domain.com

For testing, we purchased a standard Wildcard SSL certificate that applied that to the IIS7 server.

We will let you work out that bundle of joy, but a few tips.

1. Godaddy was about as cheap as you find on the net.

2. Setup involves creating a certificate request from within IIS, then pasting that text into the online providers order system. They then generate the certificates that you then import back into IIS and the server.

3.

Application for a certificate

Here, I will be a wildcard certificate, for example, describes how to create a certificate:

1) Open IIS Manager

2) Click the server name in the main screen double click Server Certificates

3) In the right panel, click Create Certificate Request…

image

4) fill in the following diagram each column, click Next

image

5) Cryptographic Service Provider Properties page to keep the default, click Next.

6) In the File Name page, enter C: \ req.txt , and then click Finish.

7) Run cmd , run

certreq-submit -attrib “CertificateTemplate: WebServer” C: \ req.txt

8) Select the CA , click OK.

9) the certificate is stored as C: \ Wildcard.cer . ( 7-9 can also be in the CA to complete)

10) back to the IIS Manager, click No. 3)  Step graph Complete Certificate Request …

11) Select the C: \ Wildcard.cer , Friendly name named *. contoso.com , of course, you can take a different name.

12) Click OK.

13) so that we completed the wildcard certificate request.

 

Additional SSL Certificate Imports

1) RUN MMC at the start / search

2) Select File / Add Remove Snapin – Select Certificates – ADD

image

Computer Account

image NEXT / Finish

3) Expand the first two folders, and Right Click on the Certificates Folder and select: All Tasks /  Import.

4) Browse to your wildcard SSL certificate file, and import that into the Personal and Trusted Root Certification Authorities.

image

 

Ensure that you

 

Binding site for the default SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click Default Web Site.

3) In the Actions pane, click Bindings.

image

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com , and then click OK.

image Ours is interactivewebs.com

7) Click Close.

8) Repeat for the Personal certificate folder.

 

For the CRM 2011 binding site SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click CRM Web Site.

3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com .

7) Port to select a different 443 (e.g. 444 ) and port number, and then click OK

8) Click Close.

 

DNS configuration

For MS CRM 2011 configuration Claims-based authentication, you need the DNS to add some records to make CRM 2011 for each breakpoint can be resolved correctly.

There are two ways you can achieve the desired result. But first lets understand the desired result.

  1. We make the assumption that your server is running at least one static IP address.
  2. Because this is Internet Facing, that IP needs to be accessible to the world.
  3. That same IP can be used for access to your server both internally on the matching we are playing with, and externally form anyone on the net.
Lets Get Basic

Start a Command Prompt, and work out what your IP address of the server is.

Click START > RUN > CMD

Type IPCONFIG – Enter

Under the name: IPv4 Address is a number that looks like: 66.34.204.220

image

That is Your IP Address of the Server.

The DNS Goal

Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.

(xxx is the sub domain that we are about to configure.)

To configure CRM, we need some sub domains to point to the server IP.

  1. sts.domain.com
  2. auth.domain.com
  3. dev.domain.com
  4. Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.

image

We have two setup here: CRM and CRM2011. So we need to configure crm.interactivewebs.com and crm2011.interactivewebs.com.

Hosting Your Own DNS

If you host your own Domain Name Server (DNS) and you host the domain name that you are using to setup IFD. Then configuring an A record for the above mentioned sub domains is easy.

START > Administrative Tools > DNS

Find your Domain Name

Right Click and select NEW HOST A

image

image

Add an A record that points to your servers IP address.

Repeat this process for all of the above mentioned sub domains. auth, sts1, dev, and your own organization names.

Test DNS

You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server.

Note: If you have added the DNS records, but still encounter name resolution problems, you can try running on the client ipconfig / flushdns to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.

image

Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.

 

Firewall configuration

You need to set the firewall to allow the CRM 2011 and the AD FS 2.0 port used by the incoming data stream. HTTPS (SSL) is the default port 443.

