How to Set Up Microsoft CRM 2016 IFD on Windows 2012 R2 Server

How to Set Up Microsoft CRM 2016 IFD on Windows 2012 R2 Server

We already have a popular post for the configuration of IFD setup with CRM 2015, CRM 2013, CRM 2011. Now we are updating this post to support CRM 2016.

Microsoft have a compatibility listing for CRM 2016 here: https://support.microsoft.com/en-us/kb/3124955

The Development Setup

 Once again we are running this configuration as a test environment for development. As such we will be running, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:

  • Windows 2012 R2 SP2 64 Bit – (MSDN File: en_windows_server_2012_r2_x64_dvd_2707946
  • SQL 2014 R2 64 Bit – SQL Server 2014 Standard Edition x64 – (MSDN File: en_sql_server_2014_standard_edition_x64_dvd_3932034) – Patched to SP2
  • Microsoft Dynamics CRM Server 2016 – en_microsoft_dynamics_crm_server_2016_x86_x64_dvd_7171743
NOTE: The Domain we have used for setup with this dev server is: iwebscrm16.com You can substitute your domain in place throughout these step by step IFD instructions CRM 2016.

Getting Windows Server Ready

1. Install and Update Windows 2012 R2.

2. From the Server ManagerAdd Roles and Features

3. Role-Based or Feature-Based instilllation

Windows 2012 Install Roles

4. Select the Server from the Pool (usually the default option)

5. Scroll Down and Select Web Server IIS

Screenshot 2016 01 07 01 22 53

6. Add Features

Screenshot 2016 01 07 01 23 41

And .NET 3.5 Features

Screenshot 2016 01 07 06 38 25

7. Next / Next

8. under Web Server Roles (IIS) Use the default options, but add under Performance – Dynamic Content Compression

Dynamic Compression Install IIS

9. Next / Install

10. Update Window Server again as there is likely a restart update available. 

11. After Restart. Ensure that you turn off the IE enhanced security. It’s Crap and no one benefits from it. This is done in the Server Manager under Local Security.

Screenshot 2016 01 07 23 28 08

 

SQL 2014 Setup

1. First Up have the Windows Server Join the Domain you will be using.

2. Reboot and login with the domain admin account.

3. Start the SQL Install Disk

4. Click Instillation / New SQL Server Stand Alone

Screenshot 2016 01 07 06 24 23

5. Enter Product Key / Next

6. Agree to Terms / Next

7. use Microsoft Update / Next

8. Ignore the Windows Firewall Warning at this Stage

Screenshot 2016 01 07 06 26 41

9. Select SQL Server Feature Instillation / Next

10. Select: Database Engine Service / Full Text Indexing / Reporting Service Native / Management Tools Basic and Complete / Next

SQL Setup for MS CRM 2016

11. Leave Default Name

Screenshot 2016 01 07 11 58 41 

12. Server Configuration Default and Next

Screenshot 2016 01 07 12 13 33

13. Windows Authentication Mode / Add Current User (Remembering we are logged in as a Domain Admin domain/administrator)

Screenshot 2016 01 07 12 14 33

14. Install and Configure / Next

Screenshot 2016 01 07 12 16 22

15. Install

Screenshot 2016 01 07 12 17 11

16. After Completion, Check again for Windows Updates and Reboot. (At the time of writing this blog, the SP 1 for SQL 2014 will be installed if your install disks do not already have this. Like everything Microsoft, it’s not super reliable until they SP1 their product!).

 

Getting your Active Directory OU Ready

1. Login to your Active Directory Domain Controller as a Domain Administrator

2. Using the Active Directory Users and Computers, Select the Root and Create a new OU named something like Microsoft CRM 2016

Screenshot 2016 01 07 19 30 47

3. Log Out of the Active Directory Domain Server.

 

Installing CRM 2016

During the install, we were asked to install services associated with the services required for CRM 2016.

CRM 2015 Install Process

We Selected all options on install:

Screenshot 2015 02 12 14 57 24

Select “Create New Deployment” and enter theServer Name as the SQL server. Screenshot 2016 01 07 19 32 24

If you are not sure of the name, Right Click “This Computer” from the start menu, and select Properties:

Screenshot 2016 01 07 19 34 07

Browse to the OU we created in the Steps Above Getting the AD OU Ready, and select the OU we created there. “CRM 2016″

Screenshot 2016 01 07 19 36 25

We selected the default account for authority. Note that the blog referenced above suggests a dedicated account for security. As we are setting up a dev environment we did not bother with this.

CRM 2015 Security Account

IMPORTANT

Create a new Website with port 5555

CRM 2015 IFD Website 5555

As we intend to set up the Email Router service on this server later, we set this server “VSERVER06” in this instance as the server for email router service, or you can leave this blank.

Screenshot 2016 01 07 19 39 30

We set “CRM2016″ As the default initial test environment deployment.

CRM 2016 Setup IFD

Reporting Server defaulted to the server name/reportserver

Screenshot 2016 01 07 19 40 53

We received a few warnings about the install:

CRM 2015 Install Warnings

For a deployment that is more secure, the Microsoft Dynamics CRM Sandbox Processing Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

For a deployment that is more secure, the Microsoft Dynamics CRM VSS Writer Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

Data encryption will be active after the install or upgrade. We strongly recommend that you copy the organization encryption key and store it in a safe place. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

The only one of real interest in our Dev environment would be the last item. making a backup of data encryption keys is always a good idea. 

Test First

Test that your CRM setup is working. Go to the local computer name (ours is vserver12) on the correct port: http://vserver12:5555

We called our Deployment of CRM – “CRM2016″ in the CRM Setup phase above, so the URL redirects to: http://vserver12:5555/CRM2016/main.aspx

Because we were were logged in as the server administrator, we were able to load, but may take some time to fire up the various server requirements.

Microsoft CRM 2016 Home Page

Apply a Wildcard SSL Certificate

In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment (known as organisation) “business1″ we will access that as: https://business1.domain.com:444 (note the the :444 will be because of how we set up Internet Facing Deployment.

For testing, we purchased a standard Wildcard SSL certificate that applied that to the IIS Server 

In our case we registered a test domain: iwebscrm16.com and set the SSL wildcard to: *.iwebscrm16.com and applied that cert to the server. The services we used for purchasing the wildcard certificate were starts.com who provide a very cost effective certificate services. Once authenticated, certificates are free to issue.

