CRM 2015

Get-CrmSetting : The term 'Get-CrmSetting' is not recognized as the name of a cmdlet

Problem

While trying to run the OAuth provider setup in Microsoft Dynamics CRM (to configure, among other things, the post-installation setup that allows connectivity by devices and applications), I was banging my head on a problem following the instructions:

Configure the OAuth provider

 

Follow these steps to configure the OAuth provider in Microsoft Dynamics 365.

  1. Log on to the Microsoft Dynamics 365 server as an administrator.

  2. In a Windows PowerShell console window, run the following script.

     
    $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
    $ClaimsSettings.Enabled = $true
    Set-CrmSetting -Setting $ClaimsSettings
    
Found on this page: https://msdn.microsoft.com/en-us/library/hh699726.aspx#BKMK_WS2012R2 
 
In PowerShell I was getting:
PS C:\Users\administrator.FSERVER4> $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings

Get-CrmSetting : The term ‘Get-CrmSetting’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if
a path was included, verify that the path is correct and try again.
At line:1 char:19
+ $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-CrmSetting:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Driving me nuts!

 

The Fix

It turns out, from the instructions found here: https://msdn.microsoft.com/en-us/library/dn531010.aspx

that an additional step is required:

Dynamics 365 server setup

 

To configure the Dynamics 365 server to enable federated claims, follow these steps.

Configure claims settings

  1. Log on as administrator on the Dynamics 365 server that hosts the deployment service role and open a Windows PowerShell command window.

  2. Add the Dynamics 365 Windows PowerShell snap-in (Microsoft.Crm.PowerShell.dll). More information: TechNet: Administer the deployment using Windows PowerShell

     
    Add-PSSnapin Microsoft.Crm.PowerShell
    
  3. Enter the following Windows PowerShell commands.

     
    $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
    $ClaimsSettings.Enabled = $true
    Set-CrmSetting -Setting $ClaimsSettings
    
Note step 2:

Add-PSSnapin Microsoft.Crm.PowerShell

Now it works!
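The fix above as a re-runnable script, added here as an example and not part of the original post or of Microsoft's instructions. Snap-ins are loaded per session, so the script checks whether Microsoft.Crm.PowerShell is already loaded, confirms it is registered on the machine before adding it, and reads the setting back after the change.

```powershell
# Added example: load the CRM snap-in only when needed, then enable OAuth claims.
$snapin = 'Microsoft.Crm.PowerShell'

if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    # Not loaded in this session. Confirm it is registered on this machine first;
    # it is only present where the CRM deployment tools are installed.
    if (-not (Get-PSSnapin -Registered -Name $snapin -ErrorAction SilentlyContinue)) {
        throw "$snapin is not registered here. Run this on the server that hosts the deployment service role."
    }
    Add-PSSnapin $snapin
}

# Fail fast if the cmdlets are still missing, instead of hitting CommandNotFoundException later.
foreach ($cmd in 'Get-CrmSetting', 'Set-CrmSetting') {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
        throw "$cmd is still not available after loading $snapin."
    }
}

$ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
"OAuth claims enabled before: $($ClaimsSettings.Enabled)"

if (-not $ClaimsSettings.Enabled) {
    $ClaimsSettings.Enabled = $true
    Set-CrmSetting -Setting $ClaimsSettings
}

# Read the value back from the deployment rather than trusting the local object.
"OAuth claims enabled after:  $((Get-CrmSetting -SettingType OAuthClaimsSettings).Enabled)"
```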


Microsoft CRM IFD The SSL certificate does not contain all UPN suffix values that exist in the enterprise – Cannot Login

Cannot Login to a Previously working Microsoft CRM IFD

This applies to a previously working IFD deployment of CRM 2016 (but it could be CRM 2015 or CRM 2013). About 1 year after you set the system up, you start receiving: An error has occurred. Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization’s Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.

When researching this error, we suspected what it was, and related to an article we covered here: http://www.interactivewebs.com/blog/index.php/crm-2013/microsoft-crm-2013-or-2015-event-id-1309-adfs-ifd-resolution/

However, we never found an EVENT ID 1309 or anything close to that in our logs. The closest error we found (and we are not even certain that it was a result of this problem) was the error: EVENT ID 415

The SSL certificate does not contain all UPN suffix values that exist in the enterprise.  Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices.  For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.

The Problem

This problem arises from a certificate rollover that the ADFS server does about 1 month out from your 1 year anniversary. The ADFS certificate rolls over, but the CRM configuration does not pick up the new certificate.

 

The Fix

To locate your ADFS Certificates, navigate to the ADFS Console. Under “Service”, click on “Certificates”, where you will find a Primary and Secondary certificate. If the current date is close to the date of your Primary certificate “Effective Date”, it’s safe to assume that this is the underlying issue.

To resolve this issue:

1. Navigate to the ADFS Console >> Trust Relationships >> Relying Party Trusts.
2. Right click on the trust and select “Update from Federation Metadata…”
   a. If there are two trusts, do them both. This may be a case where you have one for Internal and External.
3. Open Command Prompt. Be sure to right-click and “Run as Administrator”.
   a. From within CMD, type “iisreset”.
4. Open “Services” and restart the “ADFS” service.
   a. If ADFS does not start, be sure to check the “Windows Internal Database” service and make sure it is started, and then try restarting the ADFS service.

If these initial steps do not resolve your issue for any reason, continue with the following steps below:

5. Navigate to “CRM Deployment Manager”.
   a. Run “Configure Claims-Based Authentication” wizard, upper right hand corner.
   b. Click “Next” all the way through the wizard, nothing needs to be changed here.
6. Run “Configure Internet Facing Deployment” wizard.
   a. Click “Next” all the way through the wizard, nothing needs to be changed here either.
7. Now, perform Steps 1-4 again as outlined above.
   a. Update Federation Metadata
   b. IISReset
   c. Restart ADFS Service

Your users should be able to log-in to Dynamics CRM again. I hope you find this helpful and that it resolved your issue.

Microsoft CRM global search fails causing in-line search SQL error

CRM in-line search fails with SQL error

After upgrading Microsoft CRM from earlier versions we found that the global search function when enabled failed to return any results, and once the index for the global search had run over a 24-hour period, the in-line search function for any entity would cause a crash and SQL error message to be displayed on page.

The problem

In our particular instance this CRM environment had been upgraded from much earlier versions of CRM and included an attempt to solve some upgrade issues by dropping indexes. Initially our thoughts were that the dropping of the indexes was responsible for the problems. However, it appears retrospectively that it was a fragmentation of indexes that caused the issue. I cannot be exactly sure why the maintenance procedure that is run on the SQL Server did not rebuild and reorganise the indexes sufficiently for the global search function. However, the following solution did work for us.

 We had pretty much followed the recommendation of this discussion forum.

The Solution

After submitting a support ticket to Microsoft they requested us to:

  • Run following command on CRM database to check fragmentation percentage:

 

-- Run in the CRM organisation database; DB_ID() with no argument resolves to the current database.
SELECT object_id AS ObjectID, index_id AS IndexID, avg_fragmentation_in_percent AS PercentFragment,
       fragment_count AS TotalFrags, avg_fragment_size_in_pages AS PagesPerFrag, page_count AS NumPages
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'DETAILED')
WHERE avg_fragmentation_in_percent > 0
ORDER BY ObjectID, IndexID

 

 

  • In case the fragmentation percent is more than 25-30% we have to rebuild the indexes.

Reference: https://msdn.microsoft.com/en-us/library/ms189858.aspx

The reference provided by Microsoft was helpful, but not as helpful as we would have liked. We ended up running the following query that automatically rebuilt all the indexes.

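-- Rebuilds every index on every user table in the current database.
-- Rebuilds are offline by default and lock each table while they run, so use a maintenance window.
DECLARE @TableName NVARCHAR(517)
DECLARE @sql NVARCHAR(1000)
DECLARE @fillfactor INT
SET @fillfactor = 80
DECLARE TableCursor CURSOR FOR
-- QUOTENAME keeps schema or table names with spaces or brackets from breaking the dynamic SQL
SELECT QUOTENAME(OBJECT_SCHEMA_NAME([object_id])) + '.' + QUOTENAME(name) AS TableName
FROM sys.tables
OPEN TableCursor
FETCH NEXT FROM TableCursor INTO @TableName
WHILE @@FETCH_STATUS = 0
BEGIN
SET @sql = 'ALTER INDEX ALL ON ' + @TableName + ' REBUILD WITH (FILLFACTOR = ' + CONVERT(VARCHAR(3), @fillfactor) + ')'
EXEC (@sql)
FETCH NEXT FROM TableCursor INTO @TableName
END
CLOSE TableCursor
DEALLOCATE TableCursor
GO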

 

After doing this, we were then able to turn on the global search and wait the relevant period of time for it to complete the indexing. It appears to have fixed our problem, with global search returning valid results and in-line search no longer broken when global search was enabled.

ZenDesk to Microsoft CRM integration password change

Changing your password in ZenDesk may affect your Microsoft CRM integration

If you upgrade or change the password that you use in your ZenDesk system for the account that has been set to synchronise data with the Microsoft CRM platform, you will notice that the synchronisation may not function correctly or may only perform a one-way synchronisation.

You will remember from the instructions that you likely followed in your initial configuration (http://www.interactivewebs.com/blog/index.php/zendesk/zendesk-to-crm-2015-integration/) that part of these configuration settings is to set up your password and username in the SETTINGS / ZD Personal Settings area of your Microsoft CRM system.

Below is an extract from the vendor’s configuration portal.

Step 2: Setting up new security roles

The Zendesk integration introduces two new security roles to Microsoft Dynamics CRM that must be assigned before you can proceed to the next step:

  • Zendesk – Read configuration settings – grants the user access to Zendesk ticket details in read-only mode. To gain access to create/edit Zendesk tickets functionality directly from Microsoft Dynamics CRM, these users must have a valid Zendesk license and enter their own personal Zendesk credentials on the ZD Personal Settings page.
  • Zendesk administrator – grants access to the global Zendesk Settings page and the Zendesk Entity mappings. Has full access to create/edit Zendesk tickets directly from Microsoft Dynamics CRM.

By default, all users can view Zendesk ticket information in Microsoft Dynamics CRM if the panels are enabled.

To enable the roles, do the following:

  1. In Microsoft Dynamics CRM, select Settings > System > Administration > Users.
  2. In the Users page, click New if you need to add new users. 
    If you are editing a list of existing users, select the user you want to modify and click on the Manage Roles button.
  3. In the Add Users dialog box, select the role for the group you want to configure. 
    The two new roles created by the Zendesk integration are at the bottom. Click Next to select and assign the users to a particular role and to send email invitations.  Make sure you give yourself the Zendesk administrator role for now so you can complete the setup.

Users are now configured to use the Zendesk for Microsoft Dynamics CRM integration! If you have pre-existing users, you can simply add the appropriate roles to each of your users.

Note: Users with the Zendesk – Read configuration settings permission can individually add their own credentials by navigating to Settings->ZD Personal Settings in Microsoft Dynamics and clicking the New button to add credentials. Enter the Zendesk User ID and Password, then save the record and it will be applied when they access Zendesk tickets. The password will be encrypted so others cannot see the value.

Microsoft.Crm.CrmException: Database having version 7.0.1.129 is not supported for upgraded.

When upgrading from CRM 2013 to CRM 2015 you get an error: Microsoft.Crm.CrmException: Database having version 7.0.1.129 is not supported for upgraded.

Cause:

This is usually because a database with the same ID already exists. You will need to delete that Organisation in CRM Deployment Manager before upgrading the new organisation with the same name.

Microsoft CRM IFD Event 364 and 111 in ADFS

Microsoft CRM IFD Event ID 364 and 111

We got the ADFS login screen as expected, but on trying to login we received an error:

  • Activity ID: 00000000-0000-0000-0400-0080020000f4
  • Relying party: CRM IFD Relying Party

Associated with two errors in the ADFS Event Log.

Event ID: 111

Additional Data 
Exception details: 
System.ArgumentException: ID4216: The ClaimType ‘* Name’ must be of format ‘namespace’/’name’.
Parameter name: claimType
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)

 Event ID: 364

Encountered error during federation passive request.

Additional Data

Protocol Name: 
wsfed

Relying Party: 
https://crm2016.iwebscrm16.com:444/

Exception details: 
Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. —> System.ArgumentException: ID4216: The ClaimType ‘* Name’ must be of format ‘namespace’/’name’.
Parameter name: claimType
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, SecurityToken deviceSecurityToken, String desiredTokenType, WrappedHttpListenerContext httpContext, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, MSISSession& session)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSerializedToken(MSISSignInRequestMessage wsFederationPassiveRequest, WrappedHttpListenerContext context, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
— End of inner exception stack trace —
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.ArgumentException: ID4216: The ClaimType ‘* Name’ must be of format ‘namespace’/’name’.
Parameter name: claimType
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, SecurityToken deviceSecurityToken, String desiredTokenType, WrappedHttpListenerContext httpContext, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, MSISSession& session)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSerializedToken(MSISSignInRequestMessage wsFederationPassiveRequest, WrappedHttpListenerContext context, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)

The Fix:

This was caused because the Transform of Windows Account Name to Name was initially set as * Name rather than just Name. So we updated it (and the instructions above, to allow people to not experience this problem).

Update the Relying Party Trusts / Edit Claim Rules / Transform Windows Account Name to Name – change the name value from * Name to Name.

Restart the ADFS service and IIS, and you should resolve these errors.
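A check for this misconfiguration, as an added example that is not part of the original post: it scans relying party issuance transform rules for issued claim types that lack the 'namespace'/'name' form that ID4216 complains about. The function name Find-MalformedClaimType and the sample rule text are constructed for illustration; scanning live trusts assumes the AD FS PowerShell cmdlets are available (Windows Server 2012 R2 or later).

```powershell
# Added example, not from the original post. Find-MalformedClaimType is a hypothetical helper.
function Find-MalformedClaimType {
    param(
        [string]$TrustName,
        [string]$RuleText   # claim rule language, e.g. the IssuanceTransformRules property
    )
    # Capture the Type = "..." argument of every issue(...) statement.
    $pattern = '(?is)\bissue\s*\(\s*Type\s*=\s*"([^"]*)"'
    foreach ($m in [regex]::Matches($RuleText, $pattern)) {
        $type = $m.Groups[1].Value
        # ID4216 requires 'namespace'/'name'; a display name such as "* Name" has no '/'.
        if ($type -notmatch '/') {
            [pscustomobject]@{ RelyingParty = $TrustName; BadClaimType = $type }
        }
    }
}

# Constructed sample: one pass-through rule and the broken transform described above.
$sampleRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "* Name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Reports BadClaimType "* Name" for the constructed sample.
Find-MalformedClaimType -TrustName 'constructed sample' -RuleText $sampleRules

# On an AD FS server, run the same check over every configured relying party trust.
if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    Get-AdfsRelyingPartyTrust | ForEach-Object {
        Find-MalformedClaimType -TrustName $_.Name -RuleText $_.IssuanceTransformRules
    }
}
```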

Update ADFS SSL Certificates Microsoft CRM 2013 2015 and 2016 IFD

How to Update SSL Certificates for AD FS 3.0 in CRM IFD

Introduction

Microsoft Dynamics CRM can be configured to use SSL (Secure Sockets Layer). For this to work, an SSL certificate is required.

Certificates can be purchased from certificate providers and will expire after a certain period of time. Once this time has elapsed, Microsoft Dynamics CRM will no longer work until the certificate is updated.

This article describes the process to update the certificate for Microsoft Dynamics CRM.

Installing the new certificate

You will need to import your certificate into the local certificate store on each CRM server that uses web services, and the AD FS server if claims-based authentication is enabled.


Instructions on how to import a certificate can be obtained from your certificate provider.

Note: Problems may occur if you do not remove the old certificate.

Add permission to the certificate

It is necessary to grant specific permissions to the certificate to allow service accounts access.


The following steps show how to add permissions to the certificate.

  1. Open the Certificate Console on the server.
  2. Check out the Microsoft Wiki for help
  3. Navigate to (Local Computer) > Personal > Certificates
  4. Right click the new certificate. Go to All Tasks > Manage Private Keys
  5. Add following permissions
    • AD FS Server: CRMAppPool Account = “Read”
    • AD FS Server: ADFSAppPool Account = “Full”
    • CRM Server: CRMAppPool Account = “Read”
    • In our case we were using the NETWORK SERVICE account and need to add the Read permissions

Update IIS (Internet Information Services) to use the new certificate

On the Microsoft Dynamics CRM website, the certificate bindings will need to be updated.


The following steps show how to bind the new certificate using IIS 8.

  1. Log on to the Microsoft Dynamics CRM Server.
  2. Open IIS.
  3. Locate the Microsoft Dynamics CRM website.
  4. Right click the website and click Edit Bindings.
  5. Select HTTPS and click Edit….
  6. Select the new certificate and click OK to save the settings.
  7. Close all open windows.

Reconfigure Claims-Based Authentication

The Microsoft Dynamics CRM application will need to be updated to use the new certificate.


The following steps show how to reconfigure claims-based authentication.

  1. Open Deployment Manager
  2. Click Configure Claims-Based Authentication to open the wizard
  3. Click Next on the Welcome page
  4. Click Next on the Token Service page
  5. Select the new certificate on the Select Certificate page
  6. Click Next to complete the configuration

Update AD FS (Active Directory Federation Services)

In AD FS, the Service Communication certificate will need to be updated.


The following steps show how to update the Service Communication certificate in AD FS 2.0.

  1. Open AD FS 2.0
  2. Navigate to AD FS 2.0 > Service > Certificates
  3. Click Set Service Communications Certificate
  4. Select the certificate and click OK

Update Relying Party Trusts

In AD FS Management, check that the Relying Party Trusts are not showing an ! next to the listed Claims Relying Party Trust and the IFD Relying Party.

If they are, or even just to be safe, click on each separately and then “Update from Federation Metadata”.

Once these have both been updated you can move on to the last task.

Final Tasks

To finish the process, all affected services will need to be restarted.


The following steps should be completed once the certificate has been updated.  It may also be necessary to follow these steps if problems occur during any of the previous tasks.

  • Perform an IISRESET on each server
  • Restart the AD FS service on AD FS server
  • Update Relying Party metadata
    1. Open AD FS 2.0
    2. Navigate to AD FS 2.0 > Trust Relationships > Relying Party Trusts
    3. Right click each relying party and select Update from Federation Metadata
    4. Click Update
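A verification pass for the procedure above, as an added example that is not part of the original article: it lists the certificates that the IIS HTTPS bindings and the AD FS Service Communications setting actually point at, checks that each one is present in the local machine store with a private key, and shows expired certificates still left in the store. It assumes the WebAdministration and ADFS modules where those roles are installed; the function name Get-CertStatus is hypothetical.

```powershell
# Added example, not from the original article. Run elevated on each CRM and AD FS server.
function Get-CertStatus {
    param([string]$Role, [string]$Thumbprint)
    # Look the thumbprint up in (Local Computer) > Personal > Certificates.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    [pscustomobject]@{
        Role          = $Role
        Thumbprint    = $Thumbprint
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        Expires       = if ($cert) { $cert.NotAfter }
        DaysLeft      = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays }
    }
}

$inUse = @(
    # IIS: certificates behind the HTTPS bindings (CRM server).
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\SslBindings | ForEach-Object {
            Get-CertStatus -Role "IIS binding, port $($_.Port)" -Thumbprint $_.Thumbprint
        }
    }
    # AD FS: the Service Communications certificate (AD FS server).
    if (Get-Module -ListAvailable -Name ADFS) {
        Import-Module ADFS
        Get-AdfsCertificate -CertificateType Service-Communications | ForEach-Object {
            Get-CertStatus -Role 'AD FS Service Communications' -Thumbprint $_.Thumbprint
        }
    }
)
$inUse | Format-Table -AutoSize

# A binding that points at a missing, keyless or expired certificate was not updated correctly.
$inUse | Where-Object { -not $_.InStore -or -not $_.HasPrivateKey -or $_.DaysLeft -lt 0 } |
    ForEach-Object { Write-Warning "$($_.Role) uses a missing or unusable certificate: $($_.Thumbprint)" }

# Old certificates left behind in the store (the article notes these can cause problems).
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date) } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```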

Microsoft CRM 2013 or 2015 Event ID 1309 ADFS IFD Resolution

When attempting to login to an IFD deployment of CRM 2013 or 2015 you receive an event Error: 1309 looking like this:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 7/01/2016 12:08:14 AM
Event time (UTC): 6/01/2016 1:08:14 PM
Event ID: 0daeff15a8f24e939623db80c40522d5
Event sequence: 3
Event occurrence: 2
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/2/ROOT-1-130965592186041416
Trust level: Full
Application Virtual Path: /
Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
Machine name: VSERVER07

Process information:
Process ID: 2300
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: SecurityTokenException
Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Request information:
Request URL: https://auth.iwebscrm.com:444/default.aspx
Request path: /default.aspx
User host address: 58.175.75.97
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 29
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: True
Stack trace: at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

UPDATE

On later versions of CRM, like CRM 2016 SP1 using ADFS 3, this error appeared differently. We blogged this here: http://www.interactivewebs.com/blog/index.php/crm/microsoft-crm-ifd-the-ssl-certificate-does-not-contain-all-upn-suffix-values-that-exist-in-the-enterprise-cannot-login/

The cause

This is likely happening after updating the ADFS Token Signing Certificates in an IFD deployment of Microsoft CRM Server. In our case we had recently updated the ADFS signing certificate using the PowerShell command:

Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent
Set-ADFSProperties -AutoCertificateRollover $false

After doing that we found that the IFD deployment would not allow login to the CRM server for external users, with the above error being logged.

The Fix

Microsoft Dynamics CRM error: The issuer of the security token was not recognized by the IssuerNameRegistry – Solved

“The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.”

If your Microsoft Dynamics CRM users are seeing the above errors when attempting to log-in, you may have an ADFS Certificate issue. ADFS generates new certificates about a month prior to certificate expiration, however, Dynamics CRM does not recognize them until you take a few steps to resolve the issue.

To locate your ADFS Certificates, navigate to the ADFS Console. Under “Service”, click on “Certificates”, where you will find a Primary and Secondary certificate. If the current date is close to the date of your Primary certificate “Effective Date”, it’s safe to assume that this is the underlying issue.

To resolve this issue:

1. Navigate to the ADFS Console >> Trust Relationships >> Relying Party Trusts.
2. Right click on the trust and select “Update from Federation Metadata…”
   a. If there are two trusts, do them both. This may be a case where you have one for Internal and External.
3. Open Command Prompt. Be sure to right-click and “Run as Administrator”.
   a. From within CMD, type “iisreset”.
4. Open “Services” and restart the “ADFS” service.
   a. If ADFS does not start, be sure to check the “Windows Internal Database” service and make sure it is started, and then try restarting the ADFS service.

If these initial steps do not resolve your issue for any reason, continue with the following steps below:

5. Navigate to “CRM Deployment Manager”.
   a. Run “Configure Claims-Based Authentication” wizard, upper right hand corner.
   b. Click “Next” all the way through the wizard, nothing needs to be changed here.
6. Run “Configure Internet Facing Deployment” wizard.
   a. Click “Next” all the way through the wizard, nothing needs to be changed here either.
7. Now, perform Steps 1-4 again as outlined above.
   a. Update Federation Metadata
   b. IISReset
   c. Restart ADFS Service

Your users should be able to log-in to Dynamics CRM again. I hope you find this helpful and that it resolved your issue.
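The certificate check and steps 1 to 4 above, scripted as an added example (not part of the original post; the same procedure also appears in the UPN suffix post earlier on this page). It assumes the AD FS PowerShell module on Windows Server 2012 R2 or later, run elevated on the AD FS server; `$Apply` is a hypothetical switch that keeps the script read-only until it is set, and the 30-day window is an assumed threshold.

```powershell
# Added example, not from the original post. Run elevated on the AD FS server.
Import-Module ADFS -ErrorAction Stop
$Apply = $false   # hypothetical switch: set to $true to perform steps 1-4

# Report: is automatic rollover enabled, and which certificates are primary?
"AutoCertificateRollover: $((Get-AdfsProperties).AutoCertificateRollover)"
$now   = Get-Date
$certs = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type | ForEach-Object {
        [pscustomobject]@{
            Type       = $type
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            Effective  = $_.Certificate.NotBefore
            Expires    = $_.Certificate.NotAfter
        }
    }
}
$certs | Format-Table -AutoSize

# A primary certificate that became effective recently points at a rollover
# that CRM may not have picked up yet (30 days is an assumed window).
$recent = $certs | Where-Object { $_.IsPrimary -and $_.Effective -gt $now.AddDays(-30) }
if ($recent) {
    "Recent rollover detected for: $(($recent.Type | Sort-Object -Unique) -join ', ')"
}

if ($Apply) {
    # Steps 1-2: update every relying party trust that has a federation metadata URL.
    Get-AdfsRelyingPartyTrust | Where-Object { $_.MetadataUrl } | ForEach-Object {
        "Updating '$($_.Name)' from federation metadata"
        Update-AdfsRelyingPartyTrust -TargetName $_.Name
    }

    # Step 3: restart IIS. If IIS is not on this machine, do it on the CRM server instead.
    if (Get-Command iisreset.exe -ErrorAction SilentlyContinue) {
        iisreset
    } else {
        'IIS is not installed here; run iisreset on the CRM server.'
    }

    # Step 4: make sure Windows Internal Database is running, then restart AD FS.
    Get-Service -DisplayName 'Windows Internal Database' -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } | Start-Service
    Restart-Service -Name adfssrv
}
```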

Zendesk to CRM 2015 and Microsoft Dynamics 365 Integration

Installing the Zendesk to CRM 2015 or Dynamics 365 integration

These instructions have been updated from the Zendesk instructions provided here: https://support.zendesk.com/hc/en-us/articles/203660156-Zendesk-for-Microsoft-Dynamics-CRM-Part-1-Installing-the-Zendesk-for-Microsoft-Dynamics-CRM-as-a-module-in-Microsoft-Dynamics-CRM

They use a combination of the processes that Zendesk originally created for CRM 2011 and that worked on pre-SP1 versions of CRM 2013. The packages referenced have been updated by InteractiveWebs to work with CRM 2013 post-SP1 and CRM 2015 (technically all versions, but we recommend post SP 0.1).

 

Installation of the CRM Solution

Install the CRM Managed Solution as you would any other CRM solution.

Download the managed solution for CRM 2015: https://www.dropbox.com/s/0rhlgnxcwz9s4yh/ZendeskDynamicsCRMConnector_2_0_0_2_managed.zip?dl=0

In CRM, navigate to SETTINGS / SOLUTIONS.

Click on Import.

Choose File.

Select the Managed CRM package and click Next.

Click Next.

Leave the Enable any SDK ticked, and click on Import.

Allow the import to take place.

Click on Close.

On completion, click “Publish All Customisations”.

 

Update Security Roles

In the CRM menu, select Settings / Security.

Select the User that you wish to use to bring in Zendesk Integration Items. We are using in this example the Administrator account, but it could be anyone's account.

Then with the account loaded, select the additional item dropdown menu to the far right of the top level menu, selecting Manage Roles.

Select Zendesk Administrator.

There is also a Zendesk Read configuration setting. The Zendesk support site has details on how this can be used.

Double click on that name to load the account.

Configure Entity Mapping

In your browser, click on Refresh to reload the CRM page, and in turn the top level menu that has been updated after import for the Zendesk Solution.

In the CRM system, select Settings / Zen Entity Mappings


 

Click + New


 

The most typical setups are things like, on a “Contact” entity, matching the Zendesk ticket requester with the email address on the “Contact” record. But what if you wanted to match on the “Full Name” field instead in both systems? Now you can by utilizing entity mappings.

 

  • Select the following items:
    • Entity Name – This is the Microsoft Dynamics entity that you want the mapping applied to.
    • Zendesk Object – This is where you can select which object from Zendesk you’d like to pick your field from.
    • Zendesk Field – This will populate with values depending on your selection from Zendesk Object.
    • Entity Field – This is a list of fields associated to the selected Entity Name. Pick which field you want to match to the Zendesk Field.
  • Click “Save” to store the mapping.
  • Click the ZD Entity Mapping tile to return to the page.
  • Repeat steps 1-5 if you wish to add more mappings for additional Entities.

 

Here’s a list of the most common types of mappings:

 

  • Account/Organization Entity
    • Entity Name: “Account” or “Organization”
    • Zendesk Object: Organization
    • Zendesk Field: Name
    • Entity Field: Account Name
  • Contact/Lead Entity
    • Entity Name: “Contact” or “Lead”
    • Zendesk Object: User
    • Zendesk Field: EmailAddress
    • Entity Field: EmailAddress 1


 

Configure Zendesk Settings Page

In CRM Navigate to Settings / ZD Settings (Note that this one is not the ZD Personal Settings Menu Item).

NOTE – This works best in Chrome – We found troubles with IE and Safari (not our work)!

 

Screenshot 2015 06 20 00 11 05

You now need to set up your Zendesk credentials so that the system can authenticate to the appropriate Zendesk instance.

To do so, navigate to Settings, then locate the Zendesk Settings->Settings title and click the title.

You will be presented with 4 sections:

  • Ticket view defaults  – global default settings for ticket views in the Zendesk ticket panel. 
    This sets the defaults at the account level, but can be overwritten by individual preferences by each user.
  • Filtering – sets the default values for filters in the Zendesk ticket panel.
  • Sorting – sets the default sort order for tickets in the Zendesk ticket panel.
  • Authentication – enter your Zendesk subdomain (make sure you specify HTTP vs. HTTPS if you have SSL enabled) and login credentials (you need administrator credentials). 
    This gives your Microsoft Dynamics CRM users read-only access to available tickets. To create or edit tickets from Microsoft Dynamics CRM, your Dynamics users must have a Zendesk license, and they will need to enter their own credentials (explained later in this article).  
  • Mapped record types – enables you to modify the data elements that display in a Zendesk user profile when a ticket is loaded. 
    You can choose from Lead, Contact, and Account. All fields are available, including custom fields.
  • Ticket-to-case mapping – identifies data items that should be mapped from standard Zendesk ticket fields into Microsoft Dynamics CRM cases. 
    The three Zendesk fields that are supported are Status, Priority, and Type.

 

Add Zendesk Ticket Grid

Now you are ready to add the Zendesk ticketing panel to any of the entity pages that you’ve configured mappings for. You need to repeat the steps below for each entity type you want the ticketing grid displayed on.

  1. In Microsoft Dynamics, navigate to the first entity where you want to add the ticketing grid. 
    For this example, we’ll refer to a Contact record.
  2. Select any contact in your list and navigate to the Form Editor.
    • In Dynamics 2015, highlight the More (…) tab (1) and select the option for Form (2) to start the form editor.
    • In Dynamics 2011, navigate to the Customize (1) tab and click on Form (2).
  3. In the Form Editor, click the Insert tab (1), then click the Web Resource button (2).
  4. In the Add Web Resource page, click the magnifying glass next to Web resource to find the Zendesk ticket grid (zd_/Pages/TicketGrid/TicketGrid.html).
  5. In the next page, select the check box next to zd_/Pages/TicketGrid/TicketGrid.html, then click OK.
  6. Back in the Add Web Resource dialog box you should see zd_/Pages/TicketGrid/TicketGrid.html in the Web resource field. Enter a Name and Label you can easily recognize (consider naming it Zendesk Ticket Panel). Check the box for Pass record object-type code and unique identifier as parameters. 
    Click OK.
  7. You now have a Zendesk ticket panel in the form layout that you can drag anywhere you’d like on the page. You can even create a special subsection for it if you’d like.
  8. After you place the panel, navigate to the Home tab, click Save, then click Publish.
  9. Refresh the contact page you had open and you should see the new Zendesk ticket panel where you placed it!
  10. Repeat these steps for any other entities you have created mappings for.

 

Configuring InteractiveWebs Zendesk to CRM 2015 or Dynamics 365 Web Service

Next you need to enable your CRM instance to use the InteractiveWebs Web Service that will connect Zendesk to your CRM instance either in the cloud, IFD or on premises.

If you have an IFD instance or a Microsoft Hosted Cloud instance of CRM

then go here: http://www.interactivewebs.com/Admin/Zendesk/tabid/3566/Default.aspx

If you have never registered with InteractiveWebs then click on “Subscribe Now”

 Screenshot 2015 06 20 19 08 05

Fill in the form with the following details.

Username: Select a user name to use with our website.

Password: Select a password to use on our website

Email: Be sure to use a valid email address. We will not share or spam you, but for services we need this to be accurate.

First Name: Your First Name

Last Name: Your Last Name

CRM Address: This is the address of your CRM server. For example, if the address is https://contoso.hostedcrm.com:444/ you type “contoso.hostedcrm.com” (without the “ ”).

CRM Organization: Your administrator can help with this, but in the example above it is “contoso” and is usually the word before the domain of your hosting environment.

You can contact us on the help link at the bottom of the page if you are not sure what you should type here.

Screenshot 2015 06 20 19 15 01

 

If you have an on premises CRM solution

you will need a custom version of the web service to host on your own servers. Contact us at our website: http://www.interactivewebs.com/ContactUs/tabid/55/Default.aspx

and advise that you are after a custom web service for Zendesk to CRM 2015 integration. Advise us of:

1. The URL you use to access your CRM internally.

2. The Organisation name you use in CRM.

We can then provide you with a custom web service for $200 one off fee with no expiry date on the web service.

 

Zendesk Setup – Display of CRM Data

It is possible to display the user data from Microsoft CRM in the Zendesk tickets. To do this:

1. In Zendesk select Admin

2. Select Apps / Market Place and search the words – “Microsoft Dynamics”

3. Install the App – Microsoft Dynamics

Screenshot 2015 09 15 04 27 23

Under Manage – you should see the app installed:

Screenshot 2015 09 15 04 28 09

Installing this will allow you to select the “User Data Lookup” Feature that is explained in the next section below.

Screenshot 2015 09 15 04 29 03 – Found in the Extensions / CRM in Zendesk.

 

Setup Zendesk Settings

Now you will need to set up the Zendesk side of the integration.

To do this, log in to your Zendesk interface and go to Admin / Extensions

Screenshot 2015 06 21 09 12 10

In Extensions you select CRM

Select Microsoft Dynamics CRM 2011 (For all versions of CRM including Dynamics 365)

Screenshot 2015 09 15 04 30 17

Select your hosting type

Screenshot 2015 09 15 04 30 36

If you have IFD or Microsoft Cloud Hosted Solution, select Cloud or IFD respectively

FOR CRM versions before Dynamics 365 (up to CRM 2016 pre SP1)

For the Web Service (having subscribed to the service) put in:

https://zendesk.interactivewebs.com  (note that this will only work if you have subscribed)

Screenshot 2015 09 15 04 31 03

For Dynamics 365 (or CRM versions after CRM 2016 SP1)

Because the SDK was updated for Dynamics 365 we have created a web service URL unique for later versions of Dynamics 365. Use the URL: https://zendesk365.interactivewebs.com (note that this will only work if you have subscribed)

 

If you have an on-premise installation then select that and put in the URL of your web service that was supplied to you after contacting InteractiveWebs for a custom solution.

All the other data for that page is per the instructions and help provided by Zendesk in their help pages found here: 

https://support.zendesk.com/hc/en-us/articles/203660186-Zendesk-for-Microsoft-Dynamics-CRM-Part-3-Setting-up-the-Zendesk-App-and-Ticket-to-Case

 

 

Support

If you have problems or questions, please feel free to contact us at: http://www.interactivewebs.com – We have a range of other integration products, including website to CRM integrations for forms, billing, kb, support and more.

 

 

Microsoft CRM Solution Import Fields that are not valid were specified for the entity

While importing a solution to CRM 2011, CRM 2013, or CRM 2015 you receive an error 

Fields that are not valid were specified for the entity

 

The Cause

The cause of this is likely that one of the attributes that you are importing (from a dev environment) already exists in the CRM instance, but with a different attribute type.

For Example:

  • In your Live Environment
    • Within Accounts, you create a new attribute called “Friendly Customer” and mark it TEXT
    • Publish and all is well and good.
  • In your Dev Environment
    • Within Accounts, you create a new attribute called “Friendly Customer” and make it a PICK LIST

In other words, the same name for the attribute, but a different kind of field.

Then try to export from DEV and import to LIVE. You get the error.

 

The solution

You have to remove the conflicting fields from the destination (live in the example above) CRM system.

Microsoft gives you some help here, in the form of an XML dump file. What you need to do is open that file in something like DreamWeaver that has the ability to apply “Source Formatting”. This makes the file pretty to read. 

From

Ugly XML Dump file from CRM.png

To

CRM xml dump file in DreamWeaver.png

Then do a search for the text “errortext” and start clicking next / next till you get to some text with an attribute and an error message. 

In our case:

Screenshot 2015 04 29 21 52 24

<Cell ss:StyleID="s137" name="ErrorText">
<Data ss:Type="String">Attribute new_leasecustomer is a Picklist, but a Boolean type was specified.</Data>
</Cell>

This gives the name of the attribute at fault.


And the error on the import will tell you the Entity that it failed the import on. Again in this case it was the ACCOUNT entity.

So we just removed that attribute from any forms and views, then deleted the attribute (be sure that your live data is not relying on data entered here by users, as you will lose it). Publish the entity. Then test the import again.
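Rather than clicking through the formatted dump, the ErrorText cells can be pulled out with a script. This is an added example, not part of the original post: the sample log is constructed around the cell shown above, and the function name, the ItemName cell and the output property names are assumptions.

```powershell
# Constructed sample of a solution-import log. Only the ErrorText cell and its
# message wording come from the page; the rest is made up for illustration.
$sampleLog = @'
<?xml version="1.0"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
          xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">
  <Worksheet ss:Name="Components">
    <Table>
      <Row>
        <Cell ss:StyleID="s137" name="ItemName"><Data ss:Type="String">account</Data></Cell>
        <Cell ss:StyleID="s137" name="ErrorText"><Data ss:Type="String"></Data></Cell>
      </Row>
      <Row>
        <Cell ss:StyleID="s137" name="ItemName"><Data ss:Type="String">account</Data></Cell>
        <Cell ss:StyleID="s137" name="ErrorText">
          <Data ss:Type="String">Attribute new_leasecustomer is a Picklist, but a Boolean type was specified.</Data>
        </Cell>
      </Row>
    </Table>
  </Worksheet>
</Workbook>
'@

function Get-CrmImportError {
    # Hypothetical helper: returns one object per non-empty ErrorText cell.
    param(
        [Parameter(Mandatory)] [string] $LogXml
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null      # never fetch external DTDs or entities named by the file
    $doc.LoadXml($LogXml)

    # local-name() keeps the query independent of the workbook's namespace prefixes.
    $xpath = "//*[local-name()='Cell'][@name='ErrorText']/*[local-name()='Data']"

    # Message shape taken from the page's example; other messages are still
    # returned, just without the parsed fields.
    $pattern = '^Attribute (?<attr>\S+) is an? (?<is>\w+), but an? (?<spec>\w+) type was specified\.$'

    foreach ($node in $doc.SelectNodes($xpath)) {
        $text = $node.InnerText.Trim()
        if (-not $text) { continue }          # most rows have an empty ErrorText

        $m = [regex]::Match($text, $pattern)
        [pscustomobject]@{
            Attribute     = if ($m.Success) { $m.Groups['attr'].Value } else { $null }
            IsType        = if ($m.Success) { $m.Groups['is'].Value }   else { $null }
            SpecifiedType = if ($m.Success) { $m.Groups['spec'].Value } else { $null }
            Message       = $text
        }
    }
}

# Run against the constructed sample.
Get-CrmImportError -LogXml $sampleLog | Format-List

# Against a real downloaded log (path is a placeholder):
# Get-CrmImportError -LogXml (Get-Content -Raw -Path 'C:\path\to\import-log.xml')
```

On the sample this returns a single object with Attribute new_leasecustomer, IsType Picklist and SpecifiedType Boolean.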

CRM 2015 2013 find Dependencies for Managed Solution

How to Delete a Managed Solution in CRM 2013 or CRM 2015

Sometimes when you try to delete a managed Solution, there is an error message about the dependencies of the solution being in use.

CRM Cannot Delete Component

When you download the log file, you see some typical Microsoft Crap that really does nothing to help you.

Screenshot 2015 04 12 16 02 08

The only thing it does is to tell you that you can’t delete the component because it is being used in this case by two other components.

Now the hard part is finding the components that are using it.

 

Finding the Referenced Dependencies CRM 2015 Components

1. Work out the Solution Name. Navigate to CRM / Settings / Solutions – and read the exact Name of the Solution to be deleted. In this case it was “ZendeskCRM2011Connector”.

Deleting CRM Managed Solution

 

2. Login to your CRM Server and open the SQL database that matches the Organisation name being used in CRM.

3. Execute an SQL query against that database that reads.

select SolutionId
from Solution
where UniqueName = 'Name of your Solution'

(Replacing “Name of your Solution” with the exact name of your solution.) So in our case:

select SolutionId
from Solution
where UniqueName = 'ZendeskCRM2011Connector'

And it executes to give:

CRM Find GUID for Managed Soltuon

This gives you the GUID of the managed solution in the results area. In our example it is the: 3AC85885-F78B-47A3-BAB5-F8DE569B4EDD number at the bottom.

4. Now navigate to the following URL: 

https://YOUR CRM URL/tools/dependency/dependencyviewdialog.aspx?objectid=GUID&objecttype=7100&operationtype=dependenciesforuninstall

 

Replace “YOUR CRM URL” with the URL to your own CRM system, and replace GUID with the GUID retrieved from step 3 above. Thus the URL may look like this:

https://crm.iwebscrm15.com:444/tools/dependency/dependencyviewdialog.aspx?objectid=3AC85885-F78B-47A3-BAB5-F8DE569B4EDD&objecttype=7100&operationtype=dependenciesforuninstall

 

It will show a page that looks like this: 

Show Solution Dependencies CRM 2015

 

Which you can use to help you work out what to edit to remove the dependencies and delete the solution.

Thanks Microsoft for making something so easy so hard!

 

 

CRM 2015 Extend Auto Logout Time in IFD

CRM 2015 and CRM 2016 IFD will automatically log out the user with a message:

Your session in Microsoft Dynamics CRM is about to expire. To continue working, you must sign in again.

CRM 2015 Auto Logout

By Default this setting is 60 minutes, and the message will pop up around 20 minutes before logout.

Any unsaved changes will be lost as your session ends.

 

The Fix

To extend the automatic logout time in CRM 2015, we must extend the time set in ADFS 3.0 using the PowerShell command. First we need to know the name that was used to set up the Relying Party Trust in ADFS.

1. Open Server Manager and from the Tools menu select ADFS Management

ADFS Management

2. In AD FS Management, open Relying Party Trusts and find the Display name for the CRM IFD Relying Party Trust

Screenshot 2015 04 03 17 30 58

In this case, we have called the Relying Party Trust “CRM IFD Relying Party”, as we keep things simple when we create things, using the exact name for the title of the trust as we created it. But really it could be anything. One distinguishing feature is that the URL identifier will point to the URL that displays in the browser window when you are in the process of logging in to your IFD CRM.

3. Start PowerShell

Screenshot 2015 04 03 17 35 57

4.  Check you have the correct name of the Relying Party Trust by typing the following command.

Get-ADFSRelyingPartyTrust -Name "relying_party"

Where you replace the “relying_party” with the name you identified in Step 2 above. In our case the command will be: 

Get-ADFSRelyingPartyTrust -Name "CRM IFD Relying Party"

 

The result should look something like this if you get it correct.

Screenshot 2015 04 03 17 40 02

5. Now type the command to set the time you want for Auto Logout.

Set-ADFSRelyingPartyTrust -Targetname "CRM IFD Relying Party" -TokenLifetime 720

(Again replacing the “CRM IFD Relying Party” with the name used on your system.)

Note: The 720 is time in minutes. 12 hours in this case. You can change the value up and down as you like.

Screenshot 2015 04 03 17 43 47

6. Close out the PowerShell and you are done.
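Steps 4 and 5 can be wrapped so that the old value is recorded and the new one is read back from AD FS. This is an added example, not from the original post: the function name and the 1 to 1440 minute guard are assumptions, and a longer lifetime also means an issued token stays usable for that long, so pick the shortest value that stops the interruptions.

```powershell
function Set-CrmIfdTokenLifetime {
    # Hypothetical wrapper around the two cmdlets used in steps 4 and 5.
    param(
        [Parameter(Mandatory)] [string] $TrustName,

        # Guard against typing hours instead of minutes, or an extra zero.
        # The 24-hour ceiling is this example's choice, not an AD FS limit.
        [Parameter(Mandatory)] [ValidateRange(1, 1440)] [int] $Minutes
    )

    # Step 4: confirm the trust exists before changing anything.
    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $trust) {
        throw "No relying party trust named '$TrustName' was found."
    }
    $before = $trust.TokenLifetime   # 0 means the AD FS default applies

    # Step 5: apply the new lifetime (in minutes).
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -TokenLifetime $Minutes

    # Read the value back instead of assuming the change took effect.
    $after = (Get-AdfsRelyingPartyTrust -Name $TrustName).TokenLifetime
    if ($after -ne $Minutes) {
        throw "TokenLifetime is $after after the change, expected $Minutes."
    }

    [pscustomobject]@{
        Trust         = $TrustName
        Identifier    = $trust.Identifier -join ', '
        BeforeMinutes = $before
        AfterMinutes  = $after
    }
}

# The page's values: 720 minutes (12 hours) on the trust named in step 2.
Set-CrmIfdTokenLifetime -TrustName 'CRM IFD Relying Party' -Minutes 720
```

Keep the returned BeforeMinutes value with your change notes so the setting can be put back later.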

CRM 2015 IFD Adding a New Organization Additional Steps

Error when attempting to login to a New Organisation in CRM 2015 IFD

When attempting to login to a newly configured Organisation you may receive an error looking like this.

Screenshot 2015 03 28 18 43 05 

             An error occurred
An error occurred. Contact your administrator for more information.

 

  • Activity ID: 00000000-0000-0000-1400-0080010000ff
  • Error time: Sat, 28 Mar 2015 07:37:45 GMT

 

The Cause

Because IFD (Internet Facing Deployment) uses AD FS authentication, after you use the CRM Deployment Manager to set up a new Organisation an additional step is required to register it with the AD FS setup.

Basically it is saying that you have set up the org, but not configured the authentication login settings in AD FS.

 

The Fix

1. Open AD FS Management

Screenshot 2015 03 28 18 46 58 

2. Click on AD FS / Trust Relationships / Relying Party Trusts and locate your CRM IFD Relying Party Trust associated with the IFD Authentication.

Screenshot 2015 03 28 18 49 52 

3. Highlight it, and select Update Federation Metadata

 Screenshot 2015 03 28 18 50 30

4. Update

Screenshot 2015 03 28 19 04 29 

And you are done!

You should now be able to login to the CRM server without getting the error message, and with no need to reset IIS or any other services.

 

 

 

CRM 2015 Reporting Extension Setup Error The SQL Server Reporting Services account is a local user and is not supported

Error Message installing CRM 2015 Reporting Extensions

When installing Microsoft Dynamics CRM Reporting Extension Setup you receive an error message: The SQL Server Reporting Services account is a local user and is not supported. This is during the System Checks.

SQL 2014 CRM 2015 Reporting Extension Setup Error.png

In our instance this was with MS CRM 2015 on SQL 2014 on the same server in a test environment.

The Solution

The fix is easy.

1. Open the SQL 2014 Reporting service configuration Manager

Screenshot 2015 03 28 17 56 17

2. Connect to your Server.

Screenshot 2015 03 28 17 57 04

3. Select the Service Account

Screenshot 2015 03 28 17 57 37

4. Select the Local System account and apply with the appropriate security levels.

Screenshot 2015 03 28 17 58 25

That’s about it. Run the setup process again and you should be good to go.

CRM 2015 Improve Outlook Client Performance Issue WCF Compression

CRM 2015 Outlook Performance

After installing the Microsoft CRM 2015  and client, you may notice that the connection over the internet is slow and not as desired. One likely reason for this is that WCF communication is not compressed, and the outlook client is using that to talk to the CRM server.

Assuming that your current environment is configured correctly with Windows 2012 R2 and IFD, then you can simply update the server to support WCF compression and improve performance for CRM 2015 and outlook.

Enable compression by manually updating the ApplicationHost.Config

1. On the CRM Server Navigate to: C:\Windows\System32\Inetsrv\Config\applicationHost.config and open it with notepad.

Screenshot 2015 03 20 23 03 14

Screenshot 2015 03 20 23 03 29

2. Search for the section “<dynamicTypes>”. In that section you should find an entry that looks like this:
<add mimeType="application/x-javascript" enabled="true" />

Screenshot 2015 03 20 23 04 15

3. Below that, add the following line:
<add mimeType="application/soap+xml; charset=utf-8" enabled="true" />

Screenshot 2015 03 20 23 04 40

4. Save the file and reset IIS for the setting to take effect.

Screenshot 2015 03 20 23 04 53

The e-mail address for one or more recipients is either blank or not a valid e-mail address

The message cannot be sent to all selected recipients. 

When running a workflow / process in Microsoft CRM, you receive a message that looks like this:

The e-mail address for one or more recipients is either blank or not a valid e-mail address


The Cause

This error message is a little misleading as it points to an email address problem. As the title of the error suggests, the problem could be from:

1. A blank email address.

2. An email address with an error, such as a “.” at the end of it: email@addresss.com.

3. The more likely one is that the contact or account record associated with the flow has a setting to E-mail Do Not Allow.

MS CRM e-mail do not allow

This setting will prevent any workflows in CRM from running and sending email messages.

The Solution

The fix is easy… just change the setting back to allow. Then save the associated record.

You then need to restart the stalled process or workflow.

Screenshot 2015 03 17 15 24 13

CRM Resume Workflow

How to Set up CRM 2015 IFD on Windows 2012 and ADFS 3.0

We already have a popular post for the configuration of IFD setup with CRM 2013 and CRM 2011. Now we are updating this post to support CRM 2015.

Microsoft have a compatibility listing for CRM 2015 here: http://support.microsoft.com/kb/3018360

The Development Setup

Once again we are running this configuration as a test environment for development. As such, we are running the server on a Hyper V server: a single VM that is running a fully patched version of:

  • Windows 2012 R2 SP2 64 Bit – (MSDN File: en_windows_server_2012_r2_x64_dvd_2707946)
  • SQL 2014 R2 64 Bit – SQL Server 2014 Standard Edition x64 – (MSDN File: en_sql_server_2014_standard_edition_x64_dvd_3932034) – Patched to SP2
  • Microsoft Dynamics CRM Server 2015 (x86 and x64) – DVD (English) – (MSDN File: en_microsoft_dynamics_crm_server_2015_x86_x64_dvd_5853339)

NOTE: The domain we have used for setup with this dev server is: iwebscrm15.com. You can substitute your own domain throughout these step by step CRM 2015 IFD instructions.

Installing CRM 2015

We pretty much followed a combination of these instructions:
http://blogs.msdn.com/b/niran_belliappa/archive/2013/11/05/step-by-step-installing-dynamics-crm-2013-on-windows-server-2012.aspx

During the install, we were asked to install the services required for CRM 2015.

CRM 2015 Install Process

We Selected all options on install:

Screenshot 2015 02 12 14 57 24

We selected the default account for authority. Note that the blog referenced above suggests a dedicated account for security. As we are setting up a dev environment we did not bother with this.

CRM 2015 Security Account

IMPORTANT

Create a new Website with port 5555

CRM 2015 IFD Website 5555

As we intend to set up the Email Router service on this server later, we set this server “VSERVER06” in this instance as the server for email router service:

CRM 2015 Email Router Server

We set “CRM2015” As the default initial test environment deployment.

CRM 2015 Default Deployment

Reporting Server defaulted to the server name/reportserver

CRM 2015 Report Server

We received a few warnings about the install:

CRM 2015 Install Warnings

For a deployment that is more secure, the Microsoft Dynamics CRM Sandbox Processing Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

For a deployment that is more secure, the Microsoft Dynamics CRM VSS Writer Service should be run under a least-privileged domain user account that is not shared by other Microsoft Dynamics CRM services on this computer.

Data encryption will be active after the install or upgrade. We strongly recommend that you copy the organization encryption key and store it in a safe place. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

The only one of real interest in our Dev environment would be the last item. Making a backup of data encryption keys is always a good idea.

Test First

Test that your CRM setup is working. Go to the local computer name (ours is vserver06) on the correct port: http://vserver06:5555

We called our Deployment of CRM – “CRM2015″ So the URL redirects to: http://vserver06:5555/CRM2015/main.aspx

Because we were logged in as the server administrator, we were able to load

CRM 2015 Initial Login 

Apply a Wildcard SSL Certificate

In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment “business1″ we will access that as: https://business1.domain.com

For testing, we purchased a standard Wildcard SSL certificate and applied that to the IIS Server.

In our case we registered a test domain: iwebscrm15.com and set the SSL wildcard to: *.iwebscrm15.com and applied that cert to the server.

Application for a certificate

Here, using a wildcard certificate as the example, is how to create a certificate:

1) Open IIS Manager

2) Click the server name, then in the main screen double click Server Certificates

3) In the right panel, click Create Certificate Request…

image

4) Fill in each field as shown in the following diagram, then click Next

image

5) On the Cryptographic Service Provider Properties page, change the Bit Length to 2048 and click Next.

Screenshot 2014 07 05 18 50 18

6) In the File Name page, enter C:\req.txt, and then click Finish. (You can save it any place you like, with any name)

7) Open the file in Notepad, and copy the contents.

Screenshot 2014 07 05 18 53 05

This is the text that is pasted into the Start SSL Certificate request page to generate the certificate:

Screenshot 2014 07 05 18 55 03

8) After you finish generating the certificate text in StartSSL.com you get a bunch of code that looks similar to the request code. Copy that generated code.

9) Paste the code back into a new Text / Notepad document on the web server, but call it something that ends in .cer (not .txt).

10) Back in IIS Manager, in the panel shown in the step 3) image, click Complete Certificate Request…

11) Select the file you created at point 9 above to complete the request.

12) Click OK.
Note: We did get an error message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
In this instance, it turned out to be a crappy Microsoft Error. After doing some research, we found that it was likely meaningless and the cert installed correctly. We rebooted the machine and logged in again, to find that the CERT was there installed as we wanted it to be.

Binding site for the default SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click Default Web Site.

3) In the Actions pane, click Bindings.

image

4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created (*.contoso.com), and then click OK.

Screenshot 2015 02 18 18 03 45

 Ours is *.iwebscrm15.com

CRM 2015 SSL

7) Click Close.

For the CRM 2015 binding site SSL certificate

This is in effect repeating the above process like you did for the default certificate, but using a different port (444 for example). This way you are binding the same certificate to the two websites in your IIS instance.

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click CRM Web Site.

3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created (*.contoso.com).

7) For Port, enter a port number other than 443 (e.g. 444), and then click OK

 SSL CERT CRM 2015

IFD CRM 2015 CERT.png

8) Click Close.

 

DNS configuration

We are going to add a few DNS “A” records so that the records listed in point 1-4 below in DNS Goal are resolving correctly to the IP address of your CRM server.

There are two ways you can achieve the desired result. But first let's understand the desired result.

  1. We make the assumption that your server is running at least one static IP address.
  2. Because this is Internet Facing, that IP needs to be accessible to the world.
  3. That same IP can be used for access to your server both internally on the machine we are playing with, and externally from anyone on the net.

Let's Get Basic

Start a Command Prompt, and work out what your IP address of the server is.

Click START > RUN > CMD

Type IPCONFIG – Enter

Under the name: IPv4 Address is a number that looks like: 66.34.204.220

image

That is Your IP Address of the Server.

The DNS Goal

Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.

(xxx is the sub domain that we are about to configure.)

To configure CRM, we need some sub domains to point to the server IP.

Adding records in DNS like this:

Screenshot 2014 07 05 19 28 02

  1. sts1.domain.com
  2. auth.domain.com
  3. dev.domain.com
  4. Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.
  5. crm2015.iwebscrm15.com (We usually set up a dev environment with CRM2015 being the year of the version. Just something we select to do).
  6. adfs.domain.com (used for reference to the ADFS server)
  7. one for the root domain so that domain.com points to the same server. (This is for the ADFS logout URL)

CRM 2015 IFD DNS SETTINGS

We have two setup here: CRM and CRM2015. So we need to configure crm.iwebscrm15.com and crm2015.iwebscrm15.com (Not necessary but our choice for this instance).

Test DNS

You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server. At the command prompt, type “ping sts1.iwebscrm15.com” for example with our config. Ping them all to be sure you get them correct. 

Note: If you have added the DNS records, but still encounter name resolution problems, you can try running ipconfig /flushdns on the client to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.

image

Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.
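Pinging each name by hand is easy to get wrong when there are this many records, so the check can be scripted. This is an added example, not from the original post: the function name is an assumption, the host list follows the DNS Goal list with the page's iwebscrm15.com test domain, and the expected IP is the sample address from the IPCONFIG step.

```powershell
$domain     = 'iwebscrm15.com'     # the page's test domain; substitute your own
$expectedIp = '66.34.204.220'      # sample address from the IPCONFIG step above

# Sub domains from the DNS Goal list, plus the root record for the ADFS logout URL.
$hosts  = 'sts1', 'auth', 'dev', 'crm', 'crm2015', 'adfs' | ForEach-Object { "$_.$domain" }
$hosts += $domain

function Test-IfdDnsRecord {
    # Hypothetical helper: resolves each name and compares it with the expected IP.
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [Parameter(Mandatory)] [string]   $ExpectedIp,
        [string] $Server       # optional: ask one specific DNS server
    )

    foreach ($n in $Name) {
        $query = @{
            Name        = $n
            Type        = 'A'
            DnsOnly     = $true     # no LLMNR / NetBIOS fallback
            NoHostsFile = $true     # a hosts-file entry must not hide a missing record
            ErrorAction = 'SilentlyContinue'
        }
        if ($Server) { $query.Server = $Server }

        # Keep only answers that carry an address (skips CNAME records).
        $ips = @(Resolve-DnsName @query |
                 Where-Object { $_.IPAddress } |
                 Select-Object -ExpandProperty IPAddress)

        $wrong = @($ips | Where-Object { $_ -ne $ExpectedIp })

        [pscustomobject]@{
            Name     = $n
            Resolved = $ips -join ', '
            Ok       = ($ips.Count -gt 0) -and ($wrong.Count -eq 0)
        }
    }
}

$results = Test-IfdDnsRecord -Name $hosts -ExpectedIp $expectedIp
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one name is missing or points at the wrong address.'
}
```

Run it once on the server and once from a machine outside your network (or pass -Server with an external resolver you trust) to cover both the internal and the external view.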

 

Firewall configuration

You need to set the firewall to allow the incoming traffic on the ports used by CRM 2015 and AD FS 3.0. The default port for HTTPS (SSL) is 443.

For initial setup, testing etc., we recommend just turning the thing off. Better to start from a place where it does not muck you around, then turn it all back on after you are successful.

1) In Windows 2012 I can’t frigging work out how to find anything. Literally!  But most things you can search for. As is the case here if you search for “Firewall”. Select the firewall option:

Screenshot 2015 02 18 18 14 37

2) Select Turn Windows Firewall on or off

Screenshot 2015 02 18 18 16 04

3) Turn Off or On Firewall

Screenshot 2014 07 05 19 33 53

Just turn it all off for now. (Remember to come back, turn it on and allow access for the unusual port 444 that you configured earlier for the SSL on the CRM site.) But for testing and setting up… the last thing you want is to be banging your head against a firewall.

Screenshot 2015 02 18 18 18 31
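When you come back to turn the firewall on again, the step can be scripted so the two HTTPS ports are allowed and nothing else changes. This is an added example, not from the original post: the function and rule names are assumptions, and the ports are the default 443 plus the 444 binding configured earlier for the CRM site.

```powershell
function Enable-CrmIfdFirewall {
    # Hypothetical helper: allow the IFD HTTPS ports, then switch the firewall back on.
    param(
        [int[]]  $Port     = @(443, 444),   # 443 = default site, 444 = CRM site binding
        [string] $RuleName = 'CRM 2015 IFD HTTPS'   # made-up display name
    )

    # Create the inbound allow rule once; re-running the function is harmless.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
                            -Direction Inbound `
                            -Protocol TCP `
                            -LocalPort $Port `
                            -Action Allow `
                            -Profile Any | Out-Null
    }

    # Turn every profile back on after the testing period.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

    # Report what is now in force so the result can be checked, not assumed.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled
    $filter   = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
    $listen   = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty LocalPort -Unique

    [pscustomobject]@{
        ProfilesEnabled = @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        AllowedPorts    = $filter.LocalPort -join ', '
        ListeningPorts  = $listen -join ', '    # empty means IIS is not bound to them yet
    }
}

Enable-CrmIfdFirewall
```

If ListeningPorts comes back without 444, go back to the CRM site bindings before blaming the firewall.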

Configuring claims-based authentication for internal access

Configuring claims-based authentication for internal access requires the following steps:

  • Install and configure AD FS 3.0
  • Configure claims-based authentication on the CRM 2015 server.
  • Configure claims-based authentication on the AD FS 3.0 server.
  • Test internal access using claims-based authentication.

Install and configure ADFS 3.0

CRM 2015 works with a variety of security token service (STS) providers. This article uses Active Directory Federation Services (AD FS) 3.0 to provide the security token service.

Note: AD FS 2.0 will be installed to the default site, so to install AD FS 3.0 you must have the CRM 2015 installation in the new site. (Remember we said that earlier)

IIS Looks like this if it is correctly installed: image

If you only see the default website with CRM installed in that. Start AGAIN!

If you have it all correct at this point, it is probably a good time to take a SnapShot (backup of the virtual system) and label it something you will remember.

CRM 2015 Setup with Snapshots.png 

Install ADFS Server Role

From Server Manager – Add A Server role for: Active Directory Federation Services

Screenshot 2014 07 05 19 39 54 

Screenshot 2015 02 18 18 24 23

Screenshot 2015 02 18 18 24 53

Screenshot 2015 02 18 18 25 34

Click Install at the last step.

Screenshot 2015 02 18 18 26 20

After it finishes:

Configure the Federation service on this server

Click the Configure the Federation Services on this server.

Configure AD FS 3.0

1 Click Configure the federation service on this server.

2 In the AD FS 3.0 Management page, click AD FS 3.0 Federation Server Configuration Wizard.

3 In the Welcome page, select Create the first federation server in a federation server farm, and then click Next.

4 Select Next to continue with the current administrator (must be a domain admin).

5 Choose your SSL certificate (the one we created and imported above, i.e. *.iwebscrm15.com), add a Federation Service name (select the second one from the dropdown, in this instance iwebscrm15.com; don’t select the one with the wildcard in the name, so not *.iwebscrm15.com for example), then select a Service Display Name for your business, selecting the one that does NOT start with a *, then click Next.

6 Open PowerShell and run the following command:

    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

If you don’t, you will see the error: Group Managed Service Accounts are not available because the KDS Root Key has not been set.

7 We specified the Administrator account for the service account, as security is not our primary concern here in a dev environment. You could, and probably should, use a defined account for a production environment.

7 Create a database on this server using Windows Internal Database (we suggest using the SQL instance in the step below), click Next.

Or use the local SQL instance if you have one. (Because we have SQL installed on this same server, we are using this SQL instance for the database host.)

8 Review Options, click Next

9 Pre-requisites checklist, click Configure

10 You should see a message that “This Server was successfully configured”

11 Close out the Installation progress window

Verify the AD FS 3.0 is working

Follow the steps below to verify that AD FS 3.0 is working:

1 Open Internet Explorer.

Under Internet Options

Security / Local Intranet

Sites / Advanced

Add *.domain.com to the websites. In our case here we added: *.iwebscrm15.com

Close all this down when added.

2 Now we need to browse to the federation metadata in Internet Explorer to test that access is working.

Use the URL below as an example to browse to your own server. Remember that we set up a DNS entry earlier for “ADFS” on your domain, so you should be able to browse to the URL below, replacing our domain name with yours, and have it reach the server we are configuring.

https://adfs.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml (Replace our domain name with yours)

3 Ensure that no certificate-related warning appears; you can view the certificate to be sure it is showing.

Check the certificate is correct and working by clicking on the padlock looking thing and viewing the certificate.

Claims-based authentication configuration CRM 2015 server

After you install and configure AD FS 3.0, we need to configure the Claims-based authentication before setting CRM 2015 binding types and the root domain.

1 Open the CRM Deployment Manager.

2 In the Actions pane, click Properties.

3 Click the Web Address page.

4 In the Binding Type, select HTTPS.

5 You can most likely select Apply at this point, and the default internal address for the CRM will work fine. We, however, had you create a new A record in the DNS for “internalcrm” and point it to this new server. This allows us to use a clear path for the internal URL.

6 For example, internalcrm.iwebscrm15.com:444 for our install. (You can use your own domain, internalcrm.domain.com:444.)
Note: We use the :444 as this is the HTTPS binding that we applied to the Microsoft Dynamics CRM Website in IIS.

7 Click OK.

8 In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

9 Click Next on the Welcome page

10 On the Specify the security token service page, enter the Federation metadata URL. In our case, because we set up a DNS record for “adfs”, we are going to use that: https://adfs.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml
Note: This is the same URL we used to test that ADFS was set up correctly in the steps above. Also note that the step of adding the domain to the internal sites in the IE security settings that we did above is an important one! If you can’t hit that URL in the web browser on the server and get a clean XML page, then your deployment will not work.

11 Click Next, then select the certificate that we created previously for the *.domain connection

12 Select Next
Note: At this point it is possible to get an error something along the lines of “Encrypted Certificate Error”. This implies that the account used to run CRM does not have access to the private key of the certificate being used. Skip forward to point 25 below, and add the service accounts that CRM is using to the private key of the certificate to be used. This will ensure that this next configuration step has access to the certificate. Then come back to this point and continue.

13 Select Apply (BUT – NOT FINISH)

14 IMPORTANT – Click View Log File

15 Scroll to the end, and copy the URL from the bottom of the file.

This will be used in the next configuration.
Note: This is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this). In our case the URL looked like this: https://internalcrm.iwebscrm15.com:444/FederationMetadata/2007-06/FederationMetadata.xml

16 Click Finish.

Set the CRM AppPool account and the Microsoft Dynamics CRM Encryption certificate.

17 Right-click the Start button and select Run

18 Type MMC and press Enter

19 Select File / Add/Remove Snap-in

20 Select Certificates and Add

21 Select Computer Account

22 Local Computer is selected, so click Finish

23 Expand the console tree / Personal / Click Certificates

24 Right-click the certificate we used for the CRM endpoint, and select All Tasks / Manage Private Keys

25 Select Add

26 Select Advanced

27 Select Find Now

28 Scroll down and find the NETWORK SERVICE account

29 Select OK / OK

Ensure that NETWORK SERVICE has Read access.

Note: We have used the NETWORK SERVICE account here because that is the one associated with the CRMAppPool used in IIS by default for the Microsoft Dynamics CRM Website that was automatically configured with the CRM setup.

If you are using another account for running the application pool, then you should ensure that this account has access to the encryption certificate. Some details can be found here.
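The same grant as steps 24 to 29, scripted, as an added example that is not part of the original post. The thumbprint is a placeholder you must fill in, and the script assumes the certificate's private key is held by a legacy CSP (a key file under MachineKeys) rather than a CNG key storage provider.

```powershell
# Added example: grant an app-pool identity Read access to a certificate's private key.
# Assumptions: placeholder thumbprint; CSP-backed RSA key stored under MachineKeys.
$thumbprint = '<THUMBPRINT-OF-CRM-CERTIFICATE>'   # placeholder, not a real value
$account    = 'NT AUTHORITY\NETWORK SERVICE'      # identity of CRMAppPool per the note above

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in LocalMachine\My."
}

# Locate the key container file that backs the private key.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path -Path $keyPath)) {
    throw "Key file not found at $keyPath (is this a CNG key?)."
}

# Add a Read-only allow rule; the service identity does not need Full Control.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# List every identity that can now read the key, to review for excess access.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If the application pool runs under a different account, change `$account` to that identity and keep the grant at Read.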

30 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2015 server.

Once you can browse this URL, you are done. If it fails, repeat the process until you can access the URL on the server in question. Note: Often it is confusion over the port :5555 that defaults in the CRM Deployment Manager web settings and the HTTPS port :444 that we defined in the binding for the Microsoft Dynamics CRM Website. So double-check that you have the correct port set in the Deployment Manager, then run the steps again following that setting.
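The two browser checks (the AD FS metadata URL tested earlier and the CRM internal metadata URL from step 30) can also be run from PowerShell on the server. This is an added example, not code from the original post; the function name `Test-FederationMetadata` is hypothetical and the URLs are the ones used on this page, so substitute your own domain.

```powershell
# Added example: check that federation metadata endpoints answer over HTTPS with a
# trusted certificate and return well-formed XML. Function name is hypothetical.
function Test-FederationMetadata {
    param([Parameter(Mandatory = $true)][string[]]$Url)

    foreach ($u in $Url) {
        $result = [pscustomobject]@{
            Url = $u; Ok = $false; EntityId = $null; EarliestCertExpiry = $null; Error = $null
        }
        try {
            # DownloadData throws on certificate errors (name mismatch, untrusted
            # issuer, expiry) and on HTTP errors such as 503; validation stays on.
            $client = New-Object System.Net.WebClient
            $bytes  = $client.DownloadData($u)

            $doc = New-Object System.Xml.XmlDocument
            $doc.XmlResolver = $null                     # never fetch external entities
            $stream = New-Object System.IO.MemoryStream (, $bytes)
            $doc.Load($stream)                           # throws if the body is not XML

            $result.EntityId = $doc.DocumentElement.GetAttribute('entityID')

            # Certificates embedded in the metadata; report the soonest expiry.
            $nodes = $doc.GetElementsByTagName('X509Certificate', 'http://www.w3.org/2000/09/xmldsig#')
            $expiries = foreach ($n in $nodes) {
                $raw = [Convert]::FromBase64String($n.InnerText.Trim())
                (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, $raw)).NotAfter
            }
            if ($expiries) {
                $result.EarliestCertExpiry = $expiries | Sort-Object | Select-Object -First 1
            }
            $result.Ok = [bool]$result.EntityId
        }
        catch {
            $result.Error = $_.Exception.GetBaseException().Message
        }
        $result
    }
}

Test-FederationMetadata -Url @(
    'https://adfs.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml',
    'https://internalcrm.iwebscrm15.com:444/FederationMetadata/2007-06/FederationMetadata.xml'
) | Format-List
```

A populated `Error` field distinguishes a certificate trust failure from a wrong port or an app-pool identity that cannot read the private key, which the browser shows only as a failed page.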

Claims-based authentication configuration AD FS 3.0 server

After completing the previous step, we next need to add and configure the claims provider trust and the relying party trust in AD FS 3.0.

Configure claims provider trusts

Start AD FS 3.0 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

In the Rules Editor, click Add Rule. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

Create the following rule:

Claim rule name: UPN Claim Rule (or something descriptive)
Attribute store: Active Directory
LDAP Attribute: User Principal Name
Outgoing Claim Type: UPN

Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Dynamics CRM Server 2015 as a relying party to consume claims from AD FS 3.0 for authenticating internal claims access.

Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file during the creation of the CRM Claims Based Authentication, e.g. https://internalcrm.iwebscrm15.com:444/FederationMetadata/2007-06/FederationMetadata.xml

On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

Click Next on the multi-factor authentication options.

On the Choose Issuance Authorisation Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

On the Ready to Add Trust page, click Next.

On the Finish page, click the checkbox option to Open the Edit Claim Rules, Next, and then click Close.

If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Create the following rule #1

Claim rule name: Pass Through UPN (or something descriptive)
Incoming claim type: UPN
Pass through all claim values

Click Finish.

In the Rules Editor, click Add Rule. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Create the following rule #2

Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values

Click Finish.

In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)
Incoming claim type: Windows account name
Outgoing claim type: * Name
Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

Click OK

Enable Forms Authentication

In AD FS on Windows Server 2012 R2, forms authentication is not enabled by default.

Open the AD FS management console and click Authentication Policies. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

Under Intranet, enable (check) Forms Authentication

So now we have claims set up for CRM.

Add the ADFS server to the Local intranet zone.

We previously added *.domain.com or, in our case, *.iwebscrm15.com to the Local intranet zone in Internet Explorer on the server. If you have not done this, you should do it now. Then:

1. Select the Advanced tab. Scroll down and verify that under Security, Enable Integrated Windows Authentication is checked.

2. Click OK to close the Internet Options dialog box. You will need to update the Local intranet zone on each client computer accessing Microsoft Dynamics CRM data internally.

Specify the security token service

1 Open a command line tool.

2 Enter the following command (when applying it in your own environment, substitute your own names in the command line):

c:\> setspn -a http/sts1.iwebscrm15.com fserver4\VSERVER06

fserver4\VSERVER08 = the domain / machine name of the server.

c:\> iisreset

Configure Internet-Facing Deployment in CRM Deployment Manager.

1 Open the CRM Deployment Manager.

2 In the tree structure, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment.

3 Click Next.

4 Fill in the correct domain information for the Web Application

Thus we use:

  • Web Application Server Domain: iwebscrm15.com:444
  • Organization Web Service Domain: iwebscrm15.com:444
  • Web Service Discovery Domain: dev.iwebscrm15.com:444

Leave the Default option for the Internet Facing Server Location

System Checks work

IFD Summary looks like this. Then Apply

Finish

9 Open a command line tool, run: iisreset

ADFS Relying Party Trust for the IFD Endpoint

Effectively you are creating the third Relying party trust in your deployment and the second that you have manually set up at this point. We are doing this again as this is now for the IFD endpoint.

Step 1: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

Step 2: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

For example, https://auth.iwebscrm.com:444/FederationMetadata/2007-06/FederationMetadata.xml (Remember to replace our domain with yours)

Type this URL in your browser and verify that no certificate-related warnings appear.

Step 3: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next

Step 4: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Click Next

Step 5: On the Ready to Add Trust page, click Next, and then click Close.

Step 6: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule

Step 7: In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Step 8: Create the following rule #1

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish

Step 9: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

Step 10: Create the following rule #2

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish

Step 11: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Step 12: Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

Now, you should see three Relying Party Trusts in the ADFS Trust Relationships.
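The three rules created in the wizard for both the internal relying party trust and the IFD relying party trust, written in AD FS claim rule language and checked from PowerShell. This is an added example, not part of the original post; the two display names are the ones the page suggests and are assumptions about what you typed in the wizard.

```powershell
# Added example: audit (and, if needed, set) the three issuance transform rules on
# both CRM relying party trusts. Display names below are assumed from the wizard steps.
Import-Module ADFS

$upnClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$sidClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$wanClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$nameClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Rule #1 and #2 pass the claim through unchanged; rule #3 re-issues the
# Windows account name as a Name claim with the same value.
$rules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "$upnClaim"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "$sidClaim"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$wanClaim"]
 => issue(Type = "$nameClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

$required = @{ 'UPN' = $upnClaim; 'Primary SID' = $sidClaim; 'Windows account name' = $wanClaim }

foreach ($rpName in 'CRM Claims Relying Party', 'CRM IFD Relying Party') {
    $trust = Get-AdfsRelyingPartyTrust -Name $rpName
    if (-not $trust) {
        Write-Warning "Relying party trust '$rpName' not found."
        continue
    }

    # A rule counts as present when its incoming claim type appears in the rule text.
    $missing = $required.Keys | Where-Object {
        $trust.IssuanceTransformRules -notlike "*$($required[$_])*"
    }

    if ($missing) {
        Write-Output "$rpName is missing rules for: $($missing -join ', '). Applying the rule set."
        # Note: this replaces the trust's entire issuance transform rule set.
        Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
    }
    else {
        Write-Output "$rpName already has all three rules."
    }
}
```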


Test External Access to CRM 2015 with IFD

Now you should be able to access CRM 2015 externally using claims authentication. In IE, browse to the CRM 2015 external address (for example: https://crm2015.iwebscrm15.com:444/main.aspx) and you will see the following page:

Enter the user name in the format “domain\username” and the password. You should get in fine.

Additional Tasks for mex Endpoints – Services that connect to XRM

We found after following these instructions that we could not write services that connected via the endpoint https://your.crm.dom:444/adfs/services/trust/mex. This is due to the CRM Sandbox service using port 808. The solution we applied was one that we wrote for CRM 2013, but it is applicable here for CRM 2015: https://www.interactivewebs.com/blog/index.php/crm-2013/adfsservicestrustmex-returns-503-on-crm-2013-windows-2012-ifd-mex-endpoint-fix/

This should be done routinely, as it will only pop its head up at a later date.

Turn the Firewall Back On

As you may expect, this is a rather important last step.

1. Turn on all Firewall Settings as they were at the start

2. Click Advanced Settings

3. Click Inbound Rules / New Rule

4. Select Port / Next

5. Select TCP and Specify Port 444

6. Allow the Connection

7. Domain, Private and Public all ticked.

8. Give it a name like: CRM Port 444

And you are about finished. Remember, if in the future you are mucking with something and getting no place, turn off the Firewall as a starting point. Banging heads with firewalls is a waste of time!

Remember to test access again externally!
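Steps 1 to 8 above as a repeatable script that also confirms the firewall really is back on. This is an added example, not part of the original post; it uses the rule name and port from the steps and can be re-run without creating duplicate rules.

```powershell
# Added example: re-enable Windows Firewall on all profiles and allow inbound TCP 444.
$ruleName = 'CRM Port 444'

# Step 1: turn every profile back on after the test window.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Steps 3 to 8: create the inbound allow rule only if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 444 -Action Allow -Profile Domain, Private, Public | Out-Null
}

# Verify: no profile may be left disabled.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) {
    Write-Warning "Firewall still disabled for: $($off.Name -join ', ')"
}

# Verify: show what the rule actually permits.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Action    = $_.Action
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
    }
}
```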

 