For Initial setup testing etc. We recommend just turning the thing off. Better start from a place where it does not muck you around, then turn it all back on after you are successful.

image

 

Configuration Claim-based authentication internal access

Configure the internal access Claim-based authentication requires the following steps:

  • Install and configure AD FS 2.0 .
  • Set Claims-based authentication configuration CRM 2011 server.
  • Set the Claims-based authentication configuration AD FS 2.0 server.
  • Test claims-based authentication within the access.

Install and configure AD FS 2.0

CRM 2011 with a variety of STS provider ( STS Provider ) together. This article uses Active Directory Federation Services (AD FS) 2.0 to provide a security token service (security token service ).

Note: AD FS 2.0 will be installed to the default site, so install AD FS 2.0 , you must have CRM 2011 installation in the new site. (Remember we said that earlier)

IIS Looks like this if it is correctly installed: image

If you only see the default website with CRM installed in that. Start AGAIN!

 

Download the AD FS 2.0

From the following link to download the AD FS 2.0

Active Directory Federation Services 2.0 RTW( http://go.microsoft.com/fwlink/?LinkID=204237 ).

 

Install AD FS 2.0

In the installation wizard, select the federation server role installed, for more information refer to

Install the AD FS 2.0 Software( http://go.microsoft.com/fwlink/?LinkId=192792 ).

Configure AD FS 2.0

1 in the AD FS 2.0 server, click Start , then click AD FS 2.0 Management .

2 In the AD FS 2.0 Management page , click AD FS 2.0 Federation Server Configuration Wizard .

image

3 In the Welcome page , select Create a new Federation Service , and then click Next.

image

4 In the Select Deployment Type page , select Stand-alone Federation Server , and then click Next.

image

5 Choose your SSL certificate (the choice of a certificate created *. contoso.com ) ,add a Federation Service name ( for example , sts1.contoso.com), and then click Next.

image

Note: Only you as the AD FS 2.0 sites when using the wildcard certificate, only need to add the Federation Service name.

6 Summary page, click Next.

image

7 Click Close to close the AD FS 2.0 Configuration Wizard.

image

Note: If you have not added ( sts1.contoso.com ) to add DNS records, then do it now.

 

Verify the AD FS 2.0 is working

Follow the steps below to verify that the AD FS 2.0 is working :

1 Open Internet Explorer.

2 Enter the federation metadata of the URL , for example:

https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml

3. to ensure that no certificate associated with the warning appears.

image

 

Claims-based authentication configuration CRM 2011server

After you install and configure the AD FS 2.0 , we need to configure the Claims-based authentication before setting CRM 2011 binding types ( Binding type ) and the root domain (root Domains) .

According to the following steps to set up CRM 2011 bound for the HTTPS and configure the root domain address :

1 Open the CRM Deployment Manager.

2 In the Actions pane , click Properties .

image

3 Click the Web Address page .

4 In the Binding Type , select HTTPS .

5. Ensure that the network address for the binding CRM 2011 site SSL certificate and SSL ports. Because you configured for internal access to Claims-based authentication, so the address of the host for the root domain name. Port number must IIS in CRM 2011 is set in the port the same site.

6 For example, *. contoso.com wildcard certificate, you can useinternalcrm.contoso.com: 444 as the network address.

image

7 Click OK .

Note: If the CRM Outlook client configuration using the old binding value, then the need to be updated to use the new value. + Make sure you have a DNS entry for: internalcrm.

From the CRM 2011 is passed to the AD FS 2.0 of Claims data you need to use the Claims-Based Authentication Configuration Wizard (described below) specified in the certificate for encryption. Therefore, CRM Web application CRMAppPool account must have read the certificate’s private key encryption ( Read ) permissions.According to the following steps to give this permission:

1 in CRM 2011 server , run the Microsoft Management Console (Start => Run MMC).

2 Click Files => Add / Remove Snap-in …

3 left panel, select Certificates , click Add to add to the right panel.