Application for a certificate

Here, I will be a wildcard certificate, for example, describes how to create a certificate:

1) Open IIS Manager

2) Click the server name in the main screen double click Server Certificates

3) In the right panel, click Create Certificate Request…

image

4) fill in the following diagram each column, click Next

image

5) Cryptographic Service Provider Properties page change the Bit Length to at least 2048 click Next.

Screenshot 2014 07 05 18 50 18

6) In the File Name page, enter C: \ req.txt , and then click Finish. (You can save it any place you like, with any name)

7) Open the certificate in Notepad, and copy the contents.

Screenshot 2014 07 05 18 53 05

This is the text that is pasted into the Start SSL Certificate request page to generate the certificate:

Screenshot 2014 07 05 18 55 03

8) After you finish generating the certificate text in StartSSL.com (Note that Start SSL is no longer an SSL certificate provider, we suggest ssl2buy.com) you get a bunch of code that looks similar to the request code. Copy that generated code

9) Paste the code back into a new Text / Notepad Document on the Web server, but call it something that ends in .cer  (not .txt). 

10) back to the IIS Manager, click No. 3)  Step graph Complete Certificate Request …

11) Select the the file you created at point 9 above to complete the request.

12) Click OK.
Note: We did get an error message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
In this instance, it turned out to be a crappy Microsoft Error. After doing some research, we found that it was likely meaningless and the cert installed correctly. We rebooted the machine and logged in again, to find that the CERT was there installed as we wanted it to be.

Binding site for the default SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click Default Web Site.

3) In the Actions pane, click Bindings.

image

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com , and then click OK.

Screenshot 2015 02 18 18 03 45

 Ours is *.iwebscrm15.com

CRM 2015 SSL

7) Click Close.

For the CRM 2016 binding site SSL certificate

This is in effect repeating the above process like you did for the default certificate, but using a different port (444 for example). This way you are binding the same certificate to the two websites in your IIS instance.

1)Open IIS Manager.

2) In the Connections panel, expand Sites , click CRM Web Site.

3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) Type select HTTPS.

6) SSL Certificate , select the certificate you just created *. contoso.com .

7) Port to select a different 443 (e.g. 444 ) and port number, and then click OK

 SSL CERT CRM 2015

IFD CRM 2015 CERT.png

8) Click Close.

DNS configuration

We are going to add a few DNS “A” records so that the records listed in point 1-4 below in DNS Goal are resolving correctly to the IP address of your CRM server.

There are two ways you can achieve the desired result. But first lets understand the desired result.

  1. We make the assumption that your server is running at least one static IP address.
  2. Because this is Internet Facing, that IP needs to be accessible to the world.
  3. That same IP can be used for access to your server both internally on the matching we are playing with, and externally form anyone on the net.
Lets Get Basic

Start a Command Prompt, and work out what your IP address of the server is.

Click START > RUN > CMD

Type IPCONFIG – Enter

Under the name: IPv4 Address is a number that looks like: 66.34.204.220

image

That is Your IP Address of the Server.

The DNS Goal

Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.

(xxx is the sub domain that we are about to configure.)

To configure CRM, we need some sub domains to point to the server IP.
Adding records in DNS like this:

Screenshot 2014 07 05 19 28 02

  1. sts1.domain.com
  2. auth.domain.com
  3. dev.domain.com
  4. internalcrm.domain.com
  5. Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.
  6. crm2016.iwebscrm16.com (We usually set up a dev environment with CRM2016 being the year of the version. Just something we select to do).
  7. adfs.domain.com (used for reference to the ADFS server)
  8. one for the root domain so that domain.com points to the same server. (This is for the ADFS logout URL)

CRM 2015 IFD DNS SETTINGS

We have two setup here: CRM and CRM2016. So we need to configure crm.iwebscrm16.com and crm2016.iwebscrm16.com (Not necessary but our choice for this instance).

DNS The Easy Way!

The really easy way to solve all this (now we have explained the background) is to simply create a * A record that points to the machine we are using to set up the CRM system.

Test DNS

You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server. At the command prompt, type “ping sts1.iwebscrm15.com” for example with our config. Ping them all to be sure you get them correct. 

Note: If you have added the DNS records, but still encounter name resolution problems, you can try running on the client ipconfig / flushdns to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.

image

Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.

 

Firewall configuration

You need to set the firewall to allow the CRM 2013 and the AD FS 3.0 port used by the incoming data stream. HTTPS (SSL) is the default port 443.

For Initial setup testing etc. We recommend just turning the thing off. Better start from a place where it does not muck you around, then turn it all back on after you are successful.

1) In Windows 2012 I can’t frigging work out how to find anything. Literally!  But most things you can search for. As is the case here if you search for “Firewall”. Select the firewall option:

Screenshot 2015 02 18 18 14 37

2) Select Turn Windows Firewall on or off

Screenshot 2015 02 18 18 16 04

4) Turn Off or On Firewall

Screenshot 2014 07 05 19 33 53

Just turn it all off for now. (Remember to come back, turn it on and allow access for the unusual port 444 that you configured earlier for the SSL on the CRM site. But for testing and setting up… the last things you want is to be banging your head agains a firewall.

Screenshot 2015 02 18 18 18 31

Snapshots

Just a reminder that at this point we have been keeping snapshots on our Hyper-V environment to allow us to fail back to a location and try again. This is really useful for the setup of something like this that has a lot of moving parts.

CRM 2016 Snapshots

Configuration Claim-based authentication internal access

Configure the internal access Claim-based authentication requires the following steps:

  • Install and configure AD FS 3.0
  • Set Claims-based authentication configuration CRM 2016 server.
  • Set the Claims-based authentication configuration AD FS 3.0 server.
  • Test claims-based authentication within the access.

Install and configure ADFS 3.0

This article uses Active Directory Federation Services (AD FS) 3.0 to provide a security token service (security token service or STS ).

Note: AD FS 3.0 will be installed to the default site, so install AD FS 3.0 , you must have CRM 2016 installation in the new site. (Remember we said that earlier)

IIS Looks like this if it is correctly installed: image

If you only see the default website with CRM installed in that. Start AGAIN! – We are working with the process as shown here.

