DNN – Change Permissions on a Page to Stop Users Being Able to Access The Page

To stop users (either members or visitors) from being able to access a page on the DNN site:

Select Edit / Page Settings

Select the Permissions Tab

Untick the All Users View setting. With no view permissions set on the page, no users other than the Default Administrator settings will be able to visit the page.

Update Page

Note: This hides the page from users in the menu too. Alternatively, you can just hide the page from the menu but still allow people who know where the page exists to access it, by following this post: http://www.interactivewebs.com/blog/index.php/general-tips/dnn-hide-a-page-from-the-menu/

 

Enable TLS 1.2 on Windows 2008 R2

Problem

How to enable TLS 1.2 on Windows Server 2008 R2?

Resolution

QuoVadis recommends enabling and using the TLS 1.2 protocol on your server.  TLS 1.2 has improvements over previous versions of the TLS and SSL protocol which will improve your level of security.  By default, Windows Server 2008 R2 does not have this feature enabled.  This KB article will describe the process to enable this.

 

1. Start the registry editor by clicking on Start and Run. Type in “regedit” into the Run field (without quotations).

2. Highlight Computer at the top of the registry tree.  Backup the registry first by clicking on File and then on Export.  Select a file location to save the registry file.

   Note: You will be editing the registry.  This could have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.

3. Browse to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4. Right click on the Protocols folder and select New and then Key from the drop-down menu. This will create new folder.  Rename this folder to TLS 1.2.

5. Right click on the TLS 1.2 key and add two new keys underneath it.

6. Rename the two new keys as:
   • Client
   • Server

7. Right click on the Client key and select New and then DWORD (32-bit) Value from the drop-down list.

8. Rename the DWORD to DisabledByDefault.

9. Right-click the name DisabledByDefault and select Modify… from the drop-down menu.

10. Ensure that the Value data field is set to 0 and the Base is Hexadecimal.  Click on OK.

11. Create another DWORD for the Client key as you did in Step 7.

12. Rename this second DWORD to Enabled.

13. Right-click the name Enabled and select Modify… from the drop-down menu.

14. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.

15. Repeat steps 7 to 14 for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).

16. Reboot the server.

                                  Your server should now support TLS 1.2.

                                   

                                  Note: This article cannot be used on a Windows Server 2003 (IIS 6).  Windows Server 2003 does not support the TLS 1.2 protocol.
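The registry changes from steps 2 to 15, scripted in PowerShell as an added example (it is not part of the original KB article). The backup path in `$BackupFile` is an assumption, and the export is narrowed to the SCHANNEL Protocols subtree rather than the whole registry.

```powershell
# Added example: run from an elevated PowerShell prompt on the server.
# $BackupFile is an assumed location; choose any path you can restore from.
$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$BackupFile   = "$env:SystemDrive\schannel-protocols-backup.reg"

# Step 2 (narrowed): export the Protocols subtree before touching it.
# Restore later with: reg.exe import <file>
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry export failed (exit code $LASTEXITCODE); no changes were made."
}

# Steps 4-15: create "TLS 1.2\Client" and "TLS 1.2\Server", each holding
# DisabledByDefault = 0 and Enabled = 1 as DWORD values.
$Values = @{ DisabledByDefault = 0; Enabled = 1 }

foreach ($Role in 'Client', 'Server') {
    $Key = Join-Path $ProtocolsKey "TLS 1.2\$Role"

    # New-Item -Force on an existing registry key recreates it and drops its
    # values, so only create the key when it is missing.
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    foreach ($Name in $Values.Keys) {
        New-ItemProperty -Path $Key -Name $Name -Value $Values[$Name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Read the values back so a typo or a permissions problem is caught now,
# not after the reboot.
foreach ($Role in 'Client', 'Server') {
    $Key   = Join-Path $ProtocolsKey "TLS 1.2\$Role"
    $Props = Get-ItemProperty -Path $Key

    foreach ($Name in $Values.Keys) {
        if ($Props.$Name -ne $Values[$Name]) {
            throw "Unexpected value for $Name under $Key : $($Props.$Name)"
        }
    }
    Write-Output ("{0}: DisabledByDefault={1} Enabled={2}" -f $Role, $Props.DisabledByDefault, $Props.Enabled)
}

Write-Output "TLS 1.2 keys written. Reboot the server (step 16) for the change to take effect."
```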

                                  Reverting Back

                                  If you make a mistake or something just isn’t right, you can revert back to your previous registry settings by opening the Registry Editor and importing the backup you made in step x.

Microsoft.Crm.CrmException: Database having version 7.0.1.129 is not supported for upgraded.

                                  When upgrading from CRM 2013 to CRM 2015 you get an error: Microsoft.Crm.CrmException: Database having version 7.0.1.129 is not supported for upgraded.

                                  Cause:

                                  This is usually because there is already a database that exists with the same ID. You will need to delete that Organisation in CRM deployment manager before upgrading the new organisation from the same name.

                                  CRM 2016 Import Upgrade from CRM 2015 Failure: Timeout expired

On attempting to upgrade a Microsoft CRM Dynamics 2015 Database to CRM 2016 (without service pack) you receive the error “Failure: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.”

                                  This happens at the System Check stage.

There are a bunch of suggestions online from earlier releases of CRM, like 4.0, suggesting that you may need to change the timeout settings with some DWORD changes in the registry. In this case that is not the cause.

                                  Cause

                                  Microsoft has again released an initial version of their software with some significant bugs. The biggest of these being that you cannot import your CRM 2015 database to upgrade to CRM 2016 if it has a Full Text Catalogue. Something that is likely if you have been using the improved searching functions of CRM 2015.

                                  The Fix

All care and no responsibility with this one. The prudent process would be to upgrade an existing CRM 2015 environment in place, which from all reports will correctly update the CRM database in question to CRM 2016 without error. Alternatively, you can wait the months that are likely required for Microsoft to get around to releasing a patch for this problem.

1. On a fresh CRM 2016 SQL Server, restore your backup of your CRM 2015 database.

2. In the SQL manager, select the database in question, and select “New Query” (our 2015 database restore is CRM_MSCRM).

                                   

                                  3. In the new Query window. Paste the following code and click Execute.

    -- Prints the CREATE / ALTER FULLTEXT INDEX statements needed to rebuild
    -- every full-text index that currently lives in CRMFullTextCatalog.
    declare @catid int
    select @catid = fulltext_catalog_id from sys.fulltext_catalogs where name = 'CRMFullTextCatalog'

    -- c: each table with a full-text index in the catalogue, and the id of its key index
    declare c cursor for
        select sys.tables.name, sys.fulltext_indexes.unique_index_id
        from sys.fulltext_indexes
        inner join sys.tables on sys.fulltext_indexes.object_id = sys.tables.object_id
        where sys.fulltext_indexes.fulltext_catalog_id = @catid
    open c
    declare @TableName varchar(200), @UniqueID as integer
    fetch next from c into @TableName, @UniqueID
    while @@fetch_status = 0
    begin
        -- d: the name of the key index for this table
        declare d cursor for
            select sys.indexes.name, sys.tables.object_id
            from sys.tables
            inner join sys.indexes on sys.tables.object_id = sys.indexes.object_id
            where sys.tables.name = @TableName and sys.indexes.index_id = @UniqueID
        open d
        declare @KeyIndex varchar(200), @object_id as integer
        fetch next from d into @KeyIndex, @object_id
        if @@FETCH_STATUS <> 0
        begin
            Print 'Error with' + @TableName
        end
        while @@fetch_status = 0
        begin
            BEGIN TRY
                Print 'CREATE FULLTEXT INDEX ON [dbo].' + @TableName + ' KEY INDEX [' + @KeyIndex + '] on([CRMFullTextCatalog]) WITH (CHANGE_TRACKING AUTO)'
                Print 'GO'
                -- e: every column of this table that is part of the full-text index
                declare e cursor for
                    select sys.columns.name
                    from sys.columns
                    inner join sys.fulltext_index_columns
                        on sys.columns.object_id = sys.fulltext_index_columns.object_id
                        and sys.columns.column_id = sys.fulltext_index_columns.column_id
                    where sys.columns.object_id = @object_id
                open e
                declare @ColumnName varchar(200)
                fetch next from e into @ColumnName
                while @@fetch_status = 0
                begin
                    Print 'ALTER FULLTEXT INDEX ON [dbo].' + @TableName + ' Add (' + @ColumnName + ')'
                    Print 'GO'
                    fetch next from e into @ColumnName
                end
                close e
                deallocate e
            END TRY
            BEGIN CATCH
                print 'Error' + @KeyIndex
            END CATCH
            fetch next from d into @KeyIndex, @object_id
        end
        close d
        deallocate d
        fetch next from c into @TableName, @UniqueID
    end
    close c
    deallocate c

                                  Like this:

                                  SQL Execute Query Key

4. When the query executes successfully, copy all of the “Message” output in the bottom half of the screen to your clipboard.

                                  5. Now Expand the “Storage / Full Text Catalogues” section of the Database in question and select Properties.

                                  6. Select Table / Views

7. Using the little left-pointing arrow, click it as many times as needed to move all the items on the right to the left.

                                  Like this:

                                  CRM 2015 Upgrade to CRM 2016

8. Once finished, select the Script dropdown and select “Script Action to New Window” (or just click on OK; both actions should work).

                                   

                                  You should see a Progress script Completed Successfully.

                                  9. Now Close all the Management for the SQL Server. This is Important.

                                  10. Upgrade your CRM database the normal way using the Microsoft Dynamics Deployment Manager / Organisations / Import Organisation 

Skip through the steps here as you normally would, noticing that it no longer stalls on the recheck before upgrade.

                                  11. Once the upgrade has finished and you have your database imported and upgraded to CRM 2016, Open the SQL manager for the database in question again, and run a new query against the database as we did in step 3 above.

                                  This time however we are going to paste the output we captured to clipboard in step 4 above, and run that output as a script.

                                  Click Execute again. And you should be rebuilding the database indexes to a state that will function with the new CRM upgraded database.

                                  P.S. Microsoft. You suck balls at initial releases!

                                   Source: https://community.dynamics.com/crm/f/117/t/184508

                                  How to Set Up Microsoft CRM 2016 IFD on Windows 2012 R2 Server

                                  We already have a popular post for the configuration of IFD setup with CRM 2015, CRM 2013, CRM 2011. Now we are updating this post to support CRM 2016.

                                  Microsoft have a compatibility listing for CRM 2016 here: https://support.microsoft.com/en-us/kb/3124955

                                  The Development Setup

Once again we are running this configuration as a test environment for development. As such, we are running the server on a Hyper-V server: a single VM that is running a fully patched version of:

• Windows 2012 R2 SP2 64 Bit – (MSDN File: en_windows_server_2012_r2_x64_dvd_2707946)
• SQL 2014 R2 64 Bit – SQL Server 2014 Standard Edition x64 – (MSDN File: en_sql_server_2014_standard_edition_x64_dvd_3932034) – Patched to SP2
• Microsoft Dynamics CRM Server 2016 – en_microsoft_dynamics_crm_server_2016_x86_x64_dvd_7171743

NOTE: The domain we have used for setup with this dev server is: iwebscrm16.com. You can substitute your own domain throughout these step-by-step CRM 2016 IFD instructions.

                                  Getting Windows Server Ready

                                  1. Install and Update Windows 2012 R2.

2. From the Server Manager, select Add Roles and Features

3. Role-Based or Feature-Based installation

                                  Windows 2012 Install Roles

                                  4. Select the Server from the Pool (usually the default option)

                                  5. Scroll Down and Select Web Server IIS

                                  6. Add Features

                                  And .NET 3.5 Features

                                  7. Next / Next

8. Under Web Server Roles (IIS), use the default options, but add under Performance – Dynamic Content Compression

                                  Dynamic Compression Install IIS

                                  9. Next / Install

10. Update Windows Server again, as there is likely a restart update available.

                                  11. After Restart. Ensure that you turn off the IE enhanced security. It’s Crap and no one benefits from it. This is done in the Server Manager under Local Security.

                                   

                                  SQL 2014 Setup

                                  1. First Up have the Windows Server Join the Domain you will be using.

                                  2. Reboot and login with the domain admin account.

                                  3. Start the SQL Install Disk

4. Click Installation / New SQL Server Stand Alone

                                  5. Enter Product Key / Next

                                  6. Agree to Terms / Next

7. Use Microsoft Update / Next

8. Ignore the Windows Firewall Warning at this Stage

9. Select SQL Server Feature Installation / Next

                                  10. Select: Database Engine Service / Full Text Indexing / Reporting Service Native / Management Tools Basic and Complete / Next

                                  SQL Setup for MS CRM 2016

                                  11. Leave Default Name

                                  12. Server Configuration Default and Next

                                  13. Windows Authentication Mode / Add Current User (Remembering we are logged in as a Domain Admin domain/administrator)

                                  14. Install and Configure / Next

                                  15. Install

                                  16. After Completion, Check again for Windows Updates and Reboot. (At the time of writing this blog, the SP 1 for SQL 2014 will be installed if your install disks do not already have this. Like everything Microsoft, it’s not super reliable until they SP1 their product!).

                                   

                                  Getting your Active Directory OU Ready

                                  1. Login to your Active Directory Domain Controller as a Domain Administrator

                                  2. Using the Active Directory Users and Computers, Select the Root and Create a new OU named something like Microsoft CRM 2016

                                  3. Log Out of the Active Directory Domain Server.

                                   

                                  Installing CRM 2016

During the install, we were asked to install the services required for CRM 2016.

                                  CRM 2015 Install Process

                                  We Selected all options on install:

                                  Screenshot 2015 02 12 14 57 24

Select “Create New Deployment” and enter the Server Name as the SQL server.

                                  If you are not sure of the name, Right Click “This Computer” from the start menu, and select Properties:

                                  Screenshot 2016 01 07 19 34 07

Browse to the OU we created in the steps above (Getting your Active Directory OU Ready), and select the OU we created there: “CRM 2016”.

                                  We selected the default account for authority. Note that the blog referenced above suggests a dedicated account for security. As we are setting up a dev environment we did not bother with this.

                                  CRM 2015 Security Account

                                  IMPORTANT

                                  Create a new Website with port 5555

                                  CRM 2015 IFD Website 5555

                                  As we intend to set up the Email Router service on this server later, we set this server “VSERVER06” in this instance as the server for email router service, or you can leave this blank.

We set “CRM2016” as the default initial test environment deployment.

                                  CRM 2016 Setup IFD

                                  Reporting Server defaulted to the server name/reportserver

                                  We received a few warnings about the install:

                                  CRM 2015 Install Warnings

                                  For a deployment that is more secure, the Microsoft Dynamics CRM Sandbox Processing Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

                                  For a deployment that is more secure, the Microsoft Dynamics CRM VSS Writer Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

                                  Data encryption will be active after the install or upgrade. We strongly recommend that you copy the organization encryption key and store it in a safe place. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

The only one of real interest in our dev environment would be the last item. Making a backup of data encryption keys is always a good idea.

                                  Test First

                                  Test that your CRM setup is working. Go to the local computer name (ours is vserver12) on the correct port: http://vserver12:5555

                                  We called our Deployment of CRM – “CRM2016″ in the CRM Setup phase above, so the URL redirects to: http://vserver12:5555/CRM2016/main.aspx

Because we were logged in as the server administrator, we were able to load the page, but it may take some time to fire up the various server requirements.

                                  Microsoft CRM 2016 Home Page

                                  Apply a Wildcard SSL Certificate

In CRM, access to deployments is handled by subdomains. So if we call a deployment (known as an organisation) “business1”, we will access it as: https://business1.domain.com:444 (note that the :444 is because of how we set up Internet Facing Deployment).

For testing, we purchased a standard wildcard SSL certificate and applied that to the IIS server.

In our case we registered a test domain, iwebscrm16.com, set the SSL wildcard to *.iwebscrm16.com, and applied that cert to the server. The service we used for purchasing the wildcard certificate was starts.com, who provide a very cost-effective certificate service. Once authenticated, certificates are free to issue.

                                  Application for a certificate

Here, using a wildcard certificate as the example, is how to create a certificate:

1) Open IIS Manager

2) Click the server name, then in the main screen double-click Server Certificates

3) In the right panel, click Create Certificate Request…

4) Fill in each field of the form, then click Next

5) On the Cryptographic Service Provider Properties page, change the Bit Length to at least 2048, then click Next.

6) On the File Name page, enter C:\req.txt, and then click Finish. (You can save it any place you like, with any name.)

7) Open the request file in Notepad, and copy the contents.

                                  This is the text that is pasted into the Start SSL Certificate request page to generate the certificate:

                                  Screenshot 2014 07 05 18 55 03

8) After you finish generating the certificate text in StartSSL.com (note that Start SSL is no longer an SSL certificate provider; we suggest ssl2buy.com), you get a bunch of code that looks similar to the request code. Copy that generated code.

9) Paste the code back into a new text / Notepad document on the web server, but call it something that ends in .cer (not .txt).

10) Back in IIS Manager, in the same panel as in step 3), click Complete Certificate Request…

11) Select the file you created at point 9 above to complete the request.

                                  12) Click OK.
                                  Note: We did get an error message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
                                  In this instance, it turned out to be a crappy Microsoft Error. After doing some research, we found that it was likely meaningless and the cert installed correctly. We rebooted the machine and logged in again, to find that the CERT was there installed as we wanted it to be.

                                  Binding site for the default SSL certificate

                                  1) Open IIS Manager.

                                  2) In the Connections panel, expand Sites , click Default Web Site.

                                  3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created (*.contoso.com), and then click OK.

                                   Ours is *.iwebscrm15.com

                                  CRM 2015 SSL

                                  7) Click Close.

                                  For the CRM 2016 binding site SSL certificate

                                  This is in effect repeating the above process like you did for the default certificate, but using a different port (444 for example). This way you are binding the same certificate to the two websites in your IIS instance.

1) Open IIS Manager.

                                  2) In the Connections panel, expand Sites , click CRM Web Site.

                                  3) In the Actions pane, click Bindings.

                                  4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created (*.contoso.com).

7) For Port, select a port number other than 443 (e.g. 444), and then click OK

                                   SSL CERT CRM 2015

                                  8) Click Close.

                                  DNS configuration

                                  We are going to add a few DNS “A” records so that the records listed in point 1-4 below in DNS Goal are resolving correctly to the IP address of your CRM server.

There are two ways you can achieve the desired result. But first let's understand the desired result.

1. We make the assumption that your server is running at least one static IP address.
2. Because this is Internet Facing, that IP needs to be accessible to the world.
3. That same IP can be used for access to your server both internally on the machine we are playing with, and externally from anyone on the net.

Let's Get Basic

                                  Start a Command Prompt, and work out what your IP address of the server is.

                                  Click START > RUN > CMD

                                  Type IPCONFIG – Enter

                                  Under the name: IPv4 Address is a number that looks like: 66.34.204.220

                                  That is Your IP Address of the Server.

                                  The DNS Goal

                                  Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.

                                  (xxx is the sub domain that we are about to configure.)

                                  To configure CRM, we need some sub domains to point to the server IP.
                                  Adding records in DNS like this:

                                  1. sts1.domain.com
                                  2. auth.domain.com
                                  3. dev.domain.com
                                  4. internalcrm.domain.com
                                  5. Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.
                                  6. crm2016.iwebscrm16.com (We usually set up a dev environment with CRM2016 being the year of the version. Just something we select to do).
                                  7. adfs.domain.com (used for reference to the ADFS server)
                                  8. one for the root domain so that domain.com points to the same server. (This is for the ADFS logout URL)

                                  CRM 2015 IFD DNS SETTINGS

                                  We have two setup here: CRM and CRM2016. So we need to configure crm.iwebscrm16.com and crm2016.iwebscrm16.com (Not necessary but our choice for this instance).

                                  DNS The Easy Way!

                                  The really easy way to solve all this (now we have explained the background) is to simply create a * A record that points to the machine we are using to set up the CRM system.

                                  Test DNS

                                  You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server. At the command prompt, type “ping sts1.iwebscrm15.com” for example with our config. Ping them all to be sure you get them correct. 

Note: If you have added the DNS records but still encounter name resolution problems, you can try running ipconfig /flushdns on the client to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.

                                  Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.
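The DNS test described above, scripted as an added example (not part of the original post). It uses the post's test domain and example IP address as sample inputs; the `$Resolvers` list and the function name `Test-IfdRecord` are assumptions made for this example.

```powershell
# Added example: checks that every IFD host name resolves to the CRM server.
# Requires Resolve-DnsName (Windows Server 2012 or later).
$Domain     = 'iwebscrm16.com'   # test domain used in this post; substitute yours
$ExpectedIp = '66.34.204.220'    # example address from the IPCONFIG step; substitute yours
$Labels     = 'sts1', 'auth', 'dev', 'internalcrm', 'adfs', 'crm2016'

# $null means "the resolver this machine is configured to use". Add the IP
# address of an outside resolver to this list to check the external view too.
$Resolvers  = @($null)

function Test-IfdRecord {
    param([string]$Name, [string]$ExpectedIp, [string]$Resolver)

    # -DnsOnly skips the hosts file and NetBIOS so only real DNS answers count.
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Resolver) { $query.Server = $Resolver }

    try {
        $addresses = @(Resolve-DnsName @query |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress })
    } catch {
        $addresses = @()   # no such name, timeout, or resolver unreachable
    }

    # A name passes only if it resolves and every address is the expected one.
    $unexpected = @($addresses | Where-Object { $_ -ne $ExpectedIp })
    [pscustomobject]@{
        Name      = $Name
        Resolver  = if ($Resolver) { $Resolver } else { '(system default)' }
        Addresses = $addresses -join ', '
        Ok        = ($addresses.Count -gt 0) -and ($unexpected.Count -eq 0)
    }
}

# The root domain is included because it is used for the ADFS logout URL.
$names = @($Domain) + @($Labels | ForEach-Object { '{0}.{1}' -f $_, $Domain })

$results = foreach ($resolver in $Resolvers) {
    foreach ($name in $names) {
        Test-IfdRecord -Name $name -ExpectedIp $ExpectedIp -Resolver $resolver
    }
}

$results | Format-Table Name, Resolver, Addresses, Ok -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} record(s) missing or pointing elsewhere; fix DNS before continuing." -f $failed.Count)
}
```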

                                   

                                  Firewall configuration

                                  You need to configure the firewall to allow the inbound ports used by CRM 2013 and AD FS 3.0. HTTPS (SSL) uses port 443 by default.

                                  For initial setup and testing, we recommend just turning the thing off. Better to start from a place where it does not muck you around, then turn it all back on after you are successful.

                                  1) In Windows 2012 I can’t frigging work out how to find anything. Literally!  But most things you can search for. As is the case here if you search for “Firewall”. Select the firewall option:

                                  Screenshot 2015 02 18 18 14 37

                                  2) Select Turn Windows Firewall on or off

                                  Screenshot 2015 02 18 18 16 04

                                  4) Turn Off or On Firewall

                                  Screenshot 2014 07 05 19 33 53

                                  Just turn it all off for now. (Remember to come back, turn it on and allow access for the unusual port 444 that you configured earlier for the SSL on the CRM site.) But for testing and setting up… the last thing you want is to be banging your head against a firewall.

                                  Screenshot 2015 02 18 18 18 31

                                  Snapshots

                                  Just a reminder that at this point we have been keeping snapshots on our Hyper-V environment to allow us to fail back to a location and try again. This is really useful for the setup of something like this that has a lot of moving parts.

                                  CRM 2016 Snapshots

                                  Configuration Claim-based authentication internal access

                                  Configuring claims-based authentication for internal access requires the following steps:

                                  • Install and configure AD FS 3.0.
                                  • Configure claims-based authentication on the CRM 2016 server.
                                  • Configure claims-based authentication on the AD FS 3.0 server.
                                  • Test claims-based authentication for internal access.

                                  Install and configure ADFS 3.0

                                  This article uses Active Directory Federation Services (AD FS) 3.0 to provide a security token service (STS).

                                  Note: AD FS 3.0 will be installed to the default site, so before you install AD FS 3.0 you must have CRM 2016 installed in a new site. (Remember we said that earlier)

                                  IIS Looks like this if it is correctly installed: image

                                  If you only see the default website with CRM installed in that. Start AGAIN! – We are working with the process as shown here.

                                  Install ADFS Server Role

                                  From Server Manager – Add A Server role for: Active Directory Federation Services

                                  Screenshot 2014 07 05 19 39 54 

                                  Screenshot 2015 02 18 18 24 23

                                  Screenshot 2015 02 18 18 24 53

                                  Screenshot 2015 02 18 18 25 34

                                  Click Install at the last step.

                                  Screenshot 2015 02 18 18 26 20

                                  After it finishes:

                                  Configure the Federation service on this server

                                  Click Configure the federation service on this server.

                                  Configure AD FS 3.0

                                  1 Click on Configure the federation service on this server.

                                  2 In the AD FS 3.0 Management page, click AD FS 3.0 Federation Server Configuration Wizard.

                                  3 In the Welcome page, select Create the first federation server in a federation server farm, and then click Next.

                                  Screenshot 2014 07 05 19 43 52

                                  4 Select next to continue with the current administrator (must be a domain admin).

                                  Screenshot 2014 07 10 16 34 34

                                  5 Choose your SSL certificate (the one we created and imported above, i.e. *.iwebscrm15.com), add a Federation Service name (selecting the second one from the dropdown, in this instance iwebscrm15.com; don’t select the one with the wildcard in the name, so not *.iwebscrm15.com for example), then select a Service Display Name for your business, selecting the one that does NOT start with a *, then click Next.

                                  ADFS Setup with CRM 2016

                                  6 Open PowerShell and run the following command: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

                                   Screenshot 2014 07 10 16 40 55

                                  Screenshot 2015 02 18 18 42 53

                                  If you don’t, you will see the error: Group Managed Service Accounts are not available because the KDS Root Key has not been set.

                                  7 We specified the Administrator account for the service account, as security is not our primary concern here with a Dev environment. You could and probably should use a defined account for a production environment.

                                  ADFS Service Account

                                  7 Create a database on this server using Windows Internal Database (or you can use SQL instance in the step below), click Next.

                                  Screenshot 2014 07 10 16 43 30

                                  Or use the local SQL instance etc. if you have one. (Because we have SQL installed on this same server, we are using this SQL instance for the database host.)

                                  ADFS SQL Database

                                  Note that this will create two new databases in SQL.

                                  ADFS SQL Databases 

                                  8 Review Options click Next

                                  Screenshot 2015 02 18 18 49 33

                                  9 Pre-requisites checklist, click Configure

                                  Screenshot 2014 07 10 16 45 44

                                  10 You should see a message that “This Server was successfully configured”

                                  Screenshot 2015 02 18 18 53 47

                                  11 Close out the Installation progress window

                                  Screenshot 2015 02 18 18 54 07

                                  Screenshot 2015 02 18 18 54 33

                                  Verify the AD FS 3.0 is working

                                  Follow the steps below to verify that the AD FS 3.0 is working :

                                  1 Open Internet Explorer.

                                  Under Internet Options

                                  IE Options

                                  Security / Local Intranet

                                  Screenshot 2015 02 19 08 49 36

                                  Sites / Advanced

                                  IE Sites Advance

                                  Add *.domain.com to the websites. In our case here we added: *.iwebscrm16.com

                                  Screenshot 2016 01 08 12 29 46

                                  Close all this down when added.

                                  2 Now we need to browse to the federation metadata in Internet Explorer to test that access is working.

                                  Use the URL below as an example to browse to your own server. Remember that we set up a DNS entry earlier for “ADFS” on your domain, so you should be able to browse to the URL below, replacing our domain name with yours, and have it access the server we are configuring.

                                  • https://adfs.iwebscrm16.com/federationmetadata/2007-06/federationmetadata.xml

                                  (Replace your domain name in place of ours, iwebscrm16.com)

                                  3. Ensure that no certificate-related warning appears; you can view the certificate to be sure it is showing.

                                  Screenshot 2016 01 08 12 34 21

                                  Check the certificate is correct and working by clicking on the padlock looking thing and viewing certificate.

                                  Screenshot 2016 01 08 12 34 59 

                                  Take another Snapshot!

                                  Claims-based authentication configuration CRM 2016 server

                                  After you install and configure AD FS 3.0, we need to configure claims-based authentication before setting the CRM 2016 binding types and the root domain.

                                  1 Open the CRM Deployment Manager.
                                  CRM 2016 Deployment Manager

                                  2 In the Actions pane , click Properties .

                                  3 Click the Web Address page.

                                  4 In the Binding Type , select HTTPS .

                                  Screenshot 2014 07 10 17 09 07

                                  CRM 2017 hsttps

                                  5. Change the Server name to the internalcrm.domain.com:444 format. In our case here. internalcrm.iwebscrm16.com:444

                                  CRM 2016 IFD

                                  6. Then Apply

                                  7. Then OK to close

                                  8 In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

                                  Screenshot 2014 07 10 17 59 37

                                  9 Click Next on the Welcome page

                                  10  On the Specify the security token service page, enter the Federation metadata URL, in our case because we setup a DNS record for “adfs” we are going to use that: https://adfs.iwebscrm16.com/federationmetadata/2007-06/federationmetadata.xml 
                                  Note: this is the same URL we used to test that ADFS was set up correctly in the steps above. Also note that the step of adding the domain to internal sites in the IE security settings that we did above is an important one! If you can’t hit that URL in the web browser of the server and get a clean XML defined page, then your deployment will not work.

                                  CRM 2015 Claims Based Authentication

                                  11 Click Next, then select the certificate that we created previously for the *.domain connection

                                  CRM 2016 Certificate

                                  12 Select Next
                                  Note: At this point it is possible to get an error something along the lines of “Encrypted Certificate Error”. This is implying that the account used to run CRM does not have access to the Private Key of the certificate being used. Skip forward to point 25 below, and add the service accounts that CRM is using to the private key of the certificate to be used. This will ensure that this next configuration step has access to the certificate. Then come back to this point and continue. 

                                  Screenshot 2014 07 10 18 09 58

                                  13 Select Apply (BUT – NOT FINISH)

                                  Screenshot 2014 07 10 18 10 31

                                  14 IMPORTANT – Click View Log File

                                  Screenshot 2016 01 08 13 06 25

                                  15 Scroll to the end, and Copy the URL from the bottom of the file.

                                  CRM 2016 Internal Federation Metadata URL

                                  This will be used in the next configuration. 
                                  Note: that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this). In our case the URL looked like this: https://internalcrm.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml

                                  16 Click Finish.

                                  Set the CRM AppPool account and the Microsoft Dynamics CRM Encryption certificate.

                                  17 Right Click the Start Button and select RUN

                                  18 Type MMC and enter

                                  Run MMC

                                  19 Select File / Add/Remove Snap-in

                                  Add Remove Snap-in

                                  20 Select Certificates and Add

                                  Add Certificates MMC

                                  21 Select Computer Account

                                  Computer Account

                                  22 Local Computer is selected, so click Finish

                                  Screenshot 2015 02 19 16 57 47

                                  23 Expand the console tree / Personal / Click Certificates

                                  Screenshot 2015 02 19 17 00 09

                                  24 Right click the certificate we used for the CRM endpoint, and select All Tasks / Manage Private Keys

                                  CRM IFD Manage Private Keys

                                  25 Select Add

                                  Screenshot 2015 02 19 17 04 11

                                  Note here: If you do not have the “adfssrv and drs” accounts listed, you will have problems. The solution though is to do this at this point:

                                  Open Powershell as Administrator and run: dir Cert:\LocalMachine\My\

                                  Screenshot 2017 12 06 10 57 53

                                  Then, using the thumbprint of the certificate related to this install, run the following command, again in PowerShell: Set-AdfsSslCertificate -Thumbprint 19A0100267EB5D2FC0132260995F6D38C40EBEA1

                                  This will add the two above mentioned accounts to the security of the certificate. This we found in one setup was not automatically done and caused us a large headache. 

                                  26 Select Advanced

                                  Screenshot 2015 02 19 17 11 47

                                  27 Select Find Now

                                  Screenshot 2015 02 19 17 12 34

                                  28 Scroll Down and Find the NETWORK SERVICE Account

                                  Network Service Account

                                  29 Select OK / OK

                                  Screenshot 2015 02 19 17 15 08

                                  Ensuring that the NETWORK SERVICE has Read Access

                                  Screenshot 2015 02 19 17 40 44

                                  Note: We have used the NETWORK SERVICE account here because that is the one associated with the CRMAppPool used in IIS by default for the Microsoft Dynamics CRM Website that was automatically configured with the CRM setup.

                                  Screenshot 2015 02 19 17 19 28

                                  CRMAppPool

                                  If you are using another account for running the application pool, then you should ensure that this account has access to the encryption certificate. Some details can be found here.

                                  30 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2016 server.

                                  The URL Above that we are checking is the one from the View Log step, that we said to copy.

                                  Screenshot 2015 02 19 18 24 33

                                  Once you can browse this URL, you are done. If it fails, repeat the process until you can access the URL on the server in question. Note: Often the cause is confusion between the port :5555 that defaults in the CRM Deployment Manager Web settings and the HTTPS port :444 that we defined in the binding for the Microsoft Dynamics CRM website. So double check that you have the correct port set in the Deployment Manager, then run the steps again following that setting.

                                  Checkpoint the Hyper-V at this point.
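
                                  The Manage Private Keys steps above can be checked from PowerShell. The following is an added example, not part of the original post: it finds the private key file behind a certificate thumbprint and reports who can read it. It assumes .NET Framework 4.6 or later and an RSA key in the machine store; the full NT SERVICE\ names are an assumed spelling of the accounts the post calls “adfssrv and drs”, and the list of broad groups is likewise an assumption.

```powershell
# Added example: audit the ACL on the private key of the certificate used for CRM / AD FS.
# Assumptions: run elevated on the server, .NET Framework 4.6+, RSA key in the machine store.
param(
    [Parameter(Mandatory = $true)]
    [string]   $Thumbprint,      # taken from: dir Cert:\LocalMachine\My\
    # Identities that need Read: the default CRMAppPool account plus the AD FS service identities.
    [string[]] $RequiredReaders = @('NT AUTHORITY\NETWORK SERVICE', 'NT SERVICE\adfssrv', 'NT SERVICE\drs'),
    # Broad groups that should not be able to read the key of a wildcard certificate.
    [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
)

function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { throw "Certificate $($Certificate.Thumbprint) has no accessible RSA private key." }

    # CNG keys expose the key file name via Key.UniqueName, legacy CSP keys via CspKeyContainerInfo.
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $fileName = $rsa.Key.UniqueName
    } else {
        $fileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine keys live in one of these two folders depending on the key storage provider.
    $folders = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
    )
    foreach ($folder in $folders) {
        $candidate = Join-Path $folder $fileName
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    throw "Key file '$fileName' was not found in the machine key folders."
}

$cert    = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint"
$keyPath = Get-PrivateKeyPath -Certificate $cert
$read    = [System.Security.AccessControl.FileSystemRights]::Read

# One row per ACL entry; CanRead is true only for Allow entries that include every Read bit.
$entries = (Get-Acl -LiteralPath $keyPath).Access | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.IdentityReference.Value
        Type     = $_.AccessControlType
        CanRead  = ($_.AccessControlType -eq 'Allow') -and (($_.FileSystemRights -band $read) -eq $read)
        Rights   = $_.FileSystemRights
    }
}

"Certificate : $($cert.Subject)"
"Key file    : $keyPath"
$entries | Format-Table -AutoSize

$readers = @($entries | Where-Object { $_.CanRead } | ForEach-Object { $_.Identity })
foreach ($id in $RequiredReaders) {
    if ($readers -notcontains $id) { Write-Warning "$id has no Read access to the private key." }
}
foreach ($id in $BroadPrincipals) {
    if ($readers -contains $id) { Write-Warning "$id can read the private key; remove this entry." }
}
```

                                  If the application pool runs under an account other than NETWORK SERVICE, pass that account in -RequiredReaders instead.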

                                   

                                  Claims-based authentication configuration AD FS 3.0 server

                                  Start AD FS 3.0 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

                                  Screenshot 2016 01 08 13 15 35

                                  Screenshot 2014 07 10 18 27 02

                                   

                                  In the Rules Editor, click Add Rule, In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next

                                  Screenshot 2014 07 10 18 27 33

                                   

                                  Step10: Create the following rule

                                  Claim rule name: UPN Claim Rule (or something descriptive)
                                  Attribute store: Active Directory
                                  LDAP Attribute: User Principal Name
                                  Outgoing Claim Type: UPN

                                  Screenshot 2014 07 10 18 34 58

                                  Click Finish, and then click OK to close the Rules Editor

                                  After you enable claims-based authentication, you must configure Dynamics CRM Server 2016 as a relying party to consume claims from AD FS 3.0 for authenticating internal claims access.

                                  Add Relying Party Trusts to AD FS

                                  Start AD FS Management. Select Trust Relationships / Relying Party Trusts. Then On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

                                  AD FS Relying Party Trust

                                  On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file during the creation of the CRM Claims Based Authentication. e.g. https://internalcrm.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml – Note it is probably still open in your browser in the background.

                                  Screenshot 2016 01 08 13 21 41

                                  On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

                                  Screenshot 2014 07 10 18 40 57

                                  Click Next on the multi-factor authentication options.

                                  Screenshot 2014 07 10 18 41 35

                                  On the Choose Issuance Authorisation Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

                                  Screenshot 2014 07 10 18 41 44

                                  On the Ready to Add Trust page Click Next

                                  CRM 2016 Relying Party Trust

                                  On Finish Page, click the checkbox option to Open the Edit Claim Rules, Next, and then click Close.

                                  Screenshot 2015 02 19 19 04 59

                                  The Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

                                  Screenshot 2014 07 10 18 42 52

                                  In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

                                  Screenshot 2014 07 10 18 44 21

                                  Create the following Rule #1
                                  Claim rule name: Pass Through UPN (or something descriptive)
                                  Incoming claim type: UPN
                                  Pass through all claim values

                                  Click Finish.

                                  Screenshot 2014 07 10 18 44 59

                                  Screenshot 2014 07 10 18 50 07

                                  In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

                                  Screenshot 2014 07 10 18 50 26

                                  Create the following Rule #2

                                  Claim rule name: Pass Through Primary SID (or something descriptive)
                                  Incoming claim type: Primary SID
                                  Pass through all claim values

                                  Click Finish

                                  Screenshot 2014 07 10 18 51 11

                                  Screenshot 2014 07 10 18 51 23

                                  In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

                                  Screenshot 2014 07 10 18 51 59

                                  Create the following rule #3

                                  Claim rule name: Transform Windows Account Name to Name (or something descriptive)
                                  Incoming claim type: Windows account name
                                  Outgoing claim type: Name
                                  Pass through all claim values

                                  Screenshot 2016 01 11 20 20 17

                                  Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

                                  Screenshot 2014 07 10 18 53 20

                                  Click OK

                                  Enable Forms Authentication

                                  In AD FS on Windows Server 2012 R2, forms authentication is not enabled by default.

                                  Open the AD FS management console and click Authentication Policies. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

                                  Screenshot 2015 02 19 19 13 39

                                  Under Intranet, enable (check) Forms Authentication

                                  Screenshot 2014 08 02 18 06 40

                                  So now we have claims setup for CRM.

                                  Add the ADFS server to the Local intranet zone.

                                  We previously added the *.domain.com or in our case, *.iwebscrm16.com to the Local intranet zone in Internet explorer on the server. If you have not done this you should do it now. Then:

                                  1. Open Internet Options Select the Advanced tab. Scroll down and verify that under Security Enable Integrated Windows Authentication is checked.

                                  Screenshot 2015 02 19 19 37 22

                                  2. Click OK to close the Internet Options dialog box. You will need to update the Local intranet zone on each client computer accessing Microsoft Dynamics CRM data internally.

                                  Specify the security token service

                                  1 Open a command line tool .

                                  2 Enter the following command (when applying this in your own environment, substitute your own names in the command):

                                  setspn -a http/sts1.iwebscrm16.com fserver4\VSERVER40

                                  – Note – enter the command without any quotation marks.

                                  fserver4\VSERVER12 = the domain / machine name of the server.

                                  Screenshot 2015 02 19 21 33 22

                                  c:\> iisreset

                                  Probably good to do a Snapshot again!

                                  Configure Internet-Facing Deployment in CRM Deployment Manager.

                                  1 Open the CRM Deployment Manager.

                                  2 In the tree structure , right-click Microsoft Dynamics CRM , and then click Configure Internet-Facing Deployment.

                                  Screenshot 2014 08 02 18 14 52

                                  3 Click Next.

                                  Screenshot 2014 08 02 18 15 20

                                  4 Fill in the correct domain information for the Web Application

                                  Thus we use:

                                  • Web Application Server Domain: iwebscrm16.com:444
                                  • Organization Web Service Domain: iwebscrm16.com:444
                                  • Web Service Discovery Domain: dev.iwebscrm16.com:444

                                  Leave the Default option for the Internet Facing Server Location

                                  Screenshot 2016 01 10 14 39 32

                                  System Checks work

                                  Screenshot 2015 02 19 20 18 19

                                  IFD Summary looks like this. Then Apply

                                  Screenshot 2016 01 10 14 40 02

                                  Finish

                                  Screenshot 2015 02 19 20 19 41

                                  9. Open a command line tool, run: iisreset

                                  Screenshot 2015 02 19 22 11 38

                                   

                                  ADFS Relying Party Trust for the IFD Endpoint

                                  Effectively you are creating the third Relying party trust in your deployment and the second that you have manually set up at this point. We are doing this again as this is now for the IFD endpoint.

                                  Step 1: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

                                  Step 2: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

                                  For example, https://auth.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml (Remember to replace your domain for ours)

                                  Type this URL in your browser and verify that no certificate-related warnings appear.

                                  Screenshot 2016 01 10 14 45 48

                                  Step 3: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next

                                  Screenshot 2016 11 21 13 39 52

                                  Step4: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

                                  Screenshot 2015 02 19 21 51 44

                                  Click Next

                                  Screenshot 2016 11 21 13 49 04

                                  Screenshot 2015 02 19 21 52 25

                                  Step 5: On the Ready to Add Trust page, click Next, and then click Close.

                                  Step 6: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule

                                  Screenshot 2016 11 21 13 49 53

                                  Step 7: In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

                                  Screenshot 2016 11 21 13 54 38

                                  Step 8: Create the following rule#1

                                  Claim rule name: Pass Through UPN (or something descriptive)

                                  Incoming claim type: UPN

                                  Pass through all claim values

                                  Click Finish

                                  Screenshot 2016 11 21 13 55 24

                                  Step 9: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

                                  Screenshot 2016 11 21 13 56 06

                                  Step 10: Create the following rule#2

                                  Claim rule name: Pass Through Primary SID (or something descriptive)

                                  Incoming claim type: Primary SID

                                  Pass through all claim values

                                  Click Finish

                                  Screenshot 2016 11 21 13 56 49

                                  Step 11: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

                                  Screenshot 2016 11 21 13 58 18

                                  Step 12: Create the following rule #3

                                  Claim rule name: Transform Windows Account Name to Name (or something descriptive)

                                  Incoming claim type: Windows account name

                                  Outgoing claim type: Name

                                  Pass through all claim values

                                  Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

                                  Screenshot 2016 01 11 20 19 11

                                  Now, you should see three Relying Party Trusts in the ADFS Trust Relationships.

                                  Screenshot 2015 02 19 22 23 41
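
                                  The two relying party trusts built by hand above (the internal claims endpoint and the IFD endpoint) use the same three rules, so they can also be created from a script and reviewed as text. The following is an added example, not part of the original post: it assumes the AD FS PowerShell module on the AD FS server, uses the post's example display names and metadata URLs, and writes the rules in AD FS claim rule language with the standard claim type URIs.

```powershell
# Added example: create a CRM relying party trust with the three claim rules from this walkthrough.
# Assumptions: run elevated on the AD FS server; names and URLs are the post's examples.
Import-Module ADFS

# Rule #1 and #2 pass UPN and Primary SID through; rule #3 maps Windows account name to Name.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Equivalent of leaving "Permit all users to access this relying party" selected in the wizard.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

function Add-CrmRelyingPartyTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [uri]    $MetadataUrl
    )

    # Federation metadata carries the signing keys AD FS will trust, so only accept HTTPS.
    if ($MetadataUrl.Scheme -ne 'https') { throw "Metadata URL for '$Name' must use https." }

    if (Get-AdfsRelyingPartyTrust -Name $Name) {
        Write-Warning "Relying party trust '$Name' already exists; leaving it unchanged."
        return
    }

    Add-AdfsRelyingPartyTrust -Name $Name -MetadataUrl $MetadataUrl `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authorizationRules
}

$trusts = @(
    @{ Name = 'CRM Claims Relying Party'; Url = 'https://internalcrm.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml' },
    @{ Name = 'CRM IFD Relying Party';    Url = 'https://auth.iwebscrm16.com:444/FederationMetadata/2007-06/FederationMetadata.xml' }
)

foreach ($trust in $trusts) {
    Add-CrmRelyingPartyTrust -Name $trust.Name -MetadataUrl $trust.Url
}

# Report what AD FS now holds so the rules can be checked against the walkthrough.
foreach ($trust in $trusts) {
    $rp = Get-AdfsRelyingPartyTrust -Name $trust.Name
    if (-not $rp) { Write-Warning "Trust '$($trust.Name)' was not created."; continue }
    [pscustomobject]@{
        Name       = $rp.Name
        Enabled    = $rp.Enabled
        Identifier = $rp.Identifier -join ', '
        RuleCount  = ([regex]::Matches($rp.IssuanceTransformRules, '@RuleName')).Count
    }
}
```

                                  Each trust should report a RuleCount of 3. Use either the wizard or the script for a given trust, not both.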

                                  Step 13 – Change Port

                                  Open Powershell and run this command

                                  Set-ADFSProperties -nettcpport 809


                                  Screenshot 2016 01 11 19 58 17

                                  Restart the ADFS in Services

                                  Restart IIS in CMD

                                  iisreset

                                  Browse to the URL: https://sts1.iwebscrm16.com/adfs/services/trust/mex  (replacing the iwebscrm16.com with your domain). You should be able to hit this URL and get a result looking like this:

                                  adfs services trust mex

                                   

                                  Test External Access to CRM 2016 with IFD

                                  Now you should be able to access CRM 2016 externally using claims-based authentication. In IE, browse to the CRM 2016 external address (for example: https://crm2016.iwebscrm16.com:444/main.aspx ); you should be able to log in successfully.

                                  Screenshot 2016 01 11 19 21 09

                                  CRM 2016 Login Default Page

                                  Problems We Encountered

                                  While developing this blog post we encountered many small errors along the way. We have reverted to CheckPoints and fixed the instructions to allow you to avoid them. One thing we would say is that when you are resolving errors, they are most likely associated with the AD FS IFD login. When this happens, the AD FS Event Log is your best friend. Look the Event ID errors up in Google and resolve as best you can. Checkpoints are also your friend here!

                                   

                                  Turn the Firewall Back On

                                  As you may expect, this is a rather important last step

                                  1. Turn on all Firewall Settings as they were at the start

                                  Screenshot 2015 02 19 22 50 17

                                  2. Click Advanced Settings 

                                  Screenshot 2015 02 19 22 51 06

                                  3. Click Inbound Rules / New Rule

                                  Screenshot 2015 02 19 22 52 22

                                  4. Select Port / Next

                                  Screenshot 2015 02 19 22 46 28

                                  5. Select TCP and Specify Port 444

                                  Screenshot 2015 02 19 22 46 54

                                  6. Allow the Connection

                                  Screenshot 2015 02 19 22 47 08

                                  7. Domain, Private and Public all ticked.

                                  Screenshot 2015 02 19 22 47 28

                                  8. Give it a name like: CRM Port 444

                                  Screenshot 2015 02 19 22 47 46
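
                                  The same firewall steps scripted in PowerShell, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (NetSecurity module) and an elevated session; the rule name and port are the ones used in steps 5 and 8.

```powershell
# Added example: re-enable the firewall and allow inbound TCP 444 for the CRM site.
$ruleName = 'CRM Port 444'   # name suggested in step 8
$port     = 444              # HTTPS port bound to the CRM website earlier

# Step 1: turn the firewall back on for every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Steps 3-8: create the inbound allow rule only if it is not already there,
# so the script can be re-run without piling up duplicate rules.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction Inbound `
                        -Protocol TCP `
                        -LocalPort $port `
                        -Action Allow `
                        -Profile Domain,Private,Public | Out-Null
}

# Verify: every profile should report Enabled = True ...
Get-NetFirewallProfile | Select-Object Name, Enabled

# ... and the rule should be enabled, inbound, and scoped to the expected port.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```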

                                  And you are about finished. Remember, if in the future you are mucking with something and getting nowhere, turn off the Firewall as a starting point. Banging heads with firewalls is a waste of time!

                                  Remember to test access again externally!

                                   

                                  Your Feedback and Our Services

                                  Please post a comment or note if you have anything to add about these notes. We welcome feedback that helps us improve them.

                                  If you have a need for CRM 2016 Developer Services, we offer professional services and support for CRM 2016. This includes upgrade services for upgrading from any of the past CRM releases to new ones. We also write custom plugin solutions and are specialists with advanced web services and portals that connect to CRM for many applications. http://www.interactivewebs.com/crm and websites.

                                   

                                   

                                   

                                  The trust relationship between this workstation and the primary domain failed Hyper-V Server

                                  The trust relationship between this workstation and the primary domain failed

                                  When playing around with some Hyper-V servers that have been inactive for some time, we received an error:

                                  Screenshot 2016 01 05 19 31 45

                                  This happens because Active Directory is doing a lot more than simple user name and password storage. We found that a Hyper-V system that remains off for some time and is then turned on again can suffer this. The reason for this has to do with the way that some applications use the Active Directory. Take Exchange Server, for example. Exchange Server stores messages in a mailbox database residing on a mailbox server. However, this is the only significant data that is stored locally on Exchange Server. All of the Exchange Server configuration data is stored within the Active Directory. In fact, it is possible to completely rebuild a failed Exchange Server from scratch (aside from the mailbox database) simply by making use of the configuration data that is stored in the Active Directory.

                                  Some other blogs suggest simply resetting the computer account. To do so, open the Active Directory Users and Computers console and select the Computers container. Right click on the computer that you are having trouble with. Select the Reset Account command from the shortcut menu, as shown in Figure 2. When you do, you will see a prompt asking you if you are sure that you want to reset the computer account.  Click Yes and the computer account will be reset.

                                  NewImage

                                  This is perfectly safe to do, but is not likely to resolve the issue.

                                  The Fix

                                  1. Log into the server in question using a non-domain admin account.

                                  2. Open PowerShell and run the command:

                                  $credential = Get-Credential

                                  (When prompted, you need to enter the domain administrator account name and password.)

                                  3. Then run the command, passing in the credential you just captured:

                                  Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential

                                  (Replace “ClosestDomainControllerNameHere” with your domain controller or AD domain name, domain.com for example.)

                                  After running this you should be good to login.
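
                                  To confirm the fix rather than finding out at the next login, the reset can be wrapped in a check of the machine's secure channel. This is an added example, not part of the original post; DC01.domain.com is a placeholder for your closest domain controller.

```powershell
# Added example: test the secure channel, reset the machine password only if
# the channel is broken, then test again before logging off the local account.
$dc         = 'DC01.domain.com'     # placeholder: your closest domain controller
$credential = Get-Credential        # domain administrator name and password

# Test-ComputerSecureChannel returns $false while the machine account password
# stored locally no longer matches the one held by Active Directory.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Output 'Secure channel is already healthy; no reset needed.'
}
else {
    Reset-ComputerMachinePassword -Server $dc -Credential $credential

    if (Test-ComputerSecureChannel -Server $dc) {
        Write-Output 'Secure channel repaired; domain logins should work again.'
    }
    else {
        Write-Warning "Secure channel to $dc is still broken. Check DNS, time sync and connectivity to the domain controller."
    }
}
```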

                                  CRM 2013 IFD Setup with ADFS 3.0 on Windows 2012 R2 Hosted Setup

                                  We already have a popular post for the configuration of IFD setup with CRM 2011, and recently we updated this blog to support CRM 2015 here: 

                                  http://www.interactivewebs.com/blog/index.php/crm/how-to-set-up-crm-2015-ifd-on-windows-2012-and-adfs-3-0/

                                  Many of you may find that better for setting up CRM 2013 than this blog, as the data is mostly exactly the same as this blog, but some of the order of things is better described.

                                  Upgrading from CRM 2011 to CRM 2013 and need help? InteractiveWebs offer professional Microsoft CRM Upgrade Services and Support.

                                  The Existing Setup

                                  Because this is a test environment, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:

                                  • Windows 2012 R2 SP2 64 Bit – (MSDN File: en_windows_server_2012_r2_x64_dvd_2707946)
                                  • SQL 2012 R2 64 Bit – (MSDN File: en_sql_server_2012_standard_edition_with_service_pack_2_x64_dvd_4351706)
                                  • Microsoft CRM 2013 64 Bit – (MSDN File: en_microsoft_dynamics_crm_server_2013_sp1_x86_and_x64_4330464)

                                  How to Install CRM 2013

                                  We pretty much followed a combination of these instructions: http://blogs.msdn.com/b/niran_belliappa/archive/2013/11/05/step-by-step-installing-dynamics-crm-2013-on-windows-server-2012.aspx

                                  But we needed some additional steps for the ADFS 3.0. They are mentioned below.

                                  We then patched the server to the latest updates, then ran SP1 for CRM 2013. http://support.microsoft.com/kb/2941390

                                  Importantly

                                  When we setup CRM, we selected the option to NOT use the default website, but configure a new one with the default settings of port 5555. This is necessary as you will see later.

                                  Backup First

                                  In all things Microsoft world, it is vital that you establish a working point to avoid unnecessarily installing things all over again. To get things working we have started fresh over 4 times.

                                  Hyper V is great for this, as we just stopped the server, and made a copy of the VHD file. Then when it is time to start all over, it is just a matter of restoring from copy/backup.

                                  Test First

                                  Test that your CRM setup is working. Go to the local computer name (ours is VSERVER07) on the correct port: http://vserver07:5555

                                  We called our Deployment of CRM “CRM2013”, so the URL redirects to: http://vserver07:5555/CRM2013/main.aspx

                                  and after being prompted for login, we are in and testing.

                                  Screenshot 2014 07 05 16 16 21

                                   

                                  Apply a Wildcard SSL Certificate

                                  In CRM, access to deployments is handled by sub domains. So if we call a deployment “business1” we will access that as: https://business1.domain.com

                                  For testing, we purchased a standard Wildcard SSL certificate and applied it to the IIS7 server.

                                  We used StartSSL, who are as cheap as you will find on the net (free) but require you to jump through a LOT of hoops to get familiar with issuing certificates.

                                  Application for a certificate

                                  Here, using a wildcard certificate as the example, is how to create a certificate request:

                                  1) Open IIS Manager

                                  2) Click the server name, then in the main screen double-click Server Certificates

                                  3) In the right panel, click Create Certificate Request…

                                  image

                                  4) Fill in each field as shown in the following screenshot, then click Next

                                  image

                                  5) On the Cryptographic Service Provider Properties page, change the Bit Length to 2048 and click Next.

                                  Screenshot 2014 07 05 18 50 18

                                  6) In the File Name page, enter C:\req.txt, and then click Finish. (You can save it any place you like, with any name)

                                  7) Open the certificate request file in Notepad, and copy the contents.

                                  Screenshot 2014 07 05 18 53 05

                                  This is the text that is pasted into the Start SSL Certificate request page to generate the certificate:

                                  Screenshot 2014 07 05 18 55 03

                                  8) After you finish generating the certificate text in StartSSL.com you get a bunch of code that looks similar to the request code. Copy that generated code.

                                  9) Paste the code back into a new Text / Notepad Document on the Web server, but call it something that ends in .cer  (not .txt).

                                  10) Back in IIS Manager, in the same panel you used in step 3, click Complete Certificate Request…

                                  11) Select the file you created at point 9 above to complete the request.

                                  12) Click OK.

                                  That completes the wildcard certificate request and the import of the new .CER certificate, ready for use.

                                  Binding site for the default SSL certificate

                                  1) Open IIS Manager.

                                  2) In the Connections panel, expand Sites , click Default Web Site.

                                  3) In the Actions pane, click Bindings.

                                  image

                                  4) In the Site Bindings dialog box, click Add.

                                  5) For Type, select HTTPS.

                                  6) For SSL Certificate, select the certificate you just created (*.contoso.com), and then click OK.

                                  Ours is interactivewebs.com

                                  7) Click Close.

                                  For the CRM 2013 binding site SSL certificate

                                  This is in effect repeating the above process like you did for the default certificate, but using a different port (444 for example).

                                  1) Open IIS Manager.

                                  2) In the Connections panel, expand Sites , click CRM Web Site.

                                  3) In the Actions pane, click Bindings.

                                  4) In the Site Bindings dialog box, click Add.

                                  5) For Type, select HTTPS.

                                  6) For SSL Certificate, select the certificate you just created (*.contoso.com).

                                  7) For Port, select a port number different from 443 (e.g. 444), and then click OK

                                   Screenshot 2014 07 05 19 22 30

                                  8) Click Close.

                                  DNS configuration

                                  We are going to add a few DNS “A” records so that the records listed in point 1-4 below in DNS Goal are resolving correctly to the IP address of your CRM server.

                                  There are two ways you can achieve the desired result. But first let's understand the desired result.

                                  1. We make the assumption that your server is running at least one static IP address.
                                  2. Because this is Internet Facing, that IP needs to be accessible to the world.
                                  3. That same IP can be used for access to your server both internally on the machine we are playing with, and externally from anyone on the net.

                                  Let's Get Basic

                                  Start a Command Prompt, and work out what your IP address of the server is.

                                  Click START > RUN > CMD

                                  Type IPCONFIG – Enter

                                  Under the name: IPv4 Address is a number that looks like: 66.34.204.220

                                  image

                                  That is Your IP Address of the Server.

                                  The DNS Goal

                                  Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.

                                  (xxx is the sub domain that we are about to configure.)

                                  To configure CRM, we need some sub domains to point to the server IP.

                                  Adding records in DNS like this:

                                  Screenshot 2014 07 05 19 28 02

                                  1. sts1.domain.com
                                  2. auth.domain.com
                                  3. dev.domain.com
                                  4. Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.
                                  5. internalcrm.domain.com (used later for internal definition of the CRM server access).
                                  6. adfs.domain.com (used for reference to the ADFS server)
                                  7. one for the root domain so that domain.com points to the same server. (This is for the ADFS logout URL)

                                  Screenshot 2014 07 10 18 04 02

                                  We have two setup here: CRM and CRM2013. So we need to configure crm.iwebscrm.com and crm2013.iwebscrm.com.

                                  Test DNS

                                  You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server.

                                  Note: If you have added the DNS records, but still encounter name resolution problems, you can try running ipconfig /flushdns on the client to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.

                                  image

                                  Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.
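
                                  The internal and external check described above can be run for every name in one go. This is an added example, not part of the original post; domain.com, the organization names, the expected IP and the public resolver 8.8.8.8 are placeholders or assumptions to replace with your own values.

```powershell
# Added example: confirm every required name resolves to the server IP, both with
# the server's own resolver and with a public resolver (the outside-world view).
$domain     = 'domain.com'            # placeholder: your domain
$expectedIp = '66.34.204.220'         # sample address from the ipconfig step; use your own
$orgs       = @('crm', 'crm2013')     # CRM deployment (organization) names
$publicDns  = '8.8.8.8'               # assumption: any public resolver you trust

# Sub domains from the DNS Goal list, plus the root domain (item 7).
$labels = @('sts1', 'auth', 'dev', 'internalcrm', 'adfs') + $orgs
$names  = @($labels | ForEach-Object { "$_.$domain" }) + $domain

function Get-ARecord {
    param([string]$Name, [string]$Server)
    $query = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    # Keep only A records; a CNAME chain also returns the CNAME entries.
    @(Resolve-DnsName @query |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress })
}

$report = foreach ($name in $names) {
    $internal = Get-ARecord -Name $name
    $external = Get-ARecord -Name $name -Server $publicDns
    [pscustomobject]@{
        Name     = $name
        Internal = $internal -join ','
        External = $external -join ','
        Ok       = ($internal -contains $expectedIp) -and ($external -contains $expectedIp)
    }
}

$report | Format-Table -AutoSize

# An empty Internal or External column means the name did not resolve at all.
if ($report.Ok -contains $false) {
    Write-Warning 'At least one name does not resolve to the server IP. Fix DNS before continuing.'
}
```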

                                  Firewall configuration

                                  You need to set the firewall to allow the incoming traffic on the ports used by CRM 2013 and AD FS 2.0. HTTPS (SSL) uses port 443 by default.

                                  For initial setup and testing, we recommend just turning the thing off. Better to start from a place where it does not muck you around, then turn it all back on after you are successful.

                                  1) Control Panel

                                  2) Search Firewall

                                  3) Check Firewall Status

                                  4) Turn Off or On Firewall

                                  Screenshot 2014 07 05 19 33 53

                                  Just turn it all off for now. (Remember to come back, turn it on and allow access for the unusual port 444 that you configured earlier for the SSL on the CRM site.)

                                  Configure claims-based authentication for internal access

                                  Configuring claims-based authentication for internal access requires the following steps:

                                  • Install and configure AD FS 3.0
                                  • Configure claims-based authentication on the CRM 2013 server.
                                  • Configure claims-based authentication on the AD FS 3.0 server.
                                  • Test internal access with claims-based authentication.

                                  Install and configure ADFS 3.0

                                  CRM 2013 works with a variety of security token service (STS) providers. This article uses Active Directory Federation Services (AD FS) 3.0 to provide the security token service.

                                  Note: AD FS 2.0 installs to the default site, so to install AD FS 3.0 you must have CRM 2013 installed in a new site. (Remember we said that earlier)

                                  IIS looks like this if it is correctly installed:

                                  If you only see the default website with CRM installed in it, start AGAIN!

                                  Install ADFS Server Role

                                  From Server Manager – Add A Server role for: Active Directory Federation Services

                                  Screenshot 2014 07 05 19 39 54

                                  After it finishes:

                                  Screenshot 2014 07 05 19 41 52

                                  Click the Configure the Federation Services on this server.

                                  Configure AD FS 3.0

                                  1 Click on Configure the federation service on this server.

                                  2 In the AD FS 3.0 Management page , click AD FS 3.0 Federation Server Configuration Wizard .

                                  3 In the Welcome page , select Create the first federation server in a federation server farm, and then click Next.

                                  Screenshot 2014 07 05 19 43 52

                                  4 Select next to continue with the current administrator (must be a domain admin).

                                  Screenshot 2014 07 10 16 34 34

                                  5 Choose your SSL certificate (the *.domain.com certificate you created), add a Federation Service name (for example, sts1.contoso.com), and select a Service Display Name for your business – selecting the one that is NOT starting with a *, then click Next.

                                  Screenshot 2014 07 10 16 36 32

                                  6 Open PowerShell and run the following command:

                                  Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

                                   Screenshot 2014 07 10 16 40 55

                                  If you don’t, you will see the error: Group Managed Service Accounts are not available because the KDS Root Key has not been set.

                                  7 Create a database on this server using Windows Internal Database, click Next.

                                  Screenshot 2014 07 10 16 43 30

                                  Or use the local SQL instance etc if you have one.

                                  Screenshot 2014 07 31 22 00 47

                                  8 Review Options click Next

                                  Screenshot 2014 07 10 16 44 45

                                  9 Prerequisites checklist, click Configure

                                  Screenshot 2014 07 10 16 45 44

                                  10 You should see a message that “This Server was successfully configured”

                                  Verify the AD FS 3.0 is working

                                  Follow the steps below to verify that the AD FS 3.0 is working :

                                  1 Open Internet Explorer.

                                  2 Enter the federation metadata of the URL , for example:

                                  https://adfs.iwebscrm.com/federationmetadata/2007-06/federationmetadata.xml

                                  (Where sts1.contoso.com represents the DNS A record we setup earlier.  sts1.yourdomainname.com)

                                  3. Ensure that no certificate-related warning appears. You can view the certificate to be sure it is showing.

                                  Screenshot 2014 07 31 18 22 17Screenshot 2014 07 31 18 23 18

                                  Claims-based authentication configuration CRM 2013 server

                                  After you install and configure AD FS 3.0, we need to set the CRM 2013 binding type and root domains before configuring claims-based authentication.

                                  Follow these steps to set the CRM 2013 binding to HTTPS and configure the root domain addresses:

                                  1 Open the CRM Deployment Manager.

                                  2 In the Actions pane , click Properties .

                                  Screenshot 2014 07 10 17 07 03

                                  3 Click the Web Address page.

                                  4 In the Binding Type , select HTTPS .

                                  Screenshot 2014 07 10 17 09 07

                                  5. You can most likely select Apply at this point, and the default internal address for the CRM will work fine. We however created a new A record in the DNS for “internalcrm” and pointed it to this new server. This allows us to use a clear path for the internal URL.

                                  6 For example, with a *.contoso.com wildcard certificate, you can use internalcrm.contoso.com:444 as the network address.

                                  Screenshot 2016 01 10 22 03 10

                                  7 Click OK.

                                  8 In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

                                  Screenshot 2014 07 10 17 59 37

                                  9 Click Next on the Welcome page

                                  10  On the Specify the security token service page, enter the Federation metadata URL, such as https://adfs.fabrikam.com/federationmetadata/2007-06/federationmetadata.xml. In our case because we setup a DNS record for “adfs” we are going to use that: https://adfs.iwebscrm.com/federationmetadata/2007-06/federationmetadata.xml

                                  Screenshot 2014 07 10 18 08 28

                                  11 Click Next then select the certificate that we created previously for the *.domain connection

                                  Screenshot 2014 07 10 18 07 28

                                  12 Select Next 

                                  Screenshot 2014 07 10 18 09 58

                                  13 Select Apply then Finish

                                  Screenshot 2014 07 10 18 10 31

                                  Screenshot 2014 07 10 18 11 45

                                  14 IMPORTANT – Click View Log File

                                  15 Scroll to the end, and Copy the URL from the bottom of the file.

                                  This will be used in the next configuration. Note that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this). In our case the URL looked like this: https://adfs.iwebscrm.com/federationmetadata/2007-06/federationmetadata.xml

                                  16 Click Finish.

                                  17 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2013 server.

                                  18. Once you can browse this URL, you are done here.

                                  Claims-based authentication configuration AD FS 3.0 server

                                  After completing the previous step, we next need to add and configure the claims provider trust (Claims Provider Trusts) and the relying party trust (Relying Party Trusts) in AD FS 3.0.

                                  Configure claims provider trusts

                                  Start AD FS 3.0 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

                                  Screenshot 2014 07 10 18 27 02

                                   

                                  In the Rules Editor, click Add Rule, In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next

                                  Screenshot 2014 07 10 18 27 33

                                   

                                  Step10: Create the following rule

                                  Claim rule name: UPN Claim Rule (or something descriptive)

                                  Attribute store: Active Directory

                                  LDAP Attribute: User Principal Name

                                  Outgoing Claim Type: UPN

                                  Screenshot 2014 07 10 18 34 58

                                  Click Finish, and then click OK to close the Rules Editor

                                  After you enable claims-based authentication, you must configure Dynamics CRM Server 2013 as a relying party to consume claims from AD FS 3.0 for authenticating internal claims access.

                                  Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

                                  On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file. So that will be https://internalcrm.domain.com/FederationMetadata/2007-06/FederationMetadata.xml. This is the same internalcrm A record that we checked earlier in the process.

                                  Screenshot 2014 07 10 18 38 23

                                  On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

                                  Screenshot 2014 07 10 18 40 57

                                  Click Next on the multi-factor authentication options.

                                  Screenshot 2014 07 10 18 41 35

                                  On the Choose Issuance Authorisation Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

                                  Screenshot 2014 07 10 18 41 44

                                  On the Ready to Add Trust page, click the checkbox option to Open the Edit Claim Rules, Next, and then click Close.

                                  Screenshot 2014 07 10 18 42 10

                                  When the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

                                  Screenshot 2014 07 10 18 42 52

                                  In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

                                  Screenshot 2014 07 10 18 44 21

                                  Create the following Rule #1

                                  Claim rule name: Pass Through UPN (or something descriptive)

                                  Incoming claim type: UPN

                                  Pass through all claim values

                                  Click Finish.

                                  Screenshot 2014 07 10 18 44 59

                                  Screenshot 2014 07 10 18 50 07

                                  In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

                                  Screenshot 2014 07 10 18 50 26

                                  Create the following Rule #2

                                  Claim rule name: Pass Through Primary SID (or something descriptive)

                                  Incoming claim type: Primary SID

                                  Pass through all claim values

                                  Click Finish

                                  Screenshot 2014 07 10 18 51 11

                                  Screenshot 2014 07 10 18 51 23

                                  In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

                                  Create the following rule #3:

                                  Claim rule name: Transform Windows Account Name to Name (or something descriptive)

                                  Incoming claim type: Windows account name

                                  Outgoing claim type: Name

                                  Pass through all claim values

                                  Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

                                  So now we have claims set up for CRM.

                                  ADFS 3.0 Extra Steps

                                  To say these steps are “fucking important” is to underestimate the value I place in the 2 weeks it took me to resolve the ADFS 3.0.

                                  Enable Forms Authentication

                                  In AD FS on Windows Server 2012 R2, forms authentication is not enabled by default.

                                  1. Log on to the AD FS server as an administrator.

                                  2. Open the AD FS management console and click Authentication Policies.

                                  3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

                                  4. Under Intranet, enable (check) Forms Authentication.


                                   

                                  Add the ADFS server to the Local intranet zone.

                                  1. In Internet Explorer, click Tools, and then click Internet Options.

                                  2. Click the Security tab, click the Local intranet zone, and then click Sites.

                                  3. Click Advanced.

                                  4. In Add this website to the zone, type the URL for your AD FS server, for example, https://sts1.contoso.com.

                                  5. Click Add, click Close, and then click OK. 

                                  6. Select the Advanced tab. Scroll down and verify that under Security Enable Integrated Windows Authentication is checked.

                                  7. Click OK to close the Internet Options dialog box.

                                  You will need to update the Local intranet zone on each client computer accessing Microsoft Dynamics CRM data internally. To use Group Policy to push this setting to all domain-joined internal client computers do the following.

                                  Test claims-based authentication for internal access

                                  You should now be able to access CRM 2013 internally using claims-based authentication.

                                  1. Open the Deployment Manager.

                                  2. Expand the Deployment Manager node, and then click Organizations.

                                  3. Right-click your organization, and then click Browse to open the CRM web page (for example: https://internalcrm.contoso.com:444).

                                  Troubleshooting

                                  If the CRM web page cannot be displayed, run iisreset and then try again.

                                  If the CRM web page still does not show, you may need to set up an SPN (Service Principal Name) for the AD FS 3.0 server. Re-run the Claims-Based Authentication Wizard, browse to the Specify the security token service page, and note the AD FS 3.0 server name in the Federation metadata URL (in this case, sts1.interactivewebs.com).

                                  http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx

                                  1. Open a command line tool.

                                  2. Enter the following command (substitute the names from your own environment):

                                  C:\> setspn -a http/sts1.interactivewebs.com fserver4\VSERVER08$

                                  fserver4\VSERVER08 = the domain and machine name of the server.

                                  C:\> iisreset

                                  3. Re-access the Microsoft Dynamics CRM Server 2013 site; you should now be able to access the CRM 2013 web page.

                                  http://technet.microsoft.com/en-us/library/gg188614.aspx

                                  If you receive ADFS – sts1 errors:

                                  There was a problem accessing the site. Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem. Reference number: xxx

                                  And/or if you look in your log files under ADFS 2.0, you will see related errors.

                                  In our case, this was because we used the external Metadata URL and not the Internal URL that we should have copied from the “View Log File” when configuring the Claims Based Authentication (Step 14 in the section above).

                                  Note the difference between this:

                                  https://internalcrm.interactivewebs15.com:444/FederationMetadata/2007-06/FederationMetadata.xml

                                  and the original metadata check we did with:

                                  https://sts1.interactivewebs15.com/federationmetadata/2007-06/federationmetadata.xml

                                  We incorrectly figured it would be pulling the same XML data. It does NOT!

                                  Configuring claims-based authentication for external access

                                  To open CRM 2013 data to external access with claims-based authentication, complete the following steps:

                                  1. Complete the previous section: configuring claims-based authentication for internal access.

                                  2. Configure the CRM 2013 server for IFD.

                                  3. Configure the AD FS 3.0 server for IFD.

                                  4. Test claims-based authentication for external access.

                                  Configure the CRM 2013 server for IFD

                                  Once claims-based authentication is enabled for internal access, you can enable external claims access through IFD. The following describes configuration using the IFD Configuration Wizard; if you want to learn how to configure it using PowerShell, refer to the English original.

                                  1. Open the Deployment Manager.

                                  2. In the tree structure, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment.

                                  3. Click Next.

                                  4. Fill in the correct domain information for the Web Application, Org, and Discovery Web services. Remember that in our case *.interactivewebs.com was the name of the wildcard certificate used, and PORT 444 was the port we configured for the CRM Web Instance in the IIS bindings.

                                  Thus we use:

                                  • Web Application Server Domain: interactivewebs.com:444
                                  • Organization Web Service Domain: interactivewebs.com:444
                                  • Web Service Discovery Domain: dev.interactivewebs.com:444

                                  Note – Enter the domain name, rather than the server name.

                                  • If CRM is installed on a single server, or on servers in the same domain, then the Web Application Server Domain and Organization Web Service Domain should be the same.
                                  • The Web Service Discovery Domain must be a subdomain of the Web Application Server Domain, like the “dev.” that we set up in DNS earlier.
                                  • The domain name must be on the SSL certificate.

                                  Domain examples:

                                  • Web Application Server Domain: contoso.com:444
                                  • Organization Web Service Domain: contoso.com:444
                                  • Web Service Discovery Domain: dev.contoso.com:444

                                  For more information, refer to Install Microsoft Dynamics CRM Server 2013 on multiple computers (http://go.microsoft.com/fwlink/?LinkID=199532).

                                  5. In the Enter the external domain where your Internet-facing servers are located box, enter the external domain information for your Internet-facing CRM 2013 servers, and then click Next.

                                  The domain you specify must be a subdomain of the Web Application Server Domain specified in the previous step. By default, “auth.” is prepended to the Web Application Server Domain.

                                  Domain examples:

                                  • External Domain: auth.contoso.com:444

                                  6. On the System Checks page, if there are no problems, click Next.

                                  7. On the Review your selections and then click Apply page, confirm your input, and then click Apply.

                                  8. Click Finish.

                                  9. Open a command line tool and run: iisreset

                                  Configure the AD FS 3.0 server for IFD

                                  After you have enabled IFD on the Microsoft Dynamics CRM Server 2013 you will need to create a relying party for the IFD endpoint on the AD FS server. (The steps below are from the MSDN Blog.)

                                  Step6: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

                                  Step7: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

                                  For example, https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml.

                                  Type this URL in your browser and verify that no certificate-related warnings appear.

                                  Step8: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next.

                                  Step9: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

                                  Step10: On the Ready to Add Trust page, click Next, and then click Close.

                                  Step11: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

                                  Step12: In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

                                  Step13: Create the following rule #1

                                  Claim rule name: Pass Through UPN (or something descriptive)

                                  Incoming claim type: UPN

                                  Pass through all claim values

                                  Click Finish.

                                  Step14: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

                                  Step15: Create the following rule #2

                                  Claim rule name: Pass Through Primary SID (or something descriptive)

                                  Incoming claim type: Primary SID

                                  Pass through all claim values

                                  Click Finish.

                                  Step16: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

                                  Step17: Create the following rule #3

                                  Claim rule name: Transform Windows Account Name to Name (or something descriptive)

                                  Incoming claim type: Windows account name

                                  Outgoing claim type: * Name  (Note that “* Name”  without the “” is required to be typed)

                                  Pass through all claim values

                                  Click Finish, and when you have created all three rules, click OK to close the Rules Editor.


                                  Test claims-based authentication for external access

                                  You should now be able to access CRM 2013 externally using claims-based authentication. In Internet Explorer, browse to the CRM 2013 external address (for example: https://org.contoso.com:444); you will see the sign-in page.

                                  Enter the user name and password to log in to CRM 2013.

                                  Fix the MEX Endpoint

                                  When you browse externally to the URL https://sts1.iwebscrm.com/adfs/services/trust/mex (where “sts1.yourorg.com” replaces ours), you should see an XML endpoint returned. We found that after setup of CRM 2013 in the above mentioned environment there was a conflict with the Sandbox port 808, and this caused the failure of the service, giving a 503 error for /adfs/services/trust/mex

                                  The solution is simple: run the following command in PowerShell:

                                  Set-ADFSProperties -NetTcpPort 809

                                  Then restart ADFS from the Services, or restart the server. Reference: http://www.interactivewebs.com/blog/index.php/crm-2013/adfsservicestrustmex-returns-503-on-crm-2013-windows-2012-ifd-mex-endpoint-fix/
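A way to confirm the port conflict described above before and after changing the AD FS net.tcp port. This is an added example, not part of the original post; Get-PortListener and Test-MexEndpoint are hypothetical helper names, and sts1.yourorg.com is the placeholder host used in the post.

```powershell
# Added example: who is listening on the net.tcp ports involved in the MEX 503?
# Get-PortListener and Test-MexEndpoint are hypothetical helper names.
function Get-PortListener {
    param([Parameter(Mandatory)][int[]]$Port)

    foreach ($p in $Port) {
        $listeners = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
        if (-not $listeners) {
            [pscustomobject]@{ Port = $p; ProcessId = $null; Process = '(nothing listening)' }
            continue
        }
        # One row per distinct owning process, so a shared or contested port is visible.
        foreach ($id in ($listeners.OwningProcess | Sort-Object -Unique)) {
            $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $p; ProcessId = $id; Process = $proc.ProcessName }
        }
    }
}

function Test-MexEndpoint {
    param([Parameter(Mandatory)][string]$Uri)

    try {
        [int](Invoke-WebRequest -Uri $Uri -UseBasicParsing).StatusCode
    } catch {
        # A 503 here is the symptom described in the post.
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode }
        else { $_.Exception.Message }
    }
}

# 808 is the port the post found in conflict, 809 the port it moves AD FS to.
$ports = @(808, 809)
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    # Include whatever port AD FS is currently configured to use.
    $ports += (Get-AdfsProperties).NetTcpPort
}
Get-PortListener -Port ($ports | Sort-Object -Unique) | Format-Table -AutoSize

# Replace the placeholder host with your own AD FS name before running.
Test-MexEndpoint -Uri 'https://sts1.yourorg.com/adfs/services/trust/mex'
```

Run it on the AD FS server in an elevated PowerShell session; the MEX check should return 200 once the AD FS service has been restarted on the new port.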

                                   

                                  Microsoft CRM IFD Event 364 and 111 in ADFS

                                  Microsoft CRM IFD Event ID 364 and 111

                                  We got the ADFS login screen as expected, but on trying to login we received an error:

                                  • Activity ID: 00000000-0000-0000-0400-0080020000f4
                                  • Relying party: CRM IFD Relying Party

                                  This was associated with two errors in the ADFS Event Log.

                                  Event ID: 111

                                  Additional Data 
                                  Exception details: 
                                  System.ArgumentException: ID4216: The ClaimType ‘* Name’ must be of format ‘namespace’/’name’.
                                  Parameter name: claimType
                                  at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
                                  at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
                                  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
                                  at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)

                                   Event ID: 364

                                  Encountered error during federation passive request.

                                  Additional Data

                                  Protocol Name: 
                                  wsfed

                                  Relying Party: 
                                  https://crm2016.iwebscrm16.com:444/

                                  Exception details: 
                                  Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. —> System.ArgumentException: ID4216: The ClaimType ‘* Name’ must be of format ‘namespace’/’name’.
                                  Parameter name: claimType
                                  at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
                                  at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
                                  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
                                  at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
                                  at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
                                  at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, SecurityToken deviceSecurityToken, String desiredTokenType, WrappedHttpListenerContext httpContext, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, MSISSession& session)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSerializedToken(MSISSignInRequestMessage wsFederationPassiveRequest, WrappedHttpListenerContext context, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
                                  — End of inner exception stack trace —
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
                                  at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
                                  at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

                                  System.ArgumentException: ID4216: The ClaimType ‘* Name’ must be of format ‘namespace’/’name’.
                                  Parameter name: claimType
                                  at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
                                  at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
                                  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
                                  at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
                                  at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
                                  at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, SecurityToken deviceSecurityToken, String desiredTokenType, WrappedHttpListenerContext httpContext, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, MSISSession& session)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSerializedToken(MSISSignInRequestMessage wsFederationPassiveRequest, WrappedHttpListenerContext context, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
                                  at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)

                                  The Fix:

                                  This was caused because the Transform of Windows Account Name to Name was initially set as * Name rather than just Name. So we updated it (and the instructions above) to allow people to not experience this problem.

                                  Update the Relying Party Trusts / Edit Claim Rules / Transform Windows Account Name to Name – change the name value from * Name to Name.

                                  Restart the ADFS service and IIS, and these errors should be resolved.
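The check below scans a relying party trust's issuance transform rules for outgoing claim types that are not well-formed, which is the condition behind the ID4216 error above. It is an added example, not part of the original post: Test-IssuedClaimType is a hypothetical helper name, the sample rule text is constructed, and the absolute-URI test is an approximation of the 'namespace'/'name' requirement.

```powershell
# Added example. Test-IssuedClaimType is a hypothetical helper name, not an AD FS cmdlet.
function Test-IssuedClaimType {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$RuleText)

    # Rules end with ';'. This simple split assumes no ';' inside rule names or values.
    foreach ($rule in ($RuleText -split ';')) {
        # Only rules with an issuance statement can emit a claim type.
        if ($rule -notmatch '=>\s*(issue|add)\s*\(') { continue }

        $name = '(unnamed)'
        if ($rule -match '@RuleName\s*=\s*"([^"]*)"') { $name = $Matches[1] }

        # Look only at the part after '=>'; the condition before it filters incoming claims.
        $issuance = ($rule -split '=>', 2)[1]
        foreach ($m in [regex]::Matches($issuance, '\bType\s*=\s*"([^"]*)"')) {
            $type = $m.Groups[1].Value
            $parsed = $null
            [pscustomobject]@{
                Rule         = $name
                OutgoingType = $type
                # Approximation of the ID4216 requirement: the type must be an absolute URI.
                WellFormed   = [Uri]::TryCreate($type, [UriKind]::Absolute, [ref]$parsed)
            }
        }
    }
}

# Constructed sample: a pass-through rule plus the transform rule with the
# outgoing type typed as "* Name", as in the misconfiguration described above.
$sample = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "* Name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@
Test-IssuedClaimType -RuleText $sample | Format-Table -AutoSize

# On the AD FS server, run the same check against every relying party trust.
if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    foreach ($trust in Get-AdfsRelyingPartyTrust) {
        Test-IssuedClaimType -RuleText ([string]$trust.IssuanceTransformRules) |
            Where-Object { -not $_.WellFormed } |
            Select-Object @{ n = 'Trust'; e = { $trust.Name } }, Rule, OutgoingType
    }
}
```

Pass-through rules issue the incoming claim unchanged, so they produce no rows; only rules that set an outgoing Type are reported.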

                                  Microsoft CRM Restore Database Failed Only Enterprise edition of SQL Server supports partitioning

                                  Upgrading from CRM 2011 to CRM 2013 you cannot restore SQL on a Non Enterprise Server

                                  An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)Database ‘Org_MSCRM’ cannot be started in this edition of SQL Server because it contains a partition function ‘AuditPFN’. Only Enterprise edition of SQL Server supports partitioning. Database ‘Org_MSCRM’ cannot be started because some of the database functionality is not available in the current edition of SQL Server. (Microsoft SQL Server, Error: 905)

                                  CAUSE

                                  When Microsoft Dynamics CRM 2011 is installed using a Microsoft SQL Server Enterprise edition, a partition is created for the auditing functionality of Dynamics CRM 2011. The AuditBase table uses partitioning which is only available for Microsoft SQL Server Enterprise.

                                  RESOLUTION

                                  Use the following Steps and Script to remove the partitioning. The following script recreates all the indexes on the Primary partition and then drops the partition.

                                  Be sure to have a database backup of the ‘Org_MSCRM’ before performing the following steps.

                                  Fix

                                  1. Restore the ‘Org_MSCRM’ database to a Microsoft SQL Server Enterprise edition. It is recommended to backup and restore the database instead of running the script on the production database.

                                  2. Run the following script against the restored database.

                                   

                                  IF EXISTS (SELECT name FROM sys.partition_schemes WHERE name = 'AuditPScheme')
                                  BEGIN
                                      -- Build one statement per AuditBase index that sits on the partition scheme.
                                      -- Non-clustered indexes (type != 1) are dropped and recreated; the clustered
                                      -- index (type = 1) is rebuilt with DROP_EXISTING on [PRIMARY].
                                      SELECT
                                          CASE WHEN ind.type != 1
                                              THEN 'DROP INDEX [dbo].[AuditBase].' + QUOTENAME(ind.name) + ' '
                                              ELSE ' '
                                          END
                                          + 'CREATE ' + CASE is_unique WHEN 1 THEN 'UNIQUE ' ELSE '' END
                                          + ind.type_desc + ' INDEX ' + QUOTENAME(ind.name COLLATE SQL_Latin1_General_CP1_CI_AS)
                                          + ' ON [dbo].' + QUOTENAME(OBJECT_NAME(object_id)) + ' ('
                                          + REVERSE(SUBSTRING(REVERSE((
                                                SELECT name + CASE WHEN sc.is_descending_key = 1 THEN ' DESC' ELSE ' ASC' END + ','
                                                FROM sys.index_columns sc
                                                JOIN sys.columns c ON sc.object_id = c.object_id AND sc.column_id = c.column_id
                                                WHERE OBJECT_NAME(sc.object_id) = 'AuditBase'
                                                  AND sc.object_id = ind.object_id
                                                  AND sc.index_id = ind.index_id
                                                ORDER BY index_column_id ASC
                                                FOR XML PATH('')
                                            )), 2, 8000))
                                          + ')'
                                          + CASE WHEN ind.type = 1 THEN ' WITH (DROP_EXISTING = ON) ON [PRIMARY]' ELSE ' ' END AS Script
                                      INTO #indexesScript
                                      FROM sys.indexes ind
                                      JOIN sys.partition_schemes ps ON ind.data_space_id = ps.data_space_id
                                      WHERE OBJECT_NAME(object_id) = 'AuditBase'
                                        AND ps.name = 'AuditPScheme'
                                        AND is_unique_constraint = 0

                                      -- Show the generated statements before they are executed.
                                      SELECT * FROM #indexesScript

                                      DECLARE @recreateScript nvarchar(max)
                                      DECLARE indScript CURSOR FOR SELECT Script FROM #indexesScript
                                      OPEN indScript
                                      FETCH NEXT FROM indScript INTO @recreateScript

                                      -- Run each generated statement in its own transaction.
                                      WHILE @@FETCH_STATUS = 0
                                      BEGIN
                                          BEGIN TRANSACTION t1
                                          EXECUTE sp_executesql @recreateScript
                                          IF @@ERROR > 0
                                          BEGIN
                                              ROLLBACK TRAN t1
                                              DECLARE @message varchar(max)
                                              SET @message = 'Audit history recreate index failed. SQL: ' + @recreateScript
                                              RAISERROR (@message, 10, 1)
                                          END
                                          ELSE
                                          BEGIN
                                              COMMIT TRAN
                                          END
                                          FETCH NEXT FROM indScript INTO @recreateScript
                                      END

                                      -- With no index left on the scheme, drop the scheme and its function.
                                      DROP PARTITION SCHEME AuditPScheme
                                      DROP PARTITION FUNCTION AuditPFN

                                      CLOSE indScript
                                      DEALLOCATE indScript
                                      DROP TABLE #indexesScript
                                  END

                                   

                                  3. Once the script is complete you can backup the database and now you should be able to restore the database to a Microsoft SQL Server Standard edition.

                                  Update ADFS SSL Certificates Microsoft CRM 2013 2015 and 2016 IFD

                                  How to Update SSL Certificates for AD FS 3.0 in CRM IFD

                                  Introduction

                                  Microsoft Dynamics CRM can be configured to use SSL (Secure Sockets Layer). For this to work, an SSL certificate is required.

                                  Certificates can be purchased from certificate providers and will expire after a certain period of time. Once this time has elapsed, Microsoft Dynamics CRM will no longer work until the certificate is updated.

                                  This article describes the process to update the certificate for Microsoft Dynamics CRM.

                                  Installing the new certificate

                                  You will need to import your certificate into the local certificate store on each CRM server that uses web services, and the AD FS server if claims-based authentication is enabled.


                                  Instructions on how to import a certificate can be obtained from your certificate provider.

                                  Note: Problems may occur if you do not remove the old certificate.

                                  Add permission to the certificate

                                  It is necessary to grant specific permissions to the certificate to allow service accounts access.


                                  The following steps show how to add permissions to the certificate.

                                  1. Open the Certificate Console on the server.
                                  2. Check out the Microsoft Wiki for help
                                  3. Navigate to (Local Computer) > Personal > Certificates
                                  4. Right click the new certificate. Go to All Tasks > Manage Private Keys
                                  5. Add following permissions
                                    • AD FS Server: CRMAppPool Account = “Read”
                                    • AD FS Server: ADFSAppPool Account = “Full”
                                    • CRM Server: CRMAppPool Account = “Read”
                                    • In our case we were using the NETWORK SERVICE account and need to add the Read permissions

                                  Update IIS (Internet Information Services) to use the new certificate

                                  On the Microsoft Dynamics CRM website, the certificate bindings will need to be updated.


                                  The following steps show how to bind the new certificate using IIS 8.

                                  1. Log on to the Microsoft Dynamics CRM Server.
                                  2. Open IIS.
                                  3. Locate the Microsoft Dynamics CRM website.
                                  4. Right click the website and click Edit Bindings.
                                  5. Select HTTPS and click Edit….
                                  6. Select the new certificate and click OK to save the settings.
                                  7. Close all open windows.

                                  Reconfigure Claims-Based Authentication

                                  The Microsoft Dynamics CRM application will need to be updated to use the new certificate.


                                  The following steps show how to reconfigure claims-based authentication.

                                  1. Open Deployment Manager
                                  2. Click Configure Claims-Based Authentication to open the wizard
                                  3. Click Next on the Welcome page
                                  4. Click Next on the Token Service page
                                  5. Select the new certificate on the Select Certificate page
                                  6. Click Next to complete the configuration

                                  Update AD FS (Active Directory Federation Services)

                                  In AD FS, the Service Communication certificate will need to be updated.

                                  The following steps show how to update the Service Communication certificate in AD FS 2.0.

                                  1. Open AD FS 2.0
                                  2. Navigate to AD FS 2.0 > Service > Certificates
                                  3. Click Set Service Communications Certificate
                                  4. Select the certificate and click OK

                                  Update Relying Party Trusts

                                  In AD FS Management, check that neither the Claims Relying Party Trust nor the IFD Relying Party Trust is showing an ! next to it.

                                  If either is, or even just to be safe, click on each one separately and select “Update from Federation Metadata”.

                                  Once these have both been updated you can move onto the last task.

                                  Final Tasks

                                  To finish the process, all affected services will need to be restarted.

                                  The following steps should be completed once the certificate has been updated.  It may also be necessary to follow these steps if problems occur during any of the previous tasks.

                                  • Perform an IISRESET on each server
                                  • Restart the AD FS service on AD FS server
                                  • Update Relying Party metadata
                                    1. Open AD FS 2.0
                                    2. Navigate to AD FS 2.0 > Trust Relationships > Relying Party Trusts
                                    3. Right click each relying party and select Update from Federation Metadata
                                    4. Click Update

                                  Microsoft CRM 2013 or 2015 Event ID 1309 ADFS IFD Resolution

                                  When attempting to login to an IFD deployment of CRM 2013 or 2015 you receive an event Error: 1309 looking like this:

                                  Event code: 3005
                                  Event message: An unhandled exception has occurred.
                                  Event time: 7/01/2016 12:08:14 AM
                                  Event time (UTC): 6/01/2016 1:08:14 PM
                                  Event ID: 0daeff15a8f24e939623db80c40522d5
                                  Event sequence: 3
                                  Event occurrence: 2
                                  Event detail code: 0

                                  Application information:
                                  Application domain: /LM/W3SVC/2/ROOT-1-130965592186041416
                                  Trust level: Full
                                  Application Virtual Path: /
                                  Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
                                  Machine name: VSERVER07

                                  Process information:
                                  Process ID: 2300
                                  Process name: w3wp.exe
                                  Account name: NT AUTHORITY\NETWORK SERVICE

                                  Exception information:
                                  Exception type: SecurityTokenException
                                  Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
                                  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
                                  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
                                  at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
                                  at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
                                  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
                                  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
                                  at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
                                  at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
                                  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

                                  Request information:
                                  Request URL: https://auth.iwebscrm.com:444/default.aspx
                                  Request path: /default.aspx
                                  User host address: 58.175.75.97
                                  User:
                                  Is authenticated: False
                                  Authentication Type:
                                  Thread account name: NT AUTHORITY\NETWORK SERVICE

                                  Thread information:
                                  Thread ID: 29
                                  Thread account name: NT AUTHORITY\NETWORK SERVICE
                                  Is impersonating: True
                                  Stack trace: at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
                                  at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
                                  at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
                                  at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
                                  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
                                  at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
                                  at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
                                  at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
                                  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

                                  UPDATE

                                  On later versions of CRM, such as CRM 2016 SP1 using ADFS 3, this error appeared differently. We blogged this here: http://www.interactivewebs.com/blog/index.php/crm/microsoft-crm-ifd-the-ssl-certificate-does-not-contain-all-upn-suffix-values-that-exist-in-the-enterprise-cannot-login/

                                  The cause

                                  This is likely happening after updating the ADFS Token Signing Certificates in an IFD deployment of Microsoft CRM Server. In our case we had recently updated the ADFS signing certificate using the PowerShell command:

                                  Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
                                  Update-AdfsCertificate -CertificateType Token-Signing -Urgent
                                  Set-ADFSProperties -AutoCertificateRollover $false

                                  After doing that we found that the IFD deployment would not allow login to the CRM server for external users, with the above error being logged.

                                  The Fix

                                  Microsoft Dynamics CRM error: The issuer of the security token was not recognized by the IssuerNameRegistry – Solved

                                  “The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.”

                                  If your Microsoft Dynamics CRM users are seeing the above errors when attempting to log-in, you may have an ADFS Certificate issue. ADFS generates new certificates about a month prior to certificate expiration, however, Dynamics CRM does not recognize them until you take a few steps to resolve the issue.

                                  To locate your ADFS Certificates, navigate to the ADFS Console. Under “Service”, click on “Certificates”, where you will find a Primary and Secondary certificate. If the current date is close to the date of your Primary certificate “Effective Date”, it’s safe to assume that this is the underlying issue.

                                  To resolve this issue:

                                  1. Navigate to the ADFS Console >> Trust Relationships >> Relying Party Trusts.
                                  2. Right click on the trust and select “Update from Federation Metadata…”
                                    a. If there are two trusts, do them both. This may be a case where you have one for Internal and External.
                                  3. Open Command Prompt. Be sure to right-click and “Run as Administrator”.
                                    a. From within CMD, type “iisreset”.
                                  4. Open “Services” and restart the “ADFS” service.
                                    a. If ADFS does not start, be sure to check the “Windows Internal Database” service and make sure it is started, and then try restarting the ADFS service.

                                  If these initial steps do not resolve your issue for any reason, continue with the following steps below:

                                  5. Navigate to “CRM Deployment Manager”.
                                    a. Run the “Configure Claims-Based Authentication” wizard, upper right hand corner.
                                    b. Click “Next” all the way through the wizard, nothing needs to be changed here.
                                  6. Run the “Configure Internet Facing Deployment” wizard.
                                    a. Click “Next” all the way through the wizard, nothing needs to be changed here either.
                                  7. Now, perform Steps 1-4 again as outlined above.
                                    a. Update Federation Metadata
                                    b. IISReset
                                    c. Restart ADFS Service

                                  Your users should be able to log-in to Dynamics CRM again. I hope you find this helpful and that it resolved your issue.
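Steps 1-4 above, which are also the “Update Relying Party Trusts” and “Final Tasks” steps of the certificate renewal walkthrough, can be scripted on the AD FS server. This is an added example, not from the original post; `-TrustNamePattern` is a hypothetical filter parameter, and IIS is assumed to run on the same server (otherwise run iisreset on each CRM server separately).

```powershell
# Added example: refresh relying party trusts after an AD FS certificate change.
# Run from an elevated PowerShell prompt on the AD FS server.
param(
    # Hypothetical filter: wildcard matching the CRM claims / IFD trust names.
    [string]$TrustNamePattern = '*'
)

# AD FS 2.0 ships its cmdlets as a snap-in; later versions auto-load the ADFS module.
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# Show the token certificates. A primary certificate whose NotBefore date is
# only a few days old points at a recent rollover as the cause of ID4175.
$now = Get-Date
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -like 'Token-*' } |
    Select-Object CertificateType, IsPrimary,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
        @{ n = 'NotBefore';  e = { $_.Certificate.NotBefore } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } },
        @{ n = 'AgeDays';    e = { [int]($now - $_.Certificate.NotBefore).TotalDays } } |
    Format-Table -AutoSize

# Steps 1-2: update each matching trust from its federation metadata.
$trusts = @(Get-AdfsRelyingPartyTrust | Where-Object { $_.Name -like $TrustNamePattern })
foreach ($trust in $trusts) {
    if (-not $trust.MetadataUrl) {
        Write-Warning "Skipping '$($trust.Name)': no federation metadata URL is configured."
        continue
    }
    try {
        Update-AdfsRelyingPartyTrust -TargetName $trust.Name -ErrorAction Stop
        Write-Output "Updated '$($trust.Name)' from $($trust.MetadataUrl)"
    } catch {
        Write-Warning "Update failed for '$($trust.Name)': $($_.Exception.Message)"
    }
}

# Step 3: restart IIS on this server.
& iisreset.exe
if ($LASTEXITCODE -ne 0) {
    Write-Warning "iisreset exited with code $LASTEXITCODE"
}

# Step 4: restart AD FS. If the Windows Internal Database is installed but
# stopped, start it first, otherwise the AD FS service will not come up.
Get-Service -DisplayName 'Windows Internal Database*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Running' } |
    Start-Service
Restart-Service -Name adfssrv -ErrorAction Stop

# Read the trusts back: a failed policy check corresponds to the "!" marker
# shown next to a trust in the AD FS console.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.Name -like $TrustNamePattern } |
    Select-Object Name, Enabled, LastUpdateTime, LastPublishedPolicyCheckSuccessful |
    Format-Table -AutoSize
```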

                                  Moving Active Directory AD to a New Domain Controller DC

                                  Since I don’t have to do this very often, but always seem to forget how to transfer the Schema Master and Domain Naming Master, I decided to write it down when it came up again as I transferred all the roles to my Windows 2012 server.

                                  The following three FSMO roles can be migrated from Active Directory Users and Computers. Right mouse click on the domain and select Operations Masters. There is one tab for each of the three FSMO roles:

                                  PDC
                                  RID Pool Manager
                                  Infrastructure Master

                                  The following FSMO role can be transferred from Active Directory Domains and Trusts. Right mouse click on Active Directory Domains and Trusts, and select Operations Master:

                                  Domain Naming Master

                                  For the Schema Master FSMO role, you first need to register a dll by executing the following command (Note: This only needs to be done once from an elevated command prompt.):

                                  c:\> regsvr32 schmmgmt.dll

                                  Then, you can add the Active Directory Schema Snap-In to a Microsoft Management Console (MMC). With the Snap-In added, ensure that the targeted domain controller is the one that you want to transfer the Schema Master role to. To change it, right mouse click on Active Directory Schema, under Console Root, and select Change Active Directory Domain Controller... to select the domain controller you want to transfer the role to. Once that is done, right mouse click on Active Directory Schema, and select Operations Master to change the role.

                                  If you do not have a different domain controller targeted, you will get the following message:

                                  The current Active Directory Domain Controller is the Operations Master. To transfer the Operations Master to a different DC, you need to target Active Directory Schema to that DC.

                                  And when you switch the target domain controller, you get the following, which is okay for what we want to do:

                                  Active Directory Schema snap-in is not connected to the schema operations master. You will not be able to permform any changes. Schema modification can only be made on the schema FSMO holder.
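The same five transfers can also be made from PowerShell rather than through the three MMC consoles. This is an added example, not from the original post: it swaps in the ActiveDirectory module's `Move-ADDirectoryServerOperationMasterRole` for the GUI steps, and the `-TargetDC` and `-Transfer` parameter names are hypothetical.

```powershell
# Added example: report the FSMO role holders and transfer the roles to one DC.
# Requires the ActiveDirectory module (RSAT). Moving the Schema Master needs
# Schema Admins membership; the Domain Naming Master needs Enterprise Admins.
param(
    [Parameter(Mandatory = $true)][string]$TargetDC,  # hypothetical name: DC that should receive the roles
    [switch]$Transfer                                  # without this switch the script only reports (-WhatIf)
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-FsmoHolder {
    # Two roles are forest-wide, three are per-domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Fails here if the name does not resolve to a domain controller.
$target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop

$before = Get-FsmoHolder
Write-Output "Current role holders:"
$before.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Only move roles the target does not already hold.
$toMove = @($before.Keys | Where-Object { $before[$_] -ne $target.HostName })
if ($toMove.Count -eq 0) {
    Write-Output "$($target.HostName) already holds all five roles."
    return
}

# -Force is deliberately omitted: it seizes roles instead of transferring them
# and is only appropriate when the current holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $target.HostName `
    -OperationMasterRole $toMove -WhatIf:(-not $Transfer)

if (-not $Transfer) {
    Write-Output "Report only. Re-run with -Transfer to move: $($toMove -join ', ')"
    return
}

# Verify that every role now points at the target DC.
$after     = Get-FsmoHolder
$remaining = @($after.Keys | Where-Object { $after[$_] -ne $target.HostName })
if ($remaining.Count -gt 0) {
    Write-Warning "Not transferred: $($remaining -join ', ')"
} else {
    Write-Output "All five FSMO roles are now held by $($target.HostName)."
}
```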

                                  Fatal error: Cannot redeclare wpb_getImageBySize() (previously declared in plugins/js_composer/include/helpers/helpers.php

                                  WPBakery Install Receives the Error: fatal error: Cannot redeclare wpb_getImageBySize() 

                                  Fatal error: Cannot redeclare wpb_getImageBySize() (previously declared in /srv/www/vhosts/www.busybooks.com/wp-content/themes/busybooks/wpbakery/js_composer/composer/lib/helpers.php:15) in /srv/www/vhosts/www.website.com/wp-content/plugins/js_composer/include/helpers/helpers.php on line 111

                                  When installing the WPBakery plugin you receive the above error after trying to activate the plugin. 

                                  The Fix

                                  The issue is easily fixed by installing one of the default WordPress themes and activating it, then returning to the plugins and activating the WPBakery Visual Composer.

                                  DNN (dotnetnuke) Active Forum Module Control Panel a critical error has occurred

                                  Error when opening the DNN Active Forum Module Control Panel

                                  When you attempt to open the forum module Control Panel, you receive a .NET load error that says a critical error has occurred. Looking at the log files for the website within DNN, you’ll notice that the related error message looks something like this.

                                  AbsoluteURL:/Default.aspx
                                  DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
                                  ExceptionGUID:1012073d-d31d-4a73-a051-31478c9de05d
                                  AssemblyVersion:7.4.0
                                  PortalId:0
                                  UserId:3429
                                  TabId:107
                                  RawUrl:/Resources/Forum/ctl/EDIT/mid/506
                                  Referrer:http://website.com.au/Resources/Forum
                                  UserAgent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3
                                  ExceptionHash:eUa1nHF8hNveOCQzqX0zOg==
                                  Message:Object reference not set to an instance of an object.
                                  StackTrace:
                                  InnerMessage:Object reference not set to an instance of an object.
                                  InnerStackTrace:
                                  at DotNetNuke.Modules.ActiveForums.Controls.Callback.OnLoad(EventArgs e)
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Control.LoadRecursive()
                                  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
                                  Source:
                                  FileName:
                                  FileLineNumber:0
                                  FileColumnNumber:0
                                  Method:
                                  Server Name: SERVERNAME

                                   

                                  The Fix

                                  It is good practice to ensure that you have the latest version of the DotNetNuke forum module on your website, especially if you are using the later versions of DNN. Currently the module project has been moved into an open source project on GitHub. The latest version can be found here: https://github.com/ActiveForums/ActiveForums

                                   

                                  Fixing the error

                                  You need to ensure that the web.config file also includes the following reference.

                                  <section name="cryptography" requirePermission="false" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke" />

                                  <cryptography defaultProvider="CoreCryptographyProvider">
                                    <providers>
                                      <clear />
                                      <add name="CoreCryptographyProvider" type="DotNetNuke.Services.Cryptography.CoreCryptographyProvider, DotNetNuke" providerPath="~\Providers\CryptographyProviders\CoreCryptographyProvider\" />
                                    </providers>
                                  </cryptography>


                                  Take note of where this is found in the web.config file.

                                   

                                   

                                  Google Analytics API Access V3

                                  Accessing your Google Analytic Data via API

                                  To allow a third party module or application to view and display your Google Analytics data for your website, you need to get a few things organised.

                                  1. You need to have a Google Analytic account with your website registered.

                                  Go to: http://www.google.com/analytics/   and follow their instructions to set up your URL under an account that you can manage and access with Admin permissions. We are not going to go through these steps here as it is a given that you will have this. Seek help from Google if you can’t manage.

                                   

                                  2. Set up an API for your Google Analytics Account at the Google Developers Portal.

                                  Go to: https://developers.google.com/  and login with your account.

                                  To get started using Google Analytics API, you need to first create or select a project in the Google Developers Console and enable the API. Using this link guides you through the process and activates the Google Analytics API automatically.

                                  Alternatively, you can activate the Google Analytics API yourself in the Developers Console by doing the following:

                                  1. Go to the Google Developers Console.
                                  2. Select a project, or create a new one.
                                  3. In the sidebar on the left, expand APIs & auth. Next, click APIs. Select the Enabled APIs link in the API section to see a list of all your enabled APIs. Make sure that the Google Analytics API is on the list of enabled APIs. If you have not enabled it, select the API from the list of APIs, then select the Enable API button for the API.
                                  4. In the sidebar on the left, select Credentials.

                                  In either case, you end up on the Credentials page and can create your project’s credentials from here.

                                  Create a client ID

                                  From the Credentials page, click Create new Client ID under the OAuth heading to create your OAuth 2.0 credentials.

                                  1. For the APPLICATION TYPE select Service account.
                                  2. Click Create Client ID.
                                  3. For the KEY TYPE select P12 key. (The system will download a .P12 file. You will need this file to upload to the module)
                                  4. A dialog box appears. To proceed, click Okay, got it.

                                   

                                  3. Add service account to Google Analytics account

                                  The newly created service account will have an email address, <projectId>-<uniqueId>@developer.gserviceaccount.com. Use this email address to add a user to the Google Analytics account you want to access via the API. For this tutorial only Read & Analyze permissions are needed.

                                  Select User Management (in the Analytics Admin)

                                  Enter the weird email address from the API credentials step above to give Read & Analyze permissions.

                                   

                                  In Summary

                                  1. You have created a Google Developer Account.
                                  2. Created an API and Given Permission to “Analytics API”
                                  3. You have Downloaded a P12 Credentials file.
                                  4. You have Authorised the associated weird google email address from the P12 account to have read permissions on your Analytics Account.

                                  If you get all that right, then the module we use will work to access your Google Analytics data from within your module.

                                   

                                  Zendesk to CRM 2015 and Microsoft Dynamics 365 Integration

                                  Installing the Zendesk to CRM 2015 or Dynamics 365 integration

                                  These instructions have been updated from the Zendesk instructions provided here: https://support.zendesk.com/hc/en-us/articles/203660156-Zendesk-for-Microsoft-Dynamics-CRM-Part-1-Installing-the-Zendesk-for-Microsoft-Dynamics-CRM-as-a-module-in-Microsoft-Dynamics-CRM

                                  They use a combination of the processes that Zendesk originally created for CRM 2011 and that worked on pre-SP1 versions of CRM 2013. The packages referenced have been updated by InteractiveWebs to work with CRM 2013 post SP1 and CRM 2015 (technically all versions, but we recommend post SP 0.1).

                                  Installation of the CRM Solution

                                  Install the CRM Managed Solution as you would any other CRM solution.

                                  Download the managed solution for CRM 2015 https://www.dropbox.com/s/0rhlgnxcwz9s4yh/ZendeskDynamicsCRMConnector_2_0_0_2_managed.zip?dl=0

                                  In CRM navigate to SETTINGS / SOLUTIONS

                                  Click on Import

                                  Choose File

                                  Select the Managed CRM package – Click Next

                                  Click Next

                                  Leave the Enable any SDK ticked, and click on Import

                                  Allow the Import to take place

                                  Click on Close

                                  On Completion, Click “Publish All Customisations”.

                                  Update Security Roles

                                  In the CRM menu, select Settings / Security

                                  Select the User that you wish to use to bring in Zendesk Integration Items. In this example we are using the Administrator account, but it could be anyone’s account.

                                  Then with the account loaded, select the additional item dropdown menu to the far right of the top level menu, selecting Manage Roles

                                  Select Zendesk Administrator

                                  There is also a Zendesk Read configuration setting. The Zendesk support site has details on how this can be used.

                                  Double Click on that name to load the account.

                                   

                                  Configure Entity Mapping

                                  In your browser, click on Refresh to reload the CRM page, and in turn the top level menu that has been updated after import for the Zendesk Solution.

                                  In the CRM system, select Settings / Zen Entity Mappings

                                  Click + New

                                  The most typical setups are things like, on a “Contact” entity, matching the Zendesk ticket requester with the email address on the “Contact” record. But what if you wanted to match on the “Full Name” field instead in both systems? Now you can by utilizing entity mappings.

                                   

                                  • Select the following items

                                    • Entity Name – This is the Microsoft Dynamics entity that you want the mapping applied to.
                                    • Zendesk Object – This is where you can select which object from Zendesk you’d like to pick your field from.
                                    • Zendesk Field – This will populate with values depending on your selection from Zendesk Object.
                                    • Entity Field – This is a list of fields associated to the selected Entity Name.  Pick which field you want to match to the Zendesk Field.
                                  • Click “Save” to store the mapping.
                                  • Click the ZD Entity Mapping tile to return to the page.
                                  • Repeat steps 1-5 if you wish to add more mappings for additional Entities.

                                   

                                  Here’s a list of the most common types of mappings:

                                   

                                  • Account/Organization Entity
                                    • Entity Name: “Account” or “Organization”
                                    • Zendesk Object: Organization
                                    • Zendesk Field: Name
                                    • Entity Field: Account Name
                                  • Contact/Lead Entity
                                    • Entity Name: “Contact” or “Lead”
                                    • Zendesk Object: User
                                    • Zendesk Field: EmailAddress
                                    • Entity Field: EmailAddress 1


                                   

                                  Configure Zendesk Settings Page

                                  In CRM Navigate to Settings / ZD Settings (Note that this one is not the ZD Personal Settings Menu Item).

                                  NOTE – This works best in Chrome – We found troubles with IE and Safari (not our work)!

                                   

                                  Screenshot 2015 06 20 00 11 05

                                  You now need to set up your Zendesk credentials so that the system can authenticate to the appropriate Zendesk instance.

                                  To do so, navigate to Settings, then locate the Zendesk Settings->Settings title and click the title.

                                  You will be presented with 4 sections:

                                  • Ticket view defaults  – global default settings for ticket views in the Zendesk ticket panel. 
                                    This sets the defaults at the account level, but can be overwritten by individual preferences by each user.
                                  • Filtering – sets the default values for filters in the Zendesk ticket panel.
                                  • Sorting – sets the default sort order for tickets in the Zendesk ticket panel.
                                  • Authentication – enter your Zendesk subdomain (make sure you specify HTTP vs. HTTPS if you have SSL enabled) and login credentials (you need administrator credentials). 
                                    This gives your Microsoft Dynamics CRM users read-only access to available tickets. To create or edit tickets from Microsoft Dynamics CRM, your Dynamics users must have a Zendesk license, and they will need to enter their own credentials (explained later in this article).  
                                  • Mapped record types – enables you to modify the data elements that display in a Zendesk user profile when a ticket is loaded. 
                                    You can choose from Lead, Contact, and Account. All fields are available, including custom fields.
                                  • Ticket-to-case mapping – identifies data items that should be mapped from standard Zendesk ticket fields into Microsoft Dynamics CRM cases. 
                                    The three Zendesk fields that are supported are Status, Priority, and Type.

                                   

                                  Add Zendesk Ticket Grid

                                  Now you are ready to add the Zendesk ticketing panel to any of the entity pages that you’ve configured mappings for. You need to repeat the steps below for each entity type you want the ticketing grid displayed on.

                                  1. In Microsoft Dynamics, navigate to the first entity where you want to add the ticketing grid. 
                                    For this example, we’ll refer to a Contact record.
                                  2. Select any contact in your list and navigate to the Form Editor.
                                    • In Dynamics 2015, highlight the More (…) tab (1) and select the option for Form (2) to start the form editor.
                                    • In Dynamics 2011, navigate to the Customize (1) tab and click on Form (2).
                                  3. In the Form Editor, click the Insert tab (1), then click the Web Resource button (2).
                                  4. In the Add Web Resource page, click the magnifying glass next to Web resource to find the Zendesk ticket grid (zd_/Pages/TicketGrid/TicketGrid.html).
                                  5. In the next page, select the check box next to zd_/Pages/TicketGrid/TicketGrid.html, then click OK.
                                  6. Back in the Add Web Resource dialog box you should see zd_/Pages/TicketGrid/TicketGrid.html in the Web resource field. Enter a Name and Label you can easily recognize (consider naming it Zendesk Ticket Panel). Check the box for Pass record object-type code and unique identifier as parameters. Click OK.
                                  7. You now have a Zendesk ticket panel in the form layout that you can drag anywhere you’d like on the page. You can even create a special subsection for it if you’d like.
                                  8. After you place the panel, navigate to the Home tab, click Save, then click Publish.
                                  9. Refresh the contact page you had open and you should see the new Zendesk ticket panel where you placed it!
                                  10. Repeat these steps for any other entities you have created mappings for.

                                   

                                  Configuring InteractiveWebs Zendesk to CRM 2015 or Dynamics 365 Web Service

                                  Next you need to enable your CRM instance to use the InteractiveWebs Web Service that will connect Zendesk to your CRM instance either in the cloud, IFD or on premises.

                                  If you have an IFD instance or a Microsoft Hosted Cloud instance of CRM then go here: http://www.interactivewebs.com/Admin/Zendesk/tabid/3566/Default.aspx

                                  If you have never registered with InteractiveWebs then click on “Subscribe Now”

                                   Screenshot 2015 06 20 19 08 05

                                  Fill in the form with the following details.

                                  Username: Select a user name to use with our website.

                                  Password: Select a password to use on our website

                                  Email: Be sure to use a valid email address. We will not share or spam you, but for services we need this to be accurate.

                                  First Name: Your First Name

                                  Last Name: Your Last Name

                                  CRM Address: This is the address of your CRM server. For example, if your CRM URL is https://contoso.hostedcrm.com:444/ you type “contoso.hostedcrm.com” (without the “ ”).

                                  CRM Organization: Your administrator can help with this, but in the example above it is “contoso” and is usually the word before the domain of your hosting environment.

                                  You can contact us on the help link at the bottom of the page if you are not sure what you should type here.

                                  Screenshot 2015 06 20 19 15 01

                                   

                                  If you have an on premises CRM solution you will need a custom version of the web service to host on your own servers. Contact us at our website: http://www.interactivewebs.com/ContactUs/tabid/55/Default.aspx and advise that you are after a custom web service for Zendesk to CRM 2015 integration. Advise us of:

                                  1. The URL you use to access your CRM internally.

                                  2. The Organisation name you use in CRM.

                                  We can then provide you with a custom web service for $200 one off fee with no expiry date on the web service.

                                   

                                  Zendesk Setup – Display of CRM Data

                                  It is possible to display the user data from Microsoft CRM in the Zendesk tickets. To do this:

                                  1. In Zendesk select Admin

                                  2. Select Apps / Market Place and search the words – “Microsoft Dynamics”

                                  3. Install the App – Microsoft Dynamics

                                  Screenshot 2015 09 15 04 27 23

                                  Under Manage – you should see the app installed:

                                  Screenshot 2015 09 15 04 28 09

                                  Installing this will allow you to select the “User Data Lookup” Feature that is explained in the next section below.

                                  Screenshot 2015 09 15 04 29 03 – Found in the Extensions / CRM in Zendesk.

                                   

                                  Setup Zendesk Settings

                                  Now you will need to set up the Zendesk side of the integration.

                                  To do this, log in to your Zendesk interface and go to Admin / Extensions.

                                  Screenshot 2015 06 21 09 12 10

                                  In Extensions you select CRM

                                  Select Microsoft Dynamics CRM 2011 (For all versions of CRM including Dynamics 365)

                                  Screenshot 2015 09 15 04 30 17

                                  Select your hosting type

                                  Screenshot 2015 09 15 04 30 36

                                  If you have IFD or Microsoft Cloud Hosted Solution, select Cloud or IFD respectively

                                  FOR CRM versions before Dynamics 365 (up to CRM 2016 pre SP1)

                                  For the Web Service (having subscribed to the service) put in:

                                  https://zendesk.interactivewebs.com  (note that this will only work if you have subscribed)

                                  Screenshot 2015 09 15 04 31 03

                                  For Dynamics 365 (or CRM versions after CRM 2016 SP1)

                                  Because the SDK was updated for Dynamics 365 we have created a web service URL unique to the later versions of Dynamics 365. Use the URL: https://zendesk365.interactivewebs.com (note that this will only work if you have subscribed)

                                   

                                  If you have an on-premise deployment then select that and put in the URL of the web service that was supplied to you after contacting InteractiveWebs for a custom solution.

                                  All the other data for that page is per the instructions and help provided by Zendesk in their help pages found here: 

                                  https://support.zendesk.com/hc/en-us/articles/203660186-Zendesk-for-Microsoft-Dynamics-CRM-Part-3-Setting-up-the-Zendesk-App-and-Ticket-to-Case

                                   

                                   

                                  Support

                                  If you have problems or questions, please feel free to contact us at: http://www.interactivewebs.com – We have a range of other integration products, including website to CRM integrations for forms, billing, kb, support and more.

                                   

                                   

                                  DNN Blog Module 404 Error on Reading Post

                                  When using DNN Blog Module you receive 404 page cannot be found error

                                  The symptoms are easy to recognise. When you click on the Read more link or the title of a blog post, which would normally take you to the full article, the page instead displays a 404 error.

                                  DNN Blog 404

                                  If you explore the URL you will find that it references the blog title, something like this: http://canopi.com.au/Blog/Post/355/Single-Server-Sign-On-SSO-Part-1

                                  Take note that the URL does not end with .aspx

                                   

                                  The Cause

                                  The URL of the blog post is being rewritten through the friendly URL settings within the later versions of DNN.

                                   DNN Friendly URL Settings

                                  The friendly URL settings can be found within: HOST / ADVANCED SETTINGS / FRIENDLY URL SETTINGS

                                  and are enabled by default in the later versions of DNN.  The problem arises when the web.config file is missing a setting for the advanced URL rewriting.

                                   

                                   The Fix

                                  The fix is very easy and involves editing the web.config file.

                                  1. Take a backup of the web.config file for your site
                                  2. Open the web.config file, and search for ‘urlformat’. You should find this in the section, like this:


                                  <add name="DNNFriendlyUrl" type="DotNetNuke.Services.Url.FriendlyUrl.DNNFriendlyUrlProvider, DotNetNuke.HttpModules" includePageName="true" regexMatch="[^a-zA-Z0-9 _-]" urlFormat="humanfriendly" />

                                   

                                  3. Change the urlFormat value to ‘advanced’, like this:


                                  <add name="DNNFriendlyUrl" type="DotNetNuke.Services.Url.FriendlyUrl.DNNFriendlyUrlProvider, DotNetNuke.HttpModules" includePageName="true" regexMatch="[^a-zA-Z0-9 _-]" urlFormat="advanced" />

                                  Microsoft CRM Solution Import Fields that are not valid were specified for the entity

                                  While importing a solution to CRM 2011, CRM 2013, or CRM 2015 you receive an error 

                                  Fields that are not valid were specified for the entity

                                   

                                  The Cause

                                  The cause of this is likely that one of the attributes that you are importing (from a dev environment) already exists in the CRM instance, but with a different attribute type.

                                  For Example:

                                  • In your Live Environment
                                    • Within Accounts, you create a new attribute called “Friendly Customer” and mark it TEXT
                                    • Publish and all is well and good.
                                  • In your Dev Environment
                                    • Within Accounts, you create a new attribute called “Friendly Customer” and make it a PICK LIST

                                   

                                  In other words, the same name for the attribute, but a different kind of field.

                                  Then try to export from DEV and import to LIVE. You get the error.

                                   

                                  The solution

                                  You have to remove the conflicting fields from the destination (live in the example above) CRM system.

                                  Microsoft gives you some help here, in the form of an XML dump file. What you need to do is open that file in something like DreamWeaver that has the ability to apply “Source Formatting”. This makes the file pretty to read. 

                                  From

                                  Ugly XML Dump file from CRM.png

                                  To

                                  CRM xml dump file in DreamWeaver.png

                                  Then do a search for the text “errortext” and start clicking next / next till you get to some text with an attribute and an error message. 

                                  In our case:

                                  Screenshot 2015 04 29 21 52 24

                                  <Cell ss:StyleID="s137" name="ErrorText">
                                  <Data ss:Type="String">Attribute new_leasecustomer is a Picklist, but a Boolean type was specified.</Data>
                                  </Cell>

                                  This gives the name of the attribute at fault.


                                  And the error on the import will tell you the Entity that it failed the import on. Again in this case it was the ACCOUNT entity.

                                  So we just removed that attribute from any forms and views, then deleted the attribute (be sure that your live data is not relying on data entered here by users as you will lose it). Publish the entity. Then test the import again. 
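The search for “errortext” described above can also be scripted instead of done by eye in an editor. This is an added example, not part of the original post: the function name Get-CrmImportError, the sample document and the file path in the comment are hypothetical, and the only thing taken from the page is the Cell/Data shape of the error entry.

```powershell
# Added example: list every non-empty ErrorText cell in a CRM import log.
function Get-CrmImportError {
    param(
        [Parameter(Mandatory = $true)]
        [xml]$Log
    )

    # local-name() matches Cell and Data regardless of which namespace
    # or prefix the log file declares for its elements.
    $xpath = "//*[local-name()='Cell'][@name='ErrorText']/*[local-name()='Data']"

    foreach ($node in $Log.SelectNodes($xpath)) {
        $text = $node.InnerText.Trim()
        if (-not $text) { continue }   # rows that imported cleanly have an empty cell

        # Messages of the form shown in the post start with "Attribute <name> is ...".
        $attribute = if ($text -match '^Attribute\s+(\S+)\s+is\b') { $Matches[1] } else { $null }

        [pscustomobject]@{
            Attribute = $attribute
            ErrorText = $text
        }
    }
}

# Constructed sample input. The namespace declarations and the empty first
# row are assumptions; the error message is the one quoted in the post.
$sample = @'
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
          xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">
  <Worksheet ss:Name="Components">
    <Table>
      <Row>
        <Cell ss:StyleID="s137" name="ErrorText"><Data ss:Type="String"></Data></Cell>
      </Row>
      <Row>
        <Cell ss:StyleID="s137" name="ErrorText">
          <Data ss:Type="String">Attribute new_leasecustomer is a Picklist, but a Boolean type was specified.</Data>
        </Cell>
      </Row>
    </Table>
  </Worksheet>
</Workbook>
'@

Get-CrmImportError -Log ([xml]$sample) | Format-List

# Against a downloaded log (hypothetical path):
# Get-CrmImportError -Log ([xml](Get-Content -Raw 'C:\Temp\ImportLog.xml'))
```

Each object returned names the attribute to remove or retype in the destination system before retrying the import.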

                                  CRM 2015 2013 find Dependencies for Managed Solution

                                  How to Delete a Managed Solution in CRM 2013 or CRM 2015

                                  Sometimes when you try to delete a managed Solution, there is an error message about the dependencies of the solution being in use.

                                  CRM Cannot Delete Component

                                  When you download the log file, you see some typical Microsoft Crap that really does nothing to help you.

                                  Screenshot 2015 04 12 16 02 08

                                  The only thing it does is to tell you that you can’t delete the component because it is being used in this case by two other components.

                                  Now the hard part is finding the components that are using it.

                                   

                                  Finding the Referenced Dependencies CRM 2015 Components

                                  1. Work out the Solution Name. Navigate to CRM / Settings / Solutions and read the exact Name of the Solution to be deleted. In this case it was “ZendeskCRM2011Connector”.

                                  Deleting CRM Managed Solution

                                   

                                  2. Login to your CRM Server and open the SQL database that matches the Organisation name being used in CRM.

                                  3. Execute an SQL query against that database that reads:

                                  select SolutionId
                                  from Solution
                                  where UniqueName = 'Name of your Solution'

                                  (Replacing 'Name of your Solution' with the exact name of your solution.) So in our case:

                                  select SolutionId
                                  from Solution
                                  where UniqueName = 'ZendeskCRM2011Connector'

                                  And it executes to give:

                                  CRM Find GUID for Managed Soltuon

                                  This gives you the GUID of the managed solution in the results area. In our example it is the: 3AC85885-F78B-47A3-BAB5-F8DE569B4EDD number at the bottom.

                                  4. Now navigate to the following URL: 

                                  https://YOUR CRM URL/tools/dependency/dependencyviewdialog.aspx?objectid=GUID&objecttype=7100&operationtype=dependenciesforuninstall

                                   

                                  Replace “YOUR CRM URL” with the URL of your own CRM system, and replace GUID with the GUID retrieved in step 3 above. Thus the URL may look like this: 

                                  https://crm.iwebscrm15.com:444/tools/dependency/dependencyviewdialog.aspx?objectid=3AC85885-F78B-47A3-BAB5-F8DE569B4EDD&objecttype=7100&operationtype=dependenciesforuninstall

                                   

                                  It will show a page that looks like this: 

                                  Show Solution Dependencies CRM 2015

                                   

                                  Which you can use to help you work out what to edit to remove the dependencies and delete the solution.

                                  Thanks Microsoft for making something so easy so hard!

                                   

                                   

                                  Setting up CRM 2015 on Windows 2012 R2 and SQL 2014 Stand Alone

                                  Setting up CRM 2015 on a New Virtual Windows 2012 R2 with SQL 2014

                                  Install the Following Components

                                  • Services
                                  1. Indexing Service (Windows Search Service)
                                  2. IIS Admin
                                  3. World Wide Web Publishing
                                  • Windows Data Access Components MDAC 6.0
                                  • Microsoft ASP.NET

                                   

                                  Windows Search Service

                                  The following method is used to install the Windows Search Service on Windows 2012 R2. The search feature installation is launched from the Server Manager (which will start by default when you log in as an administrator).

                                  1. Click Add Roles and Features
                                  2. Next
                                  3. Next
                                  4. Next
                                  5. Next (without selecting anything)
                                  6. With the Features, select Windows Search Service, then Next
                                  7. Select Install
                                  8. Select Close

                                   

                                  Run through the process again:

                                  1. Click Add Roles and Features
                                  2. Next
                                  3. Next
                                  4. Next
                                  5. Next (without selecting anything)
                                  6. This time select the Web Server (IIS)
                                  7. When prompted select Add Features
                                  8. Select Next
                                  9. Next
                                  10. Next
                                  11. Next
                                  12. Close

                                   

                                  Installing SQL Server

                                  When installing the SQL server, the required features are almost the default features with the following two ticks.

                                  1. Database Engine Service

                                  2. Full-Text and Semantic Extractions for Search

                                   CRM 2013 SQL 2012 Requirements

                                   

                                  Additional IIS Feature to Add for IIS

                                  CRM will work much better with IIS Dynamic Compression. To install this, follow the normal Roles and Features install, and find the section for:

                                  Web Server Role (IIS)

                                  Second option: Under Server Manager click Add roles and features       

                                  • Click Next for Role-based or featured-based installation       
                                  • Select Server Roles       
                                  • Expand Web Server (IIS) role     
                                  •  Under Performance check the option for Dynamic Content Compression

                                  IIS Dynamic Compression Feature

                                  Click Next

                                  This ensures that you can enable dynamic compression after install to ensure that performance is best.

                                   

                                   

                                   

                                   

                                   

                                   

                                  CRM 2015 Extend Auto Logout Time in IFD

                                  CRM 2015 and CRM 2016 IFD will Automatically Logout the user with a Message:

                                  Your session in Microsoft Dynamics CRM is about to expire. To continue working, you must sign in again.

                                  CRM 2015 Auto Logout

                                  By Default this setting is 60 minutes, and the message will pop up around 20 minutes before logout.

                                  Any unsaved changes will be lost as your session ends.

                                   

                                  The Fix

                                  To extend the automatic logout time in CRM 2015, we must extend the time set in ADFS 3.0 using the PowerShell command. First we need to know the name that was used to set up the Relying Party Trust in ADFS.

                                  1. Open Server Manager and from the Tools menu select ADFS Management

                                  ADFS Management

                                  2. In AD FS Management, open Relying Party Trusts and find the Display name for the CRM IFD Relying Party Trust

                                  Screenshot 2015 04 03 17 30 58

                                  In this case, we have called the Relying Party Trust “CRM IFD Relying Party”, as we keep things simple when we create things and use the exact name as the title of the trust. But really it could be anything. One distinguishing feature is that the URL identifier will be pointing to the URL that displays in the browser window when you are in the process of logging in to your IFD CRM.

                                  3. Start PowerShell

                                  Screenshot 2015 04 03 17 35 57

                                  4.  Check you have the correct name of the Relying Party Trust by typing the following command.

                                  Get-ADFSRelyingPartyTrust -Name "relying_party"

                                  Where you replace the “relying_party” with the name you identified in Step 2 above. In our case the command will be: 

                                  Get-ADFSRelyingPartyTrust -Name "CRM IFD Relying Party"

                                   

                                  The result should look something like this if you get it correct.

                                  Screenshot 2015 04 03 17 40 02

                                  5. Now type the command to set the time you want for Auto Logout.

                                  Set-ADFSRelyingPartyTrust -Targetname "CRM IFD Relying Party" -TokenLifetime 720

                                  (Again replacing the “CRM IFD Relying Party” with the name used on your system.)

                                  Note: The 720 is time in minutes. 12 Hours in this case. You can change the value up and down as liked.


                                  Screenshot 2015 04 03 17 43 47

                                  6. Close out the PowerShell and you are done.
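Steps 4 and 5 combined into one function, as an added example that is not part of the original post: it confirms the trust name resolves, records the current TokenLifetime, applies the new value and reads it back. The function name Set-CrmIfdTokenLifetime and the 1440-minute ceiling are assumptions; the cmdlets and the -TargetName / -TokenLifetime parameters are the ones used in the steps above.

```powershell
# Added example. Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

function Set-CrmIfdTokenLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Display name of the trust, as found in step 2.
        [Parameter(Mandatory = $true)]
        [string]$TrustName,

        # New lifetime in minutes. The upper bound is an assumed local
        # ceiling so that a typo cannot produce a multi-day token lifetime.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 1440)]
        [int]$Minutes
    )

    # Step 4: make sure the name resolves before changing anything.
    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $trust) {
        $known = (Get-AdfsRelyingPartyTrust | Select-Object -ExpandProperty Name) -join ', '
        throw "No relying party trust named '$TrustName'. Existing trusts: $known"
    }

    # Record the value being replaced so the change can be reverted later.
    $before = $trust.TokenLifetime

    # Step 5: apply the new lifetime (skipped when run with -WhatIf).
    if ($before -ne $Minutes -and
        $PSCmdlet.ShouldProcess($TrustName, "Set TokenLifetime from $before to $Minutes minutes")) {
        Set-AdfsRelyingPartyTrust -TargetName $TrustName -TokenLifetime $Minutes
    }

    # Read the setting back rather than trusting that the call succeeded.
    $after = (Get-AdfsRelyingPartyTrust -Name $TrustName).TokenLifetime

    [pscustomobject]@{
        Trust              = $TrustName
        Identifier         = $trust.Identifier -join ', '
        TokenLifetimeBefore = $before
        TokenLifetimeAfter  = $after
    }
}

# Preview first, then apply. Trust name and value are the ones from the post.
Set-CrmIfdTokenLifetime -TrustName 'CRM IFD Relying Party' -Minutes 720 -WhatIf
Set-CrmIfdTokenLifetime -TrustName 'CRM IFD Relying Party' -Minutes 720
```

Keeping the returned object in a change record gives you the previous value to restore if the longer session lifetime is later reviewed.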

                                  SQL 2014 'Agent XPs' component is turned off when accessing Maintenance Plans

                                  When trying to create a Maintenance Plan you get an error: 

                                  ‘Agent XPs’ component is turned off as part of the security configuration for this server. A system administrator can enable the use of ‘Agent XPs’ by using sp_configure. For more information about enabling ‘Agent XPs’ see “Surface Area Configuration” in SQL Server Books Online. (Object Explorer)

                                  Screenshot 2015 04 01 14 39 39

                                  Details of the error are:

                                  ===================================

                                  Cannot show requested dialog.

                                  ===================================

                                  Unable to execute requested command.

                                  ——————————
                                  Program Location:

                                  at Microsoft.SqlServer.Management.UI.VSIntegration.ObjectExplorer.ToolMenuItemHelper.OnCreateAndShowForm(IServiceProvider sp, XmlDocument doc)
                                  at Microsoft.SqlServer.Management.SqlMgmt.RunningFormsTable.RunningFormsTableImpl.ThreadStarter.StartThread()

                                  ===================================

                                  ‘Agent XPs’ component is turned off as part of the security configuration for this server. A system administrator can enable the use of ‘Agent XPs’ by using sp_configure. For more information about enabling ‘Agent XPs’, see “Surface Area Configuration” in SQL Server Books Online. (Microsoft.SqlServer.Management.MaintenancePlanWizard)

                                  ——————————
                                  Program Location:

                                  at Microsoft.SqlServer.Management.MaintenancePlanWizard.MaintenancePlanWizardForm.LoadData()
                                  at Microsoft.SqlServer.Management.MaintenancePlanWizard.MaintenancePlanWizardForm..ctor(XmlDocument doc, IServiceProvider serviceProvider)

                                   

                                  The Cause

                                  This is caused because the “SQL Server Agent” is not running.

                                  By default, this service is set to start manually. This is normal after a fresh install.

                                   

                                  The Solution

                                  1. Open SQL Server Configuration Manager

                                  2. Start the service for SQL Server Agent.

                                  3. Right click the service and select Properties

                                  4. Click the Service tab and change the start mode to Automatic

                                  That’s it! 

                                   

                                   

                                  CRM 2015 IFD Adding a New Organization Additional Steps

                                  Error when attempting to login to a New Organisation in CRM 2015 IFD

                                  When attempting to login to a newly configured Organisation you may receive an error looking like this.

                                               An error occurred
                                  An error occurred. Contact your administrator for more information.

                                   

                                  • Activity ID: 00000000-0000-0000-1400-0080010000ff
                                  • Error time: Sat, 28 Mar 2015 07:37:45 GMT

                                   

                                  The Cause

                                  Because IFD (Internet Facing Deployment) uses AD FS authentication, setting up a new Organisation with the CRM Deployment Manager is not enough on its own: an additional step is required to register the new Organisation's login with the AD FS setup.

                                  Basically it is saying that you have set up the org, but not configured the authentication login settings in AD FS.

                                   

                                  The Fix

                                  1. Open AD FS Management

                                  2. Click on AD FS / Trust Relationships / Relying Party Trusts and locate your CRM IFD Relying Party Trust associated with the IFD Authentication.

                                  3. Highlight it, and select Update Federation Metadata

                                  4. Update

                                  And you are done!

                                  You should now be able to login to the CRM server without getting the error message, and with no need to reset IIS or any other services.

                                   

                                   

                                   

                                  CRM 2015 Reporting Extension Setup Error The SQL Server Reporting Services account is a local user and is not supported

                                  Error Message installing CRM 2015 Reporting Extensions

                                  When installing Microsoft Dynamics CRM Reporting Extension Setup you receive an error message: The SQL Server Reporting Services account is a local user and is not supported. This is during the System Checks.

                                  In our instance this was with MS CRM 2015 on SQL 2014 on the same server in a test environment.

                                  The Solution

                                  The fix is easy.

                                  1. Open the SQL 2014 Reporting Services Configuration Manager

                                  2. Connect to your Server.

                                  3. Select the Service Account

                                  4. Select the Local System account and apply with the appropriate security levels.

                                  That’s about it. Run the setup process again and you should be good to go.

                                  Windows 2012 R2 C:\Program Files (x86)\PHP\v5.6\php-cgi.exe – The FastCGI process exited unexpectedly PHP

                                  The FastCGI process exited unexpectedly – Trying to run PHP on IIS 8.0

                                  This problem has been discussed extensively around the forums, but no one is clear on how to fix it. The issue first appeared after installing the new Windows 2012 R2 release. After using the Windows Web Platform Installer 5.0 to install PHP 5.6.0 (and, I might add, when we tested on PHP 5.5.11), a simple test page returned the error: C:\Program Files (x86)\PHP\v5.6\php-cgi.exe – The FastCGI process exited unexpectedly

                                  The Solution

                                  You need to install the 32-bit version of the Visual C++ Redistributable for Visual Studio 2012 Update 4. Note that even if your operating system is 64-bit, you must install the 32-bit version, as PHP does not run in 64 bit.

                                   A download link is here: http://www.microsoft.com/en-us/download/details.aspx?id=30679

                                  Select the download button

                                   

                                  Select the 32 bit version or x86

                                  You are done!

                                  Test your PHP and you should be good to go.

                                  Windows 2012 Turn off Password Complexity

                                  How to disable (turn off) the default Windows 2012 Administrator password complexity

                                  1. Open Administrative Tools

                                  2. This places you in the Administrative Tools section. Select Local Security Policy.

                                  3. Change the Password Must Meet Complexity Requirements option to Disabled.

                                  In a Domain Environment, for an Active Directory Domain Server:

                                    • In the Server Manager click on Tools and from the drop-down click Group Policy Management.
                                    • Expand Forest >> Domains >> Your Domain Controller.
                                      NOTE: Some of the comments on this post advise additional steps at this point. Try without them first, but if that fails, have a look in the comments.
                                    • Right click on the Default Domain Policy and click Edit in the context menu.
                                    • Now expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
                                    • Double-click on the Passwords Must Meet Complexity Requirements option in the right pane.
                                    • Select Disabled under Define this policy setting.
                                    • Click Apply, then OK all the way out, and close the GPO window.
                                    • To refresh the policy, type the following command in the CMD window and press ENTER: gpupdate /force
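
To confirm which setting is actually in force after the change and gpupdate /force, the local security policy can be exported with secedit and read back. This is an added example, not part of the original post; the function names are hypothetical and the sample export is constructed.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function ConvertFrom-SecurityInf {
    param([string[]] $Lines)
    # Collect "Key = Value" pairs from the [System Access] section of a secedit export.
    $inSection = $false
    $policy = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
    }
    return $policy
}

function Get-LocalPasswordPolicy {
    # Export the machine's current security policy to a temp file and parse it.
    $tmp = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
        ConvertFrom-SecurityInf -Lines (Get-Content -LiteralPath $tmp)
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

# Constructed sample of a secedit export, so the parser can be tried offline.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
[Event Audit]
AuditSystemEvents = 0
'@ -split "`r?`n"

$p = ConvertFrom-SecurityInf -Lines $sample
"Complexity enabled: {0}; minimum length: {1}" -f ($p.PasswordComplexity -eq '1'), $p.MinimumPasswordLength
```

Get-LocalPasswordPolicy needs an elevated prompt. On a domain controller with the ActiveDirectory module, Get-ADDefaultDomainPasswordPolicy reports the same setting as ComplexityEnabled.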

                                  CRM 2015 Improve Outlook Client Performance Issue WCF Compression

                                  CRM 2015 Outlook Performance

                                  After installing Microsoft CRM 2015 and the client, you may notice that the connection over the internet is slower than desired. One likely reason is that WCF communication, which the Outlook client uses to talk to the CRM server, is not compressed.

                                  Assuming that your current environment is configured correctly with Windows 2012 R2 and IFD, you can simply update the server to support WCF compression and improve performance for CRM 2015 and Outlook.

                                  Enable compression by manually updating the ApplicationHost.Config

                                  1. On the CRM Server, navigate to C:\Windows\System32\Inetsrv\Config\applicationHost.config and open it with Notepad.

                                  2. Search for the section “<dynamicTypes>”; in that section you should find an entry that looks like this:
                                  <add mimeType="application/x-javascript" enabled="true" />

                                  3. Below that, add the following line:
                                  <add mimeType="application/soap+xml; charset=utf-8" enabled="true" />

                                  4. Save the file and reset IIS for the setting to take effect.

                                  CRM 2013 Improve Outlook Client Performance Issue WCF Compression

                                  CRM 2013 Outlook Performance

                                  After installing Microsoft CRM 2013 and the client, you may notice that the connection over the internet is slower than desired. One likely reason is that WCF communication, which the Outlook client uses to talk to the CRM server, is not compressed.

                                  Assuming that your current environment is configured correctly with Windows 2012 R2 and IFD, you can simply update the server to support WCF compression and improve performance for CRM 2013 and Outlook.

                                  Enable compression by manually updating the ApplicationHost.Config

                                  1. On the CRM Server, navigate to C:\Windows\System32\Inetsrv\Config\applicationHost.config and open it with Notepad.

                                  2. Search for the section “<dynamicTypes>”; in that section you should find an entry that looks like this:
                                  <add mimeType="application/x-javascript" enabled="true" />

                                  3. Below that, add the following line:
                                  <add mimeType="application/soap+xml; charset=utf-8" enabled="true" />

                                  4. Save the file and reset IIS for the setting to take effect.
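
The manual edit in steps 1 to 4 (identical in the CRM 2015 and CRM 2013 posts above) can be made repeatable and safe to re-run. This is an added example, not part of the original posts; the function name Add-DynamicCompressionType and the sample file are hypothetical, and the sample config fragment is constructed.

```powershell
# Added example (not from the original post). Function name is hypothetical.
function Add-DynamicCompressionType {
    param([Parameter(Mandatory)] [string] $ConfigPath,
          [string] $MimeType = 'application/soap+xml; charset=utf-8')
    $path = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath  # .NET needs a full path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the rest of the file's layout intact
    $xml.Load($path)
    $types = $xml.SelectSingleNode('//httpCompression/dynamicTypes')
    if (-not $types) { throw "No <dynamicTypes> section found in $path" }
    # Safe to re-run: leave the file alone if the MIME type is already listed.
    foreach ($n in $types.SelectNodes('add')) {
        if ($n.GetAttribute('mimeType') -eq $MimeType) { return $false }
    }
    Copy-Item -LiteralPath $path -Destination "$path.bak" -Force   # backup before editing
    $new = $xml.CreateElement('add')
    $new.SetAttribute('mimeType', $MimeType)
    $new.SetAttribute('enabled', 'true')
    # Step 3 on the page: place the entry below the application/x-javascript line.
    $anchor = $types.SelectSingleNode("add[@mimeType='application/x-javascript']")
    if ($anchor) { [void]$types.InsertAfter($new, $anchor) }
    else         { [void]$types.PrependChild($new) }
    $xml.Save($path)
    return $true
}

# Constructed sample fragment standing in for applicationHost.config.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'applicationHost.sample.config'
@'
<configuration>
  <system.webServer>
    <httpCompression>
      <dynamicTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="application/x-javascript" enabled="true" />
        <add mimeType="*/*" enabled="false" />
      </dynamicTypes>
    </httpCompression>
  </system.webServer>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

# The first call adds the entry; the second finds it already present and changes nothing.
Add-DynamicCompressionType -ConfigPath $sample
Add-DynamicCompressionType -ConfigPath $sample
Select-String -LiteralPath $sample -Pattern 'soap\+xml'
```

On the CRM server, run it from an elevated 64-bit PowerShell against C:\Windows\System32\Inetsrv\Config\applicationHost.config, then reset IIS as in step 4.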


                                  The e-mail address for one or more recipients is either blank or not a valid e-mail address

                                  The message cannot be sent to all selected recipients. 

                                  When running a workflow / process in Microsoft CRM, you receive a message that looks like this:

                                  The e-mail address for one or more recipients is either blank or not a valid e-mail address

                                  The Cause

                                  This error message is a little misleading as it points to an email address problem. As the title of the error suggests, the problem could be from:

                                  1. A blank email address.

                                  2. An email address with an error, such as a “.” at the end of it: email@addresss.com.

                                  3. The more likely one is that the contact or account record associated with the flow has its E-mail setting set to Do Not Allow.

                                  This setting will prevent any workflows in CRM from running and sending email messages.

                                  The Solution

                                  The fix is easy… just change the setting back to allow. Then save the associated record.

                                  You then need to restart the stalled process or workflow.


                                  Windows 2012 R2 Remote Desktop Enabled Cannot RDP Connect

                                  Windows 2012 RDP Remote Desktop Enabled but you Cannot Connect

                                  You find that after you enable the Windows 2012 RDP or Remote Desktop Connection features to allow you to remote desktop into your new server, you are still unable to connect to the server.

                                  The Cause

                                  By default on new installs of Windows 2012 R2 the server firewall is enabled, and it blocks the inbound TCP/IP traffic covered by the “Remote Desktop – User Mode TCP-in” rule.

                                  The Fix

                                  Enable the rule that permits access through the Windows Firewall.

                                  1. Search for Firewall and open “Windows Firewall with Advanced Security”.

                                  2. Find the rule “Remote Desktop – User Mode TCP-in” and select Enable Rule.