4 In the pop-up window, select Computer account .

5 next page, select Local Computer , click Finish .

6 Click OK .

7 Expand the Certificates ( Local Computer ) => Personal, select Certificates .

8. In the middle panel, right-click you will be in the Claims-Based Authentication Configuration Wizard to specify the encryption certificate (in this case *. contoso.com ), click All Tasks => Manage Private Keys.

9 Click Add , add CRMAppPool account (if you are using Network Service , select the account directly), and then give Read permissions.

image

Note: You can use IIS Manager to view CRMAppPool what account to use. In the Connections panel , click Application Pools , and then see CRMAppPool under Identity .

image

10 Click OK .

 

Configure Claims-Based Authentication

Below, we setup Claims-Based Authentication Configuration Wizard ( Configure Claims-Based Authentication Wizard ) to configure the Claims-Based Authentication. To learn how PowerShell to configure Claims-Based Authentication, refer to the English original.

1) Open the Deployment Manager.

2) on the left navigation panel, right-click Microsoft Dynamics CRM , and then click Configure Claims-Based Authentication.

image

3) click Next.

image

4) In the Specify the security token service page , enter the Federation metadata URL, such as

https://sts1.interactivewebs.com/federationmetadata/2007-06/federationmetadata.xml

image

Note: The data is usually in the AD FS 2.0 website. Can this URL copied into IE to seeFederation metadata , to ensure that this is the correct URL . Using IE to access the URL can not have a certificate-related warnings (Ignore that crap!)

image

5) Click Next .

6) In the Specify the encryption certificate page , click on Select…

7) select a certificate, where we choose *.interactivewebs.com.

image

image

8) This certificate is used to encrypt the transmitted AD FS 2.0 authentication security token service security token.

Note: Microsoft Dynamics CRM service account must have the private key encryption certificate Read permission.

10 Click Next . Claims-Based Authentication Configuration Wizard validates the token and certificate you specified.

image

11 In the System Checks page, if the test passed, click Next .

12 In the Review your selections and then click Apply page , just to confirm the input, and then click Apply .

image

13. On this page, note which of the URL , because then, you will use this URL to add a trusted party ( Relying Party ) to the security token service.

image

image

14 IMPORTANT – Click View Log File

15 Scroll to the end, and Copy the URL from the bottom of the file.

image– This will be used in the next configuration. Note that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this).

16 Click Finish.

17 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2011server.

18. Once you can browse this URL, you are done here.

 

Claims-based authentication configuration AD FS 2.0server

After completion of the previous step, the next step we need AD FS 2.0 to add and configure the statement provider trust ( claims Provider trusts ) and the relying party trust ( Relying Party trusts ).

Configure claims provider trusts

You need to add a claims rule come from Active Directory to obtain user ‘s UPN (user principal name) and then as a UPN delivered to MS CRM . Follow these steps to configure the AD FS 2.0 to UPN LDAP attribute as a claim is sent to the relying party ( Relying Party ):

1 installed in the AD FS 2.0 on the server , open AD FS 2.0 Management.

2 In the Navigation Pane , expand the Trust Relationships , and then click the Claims Provider Trusts.

3 In the Claims Provider Trusts under , right-click Active Directory , and then click Edit Claims Rules.

image

4 in the Rules Editor , click Add Rule.

image

5. In Claim rule template list , select the Send LDAP Attributes as Claims template ,and then click Next.

image

6 Create the following rule:

  • Claim rule name: UPN Claim Rule ( or other descriptive name )

· Add the following mapping:

  • Attribute Store: Active Directory
  • LDAP Attribute: User Principal Name
  • Outgoing Claim Type: UPN image

7 Click Finish , then click OK close the Rules Editor.

 

Configuration relying party trusts

In the open claims-based authentication, you must ensure CRM 2011 server configured as a relying party to use from the AD FS 2.0 statement to internal access claims certification.