Install ADFS Server Role

From Server Manager – Add A Server role for: Active Directory Federation Services

Screenshot 2014 07 05 19 39 54 

Screenshot 2015 02 18 18 24 23

Screenshot 2015 02 18 18 24 53

Screenshot 2015 02 18 18 25 34

Click Install at the last step.

Screenshot 2015 02 18 18 26 20

After if Finishes: 

Configure the Fediration service on this server

Click the Configure the Federation Services on this server.

Configure AD FS 3.0

1 Click on Configure the federation service on this server.

2 In the AD FS 3.0 Management page , click AD FS 3.0 Federation Server Configuration Wizard .

3 In the Welcome page , select Create the first federation server in a federation server farm, and then click Next.

Screenshot 2014 07 05 19 43 52

4 Select next to continue with the current administrator (must be a domain admin).

Screenshot 2014 07 10 16 34 34

5 Choose your SSL certificate (the one we created and imported above i.e. *.iwebscrm15.com ) ,add a Federation Service name ( Selecting the second one for the dropdown in this instance iwebscrm15.com, don’t select the one with the wildcard in the name, so not the *.iwebscrm15.com for example.), then Select a Service Display Name for your business – selecting the one that is NOT starting with a *, then click Next.

ADFS Setup with CRM 2016

6 Open PowerShell and run the following command: “Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)”

 Screenshot 2014 07 10 16 40 55

Screenshot 2015 02 18 18 42 53

If you don’t you will se the error: Group Managed Service Accounts are not available because the KDS Root Key has not been set.

7 We specified the Administrator account for the service account, as security is not our primary concern here with a Dev environment. You could and probably should use a defined account for a production environment.

ADFS Service Account

7 Create a database on this server using Windows Internal Database (or you can use SQL instance in the step below), click Next.

Screenshot 2014 07 10 16 43 30

Or use the local SQL instance etc if you have one. (Because we have SQL installed on this same server. We are using this SQL instance for the database host. 

ADFS SQL Database

Note that this will create two new databases in SQL.

ADFS SQL Databases 

8 Review Options click Next

Screenshot 2015 02 18 18 49 33

9 Pre-requisits checklist, click Configure

Screenshot 2014 07 10 16 45 44

10 You should see a message that “This Server was successfully configured

Screenshot 2015 02 18 18 53 47

11 Close out the Instillation progress window

Screenshot 2015 02 18 18 54 07

Screenshot 2015 02 18 18 54 33

Verify the AD FS 3.0 is working

Follow the steps below to verify that the AD FS 3.0 is working :

1 Open Internet Explorer.

Under Internet Options

IE Options

Security / Local Intranet

Screenshot 2015 02 19 08 49 36

Sites / Advanced

IE Sites Advance

Add *.domain.com to the websites. In our case here we added: *.iwebscrm16.com

Screenshot 2016 01 08 12 29 46

Close all this down when added.

2 Now we need browse to the the federation metadata in Internet explorer to test access is working. 

Use this URL below as an example to browse to your own server. Remembering that we set up a DNS entry earlier for “ADFS’ on your domain, thus you should be able to browse to the URL below replacing our domain name with yours and have it access the server we are configuring.

  • https://adfs.iwebscrm16.com/federationmetadata/2007-06/federationmetadata.xml

(Replace your domain name in place of ours iwebs16.com)

3. to ensure that no certificate associated with the warning appears, and you can view the certificate to be sure it is showing.

Screenshot 2016 01 08 12 34 21

Check the certificate is correct and working by clicking on the padlock looking thing and viewing certificate.

Screenshot 2016 01 08 12 34 59 

Take another Snapshot!

Claims-based authentication configuration CRM 2016 server

After you install and configure the AD FS 3.0 , we need to configure the Claims-based authentication before setting CRM 2016 binding types and the root domain.

1 Open the CRM Deployment Manager.
CRM 2016 Deployment Manager

2 In the Actions pane , click Properties .

3 Click the Web Address page.

4 In the Binding Type , select HTTPS .

Screenshot 2014 07 10 17 09 07

CRM 2017 hsttps

5. Change the Server name to the internalcrm.domain.com:444 format. In our case here. internalcrm.iwebscrm16.com:444

CRM 2016 IFD

6. Then Apply

7. Then OK to close

8 In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

Screenshot 2014 07 10 17 59 37

9 Click Next on the Welcome page

10  On the Specify the security token service page, enter the Federation metadata URL, in our case because we setup a DNS record for “adfs” we are going to use that: https://adfs.iwebscrm16.com/federationmetadata/2007-06/federationmetadata.xml 
Note: that this is the same URL we tested ADFS was set up correctly on in the steps above. Also note that the step of adding the domain to internal sites in the IE security settings that we did above is an important one! If you can’t hit that URL on the web browser of the server and get a clean XML defined page, then you deployment will not work.

CRM 2015 Claims Based Authentication

11 Click Next then select the certificate that we created perviously for the *.domain connection

CRM 2016 Certificate

12 Select Next
Note: At this point it is possible to get an error something along the lines of “Encrypted Certificate Error”. This is implying that the account used to run CRM does not have access to the Private Key of the certificate being used. Skip forward to point 25 below, and add the service accounts that CRM is using to the private key of the certificate to be used. This will ensure that this next configuration step has access to the certificate. Then come back to this point and continue. 

Screenshot 2014 07 10 18 09 58

13 Select Apply (BUT – NOT FINISH)

Screenshot 2014 07 10 18 10 31

14 IMPORTANT – Click View Log File

Screenshot 2016 01 08 13 06 25

15 Scroll to the end, and Copy the URL from the bottom of the file.

CRM 2016 Internal Federation Metadata URL

This will be used in the next configuration. 
Note: that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this). In our case the URL looked like this: https://internalcrm.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml

16 Click Finish.

Set the CRM AppPool account and the Microsoft Dynamics CRM Encryption certificate.

