Category Archives: CRM

Microsoft CRM IFD SSL Certificate Renewal

This post follows on from our very popular IFD configuration for Microsoft CRM.

The time will come when you need to renew the SSL certificate for your CRM IFD configuration.

This includes renewing the SSL certificate used by IIS and ADFS. Below are the steps we followed, based exactly on the configuration outlined in the blog post linked above.

Generate a new SSL Request.

1. Open IIS Manager and click on server certificates.


2. Create certificate request


3. Fill in the data:

Click Next.

4. Change the bit length to 2048.


5. Give it a name:


Finish and you are done.

Now open the certificate request text file and copy the text to your clipboard, or use it with your certificate authority to have a new wildcard certificate issued. * is what we use.

To get the certificate we use a service called “” who allow you to issue certificates like this for 2 years for free once you are validated as a user.

Complete the Certificate Request

Once the new certificate has been issued to you, you need to complete the request on IIS.

1. In IIS Manager click on Complete Certificate Request


2. Browse to the certificate from your issuer provider and give it a friendly name. We like to use a year in the name to help distinguish from the old one.


Finish the import.

Change the certificate used by IIS

1. Expand the two sites on the CRM server and click on Default Website first then Bindings / https



2. Select the new certificate that you just imported and click on OK


3. Repeat this process for the Microsoft Dynamics CRM website, selecting the new certificate and clicking OK.

4. Restart IIS

Set Permissions on SSL Certificate

1.  Click Start, and then click Run.
2.  Type MMC.
3.  On the File menu, click  Add/Remove Snap-in.
4.  In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.
5.  Select Computer account, and then click Next.
6.  Select Local computer: (the computer this console is running on), and then click Finish.
7.  Click OK.
8.  Expand Console Root\Certificates (Local Computer)\Personal\Certificates.
9.  Right-click Certificates, click All Tasks, and then click Import.

Step 2: Add to the ADFS service account the permissions to access the private key of the new certificate. To do this, follow these steps:

1.  With the local computer certificate store still open, select the certificate that was just imported.
2.  Right-click the certificate, click All Tasks, and then  click Manage Private Keys.
3.  Add the account that is running the ADFS Service, and then give the account at least read permissions. (for us this is the Network Service)
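The import and "Manage Private Keys" steps above can be checked from PowerShell. This is an added example, not part of the original post; the function name and the thumbprint placeholder are hypothetical, and it assumes the key is held by a legacy CSP so that its key file sits under ProgramData\Microsoft\Crypto\RSA\MachineKeys.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session
# on the server that holds the renewed certificate.
# Assumption: the private key is stored by a legacy CSP (machine key file on disk).

function Test-CertificateForAdfs {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',   # the ADFS service account on this page
        [int]$MinKeyBits = 2048                              # matches the 2048-bit request above
    )

    # Thumbprints pasted from the certificate dialog often carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate $clean in the Local Computer\Personal store." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key on this machine." }

    # Locate the key container file whose ACL "Manage Private Keys" edits.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

    # Compare by SID so that differently formatted account names still match.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $wanted  = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)
    $read    = [int][System.Security.AccessControl.FileSystemRights]::Read

    # Only rules naming the account directly are checked; access granted through
    # group membership is not expanded here.
    $acl   = Get-Acl -Path $keyFile
    $allow = $false
    $deny  = $false
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $wanted.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow' -and ($rights -band $read) -eq $read) { $allow = $true }
        if ($rule.AccessControlType -eq 'Deny'  -and ($rights -band $read) -ne 0)     { $deny  = $true }
    }

    $keyBits = $cert.PublicKey.Key.KeySize
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        KeyBits    = $keyBits
        KeySizeOk  = ($keyBits -ge $MinKeyBits)
        Account    = $Account
        CanReadKey = ($allow -and -not $deny)
        KeyFile    = $keyFile
    } | Select-Object Subject, NotAfter, KeyBits, KeySizeOk, Account, CanReadKey, KeyFile
}

# Usage (replace the placeholder with the thumbprint of the newly imported certificate):
# Test-CertificateForAdfs -Thumbprint '<THUMBPRINT-OF-NEW-CERTIFICATE>' | Format-List
```

A result with CanReadKey set to False means the "Manage Private Keys" step has not taken effect for that account.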

Run the Deployment Manager with new Certificate

1. Run the CRM deployment manager:


2. Run the Configure Claims-based Authentication


Select the default settings.



Which should be the default from your IFD setup

But when you get to the Certificate, you need to select the new certificate.



Which should be visible from the list after importing it in the steps above.

3. Run the Configure Internet Facing Deployment action and just step through it with the default settings.


4. Restart the AD FS 2.0 Windows Service


Configure AD

Set the Service Communication Certificate

1. Start AD FS 2.0 Management


2. Expand certificates and select Set Service Communications Certificate


3. Select the new certificate that will be listed here.


Update Relying Party Trusts

1. From AD FS 2.0 Management, select your relying party trusts and update them from the federation metadata one by one.


Update both listed. They will likely have a red cross before you do this.

Restart Services

Restart AD FS Service:


and restart IIS the usual way.

And you should be done. Login to your CRM IFD again and enjoy.

Please feel free to link to / reference this blog. Comments welcome below.

CRM 2011 Email Router Setup and Settings

Often with the setup of CRM 2011, users see Pending e-mail warnings, and sometimes email messages are not sent.

This can be especially frustrating as both the CRM email queuing and tracking system and the Email Router application are terrible at helping you understand exactly what is going on with your CRM e-mail.

We mentioned some of the issues we have experienced here:

Here are some basic setup tips for email in Microsoft CRM 2011

1. Out of the box, CRM does not send email messages. You need to configure an application known as CRM 2011 Email Router to have email messages sent.

2. You also need a working SMTP (email server) that is configured to allow the relay of email messages from email accounts at your domain name. This can be achieved with Amazon SES message service or your own servers. We can help you set up Amazon SES if you need assistance with this.

3. You should install and configure your Email Router. Some notes to help you may include these:

Recommended email settings in CRM 2011

1. Out of the box, CRM will only be able to send email messages to leads, contacts, and accounts until you change this setting, found in Admin / System Settings in CRM.


2. Avoid delayed email messages in CRM by approving email addresses. In Administration / Users, go into each user and approve the configured email address.


There is a view of users who are Pending Email address approval to help identify who is needing approval.


Also uncheck the option for Process emails only for approved users and process email only for approved queues. Administration / System Settings.



3. Configure users email settings to use the email router for outbound email messages. (optionally inbound configuration too).


Our recommendation is to set the outbound processing for the email router. This will allow emails generated by the crm system to be delivered right away via the email router. This also means that you do need to install and configure the email router.

The above settings can be set automatically for all users by using a simple out-of-the-box workflow that runs on create of new users.


4. The next setting is recommended. Knowing that email can be tracked in CRM with the outlook client:


Email messages can automatically be tracked too.


5. The all-powerful feature of creating contacts in CRM when an email address is not known.


This is a great way to automatically get more leads or contacts (depending on your business) in crm. And depending on your business can also be a great way to pollute your crm full of contacts or leads that you don’t want.

Troubleshooting Tips

To troubleshoot an E-mail Router outgoing profile configuration, follow these steps:

  1. Make sure that you follow the incoming profile configuration procedures in the E-mail Router Configuration Manager Help.
  2. For more information about how to configure an incoming profile, see the E-mail Router configuration information in the latest version of the Installing Guide that is included in the Microsoft Dynamics CRM 4.0 Implementation Guide.
  3. Refer to the following sections for information about how to resolve commonly encountered outgoing profile issues.

Test Access error

If there is a problem with your outgoing e-mail configuration, you may receive the following error message when you click Test Access on the E-mail Router Configuration Manager:

“Outgoing status: Failure – An error occurred while checking the connection to e-mail server EXSERVERNAME. The requested address is not valid in its context”

If you receive this message, follow these steps to troubleshoot the problem:

  1. Run a telnet command to verify that connectivity is functioning between the computer that is running CRM Router and the Exchange Server. For example, start the TELNET utility and enter the following command: TELNET EXSERVERNAME PORT
  2. Make sure that you have no antivirus services running on the Exchange Server computer that prevent connection by using port 25.
  3. For information about how to configure the SMTP server to allow relay messages from Microsoft Dynamics CRM, see KB article 915827.
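Where the TELNET client is not installed on the router machine, the same connectivity check can be scripted. This is an added example, not part of the original post; the function names are hypothetical and EXSERVERNAME is the placeholder used above. It reports which stage failed (name resolution, TCP connect, SMTP greeting or EHLO), which a bare telnet session does not.

```powershell
# Added example (not from the original post). Works on Windows PowerShell 2.0 and later.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # An SMTP reply is one or more lines: "250-..." continues, "250 ..." ends the reply.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { throw 'The server closed the connection.' }
        if ($line -notmatch '^\d{3}([ -]|$)') { throw "Unexpected reply: $line" }
        $lines += $line
    } while ($line -match '^\d{3}-')
    New-Object PSObject -Property @{ Code = [int]$line.Substring(0, 3); Lines = $lines }
}

function Test-SmtpEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    $result = New-Object PSObject -Property @{
        Server = $Server; Port = $Port; Stage = 'resolve'; Ok = $false
        Banner = ''; StartTls = $false; Detail = ''
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: name resolution. A failure here points at DNS, not at the mail server.
        [void][System.Net.Dns]::GetHostAddresses($Server)

        # Stage 2: TCP connect with a timeout, so a filtered port does not hang the check.
        $result.Stage = 'connect'
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            throw "No TCP connection within $TimeoutMs ms (host down or port filtered)."
        }
        $client.EndConnect($pending)

        # Stage 3: the server must greet with a 220 reply.
        $result.Stage = 'banner'
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        $result.Banner = $banner.Lines[-1]
        if ($banner.Code -ne 220) { throw "Expected a 220 greeting, got $($banner.Code)." }

        # Stage 4: EHLO, and note whether the server advertises STARTTLS.
        $result.Stage = 'ehlo'
        $writer.WriteLine("EHLO $([System.Net.Dns]::GetHostName())")
        $ehlo = Read-SmtpReply $reader
        if ($ehlo.Code -ne 250) { throw "EHLO rejected with $($ehlo.Code)." }
        $result.StartTls = @($ehlo.Lines | Where-Object { $_ -match '^250[ -]STARTTLS' }).Count -gt 0

        $writer.WriteLine('QUIT')
        $result.Stage = 'done'
        $result.Ok    = $true
    } catch {
        # .NET exceptions arrive wrapped; the base exception carries the socket error text.
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    $result
}

# Usage, run on the computer that hosts the E-mail Router:
# Test-SmtpEndpoint -Server EXSERVERNAME -Port 25 | Format-List
```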

E-mail error when message sent from the Web application

Symptom: When a user sends an e-mail message by using the Web application, the user might receive one of the following messages:

This message has not yet been submitted for delivery. 1 attempts have been made so far.

The message delivery failed. It must be resubmitted for any further processing.

Resolution: For information about how to resolve this issue, see KB article 915827.

Load Data error

When you click Load Data in the E-mail Router Configuration Manager, you receive the following error:

The E-mail Router Configuration Manager was unable to retrieve user and queue information from the Microsoft Dynamics CRM server. This may indicate that the Microsoft Dynamics CRM server is busy. Verify that URL ‘http://OrganizationName‘ is correct. Additionally, this problem can occur if the specified access credentials are insufficient. To try again, click Load Data. (The request failed with HTTP status 404: Not Found.)

To resolve this problem, follow these steps:

  1. Make sure that the user account that is running the E-mail Router Configuration Manager service is a member of the Active Directory PrivUserGroup security group.
  2. The account that is specified in the Access Credentials field on the General tab of the E-mail Router Configuration Manager must be a Microsoft Dynamics CRM administrative user. If the access credentials are set to Local System Account, the computer account must be a member of the Active Directory PrivUserGroup security group.
  3. Make sure that the URL is spelled correctly. The organization name in the URL field is case-sensitive and must be spelled exactly as it appears in the Microsoft Dynamics CRM server. To view the organization name as it appears in the Microsoft Dynamics CRM server, start the Web application. The organization name appears in the upper-right corner of the application window.
  4. The DeploymentProperties table may have incorrect values if you have modified the port or hostheaders on your Web site. To update the DeploymentProperties table see, KB article 950248.

Pending Email warning


On the Email Router, configure:

1. Check Event Viewer for Email Router related errors

2. Change the send email

3. Restart CRM email Router service

4. Reduce the polling time and connection timeout



Automatically Resending Failed Email Messages

Advanced Find can be used to find email messages that have not been sent. A workflow can also be created to resend messages automatically. However, constant failures indicate a problem somewhere else, so this automatic workflow should not be introduced in place of fixing your sending issues.

Steps to create the workflow to re-send failed e-mails:

1. Create a new Workflow in CRM | Processes on the E-mail entity


2. Set the workflow to be Available to Run “As an on-demand process”, change the scope to Organization and uncheck “Record is created”. This will make the workflow available to run on demand, function for all e-mails in the organization and also not run every time a new e-mail is created, as we just want to use this when needed on specific e-mails.


3. Click “Add Step” and choose “Change Status”


4. Set the E-mail to a status of “Pending Send”


5. Click Save and then Activate in the toolbar.  Click ”OK” to the message to confirm you want to Activate the workflow and then click “Close” on the workflow.


Advanced Find to see how many e-mails are in a failed status:

1. Open Advanced Find by clicking the “Advanced Find” button in the CRM ribbon


2. Select “E-mail Messages” in the Look For option set and then select “Status Reason” and set it equal to “Failed”. Then click the Results button in the Advanced Find ribbon.


3. You can refine the results using the filter criteria from here as well in case you do not want to re-send all of the e-mails. Once you are done, multi-select the e-mails you want to re-send and then click the “Run Workflow” button in the CRM ribbon.

4. Select the e-mail workflow that you created using the steps above and click OK.

The workflow will then run and change the status of all the e-mails you had selected back to “Pending Send”.  This is an asynchronous process, so it may take a few minutes depending on your current asynchronous workload in CRM.  Then the CRM e-mail router will process them again and send them out through SMTP as expected.

Still Need Help?

Here at InteractiveWebs we know how terrible this component of Microsoft CRM is. Actually, in our opinion, it is difficulties like these that really show Microsoft is not at all interested in giving its customers a good experience. Much of the multitude of steps and better monitoring could be fixed with very little effort from Microsoft, yet after years of CRM, much remains the same.

In any case, if you need paid administration assistance to get your email working on your CRM system, be it Cloud Microsoft Hosted, IFD, or On Premises, we are available. Please contact us by submitting a support ticket.

Download Rollup 12 for Microsoft Dynamics CRM 2011 is Available–Finally

Reposted: Today the update Rollup 12 for Microsoft CRM 2011 (CRM 2011 Polaris on premises) is available for download at this location:



This update is the long awaited one that is doing the UI update that will add the support for multiple browsers apart from Internet Explorer.

The image above depicts the functionality included in Polaris. I will now touch upon some of the key ones in a little more detail, hopefully in plain English!

  • Flow User Experience – this is a whole new UX development approach for CRM to remove the number of screen pops that occur during a standard process. In the case of Polaris, Lead and Opportunity and Case management processes will be included. It is important to note that this feature will be turned off for existing online customers, but can be opted into and for new online customer post the release this will be on by default but can be turned off. Flow UX will not be configurable for any other entity other than the Lead, Opportunity and Case in the first release. In the Q2 2013 we would expect that this will be more configurable for custom entities. This is a big step forward on UX development and cements the user experience expected on mobile devices
  • Browser Flexibility - This will enable CRM to be run on a number of browsers including Safari on the iPad.

  • Yammer Integration – Tighter integration between CRM and Yammer beyond the current embed functionality. This will enable features such as Like, Follow, visible from within CRM or Yammer and the ability to do global search from yammer to CRM. Yammer will become the future Activity Feeds.  Aligned to this was the recent announcement of pricing plan changes that can be found here making it very affordable to organisations to adopt.
  • Skype integration – As per my previous blog this is a great new feature and will change the way we communicate with our customers from within CRM.
  • Bing Maps – The updated new UX will include native integration to Bing Maps for Contacts and Accounts for free.
  • Pre Defined sales and Service processes – So what is this? Well rather than you telling your partner your processes, your partner will be able to present a best of breed sales process as a starting point from which you can edit and tweak. This will save time in deployment and provide a greater starting point than just rich functionality to configure.
  • Enhanced Complex Deal Management – Microsoft Dynamics CRM will provide additional capabilities to track and manage stakeholders, competitors and pursuit teams for leads, opportunities, contacts and accounts via the new UX capability.

Where did it go? Update 16/01/2013

Microsoft Dynamics CRM 2011 Update Rollup 12 (UR12), which was readied for availability on January 10 and made available on January 12, has been withdrawn by Microsoft, citing “an issue that could potentially impact a customer’s database”.

Writing in a blog post on the Microsoft Dynamics community site, CVP for Dynamics CRM Bob Stutz explained that an issue discovered in the “UR12 Server bits” could impact customer databases, so the software download was removed from the Microsoft Download Center.
A new version of UR12 will be made available within the week, according to Stutz.
Dynamics CRM forum members discussed the missing server software for UR 12 on Friday, January 11.  One person notes that she downloaded it on the 9th, discovered issues, and saw that it had been pulled down soon after:

“I grabbed the server component around 10:00 PM eastern on the 9th, and they pulled it down about an hour later. I installed it in my environment and it had a few bugs, maybe MS pulled it down and are frantically fixing?”

Another forum member puzzled over the lack of communication on the missing software:
“Seems wierd [sic] that they were there one moment and gone the next.  Always amazes me that there’s multiple posts when it’s released, but nothing but silence when it gets pulled.  SImilar to UR 10 and UR 11 which both had V2′s (and niether [sic] of which were really fixed).”
This is not the first update rollup to be withdrawn because of undiscovered issues.  UR10 had to be re-released in October 2012 due to several issues.  UR11 was similarly re-released several days after the original due to user-reported issues.

Stutz’s blog post does not elaborate on the problems, but Stutz acknowledges that another consecutive withdrawn update to Dynamics CRM hurts the product’s QA and release processes. He concludes with an assurance: “We have taken measures to improve our engineering processes and methodologies going forward, and we take your feedback very seriously. We apologize for any inconvenience this has caused.”

Import KB Articles from Microsoft CRM to Zendesk


Zendesk KB Import Tool / Sync

We have created a tool that allows the importing of Microsoft CRM (IFD) into your Zendesk setup.


The simple tool will look at your Microsoft CRM 2011 Articles (also known as KB articles) and draw them into your Zendesk support portal.

This is powerful if you have an existing CRM system with useful client data that you wish to expose to your support portal as a way of helping your customers find answers to their questions before they directly lodge a support ticket.

Additionally, the tool is smart enough to remove duplications. So if you run it against more than one instance of CRM, you can import KB articles without the fear of duplicating up on KB articles.

At the Zendesk end, the KB articles import something like this:


From original articles in CRM like this:




We have at this stage only released a version that runs as a Windows installable program and connects to an IFD deployment of CRM. This is because we don’t anticipate a huge demand for the tool, and the only need we had was for this type of setup.

We are releasing the Source Code for the program, so that others can update it to their needs. Alternatively, we would be happy to charge a small amount to customize it to other particular needs.

In the near future we are going to update the tool to convert WordPress posts into Zendesk Knowledge Base Articles.

Please feel free to give feedback and/or ask questions on what you would like to see in this tool.

CRM 2011 Rollup 10 Invalid Argument Error

CRM 2011 Rollup 10 Killed My CRM


After installing CRM 2011 Rollup 10 (not 9 as that is MIA) you receive an Invalid Argument message as per the image above. This happens after you log in to an IFD deployment.

For all we know it may happen on the CRM on premises but we have not managed to test that.

You may also have a CRM Platform Trace Error:

Crm Exception: Message: A non valid page number was received: 0, ErrorCode: –2147220989

CRM’s Fetch Throttling abilities have been disabled or modified from the default values.
Re-enable CRM’s default Fetch Throttling settings.

The solution

1. START | RUN | “regedit” | OK

2. Locate and select the registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\MSCRM


Change the value of TurnOffFetchThrottling to 0.


In fact, if you find either the MaxRowsPerPage or the TurnOffFetchThrottling registry values, set them both to 0 or delete them.

3. START | RUN | “iisreset” | OK

(This will restart IIS)

Login to CRM and you should be good to go.

AD FS certificate rollover CRM 2011

You find that you can’t logon to your CRM 2011 IFD deployment that you have configured around 12 months earlier.


SERVER Log Error show: 1309

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 9/07/2012 12:09:59 PM
Event time (UTC): 9/07/2012 2:09:59 AM
Event ID: 50c7c9d7c3ba4b839bca7c72b9edf410
Event sequence: 51779
Event occurrence: 11
Event detail code: 0
Application information:
    Application domain: /LM/W3SVC/2/ROOT-1-129862684501956875
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
    Machine name: VSERVER08
Process information:
    Process ID: 3208
    Process name: w3wp.exe
Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request information:
    Request URL:
    Request path: /default.aspx
    User host address:
    User: FSERVER4\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
    Thread ID: 15
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: True
    Stack trace:    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:

And you find an error in the login attempt that gives you a 401 error.

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.


The likely cause is that the ADFS certificate rollover has happened. Basically the self issued certificate that is used and configured as part of your IFD setup with CRM and AD FS has issued a new certificate around 1 week before the expiry of the old one.

If you start AD FS 2.0 Management and look under:

Service >> Certificates

You will notice a primary and secondary certificate.


The Fix

Basically the certificate automatically rolls over to a new one and ADFS won’t authenticate any more. Here are the steps that seem to fix this issue:

  1. Open Windows PowerShell as administrator (right click, Run as administrator)
  2. Run the following commands:
  3. add-pssnapin Microsoft.adfs.powershell
  4. set-adfsproperties -autocertificaterollover $true
  5. update-adfscertificate -urgent
  6. Run the CRM deployment manager
  7. Run through Configure Claims-Based Authentication Wizard (no changes)
  8. Run through Configure Internet-Facing Deployment Wizard (no changes)
  9. Restart the adfs service
    From a Command Prompt “cmd” Type
    net stop adfssrv
    net start adfssrv
  10. Restart the Microsoft Asynchronous processing service
    From Services Windows
    Click the Restart Icon while the Service is selected
  11. run an iisreset from the elevated command prompt
    Start RUN “cmd”

From here you should be good to go.

If you need assistance with CRM IFD setup see this post:

NOTE: In our case, the running through of the authentication wizard had defaulted the names back to the server name. We needed to manually put in the address correctly as per the setup of the IFD explained in the link above.
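Because the rollover happens without any prompt, it helps to see it coming. The report below is an added example, not part of the original post; it uses the same Microsoft.Adfs.PowerShell snap-in as the fix above, and the function name and the 30-day warning threshold are assumptions.

```powershell
# Added example (not from the original post). Run on the AD FS 2.0 server in an
# elevated PowerShell session. $WarnDays is an assumed threshold, not a product default.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-AdfsCertificateReport {
    param([int]$WarnDays = 30)

    $now   = Get-Date
    $props = Get-ADFSProperties      # rollover settings of the federation service
    $certs = @(Get-ADFSCertificate)  # service communications, token-signing, token-decrypting

    foreach ($entry in $certs) {
        $x509     = $entry.Certificate
        $daysLeft = [int][math]::Floor(($x509.NotAfter - $now).TotalDays)

        # The primary certificate of the same type, used to spot a newer secondary.
        $primary = $certs | Where-Object {
            $_.CertificateType -eq $entry.CertificateType -and $_.IsPrimary
        } | Select-Object -First 1

        if ($daysLeft -lt 0) {
            $status = 'EXPIRED'
        } elseif (-not $entry.IsPrimary -and $primary -and
                  $x509.NotAfter -gt $primary.Certificate.NotAfter) {
            # Rollover has already generated the replacement. Once it is promoted,
            # CRM rejects tokens (ID4175) until the Deployment Manager wizards are re-run.
            $status = 'NEW - replaces the primary at promotion'
        } elseif ($daysLeft -lt $WarnDays) {
            $status = 'EXPIRING'
        } else {
            $status = 'OK'
        }

        $role = 'Secondary'
        if ($entry.IsPrimary) { $role = 'Primary' }

        New-Object PSObject -Property @{
            Type                   = $entry.CertificateType
            Role                   = $role
            Thumbprint             = $entry.Thumbprint
            NotBefore              = $x509.NotBefore
            NotAfter               = $x509.NotAfter
            DaysLeft               = $daysLeft
            Status                 = $status
            AutoRollover           = $props.AutoCertificateRollover
            PromotionThresholdDays = $props.CertificatePromotionThreshold
        } | Select-Object Type, Role, Thumbprint, NotBefore, NotAfter, DaysLeft,
                          Status, AutoRollover, PromotionThresholdDays
    }
}

# Usage:
# Get-AdfsCertificateReport | Format-Table -AutoSize
```

Running it on a schedule and alerting on any Status other than OK gives notice before logins start failing.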


Event ID 17137 from source MSSQL$MICROSOFT##SSEE


Cleaning up the Event Log

On a system running the CRM 2011 IFD as described here:

You may notice in the Event Log some errors that look like:

The description for Event ID 17137 from source MSSQL$MICROSOFT##SSEE cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:


The specified resource type cannot be found in the image file

The Solution

1) Open SQL server management studio.

2) Connect to \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query


3) Right-click on the database AdfsArtifactStore and select “Properties”

4) Click on the Options page

5) Set “Auto close” to False

CRM Anywhere – CRM Q2 CY 2012 Service Update Now Live


CRM Anywhere Q2 CY 2012 Service Update Now Live


Microsoft CRM 2012 – CRM Anywhere Q2 2012


Preview some upcoming features in Q2 "R8" such as mobility, BI and Analytics enhancements from Reuben Krippner a MSFT Technical Product Management Lead in this video.

One of the most talked about improvements in CRM Anywhere is the introduction of a new mobility component dubbed Microsoft Dynamics CRM Mobile.

Cross-Browser Support

Microsoft Dynamics CRM Mobile isn’t the only reason Microsoft is calling the coming update CRM Anywhere. Users of CRM Online 2011 will now be able to access the application using the following browser versions (see below).

Understanding the importance of CRM Anywhere

To understand why this is so important for CRM Online 2011, let’s turn to a few third-party statistics on browser usage around the world. The following table compiles several different studies for easy comparison.

You should notice that while Internet Explorer is definitely in the lead, other browsers remain popular. Since users of Firefox, Chrome, and Safari cannot use CRM Online 2011 now, CRM Anywhere will literally double the potential user base of CRM Online 2011.

CRM Anywhere

Are you beginning to understand why Microsoft named its latest update CRM Anywhere? CRM Online 2011, already a versatile application, is being fully extended to mobile devices and all major browsers! When you include the social-media enhancements, you start to see why we think CRM Anywhere is so important.

When CRM Anywhere is released, you will be able to download it either through Windows Update, or at the Microsoft Download Center. Stay tuned here and we’ll provide you with all of the information you need to update when the time comes.

Multiple browser support

  • IE on Windows 7
  • Safari 5.11 + on Mac OSX and iPad 2
  • Firefox 6+
  • Chrome 13.x

Enhanced Activity Feeds

  • Builds on current foundation
  • Adds Likes/Dislikes
  • Improved filtering of activity feeds

It sounds like this release will still only expose Dynamics CRM records on the activity feeds “wall”, but that the Q4 2012 Service Update will extend this to external communities.

New features and improvements in SQL 2012

If you’re attending Convergence you’ll probably want to attend some of the sessions on this important topic.

  • Performance improvements
  • Next-gen BI with Power View (Crescent)
  • Pre-defined Power Pivot models for CRM
  • Pre-defined Power View reports
  • Available on marketplace as a Microsoft Labs solution

Microsoft CRM 2011 and Custom Silverlight Development

I noticed a question today on a Microsoft Dynamics CRM discussion site asking

“is there anyone who is not trying to sell me their product, that has done something interesting with CRM and Silverlight?”

Well yes there is…

InteractiveWebs have done several interesting projects with Silverlight as an interface to Microsoft CRM.

One of the most interesting of these is a Silverlight membership login system for a grain trading company based in Australia. The business is an organisation that trades produce in a similar way to how shares are traded in the stock market. The difference being that the commodity being traded has been grown by “growers” (farmers) and represents the produce that their farm has for sale in the open grain trade market.

Interestingly, Microsoft CRM is being used entirely for the backend management of this trading. This is quite complex in its design, as you can imagine would be the case if you were running a stock exchange using CRM.

Entities are being used to track the bidding for sales and purchasing of hundreds of different qualities of different grains, at different locations over an entire country.

Of note to the Silverlight interface, is the fact that there are an ever increasing number of records within this system in the order of 65,000,000 records of some CRM Entities.


About the Silverlight Interface

In its simplest function, the Silverlight interface is a membership system.


Allowing users to login and manage the buying and selling of commodities. Very similar to how users of a Stockbroking system would login and buy and sell their shares. But of course the user data is all being driven from a CRM backend running CRM 2011 with IFD.

The membership login is using custom attributes within CRM Contacts to authenticate and allow login.

Once logged in the user can modify personal details that are saved back to the CRM Contact entity.


Data is retrieved live using XRM to interface with CRM on the fly. Silverlight gives a clean and robust interface for users.


Other Types of Data Retrieval

Just like with the sale of shares, there is some paperwork generated with the buying and selling of commodities. Broker Notes, Freight Invoices, and Monthly Trade Statements are examples of just a few. Originally the thought was to interface with a Microsoft SharePoint server to store the related .PDF documents generated for these items. Instead we took the simpler approach of attaching the .PDF documents to the relevant records in the custom entities that are used to track each trade.

This data is simply stored as CRM Notes with Attached Files (.pdf) to the custom Entities.

Then in the Silverlight interface we allow users to open (on the fly) these notes and attached .pdf files to view the “paperwork” associated with each sale.


Summary data is presented that is referencing custom attribute data, and able to be exported live from Silverlight to Excel.


Or clicking on the PDF icon, will open the associated attached note from CRM and open the .pdf record live.

Example of PDF data.


Creating CRM Records from Silverlight with XRM

Growers of commodities can create new stock records, listing the grain they have, quality, quantity, location etc in a simple user interface.


Listing too the price they wish to achieve in order to sell the produce.

Doing this creates a new record in a custom Entity in CRM directly, and this data is used in the bidding and selling process.

The data is available to Silverlight users in their record of stock.

Similar in concept to a statement of shares for a stock market trader.


Where it Gets Cool

So far, these are reasonably simple interfaces using XRM to CRM. Reading, writing, opening attached files etc. Where it gets interesting is in some real time graphing that we do to show bids on stocks / commodities.

For this we are needing to access tens of thousands of records that represent different bids for different commodities and work out on the fly the best or highest bid, and show that to the client in a fast loading graph.


This is where Silverlight and some clever XRM calls to some clever processes in CRM deliver a great result.

With the great graphing tools in Silverlight, the graph draws in real time and animates the loading of data. It has a full screen mode:


And is really a great use of Silverlight for this particular task.


Best of All it Runs Out of Browser

One of the features we built on this interface is the ability to “Run Out of Browser”. So the client can right click the interface and select to “Install to this computer”.


This adds the project to an Out of Browser Silverlight experience that can be launched as any other application or program from your computer.


This feature of Silverlight can run on a Mac or PC, and delivers an experience for end users that is very similar to having a membership program installed on your computer.


The project will auto update if we modify the web based source version with a new release. The client is prompted with a message saying the program will close to update, then opens with the new version automatically. Truly using the best experience that Silverlight has to offer.

Uninstalling the out of browser app is as simple as a right click in the app, and selecting from a dropdown “Remove this application”.


Kind of like a windows 8 experience with any pc.


Thoughts on this and Silverlight for Microsoft CRM.

Silverlight… ahhh what to say about Silverlight….. where to start.

1. We drank the Kool Aid. Microsoft told us how great Silverlight would be, how it would segregate the design team from the development team and deliver the benefits of keeping people within their specializations.

2. We spend years of time investing in Silverlight development. We get it, we can work with it and we can do amazing things with it. This and other cool projects including a MS Pivot interface to DotNetNuke and Microsoft CRM data.

MS Pivot and CRM –

3. We kicked it’s butt. We were able to deliver anything we wanted using Silverlight and made it interface with a multitude of data sources at multiple times using XRM and other web services to pull data from both CRM and other data sources.


And after all that… I can say with some authority. Silverlight is dead!

We get it, we can do it, we hate it and we regret the time we wasted after Microsoft misled us into their Silverlight sphere.

Microsoft Silverlight Evangelist – We drank the Kool Aid

Silverlight never came close to delivering on any of the promises that Microsoft made about it.

It is tricky to develop in, it is poorly supported by even Microsoft, design tools are definitely lacking greatly, the development experience was a mine field of poorly documented bugs and broken features that required time and commitment to untangle the crap that Microsoft produced.

It was amazing to us how many things we were doing and solving that literally no one else was talking about. We felt like the first team walking on the Silverlight moon at every step of the way.

The end result is something that we are proud of. There are some cool features that we think make the project example above shine. But for all the time, and trouble invested to deliver it, it is just not worth it!

If looking at this and other similar projects again, we would use other technology to more quickly develop a very similar experience. There quite simply is nothing in Silverlight in interfacing with CRM that we can do easier other ways.

Final Thoughts

So there you have it. A good example of Silverlight with CRM, and the reason why we would suggest you use other technology yourself.

And check out that Silverlight Pivot link above. It is actually very cool too in what it does and how it does it. We have rigged this to work against any internet facing CRM environment including the Microsoft Hosted CRM.


Contact Us for CRM Development

We wrote this to help someone asking for a non commercial plug for a Silverlight in CRM example. We hope the above meets the requirement of that… but we are a development and CRM business, so we need to mention that if you need some clever interfacing with CRM, then please contact us here

We have other examples to show too.

Disable SSL 2.0 IIS 7 Windows 2008 64bit with CRM 2011 for PCI Compliance

PCI Failure

Today we received notification during a PCI compliance check that our Microsoft CRM 2011 server was not PCI Compliant.


The cause of the lack of compliance was due to the server accepting connections via an SSL v 2.0 protocol.

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also:

Download File – ZipSource

Solution: Consult the application’s documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Risk Factor: Medium / CVSS Base Score: 2

Perhaps not the world's biggest deal, as the SSL certificates in place are using SSL 3.0; however, we needed to remove V2.0 for compliance with PCI.

The solution turned out to be not so easy… Mostly due to the fact that we are using a 64bit Windows 2008 server and Microsoft have only appeared to provide details on fixing 32 bit servers to remove SSL v2.

We did manage to get there and this is what we had to do

Remove SSL v2

You need to run the following commands at a command prompt on the server:

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f

We created a batch file to make this easier.

You can download the file here, and extract the batch file. Then double click the file called: “DisableSSLv264bit.bat”.

Then Reboot the server.

Download File - DisableSSLv264bit

All it will do is run the above commands and in the registry it will add:


and similar sets to enable SSL v3 and disable SSL v2.

Then you can use a free test service here:


to check that you are disabled.

A failure like this:


indicates something did not take correctly.
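A local check of what the batch file wrote, as an added example (not part of the original post or its batch file): it reads the same six SChannel values that the REG ADD commands above set and flags any that differ from the intended state. A missing value is reported as not set, in which case the operating system default applies.

```powershell
# Added example (not the post's batch file): audit the six SChannel values that the
# REG ADD commands set. Run in PowerShell on the CRM server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Intended state taken from the commands in the post: SSL 2.0 off, SSL 3.0 and TLS 1.0 on.
$expected = @(
    @{ Protocol = 'SSL 2.0'; Role = 'Server'; Enabled = $false },
    @{ Protocol = 'SSL 2.0'; Role = 'Client'; Enabled = $false },
    @{ Protocol = 'SSL 3.0'; Role = 'Server'; Enabled = $true  },
    @{ Protocol = 'SSL 3.0'; Role = 'Client'; Enabled = $true  },
    @{ Protocol = 'TLS 1.0'; Role = 'Server'; Enabled = $true  },
    @{ Protocol = 'TLS 1.0'; Role = 'Client'; Enabled = $true  }
)

function Get-SchannelEnabledValue {
    param([string]$Protocol, [string]$Role)
    $key = Join-Path (Join-Path $base $Protocol) $Role
    if (-not (Test-Path -Path $key)) { return $null }       # key was never created
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }                   # key exists, value missing
    return $item.Enabled
}

$results = foreach ($e in $expected) {
    $raw = Get-SchannelEnabledValue -Protocol $e.Protocol -Role $e.Role
    if ($null -eq $raw) {
        $state = 'not set (OS default applies)'
        $ok    = $false
    } else {
        # This script treats 0 as disabled and any other DWORD value as enabled.
        $isEnabled = ($raw -ne 0)
        if ($isEnabled) { $state = 'enabled' } else { $state = 'disabled' }
        $ok = ($isEnabled -eq $e.Enabled)
    }
    New-Object PSObject -Property @{
        Protocol = $e.Protocol; Role = $e.Role; State = $state; MatchesPost = $ok
    }
}

$results | Select-Object Protocol, Role, State, MatchesPost | Format-Table -AutoSize

$mismatches = @($results | Where-Object { -not $_.MatchesPost })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) value(s) differ from the intended state; re-run the REG ADD commands and reboot."
}
```

The registry shows what is configured, not what is negotiated on the wire, so run this after the reboot and still confirm with an external test.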

If you are using a 32 bit version of Windows (not possible with CRM 2011, but possible otherwise), then you can use the Microsoft tool here:

CRM 2011 Server Error 404 – File or directory not found

Cannot Access CRM 2011 site 404

Something strange that we have encountered with CRM 2011 is a 404 – File or directory not found error.

What is particularly strange about this one is that the error happens from IE 9 on one computer, but the same URL and site loads correctly with another browser on another computer AND loads correctly to the authentication screens on the same computer but with a different browser.

Go figure right!



Microsoft show it as:


So what is the Solution?

We tried a number of things that did not work, and we will not bother to list them all, but interestingly, clearing the browser history and cache etc does not fix it but is needed to fix it.

1. Clear history and cache in the browser:

2. Close the Browser entirely

3. Navigate to C:\Windows\Temp and delete everything in that directory.

4. From this screen, go to browser history settings:

Then View Files:


5. Takes you to this location: C:\Users\XXUSERXX\AppData\Local\Microsoft\Windows\Temporary Internet Files

6. Close Outlook and IE.

7. Delete Everything in that folder that it will allow you to delete. Some files are in use and not able to be deleted.

8. Start IE, and away you go.. you should be able to access the site again.


IE really does suck as a browser, it is a real shame and the worst thing about CRM 2011 is that they make you use this junk browser.

Your session in Microsoft Dynamics CRM is about to expire. CRM 2011 Extend Session Time


Sick of seeing the message “Your session in Microsoft Dynamics CRM is about to expire. To continue working, you must sign in again.” and would like to extend the session time so as not to bother you as often?

This is quite easy with an IFD setup of CRM 2011. We have an IFD configuration and setup that we use to test settings and some of our CRM Portal – Linking to DotNetNuke on.

Taking the server as configured as described here:

We ended up with an ADFS Relying Party Trust that is named “CRM IFD Relaying Party”


This is the name we must use in the Windows PowerShell program to make the necessary changes.

To Extend the Auto Logout of IFD CRM 2011

1. Start Windows PowerShell



2. Copy and Paste the following command into PowerShell and hit enter (you can right click to paste):

Add-PSSnapin Microsoft.Adfs.PowerShell 


3. Check you have the correct name of the Relying party trust by typing the following:

Get-ADFSRelyingPartyTrust -Name "relying_party"

Where you replace “relying_party” with the name of your relying party trust. In our case we would use:

Get-ADFSRelyingPartyTrust -Name "CRM IFD Relaying Party"

You should see a bunch of junk, indicating that you have the correct name:



4. Now type the following command:

Set-ADFSRelyingPartyTrust -Targetname "relying_party" -TokenLifetime 480

Where you replace the “relying_party” with the name of your relying party. Again in our case we would use:

Set-ADFSRelyingPartyTrust -Targetname "CRM IFD Relaying Party" -TokenLifetime 480

Note that the 480 is in minutes. You can change that value up or down as required.


We chose to use 24 hours for example.

That’s all there is to it. Close the PowerShell and you are done.

CRM 2011 XRM Performance Problem IIS Dynamic Compression

Microsoft CRM 2011 allows XRM services that use application/soap+xml content type.

When you install Microsoft CRM 2011 in an IFD / hosted environment, it is smart enough to automatically configure IIS gzip compression on the website.


What it does not do, is configure the


file to compress XRM calls out of the CRM database.

In a test we were performing for an update to our Microsoft CRM 2011 Portal technology, we found that retrieving a list of around 20,000 items returned a 19 MB data package without gzip dynamic compression. Not huge but pretty big! What amazed us was that after enabling dynamic compression on the XRM data, this reduced from 19 MB to 890 KB, a huge performance improvement!

We also noticed that the Microsoft Hosted CRM 2011 service already has this compression enabled, so we figured if it is good enough for them, then we should give it a shot.

How to Enable XRM gzip Compression in IIS

Navigate to: C:\Windows\System32\Inetsrv\Config\applicationHost.config

and open it in your favourite editor.

Search for the Section: “<httpCompression directory=”

And in that section you will probably find an entry that looks like this:

<add mimeType="application/x-javascript" enabled="true" />

Below that, add the following:

<add mimeType="application/soap+xml" enabled="true" />

So the file looks like this:


Note: We are making the assumption that you are on Windows 2008, and that CRM 2011 was successfully installed, and that this in turn enabled IIS compression on the Microsoft CRM website.

These steps should massively improve data access to CRM using XRM calls.
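The edit described above, made repeatable, as an added example that is not from the original post: it loads applicationHost.config, adds the application/soap+xml entry after the application/x-javascript entry if it is not already there, and keeps a backup copy. It assumes the entry belongs in the dynamicTypes list of the httpCompression section, since XRM responses are dynamic content; the function name is hypothetical.

```powershell
# Added example: make the applicationHost.config edit described above repeatable.
# Run from an elevated 64-bit PowerShell: a 32-bit process sees a redirected System32
# folder and would not open the file that IIS actually uses.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$mimeType   = 'application/soap+xml'

function Add-DynamicCompressionType {
    param([string]$Path, [string]$MimeType)

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true            # leave the rest of the file untouched
    $doc.Load($Path)

    # Assumption: the entry belongs in <dynamicTypes> under <httpCompression>.
    $dynamic = $doc.SelectSingleNode('/configuration/system.webServer/httpCompression/dynamicTypes')
    if ($null -eq $dynamic) {
        throw "No <dynamicTypes> section found in $Path; is dynamic compression installed?"
    }

    $existing = $dynamic.SelectSingleNode("add[@mimeType='$MimeType']")
    if ($null -ne $existing) {
        if ($existing.GetAttribute('enabled') -eq 'true') { return 'already enabled' }
        $existing.SetAttribute('enabled', 'true')
        $action = 'enabled existing entry'
    } else {
        $entry = $doc.CreateElement('add')
        $entry.SetAttribute('mimeType', $MimeType)
        $entry.SetAttribute('enabled', 'true')

        # Place it directly below the application/x-javascript entry, as the post does.
        $anchor = $dynamic.SelectSingleNode("add[@mimeType='application/x-javascript']")
        if ($null -ne $anchor) { [void]$dynamic.InsertAfter($entry, $anchor) }
        else                   { [void]$dynamic.PrependChild($entry) }
        $action = 'added entry'
    }

    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep the previous version
    $doc.Save($Path)
    return $action
}

Add-DynamicCompressionType -Path $configPath -MimeType $mimeType
```

Running it a second time returns "already enabled" and leaves the file alone.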

Turn off Microsoft CRM 2011 5000 limit on data retrieval via SDK

With CRM 4.0 and Microsoft CRM 2011 there is a default limit for the number of items that can be retrieved when making various types of web service calls into the CRM.

Typically this limit is set to 5000 but with some types of calls it will return 7000. In any case, the process to remove the limit and set it to 20,000 is very easy.

On the server running CRM

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then select the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\MSCRM
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type TurnOffFetchThrottling, and then press ENTER.
  5. Right-click TurnOffFetchThrottling, and then click Modify.
  6. Type a number other than 0 in the Value data box, and then click OK.
    Note Step 6 lets you retrieve the number of records specified in the Count attribute of your fetch statement.
  7. On the File menu, click Exit.

How to stop – Only secure content is displayed in IE9 message


If you use IE9, you must be familiar with this message: “Only secure content is displayed.”


Microsoft implemented this kind of message to inform you that you are about to access some unsecured content on a website. It is actually a security message. Unfortunately, messages like this are more often annoying or unnecessary than useful. Internet Explorer shows this message when the same web page contains both secured and unsecured content: in this way, some unsecured scripts may have access to secured data on that page. The same thing happens when you play a game (unsecured scripts) on Facebook and want to publish that game information on your wall (secured action).

1. Launch Internet Explorer.
2. Go to Tools -> Internet Options.

Then, navigate to Security tab.

3. Click on “Custom level” button.

4. Search for “Display mixed content” under Miscellaneous section. Change it to enable.

Select Yes and that’s all.

CRM 2011 Email Router Problems–She’s a Fickle Bitch

Since we published an extensive set of step by step instructions on how to setup CRM 2011 as an Internet Facing Deployment (IFD), we have continued on to find a few issues with the Email Router Tool that are probably worth sharing.

The Tool Does Not Connect to Exchange 2010 like the CRM 4.0 tool.

We had a previous test environment that included CRM 4.0 and the well patched Email Router Tool. It was talking nicely to Exchange Server 2010 using the Exchange Web Service URL:

In our instance the HTTPS was configured with a service-signed certificate from a trusted provider. In other words, we purchased an expensive certificate and used that for testing a real world deployment. No self signed junk.

That all hummed nicely, but we find that in CRM 2011, the Email Router Incoming Settings, using the same settings that worked in 4.0, fail.


Name: FirstName Last Name
Incoming Status: Failure – No results were found.


Note: It is worth noting that after you import an Organization into CRM 2011 from CRM 4.0 that all the user credentials in each users CRM E-mail setting for user defined access:


have the wrong passwords. They need to be reset.


We have not fixed this yet!

Try as we may, and generally we know what we are doing with this stuff, we have not as yet found a solution. We tried heaps of things, from opening up Non SSL access to the Exchange Server to running REG EDITS on the CRM server. Nothing as yet!

We can verify that the URL can be hit from the CRM server (Where the Email Router Resides) and that the return of information is the same as it was for CRM 4.0 Email Router.

We also have verified that the error changes once user passwords are made invalid.

Incoming Status: Failure – The remote Microsoft Exchange e-mail server returned the error “(401) Unauthorized”. Verify that you have permission to connect to the mailbox. The request failed with HTTP status 401: Unauthorized.


Indicating that it is authenticating correctly.

We have deployed Rollup 2 at this time, and really are starting to think it is a bug. So we are about to get the BIG Microsoft Involved with a support ticket. Will let you know how that works out.


One Big Problem

We did not think a lot of the issue, and left our test Environment sitting doing a few things that included a DotNetNuke integration that was running some automatic billing processes from web service calls into CRM. This generated email messages in CRM that needed to be sent, and naturally the email router would have sorted that.

Again, we thought nothing of that.

We also noted that huge amounts of memory were being allocated toward the CRM test server in Hyper-V. Like 12-14 GB. That was high, being that it was a SQL server and website in essence. Memory sits nicely at around 3-4 GB if things are working well.

What we have since discovered is that with the invalid inbound CRM – Exchange access, the CRM Email Router service consumed huge amounts of memory (Over 48 GB if allowed), and also bogged down process time to the point that nothing else ran on the server.

She’s a Fickle Bitch! and obviously there is a memory leak of epic proportions there some place.

The solution, was to remove the invalid Inbound Rule while we sort out what the heck is going on with the program.

Stay Tuned….


After much mucking around, we found our problem.

In our instance the Default Global Address List had us listed, but our mailbox was tied to another custom address list, that was not listing our address correctly due to a typo. The access to the GA was being blocked by custom security settings.

This comes back to the same post above. Although nothing to do with the check box about  “Hide from Exchange address lists” – we were in effect being hidden from the address list that mattered.

CRM 2011 IFD Multi-Tenancy Migration Tips


Today we posted a blog about How to configure IFD Hosted Setup in CRM 2011

Following on from that we tested the migration from CRM 4.0 hosted CRM installations to the newly configured test environment for CRM 2011.

We ran into a few problems (and a few things we did not know) and thought others may benefit from this.

CRM Migration

The process was reasonably simple for us and for that reason we will just list the steps.

  1. Backup the CRM 4.0 database to file.
  2. On the new CRM 2011 SQL server, perform a normal SQL database restore from the backup file.
  3. Use the CRM 2011 deployment tool to “Import an Organisation”, specifying the obvious settings for the database selection and user mapping. (In our case, we were on the same domain, so user mapping was easy.)

All this worked well, but there were a few problems when we went to browse the new Org from outside the server. In other words, using the IFD to access the org.

Internally the org was accessible with  but external access:  failed.

The Problems

First one

Was simple but only because we have seen it before. Originally we had accessed the org from our IE 9 browser with and accessed the CRM 4.0 IFD. Actually we used it for over a year.

Now we wanted to use the new IFD on CRM 2011, but on the same browser. We found when going to: that the browser was not even rendering the request for user name and pass that we expected:

The IE failure gave no message or indication of why. Basically a 404 failure to hit anything useful.

Yet in another “real browser” (not IE) we could at least get prompted for user and pass info.

The Cause

IE really sucks with clearing old data. The delete all / clear cache / remove cookies appears on the outset to dump everything, but it does not. In our case, it cached something from the previous connection to CRM 4.0 that was killing our access. We then also deleted data in “C:\Windows\Temp”  Can’t explain what the cause is… I would just rather put it down to the fact that IE 9 “blow chunks” (big ones).

The solution is to manually navigate to the Temporary Internet Files directory under Windows, and manually delete everything you find in there. That fixes the page rendering issue.
More information here:

The Second One

Second, we entered a user name and pass, and received a message:

There was a problem accessing the site. Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem. Reference number: numbers

There was a matching set of AD FS 2.0 Event Logs that looked like this:


A token request was received for a relying party identified by the key ‘’, but the request could not be fulfilled because the key does not identify any known relying party trust.

This request failed.

User Action
If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.


Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust ‘’ is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

The solution

An easy one, but something we did not know. With CRM 2011 in IFD, each time you add an org, you need to update your Relying Party Trusts from Federation Metadata. Big words that mean…

  1. Open AD FS Management Tool
  2. Expand Trust Relationships
  3. Click on Relying Party Trusts
  4. Click on your IFD Trust, Right Click and Select Update From Federation Metadata
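
The same fix from PowerShell, as an added example that is not from the original post: it lists the identifiers the relying party trust currently holds, checks whether the new organisation's URL is covered, and refreshes the trust from federation metadata if it is not. The trust name is the one used elsewhere on this page; the organisation URL is a placeholder and the function name is hypothetical.

```powershell
# Added example (not from the original post): check whether the relying party trust
# already covers a newly imported organisation, and refresh it from metadata if not.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = 'CRM IFD Relaying Party'        # trust name as shown in AD FS Management
$orgUrl    = 'https://neworg.example.com/'   # placeholder: external URL of the new org

function Test-TrustCoversUrl {
    param($Trust, [string]$Url)
    # The event log hint says the requested key's prefix must match an identifier
    # on the trust, so compare by prefix, ignoring case.
    foreach ($id in $Trust.Identifier) {
        if ($Url.StartsWith($id, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$trust = Get-ADFSRelyingPartyTrust -Name $trustName
if ($null -eq $trust) { throw "No relying party trust named '$trustName' was found." }

"Identifiers currently on '$trustName':"
$trust.Identifier | Sort-Object

if (Test-TrustCoversUrl -Trust $trust -Url $orgUrl) {
    "OK: $orgUrl is covered by the trust."
} else {
    "Missing: $orgUrl is not covered; updating from federation metadata ($($trust.MetadataUrl))."
    Update-ADFSRelyingPartyTrust -TargetName $trustName

    # Re-read the trust and confirm the new organisation is now present.
    $trust = Get-ADFSRelyingPartyTrust -Name $trustName
    if (Test-TrustCoversUrl -Trust $trust -Url $orgUrl) {
        "OK after update: $orgUrl is now covered."
    } else {
        Write-Warning "Still missing after update; check the org name and the CRM IFD settings."
    }
}

# These two settings control whether AD FS polls the metadata URL and applies changes itself.
$trust | Select-Object Name, MonitoringEnabled, AutoUpdateEnabled | Format-List
```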


I have no idea why this is not automatically updated every time the service starts, or even every time the service is called upon….

In any case, that fixed the issue and we are on our way for testing our CRM – DotNetNuke integration suite with CRM 2011 and DotNetNuke 6.0. Wish us luck.

Microsoft CRM 2011 How to Configure IFD Hosted Setup

Like many, we have struggled to configure Microsoft CRM 2011 as an Internet Facing Deployment. There is quite a bit of disjointed and somewhat typical Microsoft “junk” on how to set this up.

So after reading the White Papers, blogs and YouTube videos on the topic, I figured I would need notes for myself as much as anything. This is mostly because I am yet to find one single example that covered the setup I was after. That being:

Single Server

On an existing domain

Running true IFD ready for customer access.

The last point is telling, as all the Microsoft examples give a self generated SSL cert, that really is an example of a DEV environment only. We want to test the “real deal”, and don’t mind spending a few $ on a real Certificate to see this in a true working environment.

The Existing Setup

Because this is a test environment, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:

  • Windows 2008 R2 SP1 64 Bit
  • SQL 2008 R2 64 Bit
  • Microsoft CRM 2011 64 Bit

Interestingly enough, something that always takes me 15 min is ensuring I download the correct version of the ISO files from MSDN. I get it that I am somewhat lame, but if you get a wrong version you can waste a load of time and energy later.


With a list looking like this it can be painful. Anyway, these are the files we used for install:


For those who care, the VM was set to run with 6000 MB ram, and fold out to use more.



When we setup CRM, we selected the option to NOT use the default website, but configure a new one with the default settings of port 5555. This is necessary as you will see later.


Backup First

In all things Microsoft world, it is vital that you establish a working point to avoid unnecessarily installing things all over again. To get things working we have started fresh over 4 times.

Hyper V is great for this, as we just stopped the server, and made a copy of the VHD file. Then when it is time to start all over, it is just a matter of restoring from copy/backup.


Test First

Test that your CRM setup is working. Go to the local computer name (ours is VSERVER08) on the correct port: http://vserver08:5555

We called our Deployment of CRM – “CRM2011”. So the URL redirects to: http://vserver08:5555/CRM2011/main.aspx

and after being prompted for login, we are in and testing.


Apply a Wildcard SSL Certificate

In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment “business1” we will access that as:

For testing, we purchased a standard Wildcard SSL certificate and applied that to the IIS7 server.

We will let you work out that bundle of joy, but a few tips.

1. Godaddy was about as cheap as you find on the net.

2. Setup involves creating a certificate request from within IIS, then pasting that text into the online providers order system. They then generate the certificates that you then import back into IIS and the server.


Application for a certificate

Here we use a wildcard certificate as the example to describe how to create a certificate:

1) Open IIS Manager.

2) Click the server name, and in the main screen double click Server Certificates.

3) In the right panel, click Create Certificate Request…


4) Fill in each field as shown in the following diagram, then click Next.


5) On the Cryptographic Service Provider Properties page, keep the defaults and click Next.

6) On the File Name page, enter C:\req.txt, and then click Finish.

7) Open cmd and run:

certreq -submit -attrib "CertificateTemplate:WebServer" C:\req.txt

8) Select the CA and click OK.

9) Save the certificate as C:\Wildcard.cer. (Steps 7-9 can also be completed on the CA.)

10) Back in IIS Manager, in the same panel as step 3, click Complete Certificate Request…

11) Select C:\Wildcard.cer and enter *. as the Friendly name; of course, you can choose a different name.

12) Click OK.

13) That completes the wildcard certificate request.


Additional SSL Certificate Imports

1) RUN MMC at the start / search

2) Select File / Add Remove Snapin – Select Certificates – ADD


Computer Account

NEXT / Finish

3) Expand the first two folders, and Right Click on the Certificates Folder and select: All Tasks /  Import.

4) Browse to your wildcard SSL certificate file, and import that into the Personal and Trusted Root Certification Authorities.



Ensure that you


Binding site for the default SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click Default Web Site.

3) In the Actions pane, click Bindings.


4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created *. , and then click OK.

Ours is

7) Click Close.

8) Repeat for the Personal certificate folder.


For the CRM 2011 binding site SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click CRM Web Site.

3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created *. .

7) For Port, select a port number other than 443 (e.g. 444), and then click OK

8) Click Close.


DNS configuration

To configure claims-based authentication for MS CRM 2011, you need to add some DNS records so that each CRM 2011 endpoint can be resolved correctly.

There are two ways you can achieve the desired result. But first lets understand the desired result.

  1. We make the assumption that your server is running at least one static IP address.
  2. Because this is Internet Facing, that IP needs to be accessible to the world.
  3. That same IP can be used for access to your server both internally on the machine we are playing with, and externally from anyone on the net.

Let's Get Basic

Start a Command Prompt, and work out what your IP address of the server is.


Type IPCONFIG – Enter

Under the name: IPv4 Address is a number that looks like:


That is Your IP Address of the Server.

The DNS Goal

Make sure that when you PING that it points to that IP address. Both for the world and for you when you do that on your server.

(xxx is the sub domain that we are about to configure.)

To configure CRM, we need some sub domains to point to the server IP.

  4. Your ORG name. (Where ORG is the CRM deployment name of your organization or organizations), e.g.


We have two setup here: CRM and CRM2011. So we need to configure and

Hosting Your Own DNS

If you host your own Domain Name Server (DNS) and you host the domain name that you are using to setup IFD, then configuring an A record for the above mentioned sub domains is easy.

START > Administrative Tools > DNS

Find your Domain Name

Right Click and select NEW HOST A



Add an A record that points to your servers IP address.

Repeat this process for all of the above mentioned sub domains. auth, sts1, dev, and your own organization names.

Test DNS

You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server.

Note: If you have added the DNS records, but still encounter name resolution problems, you can try running ipconfig /flushdns on the client to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.


Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.
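A scripted version of the ping test above, as an added example that is not part of the original post. The domain example.com and the address 203.0.113.10 are placeholders; the host labels are the ones named in this post (auth, sts1, dev, internalcrm, and the two organization names CRM and CRM2011).

```powershell
# Added example: confirm every IFD host name resolves to the server's IP.
# ASSUMPTIONS: 'example.com' and 203.0.113.10 are placeholders for your own
# domain and for the IPv4 address that IPCONFIG reports on the CRM server.
$Domain     = 'example.com'
$ExpectedIp = '203.0.113.10'
$Labels     = 'auth', 'sts1', 'dev', 'internalcrm', 'crm', 'crm2011'

function Test-IfdDnsName {
    param(
        [string]$HostName,
        [string]$ExpectedIp
    )
    try {
        # Uses the operating system resolver, so the local DNS cache applies
        # exactly as it does for PING.
        $found = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    }
    catch {
        # Name does not exist or the DNS server could not be reached.
        $found = @()
    }
    New-Object PSObject -Property @{
        HostName = $HostName
        Resolved = ($found -join ', ')
        Ok       = ($found -contains $ExpectedIp)
    }
}

$results = foreach ($label in $Labels) {
    Test-IfdDnsName -HostName "$label.$Domain" -ExpectedIp $ExpectedIp
}
$results | Select-Object HostName, Resolved, Ok | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} name(s) do not resolve to {1}; fix DNS before continuing." -f $failed.Count, $ExpectedIp)
}
```

Run it once on the server and once from a machine outside your network, since both views have to agree.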


Firewall configuration

You need to configure the firewall to allow incoming traffic on the ports used by CRM 2011 and AD FS 2.0. The default port for HTTPS (SSL) is 443.

For initial setup and testing, we recommend just turning the thing off. Better to start from a place where it does not muck you around, then turn it all back on after you are successful.



Configuring Claims-Based Authentication - Internal Access

Configuring claims-based authentication for internal access requires the following steps:

  • Install and configure AD FS 2.0.
  • Configure claims-based authentication on the CRM 2011 server.
  • Configure claims-based authentication on the AD FS 2.0 server.
  • Test claims-based authentication for internal access.

Install and configure AD FS 2.0

CRM 2011 works with a variety of security token service (STS) providers. This article uses Active Directory Federation Services (AD FS) 2.0 to provide the security token service.

Note: AD FS 2.0 installs to the default website, so before you install AD FS 2.0, you must have CRM 2011 installed in a new site. (Remember we said that earlier.)

IIS looks like this if it is correctly installed:

If you only see the default website with CRM installed in it, start AGAIN!


Download the AD FS 2.0

Download AD FS 2.0 from the following link:

Active Directory Federation Services 2.0 RTW.


Install AD FS 2.0

In the installation wizard, select the federation server role. For more information, refer to

Install the AD FS 2.0 Software.

Configure AD FS 2.0

1. On the AD FS 2.0 server, click Start, then click AD FS 2.0 Management.

2. On the AD FS 2.0 Management page, click AD FS 2.0 Federation Server Configuration Wizard.

3. On the Welcome page, select Create a new Federation Service, and then click Next.

4. On the Select Deployment Type page, select Stand-alone Federation Server, and then click Next.

5. Choose your SSL certificate (choose the *. certificate you created), add a Federation Service name (for example, ), and then click Next.

Note: You only need to add the Federation Service name when you use a wildcard certificate for the AD FS 2.0 site.

6. On the Summary page, click Next.

7. Click Close to close the AD FS 2.0 Configuration Wizard.

Note: If you have not yet added the DNS record for ( ), do it now.

Verify that AD FS 2.0 is working

Follow the steps below to verify that AD FS 2.0 is working:

1. Open Internet Explorer.

2. Enter the URL of the federation metadata, for example:

3. Ensure that no certificate-related warnings appear.



Claims-based authentication configuration CRM 2011 server

After you install and configure AD FS 2.0, you need to set the CRM 2011 binding type and root domains before configuring claims-based authentication.

Follow these steps to set the CRM 2011 binding to HTTPS and configure the root domain web addresses:

1. Open the CRM Deployment Manager.

2. In the Actions pane, click Properties.

3. Click the Web Address page.

4. In Binding Type, select HTTPS.

5. Ensure that the web addresses are valid for the SSL certificate and the SSL port bound to the CRM 2011 site. Because you are configuring claims-based authentication for internal access, use the host name for the root domain web addresses. The port number must match the port set for the CRM 2011 site in IIS.

6. For example, with a *. wildcard certificate, you can use port 444 in the web address.

7. Click OK.

Note: If CRM Outlook clients were configured using the old binding values, they need to be updated to use the new values. Also make sure you have a DNS entry for: internalcrm.

The claims data sent from CRM 2011 to AD FS 2.0 is encrypted using the certificate that you specify in the Claims-Based Authentication Configuration Wizard (described below). Therefore, the CRMAppPool account of the CRM web application must have Read permission on the private key of the encryption certificate. Follow these steps to grant this permission:

1. On the CRM 2011 server, run the Microsoft Management Console (Start => Run MMC).

2. Click File => Add/Remove Snap-in…

3. In the left panel, select Certificates, then click Add to add it to the right panel.

4. In the pop-up window, select Computer account.

5. On the next page, select Local Computer, then click Finish.

6. Click OK.

7. Expand Certificates (Local Computer) => Personal, and select Certificates.

8. In the middle panel, right-click the encryption certificate that you will specify in the Claims-Based Authentication Configuration Wizard (in this case *. ), then click All Tasks => Manage Private Keys.

9. Click Add, add the CRMAppPool account (if you are using Network Service, select that account directly), and then grant Read permission.

Note: You can use IIS Manager to see which account CRMAppPool runs as. In the Connections panel, click Application Pools, and then check the Identity shown for CRMAppPool.

10. Click OK.
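The same Read grant can be scripted, shown here as an added example that is not part of the original post. It assumes the key is held by a CryptoAPI (CSP) provider, so that the key file sits under the MachineKeys folder; the thumbprint and the account name are placeholders.

```powershell
# Added example: grant Read on a certificate's private key to the account that
# runs CRMAppPool. Equivalent to "Manage Private Keys" in the Certificates MMC.
# ASSUMPTIONS: placeholder thumbprint and account; CSP-backed machine key.
$Thumbprint = '<THUMBPRINT-OF-YOUR-WILDCARD-CERTIFICATE>'
$Account    = 'NT AUTHORITY\NETWORK SERVICE'   # or the Identity shown for CRMAppPool in IIS

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "This server does not hold the private key for that certificate." }

# CspKeyContainerInfo is only available for CSP-backed keys.
$keyInfo = $null
try { $keyInfo = $cert.PrivateKey.CspKeyContainerInfo } catch { }
if (-not $keyInfo) { throw "Key is not CSP-backed; use the MMC steps instead." }
if (-not $keyInfo.MachineKeyStore) { throw "Key is not in the machine key store." }

$keyPath = Join-Path $env:ProgramData `
    ('Microsoft\Crypto\RSA\MachineKeys\' + $keyInfo.UniqueKeyContainerName)
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Read only: the application pool needs to use the key, not to change or delete it.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Review the result: every identity listed here can use the private key.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

The final listing is worth reading on its own, because any extra identity with access to this file can use the wildcard certificate's key.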


Configure Claims-Based Authentication

Below, we use the Configure Claims-Based Authentication Wizard to configure claims-based authentication. To learn how to configure claims-based authentication with PowerShell, refer to the English original.

1) Open the Deployment Manager.

2) In the left navigation panel, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

3) Click Next.

4) On the Specify the security token service page, enter the Federation metadata URL, such as

Note: This metadata is usually published on the AD FS 2.0 website. Copy this URL into IE to view the federation metadata and confirm that it is the correct URL. Accessing the URL in IE must not produce any certificate-related warnings (Ignore that crap!)


5) Click Next.

6) On the Specify the encryption certificate page, click Select…

7) Select a certificate; here we choose *

8) This certificate is used to encrypt the authentication security tokens sent to the AD FS 2.0 security token service.

Note: The Microsoft Dynamics CRM service account must have Read permission on the private key of the encryption certificate.

10) Click Next. The Claims-Based Authentication Configuration Wizard validates the token and certificate you specified.

11) On the System Checks page, if the checks passed, click Next.

12) On the Review your selections and then click Apply page, confirm your input, and then click Apply.

13) On this page, note the URL shown, because you will use this URL later to add a relying party to the security token service.

14) IMPORTANT – Click View Log File

15) Scroll to the end, and copy the URL from the bottom of the file.

This will be used in the next configuration. Note that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this).

16) Click Finish.

17) Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2011 server.

18) Once you can browse this URL, you are done here.


Claims-based authentication configuration AD FS 2.0 server

After completing the previous step, the next step is to add and configure the claims provider trusts and the relying party trusts in AD FS 2.0.

Configure claims provider trusts

You need to add a claims rule that retrieves the user's UPN (user principal name) from Active Directory and sends it to MS CRM as a UPN claim. Follow these steps to configure AD FS 2.0 to send the UPN LDAP attribute as a claim to the relying party:

1. On the server where AD FS 2.0 is installed, open AD FS 2.0 Management.

2. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.

3. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

4. In the Rules Editor, click Add Rule.

5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

6. Create the following rule:

  • Claim rule name: UPN Claim Rule (or other descriptive name)

  • Add the following mapping:

  • Attribute Store: Active Directory
  • LDAP Attribute: User Principal Name
  • Outgoing Claim Type: UPN

7. Click Finish, then click OK to close the Rules Editor.


Configure relying party trusts

After you enable claims-based authentication, you must configure the CRM 2011 server as a relying party so that it consumes claims from AD FS 2.0 to authenticate internal claims access.

1. Open AD FS 2.0 Management.

2. In the Actions menu, click Add Relying Party Trust.

3. In the Add Relying Party Trust Wizard, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then enter the URL that locates the federationmetadata.xml file.

This federation metadata is created when you set up claims using the Claims-Based Authentication Configuration Wizard. The URL used here is IMPORTANT – read point 14 in the above section. It is the URL retrieved from VIEW LOG FILE during the configuration of Claims-Based Authentication. In this case

Note: Ensure that no certificate-related warnings appear when hitting the URL.

5. Click Next.

6. On the Specify Display Name page, enter a display name, such as CRM Claims Relying Party, and then click Next.

7. On the Choose Issuance Authorization Rules page, choose Permit all users to access this relying party, and then click Next.

8. On the Ready to Add Trust page, click Next, then click Close.

9. If the Rule Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.


10. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

11. Create the following rule:

  • Claim rule name: Pass Through UPN (or other descriptive name)

  • Add the following mapping:

  • Incoming claim type: UPN
  • Pass through All claim values

12. Click Finish.

13. In the Rule Editor, click Add Rule. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:

  • Claim rule name: Pass Through Primary SID (or other descriptive name)

  • Add the following mapping:

  • Incoming claim type: Primary SID
  • Pass through All claim values

14. Click Finish.

15. In the Rule Editor, click Add Rule.

16. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

17. Create the following rule:

  • Claim rule name: Transform Windows Account Name to Name (or other descriptive name)

  • Incoming claim type: Windows account name
  • Outgoing claim type: Name
  • Pass through All claim values

18. Click Finish. After you have created all three rules, click OK to close the Rule Editor.




Test claims-based authentication for internal access

You should now be able to access CRM 2011 internally using claims authentication.

1. Open the Deployment Manager.

2. Expand the Deployment Manager node, and then click Organizations.

3. Right-click your organization, and then click Browse to open the CRM web page (for example: ).

Troubleshooting

If the CRM web page cannot be displayed, run iisreset and then try again.

If the CRM web page still does not display, you may need to set up an SPN (Service Principal Name) for the AD FS 2.0 server. Re-run the Claims-Based Authentication Wizard, browse to the Specify the security token service page, and note the name of the AD FS 2.0 server in the Federation metadata URL. (In this case )

1. Open a command line tool.

2. Enter the following commands (substitute the names from your own environment):

c:\> setspn -a http/ fserver4\VSERVER08$

fserver4\VSERVER08 = the domain and machine name of the server.

c:\> iisreset

3. Then access the Microsoft Dynamics CRM Server 2011 site again; you should now be able to reach the CRM 2011 web page.

If you receive ADFS – sts1 errors.

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: xxx

And/or if you look in your log files under ADFS 2.0, you will see errors like this.

In our case, this was because we used the external Metadata URL and not the Internal URL that we should have copied from the “View Log File” when configuring the Claims Based Authentication (step 14 in the section above).



Note the difference between this:

and the original meta data check we did with:

We incorrectly figured it would be pulling the same XML data. It does NOT!
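The mix-up described above can be caught before a relying party is imported, by looking at what a metadata document declares about itself. This is an added example, not part of the original post: the two XML samples are constructed and cut down to the elements the check reads, the host names are placeholders, and the role types shown are the WS-Federation ones that such metadata is assumed to carry.

```powershell
# Added example: summarise a federation metadata document so you can tell
# which endpoint it describes before pasting its URL into a wizard.
function Get-FederationMetadataSummary {
    param([Parameter(Mandatory = $true)][string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'EntityDescriptor') {
        throw "Not federation metadata: root element is '$($root.LocalName)'."
    }

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('xsi', 'http://www.w3.org/2001/XMLSchema-instance')

    # WS-Federation roles are declared as <RoleDescriptor xsi:type="fed:...">.
    $roles = @($root.SelectNodes('md:RoleDescriptor/@xsi:type', $ns) |
        ForEach-Object { $_.Value })

    New-Object PSObject -Property @{
        EntityId       = $root.GetAttribute('entityID')
        Roles          = ($roles -join ', ')
        IsTokenService = [bool]($roles -match 'SecurityTokenServiceType')
    }
}

# For a live check, download the document first. WebClient fails on an
# untrusted or mismatched certificate, which covers the "no warnings" rule.
function Get-MetadataText {
    param([string]$Url)
    (New-Object System.Net.WebClient).DownloadString($Url)
}

# CONSTRUCTED sample: what the AD FS (sts1) metadata declares.
$stsSample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="http://sts1.example.com/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
</EntityDescriptor>
'@

# CONSTRUCTED sample: what the CRM (internalcrm) metadata declares.
$crmSample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="https://internalcrm.example.com:444/">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
</EntityDescriptor>
'@

foreach ($sample in $stsSample, $crmSample) {
    $summary = Get-FederationMetadataSummary -XmlText $sample
    if ($summary.IsTokenService) {
        $verdict = 'token service metadata: belongs in the CRM claims wizard, not in Add Relying Party Trust'
    } else {
        $verdict = 'application metadata: the kind of document Add Relying Party Trust expects'
    }
    '{0} [{1}] {2}' -f $summary.EntityId, $summary.Roles, $verdict
}
```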


Configuring Claims-Based Authentication - External Access

To enable claims-based authentication for external access to CRM 2011 data, complete the following steps:

1. Complete the contents of the previous section: Configuring Claims-Based Authentication - Internal Access.

2. Configure the CRM 2011 server for IFD.

3. Configure the AD FS 2.0 server for IFD.

4. Test claims-based authentication for external access.

Configure the CRM 2011 server for IFD

Once claims authentication is enabled for internal access, you can enable external claims access through IFD. The following describes configuration using the IFD Configuration Wizard; to learn how to configure it with PowerShell, refer to the English original.

1. Open the Deployment Manager.

2. In the tree structure, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment.

3. Click Next.

4. Fill in the correct domain information for the Web Application, Org, and Discovery Web services. Remember here that in our case * was the name of the wildcard certificate used, and that PORT 444 was the port we configured for the CRM Web Instance in the bindings for IIS.

Thus we use:

  • Web Application Server Domain:
  • Organization Web Service Domain:
  • Web Service Discovery Domain:

Note – Enter the domain name, rather than the server name.

  • If CRM is installed on a single server, or on servers in the same domain, then the Web Application Server Domain and Organization Web Service Domain should be the same.
  • The Web Service Discovery Domain must be a subdomain of the Web Application Server Domain, like the “dev.” that we set up in DNS earlier.
  • The domain names must be covered by the name on the SSL certificate.

Domain examples:

  • Web Application Server Domain: 444
  • Organization Web Service Domain: 444
  • Web Service Discovery Domain: 444

For more information, refer to Install Microsoft Dynamics CRM Server 2011 on multiple computers.

5. In the Enter the external domain where your Internet-facing servers are located box, enter the external domain information for your Internet-facing CRM 2011 servers, and then click Next.

The domain you specify must be a sub-domain of the Web Application Server Domain specified in the previous step. By default, “auth.” is prepended to the Web Application Server Domain.

Domain examples:

  • External Domain: 444

6. On the System Checks page, if there is no problem, click Next.

7. On the Review your selections and then click Apply page, confirm your input, and then click Apply.

8. Click Finish.

9. Open a command line tool and run: iisreset


Configure the AD FS 2.0 server for IFD

After you enable IFD on CRM 2011, you need to create a relying party for the IFD endpoint on the AD FS 2.0 server. Follow these steps:

1. Open AD FS 2.0 Management.

2. In the Actions menu, click Add Relying Party Trust.

3. In the Add Relying Party Trust Wizard, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then enter the URL that locates the federationmetadata.xml file.

Note – This is almost the same URL as we used previously, but has the .auth sub domain that we used in point 4 above. This federation metadata is created when IFD is configured. In this case .

Check the URL in your browser to ensure that no certificate-related warnings appear.

5. Click Next.

6. On the Specify Display Name page, enter a display name, such as CRM IFD Relying Party, and then click Next.

7. On the Choose Issuance Authorization Rules page, select the Permit all users to access this relying party option, and then click Next.

8. On the Ready to Add Trust page, click Next, then click Close.

9. If the Rule Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.


10. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

11. Create the following rule:

  • Claim rule name: Pass Through UPN (or other descriptive name)

  • Add the following mapping:

  • Incoming claim type: UPN
  • Pass through All claim values

12. Click Finish.

13. In the Rule Editor, click Add Rule. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:

  • Claim rule name: Pass Through Primary SID (or other descriptive name)

  • Add the following mapping:

  • Incoming claim type: Primary SID
  • Pass through All claim values

14. Click Finish.

15. In the Rules Editor, click Add Rule.

16. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

17. Create the following rule:

  • Claim rule name: Transform Windows Account Name to Name (or other descriptive name)

  • Incoming claim type: Windows account name
  • Outgoing claim type: Name
  • Pass through All claim values

18. Click Finish. After you have created all three rules, click OK to close the Rule Editor.
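The three relying-party rules created in both the internal and the IFD sections, written out in AD FS claim rule language, with a check that each trust actually issues them. This is an added example, not part of the original post; it assumes the trusts were given the display names suggested above and that it runs on the AD FS 2.0 server.

```powershell
# Added example: audit (and optionally set) the claim rules on both CRM trusts.
# ASSUMPTION: trusts are named 'CRM Claims Relying Party' and 'CRM IFD Relying Party'.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$Apply = $false   # set to $true to overwrite a trust's issuance transform rules

$rules = @'
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

# Claim types CRM expects to receive, keyed by the names used in the wizard.
$required = @{
    'UPN'         = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    'Primary SID' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
    'Name'        = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}

function Get-MissingClaimTypes {
    param([string]$RuleText, [hashtable]$Required)
    # Match the quoted URI so that .../claims/name does not match a longer type.
    $Required.Keys |
        Where-Object { $RuleText -notlike ('*"' + $Required[$_] + '"*') } |
        Sort-Object
}

foreach ($name in 'CRM Claims Relying Party', 'CRM IFD Relying Party') {
    $trust = Get-ADFSRelyingPartyTrust -Name $name
    if (-not $trust) { Write-Warning "Relying party trust '$name' not found."; continue }

    $missing = @(Get-MissingClaimTypes $trust.IssuanceTransformRules $required)
    if ($missing.Count -eq 0) { "$name : all three claim types are issued"; continue }

    Write-Warning ("{0} : no rule issues {1}" -f $name, ($missing -join ', '))
    if ($Apply) {
        # Replaces the trust's whole rule set with the three rules above.
        Set-ADFSRelyingPartyTrust -TargetName $name -IssuanceTransformRules $rules
    }
}
```

With $Apply left at $false the script only reports, which makes it safe to run as a check after the wizard steps.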

Test claims-based authentication for external access

You should now be able to access CRM 2011 externally using claims authentication. Browse to the CRM 2011 external address in IE (for example: ), and you will see the following page:

Enter the user name and password to log in to CRM 2011.


Final Notes

An additional log cleanup step here.

Like anything Microsoft, this was not easy. It took us over 10 attempts drawing on over a dozen resources to get this worked out. For us, the main tripping points related to the meta data URLs used in configuring the endpoints. Our fault, but it also appears to be a common error among other administrators on the net.

To Microsoft – your documentation sucks badly! If I never read another White Paper it will be too soon!

Thanks to – Jackie Chen (Chen Pan) Your blog was GOLD!

Also Look at these Updates

Look for our other posts on Email Router Configurations. “is a fickle bitch!”

AD FS certificate rollover CRM 2011

CRM 2011 Rollup 10 Invalid Argument Error

Client found response content type of ”, but expected ‘text/xml’.

Today we experienced ‘another’ issue with the Microsoft CRM 4.0 Email Router Configuration Manager. Like many of the other issues with the E-mail router tool, we only noticed when we stopped receiving email association icons in outlook.

Normally for us this has ended up being the problem with the Configuration Manager xml configuration files, and has required us to restore them from backup in line with the Official MS fix.

Unusually today the error lay elsewhere. With a test of the User and Queue access, we were receiving a message that looked like this:

  • Client found response content type of ”, but expected ‘text/xml’.
  • With an Event Log Entry Event ID: 0

  • #26090 – An error occurred while opening mailbox System.InvalidOperationException: Client found response content type of ”, but expected ‘text/xml’.
    The request failed with an empty response.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Crm.Tools.Email.Providers.ExchangeServiceBinding.GetFolder(GetFolderType GetFolder1)
       at Microsoft.Crm.Tools.Email.Providers.ExchangeWSConnector.OpenMailbox()
       at Microsoft.Crm.Tools.Email.Providers.ExchangePollingMailboxProvider.InitExchangeConnector()
       at Microsoft.Crm.Tools.Email.Providers.ExchangePollingMailboxProvider.OpenMailbox()
       at Microsoft.Crm.Tools.Email.Providers.CrmPollingMailboxProvider.Run()


The long and the short is that we are using Microsoft Exchange Server 2010, with an Email Router Configuration set up for Rollup 9 supporting Exchange 2010 with Windows Authentication. The URL for the location of the exchange server in the Profile tool looks like this:


Hitting that URL should normally reveal some XML data about the email box being interrogated:


While the CRM Router Service was in error, the URL returned a blank result. This indicated that the Exchange Server 2010 service was at fault. The short term solution was to reboot the Exchange Server. We are yet to track down the exact cause.

Bottom Line… Errors like this appear to point to invalid data being returned from the Exchange Mail Server.


CRM 4.0 Internet explorer has blocked this site from using an ActiveX control in an unsafe manner.

You may have noticed if you connect to a MS CRM 4.0 server after installing Rollup 7 or later, (including rollup 9), that you get a message:

Internet explorer has blocked this site from using an ActiveX control in an unsafe manner.

The cause of this problem is listed in this MS KB:

The long and the short of it is a known problem in a situation where you have an established relationship with a CRM server using the Outlook plug in. If you then connect to another CRM server that has had the Rollup 7.0 installed, you will get the error message.

Now the official Microsoft Solution to this problem is this: Note You can safely ignore this message and allow blocked content.

Go Microsoft. Yet another totally inadequate solution to a known problem!

What they should have said was this:

1. In IE click tools / Internet Options

2. Click the Security Tab / Trusted Sites

3. Click Sites then Add the url of the CRM site giving the message.

4. Click Close (not ok, or save as you might expect, but close).

5. Click Custom Level

6. Select Enable next to “Initialize and script ActiveX controls not marked as safe for scripting”.

7. OK / OK

If you refresh the browser, the nasty annoying message is gone for good. This is a client side solution, and not a particularly good one, but hey; I don’t make this mess, just navigate a path around it!
