Information Dynamics

Monthly Archives: October 2015

SQL Server Deployment Considerations

27 Tuesday Oct 2015

Posted by GIRISH SRINIVASA in CRM2015

The following guidelines are specific to the SQL Server instance used for the CRM 2015 platform:

  • Don’t modify system tables on the SQL instance where Dynamics CRM is to be deployed.
  • Full-text indexing must be installed.
  • CRM organization databases have an auto growth setting of 256MB. For intensive database transactions, increase the auto growth value to improve performance.
  • Set Max degree of parallelism to 1 in SQL Server to improve overall application performance on multiprocessor systems.

The Dynamics CRM platform creates two databases:

  • MSCRM_CONFIG: Contains the CRM metadata, such as configuration and location information specific to each organization database.
  • OrganizationName_MSCRM: The main organization database where CRM data is stored, viz., entity (aka table) records, activities etc. There will be several of these organization databases depending on the number of organizations set up using CRM Deployment Manager.

SQL Server Connection & SSRS:

  • Dynamics CRM connects to SQL Server only via Windows Authentication.
  • Dynamics CRM Reporting Extensions are data processing extensions installed on the Microsoft SQL Server Reporting Services server. There are two data processing extensions: the Fetch data processing extension for Fetch-based reports and the SQL data processing extension.
  • The identity account running the instance of Microsoft SQL Server Reporting Services must be added to the PrivReportingGroup AD security group.
  • Separate deployments of Microsoft Dynamics CRM cannot share one SQL Server Reporting Services server, but a single deployment of Microsoft Dynamics CRM can use the same SQL Server Reporting Services server.

Issues and Limitations of Claim-based authentication when used with Dynamics CRM

20 Tuesday Oct 2015

Posted by GIRISH SRINIVASA in ADFS, ADFS 4.0, CRM2015, CRM2016, Dynamics 365, Dynamics CE 9

The following are some of the limitations of accessing the Dynamics CRM platform using claims-based authentication:

  • Dynamics CRM does not enforce a strong password policy; this task is handled by AD.
  • ADFS federation server sessions are valid for up to 8 hours for deactivated or deleted users. The ADFS server tokens allocated to a web single sign-on (SSO) have a cookie expiration of 8 hours. Therefore, even when a user is deactivated or deleted from the authentication provider, as long as the user session is still active the user can continue to be authenticated to access resources.
  • Certificates created using the CNG key template are incompatible with Microsoft Dynamics CRM.
  • The CRMAppPool account used for the Dynamics CRM website must have read permission to the private key of the encryption certificate.

Work around option(s):

  1. Disable the user in Dynamics CRM and AD.
  2. Reduce the ADFS token lifetime (PowerShell). In ADFS 4.0 on Server 2016, TokenLifetime is replaced with SsoLifetime and the default is set to 480.
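
An audit for workaround 2, as an added example that is not from the original post: it lists the farm SSO lifetime and every relying party's token lifetime, flags values above a limit, then previews a reduction with -WhatIf. The 60-minute limit, the 30-minute target and the relying party name are assumptions.

```powershell
# Added example, not the author's script. Run on an AD FS server (ADFS module).
# $MaxMinutes is a hypothetical policy limit, in minutes.
function Get-AdfsLifetimeReport {
    param([int]$MaxMinutes = 60)

    # Farm-wide web SSO cookie lifetime
    $sso = (Get-AdfsProperties).SsoLifetime
    [pscustomobject]@{
        Scope     = 'Farm SSO cookie'
        Name      = 'SsoLifetime'
        Minutes   = $sso
        OverLimit = ($sso -gt $MaxMinutes)
    }

    # Per relying party token lifetime
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        # A TokenLifetime of 0 means the AD FS default of 60 minutes
        $effective = if ($rp.TokenLifetime -eq 0) { 60 } else { $rp.TokenLifetime }
        [pscustomobject]@{
            Scope     = 'Relying party token'
            Name      = $rp.Name
            Minutes   = $effective
            OverLimit = ($effective -gt $MaxMinutes)
        }
    }
}

Get-AdfsLifetimeReport -MaxMinutes 60 | Format-Table -AutoSize

# Preview the change; remove -WhatIf to apply it.
# 'CRM Claims Relying Party' is a placeholder for the trust name in your farm.
Set-AdfsProperties -SsoLifetime 60 -WhatIf
Set-AdfsRelyingPartyTrust -TargetName 'CRM Claims Relying Party' -TokenLifetime 30 -WhatIf
```

Shorter lifetimes narrow the window in which a disabled account keeps working, at the cost of more frequent re-authentication.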

 New Picture

Configuration of CRM for IFD using Claims-Based Authentication

20 Tuesday Oct 2015

Posted by GIRISH SRINIVASA in CRM2015

For Internal Access

New Picture

  1. The client sends a request to access the Dynamics CRM website.
  2. IIS refuses the connection and sends an HTTP 302 redirect to ADFS.
  3. The client sends a request for a security token to ADFS.
  4. ADFS returns an HTTP 401.1 error indicating the client must supply a Kerberos ticket.
  5. The client sends a Kerberos authentication request to Active Directory.
  6. Active Directory validates the client and sends a Kerberos ticket.
  7. The client sends a request for a security token to ADFS along with the Kerberos ticket.

Typically, for internal access the client logs on to the internal domain (for example, mydomain.com) and is already validated by Active Directory, so the Kerberos ticket is already available and steps 4 through 7 are skipped.

  8. ADFS provides a security token containing claims for providing access to CRM data.
  9. The client sends the security token containing claims, as obtained from ADFS, to the CRM server.
  10. The CRM server decrypts and validates the security token and presents the user with the information.

For External Access

New Picture

The flow is similar to Internal Access with the exception of the following:

  • The client will not be logging on to the domain directly, and hence there is no Kerberos ticket.
  • ADFS will present the client with a logon page to select an attribute store, at which point they enter credentials, which are then validated against Active Directory.

Active Directory Federation Services (AD FS) – Windows Server 2012 R2

17 Saturday Oct 2015

Posted by GIRISH SRINIVASA in ADFS

AD FS provides secure identity federation and single sign-on (SSO) capabilities so that users can use enterprise applications within an organization or across organizations (federated). In Windows Server 2012 R2, AD FS is bundled as a role; compared to AD FS 2.0, the following are the notable differences:

  • AD FS is not dependent on IIS; it relies on HTTP.SYS instead.
  • Installation and configuration can be done through the Server Manager UI.
  • Group Managed Service Account (gMSA) support, although typically a service account with a non-expiring password can be used.

Other capabilities of AD FS on Server 2012 platform are detailed here

Installation and Configuration of AD FS role:

Go to Server Manager > Dashboard and choose Add roles and features

Screen1

The following set of screens will be presented in the wizard

Screen2

Screen3

Screen4

Select Active Directory Federation Services role

Screen5

Screen6

Screen7

Click on Install on the final step in the wizard

Screen8

Screen9

Once the installation is completed additional Configuration steps must be performed and this will be indicated as shown below:

Screen10

Federation Service Configuration:

Screen11

The first server in the domain where the AD FS role is installed typically becomes the Primary Federation Server. Hence the option “Create first federation server…” is selected. For configuring AD FS on an additional server, the second option is selected.

Screen12

In the following screen specify the SSL certificate.

Screen14

Specify the service account to be used for running the ADFS service

Screen15

There are two options available for storing the ADFS configuration information, viz., Windows Internal Database (WID) or SQL Server. Detailed information is available here; in this setup we choose WID.

Screen16

The final Review Options screen provides the option to save the configuration settings as a PowerShell script, which can be used for additional deployments without having to go through all the wizard steps again.

Screen17

Now click on the Configure button

Screen18

Additional Permissions to be Added or Verified:

  • The service account used for ADFS should have the Log On As Service right (accessed through Local Security Policy). This is done on the server where the ADFS role is installed.

LogonAsService

  • The service account used for ADFS should have read permission on the private key of the imported SSL certificate.

Screen19

Things to Check:

I had named the service account for the AD FS service DEV\svc_adfs but found that the AD FS setup wizard removed the “_”, and consequently this distorted the SPN (Service Principal Name). As can be seen from the screenshot below, the wizard picked up the account name as DEV\svcADFS.

Capture

I then recreated the account to read as: DEV\svc-adfs and then checked the SPN and the registration was correct.

SPN

As viewed in Active Directory:

Capture1

Testing:

  1. Access Federation metadata at: https://sts.dev.local/federationmetadata/2007-06/federationmetadata.xml
  2. Sign-In and Sign-Out at: https://sts.dev.local/adfs/ls/idpinitiatedsignon.aspx

Once the above testing is complete, ADFS is successfully configured.

E-mail Router Configuration Manager

10 Saturday Oct 2015

Posted by GIRISH SRINIVASA in CRM2015

The E-mail Router Configuration Manager is a Windows-based GUI application that helps to:

  • Configure profiles, typically Incoming / Outgoing
  • Associate a deployed organization with an Incoming and Outgoing profile
  • Manage incoming / outgoing e-mail configurations for users and queues.

In the following section we look at the details of several functions available in the GUI application.

New Picture

Tab > Configuration Profiles

Typically two profiles will be set up, viz., Incoming and Outgoing. The list columns displayed show the values that are set when a new profile is created by clicking the “New” button.

Creating Incoming Profile:

New Picture

Creating Outgoing Profile:

New Picture

Tab > Deployments

Under this tab we specify the CRM organization and set the Incoming/Outgoing profile.

New Picture

New Picture

Tab > Users, Queues, and Forward Mailboxes

This tab allows you to assign an Incoming / Outgoing profile to each CRM user and to set up a Forward Mailbox.

New Picture

Every user in the CRM platform must be assigned an incoming or outgoing e-mail access type for the above list to be populated. Within the user administration of CRM, this is done in the E-mail Access Configuration section of the user details screen.

New Picture

As in the above screenshot, for the user “User1” the Incoming profile is set to Forward Mailbox and Outgoing is set to E-mail Router.

The action buttons available against each user in the list above are:

New Picture

Select a User and click on Modify.

New Picture

Why is the Incoming Configuration Profile drop-down disabled? > In the E-mail Access Configuration section of the “User 1” details, the “E-mail access type Incoming” is set to Forward Mailbox. Typically this will be the same for all the organization users, and a Forward Mailbox will have to be configured.

Go to the Forward Mailboxes tab and click on New

New Picture

The following functions can be performed for the Forward Mailbox setup above:

New Picture

The Test Access button will validate whether the setup is right.

New Picture

E-mail Router Configuration and Trouble Shooting

07 Wednesday Oct 2015

Posted by GIRISH SRINIVASA in CRM2015

The E-mail Router serves the purpose of delivering mail from, and creating mail in, the Dynamics CRM platform. The Windows service “Microsoft CRM Email Router” brokers the communication between the CRM platform and the e-mail handling service, typically Microsoft Exchange. The following diagram illustrates the capability provided by the CRM platform for sending e-mail messages.

New Picture

Sequence of Step(s):

  • The user creates an E-mail Activity, the status of which progresses from Open > Draft (when the Save button is clicked) > Pending Send (when the Send button is clicked).
  • The Email Router queries CRM and retrieves e-mails with a status of “Pending Send” that are to be sent.
  • The Email Router then establishes a connection with Exchange Server and the e-mails are delivered to the server.

If the e-mail server is able to deliver the message to the recipient, a notification is sent to the E-mail Router and the status changes from “Pending Send” to “Sent”.

To check the status of all e-mail messages that were attempted by the E-mail Router, use Advanced Find.

New Picture

New Picture

Processing of Incoming E-mails:

In this section we look at how the CRM platform handles the reply e-mail sent by the recipient.

New Picture

  • When the user replies to an e-mail received from CRM, the e-mail is available in the Exchange Server mailbox.
  • The E-mail Router connects to the mailbox using credentials that have full mailbox permission and then crawls the folder(s).
  • For each e-mail identified, a query is sent to CRM to determine whether an e-mail activity needs to be created; if required, an e-mail activity is created with a status of “Received”.

Administration Guide for Restoring database backup as CRM Organization

02 Friday Oct 2015

Posted by GIRISH SRINIVASA in CRM2015

In this post I will detail the steps involved in importing an organization from a database backup. For the scenario we consider a sample organization named ACM.

  • Within the CRM Deployment Manager, disable and delete the organization. Deleting the organization through the Deployment Manager UI does not delete the underlying SQL database. Log on to the SQL instance and perform the database deletion.

New Picture

New Picture

  • Restore the database backup with the required name, for example ACM_MSCRM, on the SQL Server instance.
  • Run the following script to put the database in SINGLE_USER mode, disable READ_COMMITTED_SNAPSHOT, set the recovery mode to SIMPLE, and revert back to MULTI_USER mode. This will speed up the organization import process.

New Picture

Note: In the above script the database is set to SINGLE_USER mode first to quickly disable RCSI and then reverted back to MULTI_USER mode. Without MULTI_USER mode the Deployment Manager will not pick up the organization database.

Once the above script has completed successfully, run the following to ensure that the database-level changes are applied as expected.

New Picture

  • Go to Dynamics CRM Deployment Manager and click on Import Organization under the Actions pane. The wizard navigation steps are as per the screenshots below.

New Picture

New Picture

New Picture

New Picture

Note: The next step in the above wizard will prompt to Edit User Mappings.

New Picture

Typically, the things that need attention in this dialog window are the service accounts that are used across different environments. Correct this mapping and navigate to the next step; this will bring up the System Checks window.

New Picture

After the checks have completed successfully, click on the Import button.

New Picture

  • Once the import process is successful, run the following script to enable RCSI, Full Recovery mode, and Multi-User mode.

New Picture

This completes the successful import of the organization.
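
The pre-import and post-import database changes described above, together with the verification query, as an added example; the scripts in the original post were screenshots, so this is not the author's code. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), sysadmin rights, and a hypothetical instance name SQL01; ACM_MSCRM is the sample database from the post.

```powershell
# Added example, not the original post's script.
function Set-CrmOrgDbMode {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        # Restrict the name because it is interpolated into the T-SQL below
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_]+$')][string]$Database,
        [Parameter(Mandatory)][ValidateSet('PreImport','PostImport')][string]$Phase
    )
    if ($Phase -eq 'PreImport') { $rcsi = 'OFF'; $recovery = 'SIMPLE' }
    else                        { $rcsi = 'ON';  $recovery = 'FULL' }

    # SINGLE_USER drops other sessions so the RCSI change does not block
    $change = @"
ALTER DATABASE [$Database] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
ALTER DATABASE [$Database] SET READ_COMMITTED_SNAPSHOT $rcsi;
ALTER DATABASE [$Database] SET RECOVERY $recovery;
ALTER DATABASE [$Database] SET MULTI_USER;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $change -ErrorAction Stop

    # Confirm the database-level settings took effect
    $verify = @"
SELECT name, user_access_desc, recovery_model_desc, is_read_committed_snapshot_on
FROM sys.databases WHERE name = N'$Database';
"@
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $verify -ErrorAction Stop
    $ok = $row.user_access_desc -eq 'MULTI_USER' -and
          $row.recovery_model_desc -eq $recovery -and
          [bool]$row.is_read_committed_snapshot_on -eq ($rcsi -eq 'ON')
    if (-not $ok) { throw "Database $Database is not in the expected $Phase state." }
    $row
}

# Before Import Organization in Deployment Manager:
Set-CrmOrgDbMode -ServerInstance 'SQL01' -Database 'ACM_MSCRM' -Phase PreImport
# After the import succeeds:
# Set-CrmOrgDbMode -ServerInstance 'SQL01' -Database 'ACM_MSCRM' -Phase PostImport
```

After switching back to FULL recovery, take a full backup so the transaction log backup chain can start; until then the log is not retained for point-in-time recovery.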