17 Right Click the Start Button and select RUN

18 Type MMC and enter

Run MMC

19 Select File / Add/Remove Snap-in

Add Remove Snap-in

20 Select Certificates and Add

Add Certificates MMC

21 Select Computer Account

Computer Account

22 Local Computer is selected, so click Finish

Screenshot 2015 02 19 16 57 47

23 Expand the console tree / Personal / Click Certificates

Screenshot 2015 02 19 17 00 09

24 Right click the certificate we used for the CRM endpoint, and select All Tasks / Manage Private Keys

CRM IFD Manage Private Keys

25 Select Add

Screenshot 2015 02 19 17 04 11

Note here: If you do not have the “adfssrv and drs” accounts listed, you will have problems. The solution though is to do this at this point:

Open Powershell as Administrator and run: dir Cert:\LocalMachine\My\

Screenshot 2017 12 06 10 57 53

 Then using the thumbprint of the Certificate related to this install, run the following command again in Powershell: Set-AdfsAlternateTlsClientBinding -Thumbprint19A0100267EB5D2FC0132260995F6D38C40EBEA1

This will add the two above mentioned accounts to the security of the certificate. This we found in one setup was not automatically done and caused us a large headache. 

26 Select Advanced

Screenshot 2015 02 19 17 11 47

27 Select Find Now

Screenshot 2015 02 19 17 12 34

28 Scroll Down and Find the NETWORK SERVICE Account

Network Service Account

29 Select OK / OK

Screenshot 2015 02 19 17 15 08

Ensuring that the NETWORK SERVICE has Read Access

Screenshot 2015 02 19 17 40 44

Note: We have used the NETWORK SERVICE account here because that is the one associated with the CRMAppPool used in IIS by default for the Microsoft Dynamics CRM Website that was automatically configured with the CRM setup.

Screenshot 2015 02 19 17 19 28

CRMAppPool

If you are using another account for running the application pool, then you should ensure that this account has access to the encryption certificate. Some details can be found here.

30 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2016 server.

The URL Above that we are checking is the one from the View Log step, that we said to copy.

Screenshot 2015 02 19 18 24 33

Once you can browse this URL, you are done if it fails, then repeat the process till you can access the URL on the server in question. Note: Often it is confusion over the port :5555 that defaults in CRM Deployment Manager Web settings and the HTTPS Port :444 that we defined in the binding for the Microsoft CRM Dynamics Website. So double check that you have the correct port set in the Deployment Manager, then run the steps again following that setting.

Checkpoint the Hyper-V at this point.

 

Claims-based authentication configuration AD FS 3.0 server

Start AD FS 3.0 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

Screenshot 2016 01 08 13 15 35

Screenshot 2014 07 10 18 27 02

 

In the Rules Editor, click Add Rule, In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next

Screenshot 2014 07 10 18 27 33

 

Step10: Create the following rule

Claim rule name: UPN Claim Rule (or something descriptive)
Attribute store: Active Directory
LDAP Attribute: User Principal Name
Outgoing Claim Type: UPN

Screenshot 2014 07 10 18 34 58

Click Finish, and then click OK to close the Rules Editor

After you enable claims-based authentication, you must configure Dynamics CRM Server 2016 as a relying party to consume claims from AD FS 3.0 for authenticating internal claims access.

Add Relying Party Trusts to AD FS

Start AD FS Management. Select Trust Relationships / Relying Party Trusts. Then On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

AD FS Relying Party Trust

On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file during the creation of the CRM Claims Based Authentication. e.g. https://internalcrm.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml – Note it is probably still open in your browser in the background.

Screenshot 2016 01 08 13 21 41

On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

Screenshot 2014 07 10 18 40 57

Click Next on the multi-factor authentication options.

Screenshot 2014 07 10 18 41 35

On the Choose Issuance Authorisation Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Screenshot 2014 07 10 18 41 44

On the Ready to Add Trust page Click Next

CRM 2016 Relying Party Trust

On Finish Page, click the checkbox option to Open the Edit Claim Rules, Next, and then click Close.

Screenshot 2015 02 19 19 04 59

The Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

Screenshot 2014 07 10 18 42 52

In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Screenshot 2014 07 10 18 44 21

Create the following Rule #1
Claim rule name: Pass Through UPN (or something descriptive)
Incoming claim type: UPN
Pass through all claim values

Click Finish.

Screenshot 2014 07 10 18 44 59

Screenshot 2014 07 10 18 50 07

In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

Screenshot 2014 07 10 18 50 26

Create the following Rule #2

Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values

Click Finish

Screenshot 2014 07 10 18 51 11

Screenshot 2014 07 10 18 51 23

In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Screenshot 2014 07 10 18 51 59

Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)
Incoming claiming type: Windows account name
Outgoing claim type: Name
Pass through all claim values

Screenshot 2016 01 11 20 20 17

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

Screenshot 2014 07 10 18 53 20

Click OK

Enable Forms Authentication

AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

Open the AD FS management console and click Authentication PoliciesUnder Primary Authentication, Global Settings , Authentication Methods, click Edit.

Screenshot 2015 02 19 19 13 39

Under Intranet, enable (check) Forms Authentication

Screenshot 2014 08 02 18 06 40

So now we have claims setup for CRM.

Add the ADFS server to the Local intranet zone.

We previously added the *.domain.com or in our case, *.iwebscrm16.com to the Local intranet zone in Internet explorer on the server. If you have not done this you should do it now. Then:

1. Open Internet Options Select the Advanced tab. Scroll down and verify that under Security Enable Integrated Windows Authentication is checked.

Screenshot 2015 02 19 19 37 22

2. Click OK to close the Internet Options dialog box.You will need to update the Local intranet zone on each client computer accessing Microsoft Dynamics CRM data internally. 

Specify the security token service

1 Open a command line tool .

2 Enter the following command : ( application, in your own environment, substitute the name of the name of the command line )

setspn -a http/sts1.iwebscrm16.com fserver4\VSERVER40”  

– Note – remove the “ “

fserver4\VSERVER12 = the domain / machine name of the server.

Screenshot 2015 02 19 21 33 22

c: \> iisreset 

Probably good to do a Snapshot again!

Configure Internet-Facing Deployment in CRM Deployment Manager.