1 Open AD FS 2.0 Management.

2 In the Actions menu, click Add Relying Party Trust.

image

3 In the Add Relying Party Trust Wizard , click Start.

image

4 In the Select Data Source page , click Import Data about the Relying Party Online or published on a local Network , enter the positioning federation metadata.xml file URL.

image

Federation metadata is set Claims when created. Use Claims-Based Authentication Configuration Wizard. The URL used here is IMPORTANT – Read point 14 in the above section. It is the URL retrieved from the VIEW LOG FILE That we did when  from configuration of Claims Based Authentication:  In this case

image

https://internalcrm.interactivewebs.com:444/FederationMetadata/2007-06/FederationMetadata.xml

Note: Ensure that no certificate-related warnings appear when hitting the URL.

5 Click Next .

6 In the Specify Display Name page , enter a display name, such as CRM Claims Relying Party , and then click Next.

image

7 In the Choose Issuance Authorization Rules page , choose Permit All users to access this Relying Party , and then click Next.

image

8 In the Ready to Add Trust page , click Next , then click Close .

9. When the Rule Editor appears , click Add Rule . Otherwise , the Relying Party Trusts list , right-click you create a relying party objects, click the Edit Claims Rules , and then click Add Rule.

image

10. In Claim rule template list , select the Pass Through or Filter an Incoming Claim template, and then click Next.

image

11 create the following rule:

· Claim rule name: Pass Through UPN ( or other descriptive name )

· Add the following mapping:

  • Incoming claim type: UPN
  • Pass through All claim values

image

12 Click Finish .

13 In the Rule Editor , click Add Rule , in Claim rule template list , select the Pass Through or Filter an Incoming Claim template , and then click Next :

· Claim rule name: Pass Through Primary SID ( or other descriptive name )

· Add the following mapping:

  •      Incoming claim type: Primary SID
  •      Pass through All claim values

image

14 Click Finish .

15 In the Rule Editor , click Add Rule

16. In Claim rule template list , select the Transform an Incoming Claim template , and then click Next.

image

17 create the following rule:

· Claim rule name: Transform Windows Account Name to Name ( or other descriptive name )

  • Incoming claim type: Windows account name
  • Outgoing claim type: Name
  • Pass through All claim values

image

18 Click Finish , to create a good three rule later , click OK close the Rule Editor

image

 

 

Test claims-based authentication within the access

You should now be able to use the claims certified to the internal access CRM 2011 a

1 Open the Deployment Manager.

2 Expand the Deployment Manager node , and then click on Organizations .

3 Right-click your organization , and then click Browse . so you can open the CRM web page of ( for example: https://internalcrm.contoso.com:444 ).

image

Trouble Shooting

If the CRM web page can not be displayed, then run the following iisreset and then try again.

image

If the CRM web page still does not show, then you may need to setup AD FS 2.0 server setup a SPN (Service Principal Name) . Re-run the Claims-Based Authentication Wizard, and then browse to the Specify the security token service page, note the AD FS 2.0 server in the Federation metadata URL in the name. (In this case sts1.interactivewebs.com )

http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx

image

1 Open a command line tool .

2 Enter the following command : ( application, in your own environment, substitute the name of the name of the command line )

c: \> setspn -a http/sts1.interactivewebs.com fserver4\VSERVER08$

fserver4\VSERVER08 = the domain and machine name of the server.

image

c: \> iisreset

3 and then re-access the Microsoft Dynamics CRM Server 2011 site, so you should be able to successfully access to the CRM 2011 Web page.

http://technet.microsoft.com/en-us/library/gg188614.aspx

If you receive ADFS – sts1 errors.

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: xxx

And or if you look in your log files under ADFS 2.0 You will see errors like this.

image

In our case, this was because we used the external Metadata URL and not the Internal URL that we should have copied from the “View Log File” When configuring the Claims Based Authentication. Step 14 in the section above.

image

image

Note the difference between this:

https://internalcrm.interactivewebs.com:444/FederationMetadata/2007-06/FederationMetadata.xml

and the original meta data check we did with:

https://sts1.interactivewebs.com/federationmetadata/2007-06/federationmetadata.xml

We incorrectly figured it would be pulling the same XML data. It does NOT!

