Tag Archives: CRM 2011

Microsoft CRM 2011 Defaults to Mobile Site /m

When hitting our CRM 2011 website after recent rollup updates, the website defaults to a URL with /m/ and shows a mobile site.

The FIX

This is really simple.

When the site reformats the URL to /m/default.aspx, just replace that with /main.aspx

So this: https://acc.interactivewebs.com:444/m/default.aspx

Becomes: https://acc.interactivewebs.com:444/main.aspx

It’s that easy!

Microsoft CRM 2011 Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry

Error

When attempting to login to an IFD (Internet Facing Deployment of CRM) you receive this error:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 10/06/2014 1:54:52 AM
Event time (UTC): 9/06/2014 3:54:52 PM
Event ID: 6da606a9a6794c2a8f504cc6b8b3be3e
Event sequence: 2
Event occurrence: 1
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/2/ROOT-1-130468028783689054
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
    Machine name: VSERVER08

Process information:
    Process ID: 1540
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request information:
    Request URL: https://auth.interactivewebs.com:444/default.aspx
    Request path: /default.aspx
    User host address: 101.164.212.248
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
    Thread ID: 8
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: True
    Stack trace:    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Custom event details:

The Problem

For reasons we have not identified, the ADFS authentication is failing and needs to be reset.

Solution:

Run the Deployment Manager with same certificate

These instructions are the last part of the instructions we have created for updating an out of date SSL certificate used in an IFD deployment. Basically we are following the same instructions, but skipping the step of replacing with a new SSL certificate. We are just running the deployment again against the same certificate. 

1. Run the CRM deployment manager:

image

2. Run the Configure Claims-based Authentication

image

Select the default settings.

image

image

Which should be the default from your IFD setup

But when you get to the Certificate, you need to select the new certificate.

image

image

Which should be visible from the list after importing it in the steps above.

3. Run the Configure Internet Facing Deployment action and just step through it with the default settings.

image

4. Restart the AD FS 2.0 Windows Service

image

Configure AD

Set the Service Communication Certificate

1. Start AD FS 2.0 Management

image

2. Expand certificates and select Set Service Communications Certificate

image

3. Select the new certificate that will be listed here.

image

Update Relying Party Trusts

1. From AD FS 2.0 Management, select your relying party trusts and update them from the federation metadata one by one.

image

Update both listed. They will likely have a red cross before you do this.

Restart Services

Restart AD FS Service:

image

and restart IIS the usual way.

And you should be done. Login to your CRM IFD again and enjoy.

 

Microsoft CRM IFD SSL Certificate Renewal

Following on from our very popular IFD configuration for Microsoft CRM.

http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/

The time will come around where you need to renew the SSL certificate for your CRM IFD configuration.

This will include the renewal of the SSL certificate as used by IIS and ADFS. Here are the steps we followed, based exactly on the configuration outlined in our blog post linked above.

Generate a new SSL Request.

1. Open IIS Manager and click on server certificates.

image

2. Create certificate request

image

3. Fill in the data:

image

Next

4. Change to 2048 Bit

image

5. Give it a name:

image

Finish and you are done.

Now open the certificate request text file and copy the text to your clipboard, or use it with your certificate authority to have a new wildcard certificate issued. *.interactivewebs.com is what we use.

To get the certificate we use a service called “startssl.com”, which allows you to issue certificates like this for 2 years for free once you are validated as a user.

Complete the Certificate Request

Once the new certificate has been issued to you, you need to complete the request on IIS.

1. In IIS Manager click on Complete Certificate Request

image

2. Browse to the certificate from your issuer provider and give it a friendly name. We like to use a year in the name to help distinguish from the old one.

image

Finish the import.

Change the certificate used by IIS

1. Expand the two sites on the CRM server and click on Default Website first then Bindings / https

image

Then EDIT

2. Select the new certificate that you just imported and click on OK

image

3. Repeat this process for the Microsoft Dynamics CRM website

image

selecting the new certificate here and OK.

4. Restart IIS

Set Permissions on SSL Certificate

1.  Click Start, and then click Run.
2.  Type MMC.
3.  On the File menu, click  Add/Remove Snap-in.
4.  In the Available snap-ins list, select Certificates, and then click Add. The Certificates Snap-in Wizard starts.
5.  Select Computer account, and then click Next.
6.  Select Local computer: (the computer this console is running on), and then click Finish.
7.  Click OK.
8.  Expand Console Root\Certificates (Local Computer)\Personal\Certificates.
9.  Right-click Certificates, click All Tasks, and then click Import.

Step 2: Add to the ADFS service account the permissions to access the private key of the new certificate. To do this, follow these steps:

1.  With the local computer certificate store still open, select the certificate that was just imported.
2.  Right-click the certificate, click All Tasks, and then  click Manage Private Keys.
3.  Add the account that is running the ADFS Service, and then give the account at least read permissions. (for us this is the Network Service)
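
To confirm that Step 2 took effect, the following added example (not part of the original post) reads the ACL on the certificate's private key file and reports whether the service account can read it, along with the key size and expiry date. `<THUMBPRINT>` is a placeholder, the function name is hypothetical, and the script assumes a CSP-backed key such as the ones produced by the IIS certificate request above.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Run in an elevated PowerShell session on the server holding the certificate.

$Thumbprint = '<THUMBPRINT>'                    # placeholder: copy from the certificate's Details tab
$Account    = 'NT AUTHORITY\NETWORK SERVICE'    # account running the ADFS service in the post's setup

function Test-CertPrivateKeyAccess {            # hypothetical helper name
    param([string]$Thumbprint, [string]$Account)

    # Thumbprints copied from the GUI often contain spaces; strip them.
    $Thumbprint = $Thumbprint -replace '\s', ''
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in Local Computer\Personal."
    }

    # Assumption: the key lives in a CSP container. For CNG keys the
    # PrivateKey property is empty and the key file is stored elsewhere.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile   = Join-Path $keyDir $container

    # "Read" in the Manage Private Keys dialog is a file-system Read right
    # on the key container file, so inspect that file's ACL.
    $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $rules = @((Get-Acl -Path $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $read) -eq $read
    })

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        KeySize    = $cert.PublicKey.Key.KeySize    # the request above asked for 2048
        Account    = $Account
        CanReadKey = ($rules.Count -gt 0)
        KeyFile    = $keyFile
    } | Select-Object Subject, NotAfter, KeySize, Account, CanReadKey, KeyFile
}

Test-CertPrivateKeyAccess -Thumbprint $Thumbprint -Account $Account | Format-List
```

If CanReadKey is False, repeat the Manage Private Keys step before running the Deployment Manager.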

Run the Deployment Manager with new Certificate

1. Run the CRM deployment manager:

image

2. Run the Configure Claims-based Authentication

image

Select the default settings.

image

image

Which should be the default from your IFD setup

But when you get to the Certificate, you need to select the new certificate.

image

image

Which should be visible from the list after importing it in the steps above.

3. Run the Configure Internet Facing Deployment action and just step through it with the default settings.

image

4. Restart the AD FS 2.0 Windows Service

image

Configure AD

Set the Service Communication Certificate

1. Start AD FS 2.0 Management

image

2. Expand certificates and select Set Service Communications Certificate

image

3. Select the new certificate that will be listed here.

image

Update Relying Party Trusts

1. From AD FS 2.0 Management, select your relying party trusts and update them from the federation metadata one by one.

image

Update both listed. They will likely have a red cross before you do this.

Restart Services

Restart AD FS Service:

image

and restart IIS the usual way.

And you should be done. Login to your CRM IFD again and enjoy.

Please feel free to link to / reference this blog. Comments welcome below.

CRM 2011 Email Router Setup and Settings

Often with the setup of CRM 2011, users experience Pending e-mail warning messages, and sometimes email messages are not sent.

This can be especially frustrating, as both the CRM email queuing and tracking system and the Email Router application are terrible at helping you understand exactly what is going on with your CRM e-mail.

We mentioned some of the issues we have experienced here:

http://www.interactivewebs.com/blog/index.php/server-tips/crm-2011-email-router-problemsshes-a-fickle-bitch/

Here are some basic setup tips for email in Microsoft CRM 2011

1. Out of the box, CRM does not send email messages. You need to configure an application known as CRM 2011 Email Router to have email messages sent.

2. You also need a working SMTP (email server) that is configured to allow the relay of email messages from email accounts at your domain name. This can be achieved with Amazon SES message service or your own servers. We can assist you setup Amazon SES if you need assistance with this.

3. You should install and configure your Email Router. Some notes to help you may include these: http://www.interactivewebs.com/blog//?s=email+router

Recommended email settings in CRM 2011

1. Out of the box, CRM will only be able to send email messages to leads, contacts, and accounts until you change this setting, found in Admin / System Settings in CRM.

image

2. Avoid delayed email messages in CRM by approving email addresses. In Administration / Users, go into each user and approve the configured email address.

image

There is a view of users who are Pending Email address approval to help identify who is needing approval.

image

Also uncheck the option for Process emails only for approved users and process email only for approved queues. Administration / System Settings.

image

 

3. Configure users email settings to use the email router for outbound email messages. (optionally inbound configuration too).

image

Our recommendation is to set the outbound processing for the email router. This will allow emails generated by the crm system to be delivered right away via the email router. This also means that you do need to install and configure the email router.

The above settings can be set automatically for all users by the use of a simple out-of-the-box workflow that runs on create of new users.

image

4. The next setting is recommended. Knowing that email can be tracked in CRM with the outlook client:

image

Email messages can automatically be tracked too.

image

5. The all-powerful feature of creating contacts in CRM when an email address is not known.

image

This is a great way to automatically get more leads or contacts (depending on your business) in crm. And depending on your business can also be a great way to pollute your crm full of contacts or leads that you don’t want.

Troubleshooting Tips

To troubleshoot an E-mail Router outgoing profile configuration, follow these steps:

  1. Make sure that you follow the incoming profile configuration procedures in the E-mail Router Configuration Manager Help.
  2. For more information about how to configure an incoming profile, see the E-mail Router configuration information in the latest version of the Installing Guide that is included in the Microsoft Dynamics CRM 4.0 Implementation Guide.
  3. Refer to the following sections for information about how to resolve commonly encountered outgoing profile issues.

Test Access error

If there is a problem with your outgoing e-mail configuration, you may receive the following error message when you click Test Access on the E-mail Router Configuration Manager:

“Outgoing status: Failure – An error occurred while checking the connection to e-mail server EXSERVERNAME. The requested address is not valid in its context”

If you receive this message, follow these steps to troubleshoot the problem:

  1. Run a telnet command to verify that connectivity is functioning between the computer that is running CRM Router and the Exchange Server. For example, start the TELNET utility and enter the following command: TELNET EXSERVERNAME PORT
  2. Make sure that you have no antivirus services running on the Exchange Server computer that prevent connection by using port 25.
  3. For information about how to configure the SMTP server to allow relay messages from Microsoft Dynamics CRM, see KB article 915827.

E-mail error when message sent from the Web application

Symptom: When a user sends an e-mail message by using the Web application, the user might receive one of the following messages:

This message has not yet been submitted for delivery. 1 attempts have been made so far.

The message delivery failed. It must be resubmitted for any further processing.

Resolution: For information about how to resolve this issue, see KB article 915827.

Load Data error

When you click Load Data in the E-mail Router Configuration Manager, you receive the following error:

The E-mail Router Configuration Manager was unable to retrieve user and queue information from the Microsoft Dynamics CRM server. This may indicate that the Microsoft Dynamics CRM server is busy. Verify that URL ‘http://OrganizationName‘ is correct. Additionally, this problem can occur if the specified access credentials are insufficient. To try again, click Load Data. (The request failed with HTTP status 404: Not Found.)

To resolve this problem, follow these steps:

  1. Make sure that the user account that is running the E-mail Router Configuration Manager service is a member of the Active Directory PrivUserGroup security group.
  2. The account that is specified in the Access Credentials field on the General tab of the E-mail Router Configuration Manager must be a Microsoft Dynamics CRM administrative user. If the access credentials are set to Local System Account, the computer account must be a member of the Active Directory PrivUserGroup security group.
  3. Make sure that the URL is spelled correctly. The organization name in the URL field is case-sensitive and must be spelled exactly as it appears in the Microsoft Dynamics CRM server. To view the organization name as it appears in the Microsoft Dynamics CRM server, start the Web application. The organization name appears in the upper-right corner of the application window.
  4. The DeploymentProperties table may have incorrect values if you have modified the port or hostheaders on your Web site. To update the DeploymentProperties table, see KB article 950248.

Pending Email warning

image

On the Email Router, configure:

1. Check the Event Viewer for Email Router related errors

2. Change the send email

3. Restart CRM email Router service

4. Reduce the polling time and connection timeout

image

 

Automatically Resending Failed Email Messages

Advanced Find can be used to find email messages that have not been sent. A workflow can also be created to resend messages automatically. However, constant failures indicate a problem somewhere else, so this automatic workflow should not be introduced in place of fixing your sending issues.

Steps to create the workflow to re-send failed e-mails:

1. Create a new Workflow in CRM | Processes on the E-mail entity

image

2. Set the workflow to be Available to Run “As an on-demand process”, change the scope to Organization and uncheck “Record is created”. This will make the workflow available to run on demand, work for all e-mails in the organization, and not run every time a new e-mail is created, as we just want to use this when needed on specific e-mails.

image

3. Click “Add Step” and choose “Change Status”

image

4. Set the E-mail to a status of “Pending Send”

image

5. Click Save and then Activate in the toolbar. Click “OK” to the message to confirm you want to Activate the workflow and then click “Close” on the workflow.

image

Advanced Find to see how many e-mails are in a failed status:

1. Open Advanced Find by clicking the “Advanced Find” button in the CRM ribbon

image

2. Select “E-mail Messages” in the Look For option set and then select “Status Reason” and set it equal to “Failed”. Then click the Results button in the Advanced Find ribbon.

image

3. You can refine the results using the filter criteria from here as well in case you do not want to re-send all of the e-mails. Once you are done, multi-select the e-mails you want to re-send and then click the “Run Workflow” button in the CRM ribbon.

4. Select the e-mail workflow that you created using the steps above and click OK.

The workflow will then run and change the status of all the e-mails you had selected back to “Pending Send”.  This is an asynchronous process, so it may take a few minutes depending on your current asynchronous workload in CRM.  Then the CRM e-mail router will process them again and send them out through SMTP as expected.

Still Need Help?

Here at InteractiveWebs we know how terrible this component of Microsoft CRM is. Actually, in our opinion, it is difficulties like these that really show Microsoft is not at all interested in giving its customers a good experience. Much of the multitude of steps and better monitoring could be fixed with very little effort from Microsoft, yet after years of CRM, much remains the same.

In any case, if you need paid administration assistance to get your email working on your CRM system, be it Cloud Microsoft Hosted, IFD, or On Premises, we are available. Please contact us at: http://www.interactivewebs.com by submitting a support ticket.

Download Rollup 12 for Microsoft Dynamics CRM 2011 is Available–Finally

Reposted: Today the update Rollup 12 for Microsoft CRM 2011 (CRM 2011 Polaris on premises) is available for download at this location:

Download

http://www.microsoft.com/en-us/download/details.aspx?id=36229

 

This is the long-awaited update that brings the UI refresh and adds support for browsers other than Internet Explorer.

The image above depicts the functionality included in Polaris. I will now touch upon some of the key ones in a little more detail, hopefully in plain English!

  • Flow User Experience – this is a whole new UX development approach for CRM to remove the number of screen pops that occur during a standard process. In the case of Polaris, Lead and Opportunity and Case management processes will be included. It is important to note that this feature will be turned off for existing online customers, but can be opted into and for new online customer post the release this will be on by default but can be turned off. Flow UX will not be configurable for any other entity other than the Lead, Opportunity and Case in the first release. In the Q2 2013 we would expect that this will be more configurable for custom entities. This is a big step forward on UX development and cements the user experience expected on mobile devices
  • Browser Flexibility - This will enable CRM to be run on a number of browsers including Safari on the iPad.

  • Yammer Integration – Tighter integration between CRM and Yammer beyond the current embed functionality. This will enable features such as Like, Follow, visible from within CRM or Yammer and the ability to do global search from yammer to CRM. Yammer will become the future Activity Feeds.  Aligned to this was the recent announcement of pricing plan changes that can be found here https://www.yammer.com/about/pricing/ making it very affordable to organisations to adopt.
  • Skype integration – As per my previous blog this is a great new feature and will change the way we communicate with our customers from within CRM.
  • Bing Maps – The updated new UX will include native integration to Bing Maps for Contacts and Accounts for free.
  • Pre Defined sales and Service processes – So what is this? Well rather than you telling your partner your processes, your partner will be able to present a best of breed sales process as a starting point from which you can edit and tweak. This will save time in deployment and provide a greater starting point than just rich functionality to configure.
  • Enhanced Complex Deal Management – Microsoft Dynamics CRM will provide additional capabilities to track and manage stakeholders, competitors and pursuit teams for leads, opportunities, contacts and accounts via the new UX capability.

Where did it go? Update 16/01/2013

Microsoft Dynamics CRM 2011 Update Rollup 12 (UR12), which was readied for availability on January 10 and made available on January 12, has been withdrawn by Microsoft, citing “an issue that could potentially impact a customer’s database”.

Writing in a blog post on the Microsoft Dynamics community site, CVP for Dynamics CRM Bob Stutz explained that an issue discovered in the “UR12 Server bits” could impact customer databases, so the software download was removed from the Microsoft Download Center.
A new version of UR12 will be made available within the week, according to Stutz.
Dynamics CRM forum members discussed the missing server software for UR 12 on Friday, January 11.  One person notes that she downloaded it on the 9th, discovered issues, and saw that it had been pulled down soon after:

“I grabbed the server component around 10:00 PM eastern on the 9th, and they pulled it down about an hour later. I installed it in my environment and it had a few bugs, maybe MS pulled it down and are frantically fixing?”

Another forum member puzzled over the lack of communication on the missing software:
“Seems wierd [sic] that they were there one moment and gone the next.  Always amazes me that there’s multiple posts when it’s released, but nothing but silence when it gets pulled.  SImilar to UR 10 and UR 11 which both had V2’s (and niether [sic] of which were really fixed).”
This is not the first update rollup to be withdrawn because of undiscovered issues.  UR10 had to be re-released in October 2012 due to several issues.  UR11 was similarly re-released several days after the original due to user-reported issues.

Stutz’s blog post does not elaborate on the problems, but Stutz acknowledges that another consecutive withdrawn update to Dynamics CRM hurts the product’s QA and release processes. He concludes with an assurance: “We have taken measures to improve our engineering processes and methodologies going forward, and we take your feedback very seriously. We apologize for any inconvenience this has caused.”

CRM 2011 Rollup 10 Invalid Argument Error

CRM 2011 Rollup 10 Killed My CRM

image

After installing CRM 2011 Rollup 10 (not 9 as that is MIA) you receive an Invalid Argument message as per the image above. This happens after you login to an IFD deployment.

For all we know it may happen on the CRM on premises but we have not managed to test that.

You may also have a CRM Platform Trace Error:

Crm Exception: Message: A non valid page number was received: 0, ErrorCode: -2147220989

CRM’s Fetch Throttling abilities have been disabled or modified from the default values.
Re-enable CRM’s default Fetch Throttling settings.

The solution

1. START | RUN | “regedit” | OK

2. Locate and select the registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\MSCRM

image

Change the value on: TurnOffFetchThrottling

to 0

image

In fact, if you find either of the MaxRowsPerPage or TurnOffFetchThrottling registry values, set them both to 0 or delete them.

3. START | RUN | “iisreset” | OK

(This will restart IIS)

Login to CRM and you should be good to go.

AD FS certificate rollover CRM 2011

You find that you can’t log on to your CRM 2011 IFD deployment that you configured around 12 months earlier.

image

The server event log shows error 1309:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 9/07/2012 12:09:59 PM
Event time (UTC): 9/07/2012 2:09:59 AM
Event ID: 50c7c9d7c3ba4b839bca7c72b9edf410
Event sequence: 51779
Event occurrence: 11
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/2/ROOT-1-129862684501956875
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
    Machine name: VSERVER08
 
Process information:
    Process ID: 3208
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE
 
Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 
 
Request information:
    Request URL: https://auth.interactivewebs.com:444/default.aspx
    Request path: /default.aspx
    User host address: 124.189.39.157
    User: FSERVER4\Administrator
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: NT AUTHORITY\NETWORK SERVICE
 
Thread information:
    Thread ID: 15
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: True
    Stack trace:    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 
 
Custom event details:

And you find an error in the login attempt that gives you a 401 error.

ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

Cause

The likely cause is that the ADFS certificate rollover has happened. Basically, AD FS has issued a new self-issued certificate to replace the one used and configured as part of your IFD setup with CRM and AD FS, around 1 week before the expiry of the old one.

If you start the AD FS management tool and look under:

Service >> Certificates

You will notice a primary and secondary certificate.

image

The Fix

Basically the certificate automatically rolls over to a new one and ADFS won’t authenticate any more. Here are the steps that seem to fix this issue:

  1. Open Windows PowerShell as administrator (right-click, Run as administrator)
    image
  2. Run the following commands:
  3. add-pssnapin Microsoft.adfs.powershell
  4. set-adfsproperties -autocertificaterollover $true
  5. update-adfscertificate -urgent
  6. Run the CRM deployment manager
    image
  7. Run through Configure Claims-Based Authentication Wizard (no changes)
  8. Run through Configure Internet-Facing Deployment Wizard (no changes)
  9. Restart the adfs service
    From a Command Prompt “cmd” type
    net stop adfssrv
    then
    net start adfssrv
  10. Restart the Microsoft Asynchronous processing service
    From Services Windows
    Click the Restart Icon while the Service is selected
    image
  11. run an iisreset from the elevated command prompt
    Start RUN “cmd”
    iisreset

From here you should be good to go.

If you need assistance with CRM IFD setup see this post: http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/

NOTE: In our case, the running through of the authentication wizard had defaulted the names back to the server name. We needed to manually put in the address correctly as per the setup of the IFD explained in the link above.
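
The following added example (not part of the original post) serves both ID4175 write-ups on this page. It is a read-only check that lists the AD FS token certificates with their remaining lifetime and looks for event 1309 entries containing ID4175, so that a rollover can be spotted before or right after it breaks the CRM login. The function names and the 30-day and 14-day windows are hypothetical, and the script assumes the ASP.NET events shown above are written to the Application log.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Run in an elevated PowerShell session. If AD FS and CRM sit on different
# servers, call Get-AdfsCertStatus on the AD FS server and Get-Id4175Event
# on the CRM web server.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-AdfsCertStatus {                   # hypothetical helper name
    param([int]$WarnDays = 30)                  # hypothetical warning window, in days

    $now = Get-Date
    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        Get-ADFSCertificate -CertificateType $type | ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.Certificate.NotAfter - $now).TotalDays)

            if ($daysLeft -lt 0) {
                $status = 'EXPIRED'
            } elseif (-not $_.IsPrimary) {
                # Either the freshly generated certificate waiting to be
                # promoted, or the old one kept after promotion.
                $status = 'SECONDARY'
            } elseif ($daysLeft -le $WarnDays) {
                $status = 'EXPIRES SOON'
            } else {
                $status = 'OK'
            }

            New-Object PSObject -Property @{
                Type       = $type
                IsPrimary  = $_.IsPrimary
                NotBefore  = $_.Certificate.NotBefore
                NotAfter   = $_.Certificate.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
                Thumbprint = $_.Certificate.Thumbprint
            } | Select-Object Type, IsPrimary, NotBefore, NotAfter, DaysLeft, Status, Thumbprint
        }
    }
}

function Get-Id4175Event {                      # hypothetical helper name
    param([int]$Days = 14)                      # hypothetical look-back window

    # Assumption: the ASP.NET unhandled-exception events (ID 1309) are in the Application log.
    $filter = @{ LogName = 'Application'; Id = 1309; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ID4175' } |
        Select-Object TimeCreated, MachineName,
            @{ Name = 'RequestUrl'; Expression = {
                if ($_.Message -match 'Request URL:\s*(\S+)') { $Matches[1] }
            } }
}

# Rollover settings, so you know whether AD FS will replace certificates on its own.
Get-ADFSProperties |
    Format-List AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold |
    Out-String

$certs  = @(Get-AdfsCertStatus)
$events = @(Get-Id4175Event -Days 14)

$certs | Format-Table -AutoSize | Out-String
"ID4175 events in the last 14 days: $($events.Count)"

# An ID4175 event logged after the current primary token-signing certificate
# became valid fits the rollover case described above.
$primary = $certs |
    Where-Object { $_.Type -eq 'Token-Signing' -and $_.IsPrimary } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if ($primary -and $events.Count -gt 0) {
    $after = @($events | Where-Object { $_.TimeCreated -gt $primary.NotBefore })
    "{0} of them are newer than the primary token-signing certificate (valid from {1})." -f `
        $after.Count, $primary.NotBefore
    $events | Sort-Object TimeCreated -Descending | Select-Object -First 5 |
        Format-Table -AutoSize | Out-String
}
```

A SECONDARY token-signing entry is the early warning: it means a rollover is in progress and the CRM wizards in the steps above will need to be re-run once the new certificate is primary.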

 

Event ID 17137 from source MSSQL$MICROSOFT##SSEE

 

Cleaning up the Event Log

On a system running the CRM 2011 IFD as described here: http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/

You may notice in the Event Log some errors that look like:

The description for Event ID 17137 from source MSSQL$MICROSOFT##SSEE cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

AdfsArtifactStore

The specified resource type cannot be found in the image file

The Solution

1) Open SQL server management studio.

2) Connect to \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query


3) Right-click on the database AdfsArtifactStore and select “Properties”

4) Click on the Options page

5) Set “Auto close” to False

CRM Anywhere – CRM Q2 CY 2012 Service Update Now Live


CRM Anywhere Q2 CY 2012 Service Update Now Live

 

Microsoft CRM 2012 – CRM Anywhere Q2 2012

 

Preview some upcoming features in Q2 "R8", such as mobility, BI and analytics enhancements, from Reuben Krippner, a MSFT Technical Product Management Lead, in this video.

One of the most talked about improvements in CRM Anywhere is the introduction of a new mobility component dubbed Microsoft Dynamics CRM Mobile.

Cross-Browser Support

Microsoft Dynamics CRM Mobile isn’t the only reason Microsoft is calling the coming update CRM Anywhere. Users of CRM Online 2011 will now be able to access the application using the following browser versions (see below).

Understanding the importance of CRM Anywhere

To understand why this is so important for CRM Online 2011, let’s turn to a few third-party statistics on browser usage around the world. The following table compiles several different studies for easy comparison.


You should notice that while Internet Explorer is definitely in the lead, other browsers remain popular. Since users of Firefox, Chrome, and Safari cannot use CRM Online 2011 now, CRM Anywhere will literally double the potential user base of CRM Online 2011.

CRM Anywhere

Are you beginning to understand why Microsoft named its latest update CRM Anywhere? CRM Online 2011, already a versatile application, is being fully extended to mobile devices and all major browsers! When you include the social-media enhancements, you start to see why we think CRM Anywhere is so important.

When CRM Anywhere is released, you will be able to download it either through Windows Update, or at the Microsoft Download Center. Stay tuned here and we’ll provide you with all of the information you need to update when the time comes.

Multiple browser support

  • IE on Windows 7
  • Safari 5.11 + on Mac OSX and iPad 2
  • Firefox 6+
  • Chrome 13.x

Enhanced Activity Feeds

  • Builds on current foundation
  • Adds Likes/Dislikes
  • Improved filtering of activity feeds

It sounds like this release will still only expose Dynamics CRM records on the activity feeds “wall”, but that the Q4 2012 Service Update will extend this to external communities.

New features and improvements in SQL 2012

If you’re attending Convergence you’ll probably want to attend some of the sessions on this important topic.

  • Performance improvements
  • Next-gen BI with Power View (Crescent)
  • Pre-defined Power Pivot models for CRM
  • Pre-defined Power View reports
  • Available on marketplace as a Microsoft Labs solution

Disable SSL 2.0 IIS 7 Windows 2008 64bit with CRM 2011 for PCI Compliance

PCI Failure

Today we received notification during a PCI compliance check that our Microsoft CRM 2011 server was not PCI Compliant.


The server failed the compliance check because it was accepting connections over the SSL v2.0 protocol.

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application’s documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Perhaps not the world’s biggest deal, as the SSL certificates in place are using SSL 3.0; however, we needed to remove v2.0 for compliance with PCI.

The solution turned out to be not so easy, mostly because we are using a 64-bit Windows 2008 server and Microsoft appears to have provided details only on fixing 32-bit servers to remove SSL v2.

We did manage to get there, and this is what we had to do.

Remove SSL v2

You need to run the following commands at a command prompt on the server:

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f

We created a batch file to make this easier.

You can download the file here, and extract the batch file. Then double click the file called: “DisableSSLv264bit.bat”.

Then Reboot the server.

Download File – DisableSSLv264bit

All it will do is run the above commands, which add an Enabled value under each of the SChannel protocol keys in the registry: the sets that disable SSL v2 and the similar sets that enable SSL v3 and TLS 1.0.

Then you can use a free test service here: http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm to check that SSL v2 is disabled.

A failure reported by the test indicates something did not take correctly.

If you are using a 32-bit version of Windows (not possible with CRM 2011, but possible otherwise), then you can use the Microsoft tool here: http://support.microsoft.com/kb/187498/en-us
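
To check locally that the REG ADD commands took effect, the SChannel keys can be read back and compared with the values set above. This is an added example, not part of the original post or the downloadable batch file; the function name and report layout are illustrative.

```powershell
# Added example: audit the SChannel keys set by the REG ADD commands on this page.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state, taken from the commands above: 0 = disabled, 1 = enabled.
$desired = @(
    @{ Protocol = 'SSL 2.0'; Enabled = 0 },
    @{ Protocol = 'SSL 3.0'; Enabled = 1 },
    @{ Protocol = 'TLS 1.0'; Enabled = 1 }
)

function Get-SchannelEnabled {
    param([string]$Protocol, [string]$Role)
    $path = Join-Path (Join-Path $base $Protocol) $Role
    if (-not (Test-Path -LiteralPath $path)) { return $null }   # key never created
    $props = Get-ItemProperty -LiteralPath $path
    if ($props.PSObject.Properties['Enabled'] -eq $null) { return $null }
    # Any non-zero DWORD (1, or 0xffffffff read back as -1) means enabled.
    if ($props.Enabled -ne 0) { return 1 } else { return 0 }
}

$report = foreach ($entry in $desired) {
    foreach ($role in 'Server', 'Client') {
        $actual = Get-SchannelEnabled -Protocol $entry.Protocol -Role $role
        if     ($actual -eq $null)          { $status = 'NOT SET (OS default applies)' }
        elseif ($actual -eq $entry.Enabled) { $status = 'OK' }
        else                                { $status = 'MISMATCH' }
        New-Object PSObject -Property @{
            Protocol = $entry.Protocol; Role = $role
            Expected = $entry.Enabled;  Actual = $actual; Status = $status
        }
    }
}

$report | Select-Object Protocol, Role, Expected, Actual, Status | Format-Table -AutoSize

# When saved as a .ps1 and run from a scheduled task, a non-zero exit code signals drift.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

SSL 3.0 has since been deprecated as well (RFC 7568), so on a current baseline the SSL 3.0 entries in $desired would be set to 0.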