1 Open the CRM Deployment Manager.

2 In the tree structure , right-click Microsoft Dynamics CRM , and then click Configure Internet-Facing Deployment.

Screenshot 2014 08 02 18 14 52

3 Click Next.

Screenshot 2014 08 02 18 15 20

4 Fill in the correct domain information for the Web Application

Thus we use:

  • Web Application Server Domain: iwebscrm16.com:444
  • Organization Web Service Domain: iwebscrm16.com:444
  • Web Service Discovery Domain: dev.iwebscrm16.com:444 Screenshot 2016 01 10 14 38 59

Leave the Default option for the Internet Facing Server Location

Screenshot 2016 01 10 14 39 32

System Checks work

Screenshot 2015 02 19 20 18 19

IFD Summary looks like this. Then Apply

Screenshot 2016 01 10 14 40 02

Finish

Screenshot 2015 02 19 20 19 41

9. Open a command line tool, run: iisreset

Screenshot 2015 02 19 22 11 38

 

ADFS Relying Party Trust for the IFD Endpoint

Effectively you are creating the third Relying party trust in your deployment and the second that you have manually set up at this point. We are doing this again as this is now for the IFD endpoint.

Step 1: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.Screenshot 2016 11 21 13 47 57

Step 2: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

For example, https://auth.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml (Remember to replace your domain for ours)

Type this URL in your browser and verify that no certificate-related warnings appear.

Screenshot 2016 01 10 14 45 48

Step 3: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next

Screenshot 2016 11 21 13 39 52

Step4: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Screenshot 2015 02 19 21 51 44

Click Next

Screenshot 2016 11 21 13 49 04

Screenshot 2015 02 19 21 52 25

Step 5: On the Ready to Add Trust page, click Next, and then click Close.

Step 6: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule

Screenshot 2016 11 21 13 49 53

Step 7: In the Claim rule template list, select the Pass Through or Filter an Incoming Claimtemplate, and then click Next.

Screenshot 2016 11 21 13 54 38

Step 8: Create the following rule#1

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish

Screenshot 2016 11 21 13 55 24

Step 9: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

Screenshot 2016 11 21 13 56 06

Step 10: Create the following rule#2

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish

Screenshot 2016 11 21 13 56 49

Step 11: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Screenshot 2016 11 21 13 58 18

Step 12: Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

Screenshot 2016 01 11 20 19 11

Now, you should see three Relying Party Trusts in the ADFS Trust Relationships.

Screenshot 2015 02 19 22 23 41

Step 13 – Change Port

Open Powershell and run this command

Set-ADFSProperties –nettcpport 809


Screenshot 2016 01 11 19 58 17

Restart the ADFS in Services

Restart ADFS

Restart IIS in CMD

iisreset

IISRESET

Browse to the URL: https://sts1.iwebscrm16.com/adfs/services/trust/mex  (replacing the iwebscrm16.com with your domain). You should be abel to hit this URL and get a result looking like this:

adfs services trust mex

 

Test External Access to CRM 2016 with IFD

Now, you should use the claims certified external access CRM 2016 a. In IE the browser CRM 2016 external address (for example: https://crm2016.iwebscrm16.com:444/main.aspx ), you should have success with login.

Screenshot 2016 01 11 19 21 09

CRM 2016 Login Default Page

Problems We Encountered

While developing this blog post we encountered many small errors along the way. We have reverted to CheckPoints and fixed the instructions to allow you to avoid them. One thing we would say is that when resolving errors, it is most likely associated with the AD FS IFD login. When this happens, the AD FS Event Log is your best friend. Hit the Event ID errors up in google and resolve as best you can. Checkpoints are also your friend here!

 

Turn the Firewall Back On

As you may expect, this is a rather important last step

1. Turn on all Firewall Settings as they were at the start

Screenshot 2015 02 19 22 50 17

2. Click Advanced Settings 

Screenshot 2015 02 19 22 51 06

3. Click Inbound Rules / New Rule

Screenshot 2015 02 19 22 52 22

4. Select Port / Next

Screenshot 2015 02 19 22 46 28

5. Select TCP and Specify Port 444

Screenshot 2015 02 19 22 46 54

6. Allow the Connection

Screenshot 2015 02 19 22 47 08

7. Domain, Private and Public all ticked.

Screenshot 2015 02 19 22 47 28

8. Give it a name like: CRM Port 444

Screenshot 2015 02 19 22 47 46

And you are about finished. Remember if in the future you are mucking with something and getting no place. Turn off the Firewall as a starting point. Banging heads with firewalls is a waste of time!

Remember to test access again externally!

 

Your Feedback and Our Services

Please post a comment or note if you have anything to add about these notes. We welcome feedback that helps us improve them.

If you have a need for CRM 2016 Developer Services, we offer professional services and support for CRM 2016. This includes upgrade services for upgrading from any of the past CRM releases to new ones. We also write custom plugin solutions and are specialists with advanced web services and portals that connect to CRM for many applications. http://www.interactivewebs.com/crm and websites.

 

 

 

Update ADFS SSL Certificates Microsoft CRM 2013 2015 and 2016 IFD

How to Update SSL Certificates for AD FS 3.0 in CRM IFD

Introduction

Microsoft Dynamics CRM can be configured to use SSL (Secure Sockets Layer). For this to work, an SSL certificate is required.

Certificates can be purchased from certificate providers and will expire after a certain period of time. Once this time has elapsed, Microsoft Dynamics CRM will no longer work until the certificate is updated.

This article describes the process to update the certificate for Microsoft Dynamics CRM

Installing the new certificate

You will need to import your certificate into the local certificate store on each CRM server that uses web services, and the AD FS server if claims-based authentication is enabled.

CertificateStore

Instructions on how to import a certificate can be obtained from your certificate provider.

Note: Problems may occur if you do not remove the old certificate.

Add permission to the certificate

It is necessary to grant specific permissions to the certificate to allow service accounts access.

Manage Private Keys

The following steps show how to add permissions to the certificate.

  1. Open the Certificate Console on the server.
  2. Check out the Microsoft Wiki for help
  3. Navigate to (Local Computer) > Personal > Certificates
  4. Right click the new certificate. Go to All Tasks > Manage Private Keys
  5. Add following permissions
    • AD FS Server: CRMAppPool Account = “Read”
    • AD FS Server: ADFSAppPool Account = “Full”
    • CRM Server: CRMAppPool Account = “Read”
    • In our case we were using the NETWORK SERVICE account and need to add the Read permissions
       Screenshot 2016 07 07 23 39 44

Update IIS (Internet Information Services) to use the new certificate

On the Microsoft Dynamics CRM website, the certificate bindings will need to be updated.

IIS Select Certificate

The following steps show how to bind the new certificate using IIS 8.