 

Configuration Claim-based authentication external access

Open to the CRM 2011 Data Claims-based authentication of external access, you need to do the following steps:

1 complete contents of the previous section: Configuring Claim-based authentication- internal access.

2 for the IFD configuration CRM 2011 server.

3 for the IFD configuration AD FS 2.0 server.

4 Test claims-based authentication external access.

The IFD configuration CRM 2011 server

When opening Claims certified internal access, you can open by IFD external claims visited. The following describes using the IFD Configuration Wizard to configure, if you want to learn how to use PowerShell to be configured, refer to the English original.

1 Open the Deployment Manager.

2 In the tree structure , right-click Microsoft Dynamics CRM , and then click Configure Internet-Facing Deployment.

image

3 Click Next.

image

4 Fill in the correct domain information for the Web Application, Org, and Discovery Web services. Remembering here that in our case: *.interactivewebs.com was the name of the wildcard certificate used, and that PORT 444 was the port we configured for the CRM Web Instance in the bindings for IIS.

Thus we use:

  • Web Application Server Domain: interactivewebs.com:444
  • Organization Web Service Domain: interactivewebs.com:444
  • Web Service Discovery Domain: dev.interactivewebs.com:444 image

Note – Enter the domain name, rather than the server name .

  • If the CRM installed on the same server or servers are installed in the same domain, then the Web Application Server Domain and Organization Web Service Domain should be the same .
  • Web Service Discovery Domain must be a Web Application Server Domain as a subdomain like the  “dev.” that we setup in DNS earlier.
  • domain name must be on the SSL certificate name

Domain examples :

  • Web Application Server Domain: contoso.com: 444
  • Organization Web Service Domain: contoso.com: 444
  • Web Service Discovery Domain: dev.contoso.com: 444

For more information on the website, please refer to Install Microsoft Dynamics CRM Server 2011 on multiple computers( http://go.microsoft.com/fwlink/?LinkID=199532 )

5 In the Enter the external domain where your Internet-facing servers are located input box , enter for your internet to CRM 2011 server located outside the domain of information, and then click Next .

image

You must specify the domain specified in the previous step Web Application Server Domain sub-domains . default , will be “auth.” added to the Web Application Server Domain before.

Domain examples :

  • External Domain: auth.contoso.com: 444

6 In the System Checks page , if there is no problem, click Next.

image

7 In Review your selections and then click Apply page , confirm your input , and then click Apply.

image

8 Click Finish .

image

9. Open a command line tool, run: iisreset

 

The IFD configuration AD FS 2.0 server

To open CRM 2011 on the IFD , you need to add AD FS 2.0 server for the IFD to create a relying party endpoints. Follow these steps:

1 open AD FS 2.0 Management .

2 In the Actions menu, click Add Relying Party Trust.

image

3 In the Add Relying Party Trust Wizard , click Start .

4 In the Select Data Source page , click Import Data about the Relying Party Online or published on a local Network , enter the positioning federation metadata.xml file URL.

Note – This is almost the same URL as we used previously, but has the .auth sub domain that we used in point 4 above. For use the Federation metadata is configured IFD when created. In this case https://auth.interactivewebs.com:444/FederationMetadata/2007-06/FederationMetadata.xml .

