Page 1: CRMUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Implementing CRM 2011 Claims-Based Authentication, ADFS and IFD Best Practices and Tips.

CRMUG® Summit 2011
November 8-11
Caesars Palace – Las Vegas, NV

Implementing CRM 2011 Claims-Based Authentication, ADFS and IFD
Best Practices and Tips

Page 2

CRMUG Summit 2011 – Las Vegas www.crmug.com

Agenda

– Introduction
– Planning & Installation
– Best Practices & Tips
– Pitfalls & Workarounds
– Q&A

Page 3

Introduction

Christopher Cognetta
Tribridge CRM Customer Care Team Leader - [email protected]

– CRM Version 1.0 – CRM 2011
– Over 30 upgrades to CRM 2011, 10+ with ADFS & IFD
– Application Architecture and Infrastructure Background

Page 4

Special Thanks

I would like to extend a special thank you to Dan Francis of Microsoft Bangalore. For without his passion, commitment, follow-up and research, I could not have quickly supported our customer needs and been able to share this presentation with all of you.

Page 5

Topics

– Internal and External DNS Entries
– Firewall Overview
– Certificates and Types Supported
– ADFS Diagrams
– CRM and ADFS Installation Tips
– ADFS Screen Shots
– Quick Check List
– Best Practices and Tips

Page 6

Internal & External DNS

External:
– Orgname.domain.com
– Auth.domain.com
– ADFS.domain.com

Note: Each organization exposed will require an orgname.domain.com entry.

ADFS will automatically pick up new organizations created in Deployment Manager.

Internal:
– Orgname.domain.com
– Auth.domain.com
– ADFS.domain.com
– Dev.domain.com
– Internalcrm.domain.com
– Externalcrm.domain.com

Aliases (CNAMEs) should not be used, because the DNS entries are the URL identifiers for ADFS.

Page 7

Internal & External DNS

– Plan ahead with your Network Administrator to add these internal and external addresses. External addresses could take 24-48 hours before they resolve.
– Provide a document mapping external to internal addresses to ensure there is no confusion.
– Firewall rules will be required to route outside traffic to the correct internal IPs and ports.
– Internal addresses should all point to the web server on port 443, except ADFS, which will use its own port, 444.

Page 8

Firewall Overview

[Diagram labels: External DNS Entries at ISP or Host; Firewall; Web Server; External IP; Internal IP; Port Forward All URLs; CRM Port 443; ADFS Port 444]

All URLs will port forward to the web server on port 443, except ADFS.

ADFS will be configured as a separate website under port 444.

ADFS must be the default website. CRM must be installed on a port.

Note: Multiple servers for CRM and ADFS websites can be deployed.

CRM is at port 443 to be the default SSL website.

Page 9

Certificates

CRM 2011 supports the use of 2 certificate types:
– Wildcard certificate: *.domainname.com
– Subject Alternative Name: test1.domainname.com, test2.domainname.com (all external DNS entries)

Some security firms do not allow wildcard [email protected] to connect using that type certificate.

Pricing vs. Security vs. Future Maintenance

Most newer certificates are all 2048-bit.

Page 10

Certificates

Ensure there are NO certificate errors when browsing CRM via HTTPS://crm.domain.com. Do not continue configuring ADFS until they are resolved, as it will break.

Page 11

Certificates

Certificates are installed via the certificate manager add-on in the MMC.

Manage Private Keys: give the identity running the CRM app pool access to the certificate's private key. (#1 Mistake)
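
The private-key permission described above can be checked from an elevated PowerShell prompt. This is an added example, not part of the original slides; the subject filter and the app pool name CRMAppPool are assumptions, and only CSP-stored machine keys are handled.

```powershell
# Added example: verify the CRM app pool identity can read the SSL certificate's
# private key, and warn if broad groups can read it too.
Import-Module WebAdministration

$subjectFilter = '*domainname.com*'   # placeholder domain used on the slides
$appPoolName   = 'CRMAppPool'         # assumed name of the CRM application pool

# Resolve the account the app pool runs as.
$pm = (Get-Item "IIS:\AppPools\$appPoolName").processModel
switch ([string]$pm.identityType) {
    'SpecificUser'            { $identity = $pm.userName }
    'NetworkService'          { $identity = 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { $identity = 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { $identity = 'NT AUTHORITY\SYSTEM' }
    'ApplicationPoolIdentity' { $identity = "IIS APPPOOL\$appPoolName" }
}
$sidType = [System.Security.Principal.SecurityIdentifier]
$poolSid = (New-Object System.Security.Principal.NTAccount($identity)).Translate($sidType).Value

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like $subjectFilter } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches $subjectFilter" }

# CSP machine keys are files under ProgramData; CNG keys are stored elsewhere
# and are not handled here.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$rules   = (Get-Acl -Path $keyFile).GetAccessRules($true, $true, $sidType)

$poolCanRead = $false
foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    $sid = $r.IdentityReference.Value
    if ($sid -eq $poolSid -and ($r.FileSystemRights -band $read) -eq $read) {
        $poolCanRead = $true
    }
    # Everyone (S-1-1-0), Authenticated Users (S-1-5-11), BUILTIN\Users (S-1-5-32-545)
    if ('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545' -contains $sid) {
        Write-Warning "Private key is accessible to a broad group: $sid"
    }
}

if ($poolCanRead) {
    "OK: $identity can read the private key of $($cert.Subject)"
} else {
    Write-Warning "$identity has no direct Read access to the private key of $($cert.Subject)"
}
```

Access granted only through group membership is not detected; the check looks for an entry naming the app pool identity itself.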

Page 12

ADFS Diagrams

[Diagram labels: Windows Authentication; Internal ADFS; External ADFS; Other Identity Stores: AD, Windows Live, Oracle, etc.]

Page 13

ADFS & CRM Installation

– If ADFS and CRM will be deployed on the same server, ADFS must be the DEFAULT website. (SSL Port 444)
– CRM should not be installed on the default website; use a port like 5555. (SSL Port 443)
– CRM 2011 should be installed and working prior to installing and configuring ADFS.
– Download ADFS 2.0 from Microsoft Download: http://www.microsoft.com/download/en/details.aspx?id=10909
– ADFS service name should not be the same name as the server.

Page 14

CRM Setup URL & HTTPS

– Use Deployment Manager to configure the CRM internal URLs.
– Note the HTTPS setting.
– You must also set the HTTPS binding and certificate in IIS.
– Changes in this section require an IISReset to be issued via the command line or GUI.

Page 15

ADFS Installation

After ADFS installs, the ADFS configuration wizard will appear:

– ADFS will prompt for the name of your federation service.
– ADFS will recognize any certificates pre-configured on the website, as well as the port number.
– ADFS.domainname.com
– A URL is provided in the documentation to test that the ADFS Federation Service is working.

Page 16

Configure CRM Claims

From Deployment Manager we configure claims-based authentication:

– URL will be provided at the end of the ADFS installation.
– Make sure to test this URL in your browser for no errors.
– Save as favorite.
– If you receive the XML metadata from the URL, the ADFS service is working correctly.
– Common errors like 503 require an IISReset.

Page 17

Configure CRM Claims

Success window after Claims in CRM has been configured.

– This configures the CRM federation services.
– The URL shown on screen is at the bottom of the log file. Click view the log file to copy the URL.
– This URL will set up the first Relying Party Trust with ADFS for CRM (Internal).

Page 18

Configure ADFS - Internal Trust

Chris to insert text here and screen shot of first trust

Page 19

CRM Configure IFD – Part 1

Inside deployment manager, you will click configure IFD:

You will be prompted for the following domain names.

– Web Application and Org Service should both be the same domainname.com
– Dev domain is used for the discovery web server and should match your DEV DNS entry.

Page 20

CRM Configure IFD – Part 2

Next you will be prompted for the external domain:

This is where AUTH.domainname.com

The documentation uses the same URL as the STS server which is not correct.

The end of the configuration will provide a URL to configure the relying party trust in ADFS.

Page 21

CRM Configure IFD – Part 3

Success window for CRM IFD configuration.

At this point you can test https://orgname.domainname.com internally.

You will be presented with the ADFS form login.

Things to check:
– Issue IISRESET
– Setspn -A HTTP/webserver using the machine name or crmservice account.
– BackConnectionHostNames registry key for ADFS.

Page 22

Configure ADFS – External

Chris to insert text around external URL configuration, entering rules etc.

Page 23

Quick Checklist

– Follow the documentation closely: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621
– Configure Firewall, Internal, External DNS, Setup IIS certificate and correct bindings.
– Installation for CRM (5555), Installation of ADFS (444)
– Configure CRM to use HTTPS (443), ADFS via wizard
– Configure CRM Claims Based Auth with URL
– ADFS Relying Party Trust – Internal Ready
– Configure CRM IFD, Configure Final Trust – External Ready

Page 24

Best Practice and Tips

– BackConnectionHostNames Registry
– Changing your ADFS login Name
– Setting the IFD timeout
– Multiple HTTPS Bindings
– Internal Service Error 503 & 505
– Updating ADFS Cache
– 401 Errors
– Outlook Client V4 with CRM 2011
– Caution on Cache

Page 25

BackConnectionHostNames

– Error with 401.1 for DNS name. You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected. http://support.microsoft.com/kb/896861
– Use ADFS.domainname.com for the regkey
– Add ADFS.domainname.com and InternalCRM.domainname.com to intranet/trusted
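
The registry change from KB 896861 can be audited and applied from an elevated PowerShell prompt. This is an added example, not part of the original slides; the registry locations are the ones documented in that KB article, and the host names are the placeholders used on the slides.

```powershell
# Added example: list only the required host names in BackConnectionHostNames
# rather than switching the loopback check off for the whole server.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey   = Join-Path $lsaKey 'MSV1_0'
$required = @('ADFS.domainname.com', 'InternalCRM.domainname.com')  # placeholders

# 1. Flag the blanket workaround: DisableLoopbackCheck = 1 disables the loopback
#    check for every host name on the server, not just ADFS and CRM.
$loop = Get-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($loop -and $loop.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is set to 1; prefer BackConnectionHostNames.'
}

# 2. Read the current multi-string value (it may not exist yet).
$current = @()
$prop = Get-ItemProperty -Path $msvKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue
if ($prop) { $current = @($prop.BackConnectionHostNames) }

# 3. Add only the names that are missing (comparison is case-insensitive)
#    and keep any entries that are already there.
$missing = @($required | Where-Object { $current -notcontains $_ })
if ($missing.Count -eq 0) {
    'BackConnectionHostNames already lists all required names.'
} else {
    $merged = @($current + $missing)
    # -Force overwrites an existing value while keeping the REG_MULTI_SZ type.
    New-ItemProperty -Path $msvKey -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    'Added: ' + ($missing -join ', ')
    'Issue an IISReset for the change to take effect.'
}
```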

Page 26

Changing ADFS Login Name

Page 27

Changing ADFS Login Name

Page 28

Setting the ADFS/IFD Timeout

http://technet.microsoft.com/en-us/library/gg188586.aspx

Page 29

HTTPS Binding

– Ensure ADFS only has an HTTPS binding, no HTTP.
– One HTTPS binding per website in IIS.

Internal Service Error 503

– Issue IISReset
– Reboot
– Reconfigure via the CRM wizards
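
The binding rules above, together with the ports given earlier in the deck (ADFS on 444, CRM HTTPS on 443), can be audited with the IIS WebAdministration module. This is an added example, not part of the original slides; the two site names are assumptions and the function names are hypothetical.

```powershell
# Added example: audit IIS bindings for the ADFS and CRM websites.
Import-Module WebAdministration

# Assumed site names; use the names shown in IIS Manager.
$adfsSite = 'Default Web Site'        # slides: ADFS must be the default website
$crmSite  = 'Microsoft Dynamics CRM'

function Get-BindingSummary([string]$SiteName) {
    foreach ($b in @(Get-WebBinding -Name $SiteName)) {
        # bindingInformation is "IP:port:hostheader"; index from the end so an
        # IPv6 address containing colons does not shift the fields.
        $parts = $b.bindingInformation.Split(':')
        New-Object PSObject -Property @{
            Site = $SiteName; Protocol = $b.protocol
            Port = [int]$parts[-2]; HostHeader = $parts[-1]
        }
    }
}

function Test-SiteBindings([string]$SiteName, [int]$ExpectedHttpsPort, [bool]$AllowHttp) {
    $all   = @(Get-BindingSummary $SiteName)
    $https = @($all | Where-Object { $_.Protocol -eq 'https' })
    $http  = @($all | Where-Object { $_.Protocol -eq 'http' })
    $problems = @()

    if ($https.Count -ne 1) {
        $problems += "expected exactly one HTTPS binding, found $($https.Count)"
    } elseif ($https[0].Port -ne $ExpectedHttpsPort) {
        $problems += "HTTPS is on port $($https[0].Port), expected $ExpectedHttpsPort"
    }
    if (-not $AllowHttp -and $http.Count -gt 0) {
        $ports = ($http | ForEach-Object { $_.Port }) -join ', '
        $problems += "HTTP binding present on port(s) $ports"
    }

    if ($problems.Count -eq 0) { "OK   $SiteName" }
    else { $problems | ForEach-Object { "FAIL $SiteName : $_" } }
}

# ADFS: HTTPS only, on 444. CRM: one HTTPS binding on 443; the slides do not
# forbid an HTTP binding on the CRM site, so it is only reported for ADFS.
Test-SiteBindings $adfsSite 444 $false
Test-SiteBindings $crmSite 443 $true
```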

Page 30

Updating the ADFS Cache

– Updating the ADFS cache is sometimes required when adding a new organization to IFD, making changes to DNS entries or troubleshooting issues.
– Updating is done from the ADFS configuration tool: while on relying party trusts, you will see the option to Update the Federation Metadata.
– Remember an IISReset.

Page 31

IFD 404 Error & Workaround

A common error reported by external access users after IFD is enabled:

– This is because ADFS took a copy of the CRM metadata during the install, and the copy that is cached is not an exact match.
– The fix is to publish all customizations.
– If this continues for a specific user, update the user record by removing their name, replacing it with a test name, saving, and then replacing the domain name again.

Page 32

CRM Outlook Client 4

In order for older Outlook clients (v4) to work with ADFS and IFD in CRM 2011, you must enable Anonymous Authentication as well as apply rollup 7 or later to the client.

Enabling anonymous authentication

To use Microsoft Dynamics CRM 4.0 for Outlook (Update Rollup 7 or later) with Microsoft Dynamics CRM Server 2011 IFD, you must enable anonymous authentication for the 2007 SPLA CrmDiscoveryService on each server where Microsoft Dynamics CRM Server 2011 is installed. For other requirements, see Microsoft Dynamics CRM for Outlook software requirements (http://go.microsoft.com/fwlink/?LinkID=210780) in the Microsoft Dynamics CRM Planning Guide.

To enable anonymous authentication

– Open Internet Information Services (IIS) Manager.
– In the Connections pane, select the Microsoft Dynamics CRM Server 2011 Web site, and then navigate to the following folder: MSCRMServices\2007\SPLA
– In Features View, double-click Authentication.
– On the Authentication page, select Anonymous Authentication.
– In the Actions pane, click Enable to use Anonymous authentication with the default settings.

For more information about enabling anonymous authentication in IIS, see Enable Anonymous Authentication (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=205316).

Page 33

Caution on Cache

Be careful when testing DNS, then modifying DNS entries and testing again. These entries can become cached in Internet Explorer and cause good DNS entries to fail.

– Clear IE cache, delete all items in IE
– Add CRM and ADFS URLs to intranet sites
– Ipconfig /flushdns & IISReset
– Fiddler2.com can clear the cache. Make sure to close it when testing to avoid errors.

Page 34

Closing & Q&A

Use of the Microsoft Forums – Ask an MVP!
http://social.microsoft.com/Forums/en-US/category/dynamics

Please don’t forget to accept the answer that helps you!