  1. Log on to the Microsoft Dynamics CRM Server.
  2. Open IIS.
  3. Locate the Microsoft Dynamics CRM website.
  4. Right click the website and click Edit Bindings.
  5. Select HTTPS and click Edit….
  6. Select the new certificate and click OK to save the settings.
  7. Close all open windows.

Reconfigure Claims-Based Authentication

The Microsoft Dynamics CRM application will need to be updated to use the new certificate.

Claims Setting

The following steps show how to reconfigure claims-based authentication.

  1. Open Deployment Manager
  2. Click Configure Claims-Based Authentication to open the wizard
  3. Click Next on the Welcome page
  4. Click Next on the Token Service page
  5. Select the new certificate on the Select Certificate page
  6. Click Next to complete the configuration

Update AD FS (Active Directory Federation Services)

In AD FS, the Service Communication certificate will need to be updated.

ADFS Certificate

The following steps show how to update the Service Communication certificate in AD FS 2.0.

  1. Open AD FS 2.0
  2. Navigate to AD FS 2.0 > Service > Certificates
  3. Click Set Service Communications Certificate
  4. Select the certificate and click OK

Update Relying Party Trusts

The Relying Party Trusts in the AD FS Management needs to be checked that the Relying Party Trusts are not showing an ! next to the listed Claims Relying Party Trust and the IFD Relying Party.

If they are, or even just to be safe. Click on each separately and the “Update from Federation Meta Data”

Screenshot 2016 07 07 23 43 26

Once these have both been updated you can move onto the last task.

Final Tasks

To finish the process, all affected services will need to be restarted.

IISRESET

The following steps should be completed once the certificate has been updated.  It may also be necessary to follow these steps if problems occur during any of the previous tasks.

  • Perform an IISRESET on each server
  • Restart the AD FS service on AD FS server
  • Update Relying Party metadata
    1. Open AD FS 2.0
    2. Navigate to AD FS 2.0 > Trust Relationships > Relying Party Trusts
    3. Right click each relying party and select Update from Federation Metadata
    4. Click Update

ADFS Server on Windows 2012 R2 – AddressThe e-mail address of the userGiven NameThe given name of the userName

Setting up an ADFS 3.0 Server on Windows 2012 R2

On testing the setup, you receive an error that looks like this:

dkYfAUMU0yl74SE4kki4WC2wzYiQ2c5ea3sOz/KMfAk=f1EHPUY2buvcksrq2PV4Jzz1gPzqqsJLte1AgpTWwtQ0MnKMgzgVQ5OTSTcElWugzU4m3nZFOz0OmR9nUd/KaKasgnv0kxKO7SjuQ09VTtcIblHBwr/sRe13Q5pb6LeWC17g5/STWC4JMy9MjQzk97WvBLtNjlV77tijW9EK5XTQAuUqyXfbZsPuMw9hLZ7YBEEWB8SEmopUHWVGcVYAEjl3eFk+jqbPmL71K9OdlBM0l0BuzK9vr1rppjBHKUoWP7nuhiY9oohaVkktUA4pI9DhWhMwVhGx3Yr8VYyZtI65LfeIyyz2MzEhcxuzkaxory4VQdxn4af4r534mP5W5w==MIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKMIIC3jCCAcagAwIBAgIQFOgcyJdf6pRLRqk+kAcU1zANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIEVuY3J5cHRpb24gLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTVaFw0xNjAyMTgwNzQ3NTVaMCsxKTAnBgNVBAMTIEFERlMgRW5jcnlwdGlvbiAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA539QwHAojXm5lcKoRAAe3yoOQxCbItjkgWsomRat9/E9o+tpszADLfO6KcyIwmxMdcN1mIPzEUzW/Fc5biMGCK2jSNCKN9HXiABUXJcRa+iZ7RN7eFdmKcLXRWaAeqb/l0icuSqbKxxCb3gFnQUxpRar7gZmS6xrnz0MBkRI7LXD/Mp6kU0VnfAMHQf33Wt1LXf/+w+l9V78o5b95OylPleRA6dplNfv60GLemmXY45VTpPlBDV0gFBrkYgmg7DPhR0U3MY1RYuUAsWx3htY7S4oNTEbl96Hyel6UPWiqaZFeeN+3aujABohgHM0vVVndswyxe2pnMZtieWJ+pP8yQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDjfiC4cMQ353SjBRAtbSH6hJ9zZ97yvguVNELyHojSUmi6VEHT6OWsntFWxPsGZvJ0Oq34KM4ZSrnq5QhrB4QuB26RLSw1yR9jBtZMTy/fGm4X25wczPCoZbkrySktPtyCVC3xJw6MKlwcZNGF/zOwoqjeY015Z4CGJsBijtd7MSBf+6ijAcGYdxC1bumB3vfsJ9bu1eVu9QRpDQm78zXpw/LBMj68RfiXz50WRlALa+ca7NqeVIKcSYx20JaSAoe6y1tWlAPVieGDpaXzpKFQ/fF1wIHjdc3euNeKAX/eaV56vCuBG4kwAjSSrawwt/nZ4nflpKVC8RLNgobeaDnTE-Mail AddressThe e-mail address of the userGiven NameThe given name of the userNameThe unique name of the userUPNThe user principal name (UPN) of the userCommon NameThe common name of the userAD FS 1.x E-Mail AddressThe e-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0GroupA group that the user is a member ofAD FS 1.x UPNThe UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0RoleA role that the user hasSurnameThe surname of the userPPIDThe private identifier of the userName IDThe SAML name identifier of the userAuthentication time stampUsed to display the time and date that the user was authenticatedAuthentication methodThe method used to authenticate the userDeny only group SIDThe deny-only group SID of the userDeny only primary SIDThe deny-only primary SID of the userDeny only primary group SIDThe deny-only primary group SID of the userGroup SIDThe group SID of the userPrimary group SIDThe primary group SID of the userPrimary SIDThe primary SID of the userWindows account nameThe domain account name of the user in the form of domain\userIs Registered UserUser is registered to use this deviceDevice IdentifierIdentifier of the deviceDevice Registration IdentifierIdentifier for Device RegistrationDevice Registration DisplayNameDisplay name of Device RegistrationDevice OS typeOS type of the deviceDevice OS VersionOS version of the deviceIs Managed DeviceDevice is managed by a management serviceForwarded Client IPIP address of the userClient ApplicationType of the Client ApplicationClient User AgentDevice type the client is using to access the applicationClient IPIP address of the clientEndpoint PathAbsolute Endpoint path which can be used to determine active versus passive clientsProxyDNS name of the federation server proxy that passed the requestApplication IdentifierIdentifier for the Relying PartyApplication policiesApplication policies of the certificateAuthority Key IdentifierThe Authority Key Identifier extension of the certificate that signed an issued certificateBasic ConstraintOne of the basic constraints of the certificateEnhanced Key UsageDescribes one of the enhanced key usages of the certificateIssuerThe name of the certificate authority that issued the X.509 certificateIssuer NameThe distinguished name of the certificate issuerKey UsageOne of the key usages of the certificateNot AfterDate in local time after which a certificate is no longer validNot BeforeThe date in local time on which a certificate becomes validCertificate PoliciesThe policies under which the certificate has been issuedPublic KeyPublic Key of the certificateCertificate Raw DataThe raw data of the certificateSubject Alternative NameOne of the alternative names of the certificateSerial NumberThe serial number of a certificateSignature AlgorithmThe algorithm used to create the signature of a certificateSubjectThe subject from the certificateSubject Key IdentifierDescribes the subject key identifier of the certificateSubject NameThe subject distinguished name from a certificateV2 Template NameThe name of the version 2 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.V1 Template NameThe name of the version 1 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.ThumbprintThumbprint of the certificateX.509 VersionThe X.509 format version of a certificateInside Corporate NetworkUsed to indicate if a request originated inside corporate networkPassword Expiration TimeUsed to display the time when the password expiresPassword Expiration DaysUsed to display the number of days to password expiryUpdate Password URLUsed to display the web address of update password serviceAuthentication Methods ReferencesUsed to indicate all authentication methods used to authenticate the userClient Request IDIdentifier for a user sessionAlternate Login IDAlternate login ID of the user 