Check in your browser the URL, to ensure that no certificate-related warnings appear.

image

5 Click Next.

6 In the Specify Display Name page , enter the display name , such as CRM IFD Relying Party , and then click Next.

image

7 In the Choose Issuance Authorization Rules page , select the Permit all users to access this relying party options , and then click Next.

image

8 In the Ready to Add Trust page , click Next , then click Close .

9. If the Rule Editor appears , click Add Rule. Otherwise , the Relying Party Trusts list ,right-click you create a relying party objects, click the Edit Claims Rules, and then click Add Rule.

image

10. In Claim rule template list , select the Pass Through or Filter an Incoming Claim template, and then click Next.

image

11 create the following rule:

· Claim rule name: Pass Through UPN ( or other descriptive name )

· Add the following mapping:

  •     Incoming claim type: UPN
  •     Pass through All claim values image

12 Click Finish .

13 In the Rule Editor , click Add Rule , in Claim rule template list , select the Pass Through or Filter an Incoming Claim template , and then click Next :

· Claim rule name: Pass Through Primary SID ( or other descriptive name )

· Add the following mapping:

  •     Incoming claim type: Primary SID
  •     Pass through All claim values image

14 Click Finish .

15 in the Rules Editor , click Add Rule ,

16. In Claim rule template list , select the Transform an Incoming Claim template , and then click Next .

17 create the following rule:

· Claim rule name: Transform Windows Account Name to Name ( or other descriptive name )

  •     Incoming claim type: Windows account name
  •     Outgoing claim type: Name
  •     Pass through All claim values

 

18 Click Finish , you have created three rule later , climageick OK close the Rule Editor .

Test claims-based authentication to access external

Now, you should use the claims certified external access CRM 2011 a. In IE the browser CRM 2011 external address (for example: https://org.contoso.com:444 ), you will see the following pages:

Enter the user name password, log CRM 2011.

 

Final Notes

An additional log cleanup step here.

Like anything Microsoft, this was not easy. It took us over 10 attempts drawing on over a dozen resources to get this worked out. For us, the main tripping points related the the meta data URL’s used in configuring the endpoints. Our fault, but it also appears to be a common error to other administrators on the net.

To Microsoft – you documentation sucks badly! If I never read another White Paper it will be too soon!

Thanks to – Jackie Chen (Chen Pan) Your blog was GOLD!

Also Look at these Updates

Look for our other posts on Email Router Configurations. “is a fickle bitch!”

AD FS certificate rollover CRM 2011

CRM 2011 Rollup 10 Invalid Argument Error

Client found response content type of ”, but expected ‘text/xml’.

Today we experienced ‘another’ issue with the Microsoft CRM 4.0 Email Router Configuration Manager. Like many of the other issues with the E-mail router tool, we only noticed when we stopped receiving email association icons in outlook.

Normally for us this has ended up being the problem with the Configuration Manager xml configuration files, and has required us to restore them from backup in line with the Official MS fix.

Unusually today the error lay elsewhere. With a test of the User and Queue access, we were receiving a message that looked like this:

  • Client found response content type of ”, but expected ‘text/xml’.
  • With an Event Log Entry Event ID: 0

  • #26090 – An error occurred while opening mailbox email@domain.com System.InvalidOperationException: Client found response content type of ”, but expected ‘text/xml’.
    The request failed with an empty response.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Crm.Tools.Email.Providers.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
       at Microsoft.Crm.Tools.Email.Providers.ExchangeWSConnector.OpenMailbox()
       at Microsoft.Crm.Tools.Email.Providers.ExchangePollingMailboxProvider.InitExchangeConnector()
       at Microsoft.Crm.Tools.Email.Providers.ExchangePollingMailboxProvider.OpenMailbox()
       at Microsoft.Crm.Tools.Email.Providers.CrmPollingMailboxProvider.Run()

image

The long and the short is that we are using Microsoft Exchange Server 2010

With an Email Router Configuration setup for the Rollup 9 supporting Exchange 2010 with Windows Authentication. The URL for the location of the exchange server in the Profile tool looks like this:

https://server/EWS/Exchange.asmx

Hitting that URL should normally reveal some XML data about the email box being interrogated:

image

While the CRM Router Service was in error, the URL returned a blank result. This indicated that the Exchange Server 2010 service was at fault. The short term solution was to reboot the Exchange Server. We are yet to track down the exact cause.

Bottom Line… Errors like this appear to be pointing to invalid data return from the Exchange Mail Server.

Digg This