https://iwebscrm15.com/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256

https://iwebscrm15.com/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256

https://iwebscrm15.com/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256

https://iwebscrm15.com/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256

https://iwebscrm15.com/adfs/ls/

http://iwebscrm15.com/adfs/services/trust

https://iwebscrm15.com/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256

https://iwebscrm15.com/adfs/ls/

MIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKE-Mail AddressThe e-mail address of the userGiven NameThe given name of the userNameThe unique name of the userUPNThe user principal name (UPN) of the userCommon NameThe common name of the userAD FS 1.x E-Mail AddressThe e-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0GroupA group that the user is a member ofAD FS 1.x UPNThe UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0RoleA role that the user hasSurnameThe surname of the userPPIDThe private identifier of the userName IDThe SAML name identifier of the userAuthentication time stampUsed to display the time and date that the user was authenticatedAuthentication methodThe method used to authenticate the userDeny only group SIDThe deny-only group SID of the userDeny only primary SIDThe deny-only primary SID of the userDeny only primary group SIDThe deny-only primary group SID of the userGroup SIDThe group SID of the userPrimary group SIDThe primary group SID of the userPrimary SIDThe primary SID of the userWindows account nameThe domain account name of the user in the form of domain\userIs Registered UserUser is registered to use this deviceDevice IdentifierIdentifier of the deviceDevice Registration IdentifierIdentifier for Device RegistrationDevice Registration DisplayNameDisplay name of Device RegistrationDevice OS typeOS type of the deviceDevice OS VersionOS version of the deviceIs Managed DeviceDevice is managed by a management serviceForwarded Client IPIP address of the userClient ApplicationType of the Client ApplicationClient User AgentDevice type the client is using to access the applicationClient IPIP address of the clientEndpoint PathAbsolute Endpoint path which can be used to determine active versus passive clientsProxyDNS name of the federation server proxy that passed the requestApplication IdentifierIdentifier for the Relying PartyApplication policiesApplication policies of the certificateAuthority Key IdentifierThe Authority Key Identifier extension of the certificate that signed an issued certificateBasic ConstraintOne of the basic constraints of the certificateEnhanced Key UsageDescribes one of the enhanced key usages of the certificateIssuerThe name of the certificate authority that issued the X.509 certificateIssuer NameThe distinguished name of the certificate issuerKey UsageOne of the key usages of the certificateNot AfterDate in local time after which a certificate is no longer validNot BeforeThe date in local time on which a certificate becomes validCertificate PoliciesThe policies under which the certificate has been issuedPublic KeyPublic Key of the certificateCertificate Raw DataThe raw data of the certificateSubject Alternative NameOne of the alternative names of the certificateSerial NumberThe serial number of a certificateSignature AlgorithmThe algorithm used to create the signature of a certificateSubjectThe subject from the certificateSubject Key IdentifierDescribes the subject key identifier of the certificateSubject NameThe subject distinguished name from a certificateV2 Template NameThe name of the version 2 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.V1 Template NameThe name of the version 1 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.ThumbprintThumbprint of the certificateX.509 VersionThe X.509 format version of a certificateInside Corporate NetworkUsed to indicate if a request originated inside corporate networkPassword Expiration TimeUsed to display the time when the password expiresPassword Expiration DaysUsed to display the number of days to password expiryUpdate Password URLUsed to display the web address of update password serviceAuthentication Methods ReferencesUsed to indicate all authentication methods used to authenticate the userClient Request IDIdentifier for a user sessionAlternate Login IDAlternate login ID of the user 

https://iwebscrm15.com/adfs/services/trust/2005/certificatemixed

https://iwebscrm15.com/adfs/services/trust/mex

https://iwebscrm15.com/adfs/ls/

MIIC3jCCAcagAwIBAgIQFOgcyJdf6pRLRqk+kAcU1zANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIEVuY3J5cHRpb24gLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTVaFw0xNjAyMTgwNzQ3NTVaMCsxKTAnBgNVBAMTIEFERlMgRW5jcnlwdGlvbiAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA539QwHAojXm5lcKoRAAe3yoOQxCbItjkgWsomRat9/E9o+tpszADLfO6KcyIwmxMdcN1mIPzEUzW/Fc5biMGCK2jSNCKN9HXiABUXJcRa+iZ7RN7eFdmKcLXRWaAeqb/l0icuSqbKxxCb3gFnQUxpRar7gZmS6xrnz0MBkRI7LXD/Mp6kU0VnfAMHQf33Wt1LXf/+w+l9V78o5b95OylPleRA6dplNfv60GLemmXY45VTpPlBDV0gFBrkYgmg7DPhR0U3MY1RYuUAsWx3htY7S4oNTEbl96Hyel6UPWiqaZFeeN+3aujABohgHM0vVVndswyxe2pnMZtieWJ+pP8yQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDjfiC4cMQ353SjBRAtbSH6hJ9zZ97yvguVNELyHojSUmi6VEHT6OWsntFWxPsGZvJ0Oq34KM4ZSrnq5QhrB4QuB26RLSw1yR9jBtZMTy/fGm4X25wczPCoZbkrySktPtyCVC3xJw6MKlwcZNGF/zOwoqjeY015Z4CGJsBijtd7MSBf+6ijAcGYdxC1bumB3vfsJ9bu1eVu9QRpDQm78zXpw/LBMj68RfiXz50WRlALa+ca7NqeVIKcSYx20JaSAoe6y1tWlAPVieGDpaXzpKFQ/fF1wIHjdc3euNeKAX/eaV56vCuBG4kwAjSSrawwt/nZ4nflpKVC8RLNgobeaDnTMIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressurn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transientMIIC3jCCAcagAwIBAgIQFOgcyJdf6pRLRqk+kAcU1zANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIEVuY3J5cHRpb24gLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTVaFw0xNjAyMTgwNzQ3NTVaMCsxKTAnBgNVBAMTIEFERlMgRW5jcnlwdGlvbiAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA539QwHAojXm5lcKoRAAe3yoOQxCbItjkgWsomRat9/E9o+tpszADLfO6KcyIwmxMdcN1mIPzEUzW/Fc5biMGCK2jSNCKN9HXiABUXJcRa+iZ7RN7eFdmKcLXRWaAeqb/l0icuSqbKxxCb3gFnQUxpRar7gZmS6xrnz0MBkRI7LXD/Mp6kU0VnfAMHQf33Wt1LXf/+w+l9V78o5b95OylPleRA6dplNfv60GLemmXY45VTpPlBDV0gFBrkYgmg7DPhR0U3MY1RYuUAsWx3htY7S4oNTEbl96Hyel6UPWiqaZFeeN+3aujABohgHM0vVVndswyxe2pnMZtieWJ+pP8yQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDjfiC4cMQ353SjBRAtbSH6hJ9zZ97yvguVNELyHojSUmi6VEHT6OWsntFWxPsGZvJ0Oq34KM4ZSrnq5QhrB4QuB26RLSw1yR9jBtZMTy/fGm4X25wczPCoZbkrySktPtyCVC3xJw6MKlwcZNGF/zOwoqjeY015Z4CGJsBijtd7MSBf+6ijAcGYdxC1bumB3vfsJ9bu1eVu9QRpDQm78zXpw/LBMj68RfiXz50WRlALa+ca7NqeVIKcSYx20JaSAoe6y1tWlAPVieGDpaXzpKFQ/fF1wIHjdc3euNeKAX/eaV56vCuBG4kwAjSSrawwt/nZ4nflpKVC8RLNgobeaDnTMIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressurn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transient

When you find this

Typically when you test at a URL that looks like this: https://adfs.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml (With you domain name in it)

Solution:

On Internet Explorer / Internet Options / Local Intranet / Sites

Add the domain name with a wild card to your safe sites:

IE Safe Sites

Advance

Ie Safe Sites Advance

Adding the *.domain.com  to the safe sites list

*.domain.com Safe Sites.png

Add 

Now hitting the URL to test: https://sts.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml

Gives a better result and expected result

ADFS 3.0 Test Results

AD FS certificate rollover CRM 2011

You find that you can’t logon to your CRM 2011 IFD deployment that you have configured around 12 months earlier.

image

In the browser you may see:

HTTP Error 401 - Unauthorized: Access is denied

<html><body><p>
An error has occurred. 
<br/><br/>
Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization&#39;s Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.
</p></body></html>
 
Looking at the server log may show:

SERVER Log Error show: 1309

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 9/07/2012 12:09:59 PM
Event time (UTC): 9/07/2012 2:09:59 AM
Event ID: 50c7c9d7c3ba4b839bca7c72b9edf410
Event sequence: 51779
Event occurrence: 11
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/2/ROOT-1-129862684501956875
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
    Machine name: VSERVER08
 
Process information:
    Process ID: 3208
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE
 
Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 
 
Request information:
    Request URL: https://auth.interactivewebs.com:444/default.aspx
    Request path: /default.aspx
    User host address: 124.189.39.157
    User: FSERVER4\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: NT AUTHORITY\NETWORK SERVICE
 
Thread information:
    Thread ID: 15
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: True
    Stack trace:    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 
 
Custom event details:

And you find an error in the login attempt that gives you a 401 error.

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

Cause

The likely cause is that the ADFS certificate rollover has happened. Basically the self issued certificate that is used and configured as part of your IFD setup with CRM and AD FS has issued a new certificate around 1 week before the expiry of the old one.

If you start the SD SF services and look under:

Service >> Certificates

You will notice a primary and secondary certificate.

image

The Fix

Basically the certificate automatically rolls over to a new one and ADFS won’t authenticate any more. Here are the steps that seem to fix this issue:

  1. Open windows Powershell as administrator (right click runas)image
  2. Run the following commands:
  3. add-pssnapin Microsoft.adfs.powershell
  4. set-adfsproperties -autocertificaterollover $true
  5. update-adfscertificate -urgent
  6. Run the CRM deployment manager
    image
  7. Run through Configure Claims-Based Authentication Wizard (no changes)
  8. Run through Configure Internet-Facing Deployment Wizard (no changes)
  9. Restart the adfs service
    From a Command Prompt “cmd” Type
    net stop adfssrv
    then
    net
    start adfssrv
  10. Restart the Microsoft Asynchronous processing service
    From Services Windows
    Click the Restart Icon while the Service is selected
    image
  11. run an iisreset from the elevated command prompt
    Start RUN “cmd”
    iisreset

From here you should be good to go.

If you need assistance with CRM IFD setup see this post: http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/

NOTE: In our case, the running through of the authentication wizard had defaulted the names back to the server name. We needed to manually put in the address correctly as per the setup of the IFD explained in the link above.