Monday, 30 May 2011

How to Publish Dynamics CRM 2011 through ISA 2006 or FAG

This post answers questions regarding ISA 2006/FAG and CRM 2011 Claims and IFD.
For this post we chose to let ISA handle the SSL certificates, as this is the common scenario for ISA deployments, although other methods can be used.

We chose to focus this blog on letting CRM handle the authentication while letting ISA handle the SSL session. The main reason for using IFD, despite ISA's ability to provide forms-based authentication, was that the Microsoft Dynamics CRM Clients for Outlook would run into authentication problems if prompted with an ISA login. To get CRM running with IFD, a good starting point is to study the IFD guide called How to configure an Internet-Facing Deployment for Microsoft Dynamics CRM 4.0, which can be downloaded from the Microsoft Download Center. The deployment guide will allow you to better understand the CRM 4 IFD concepts before you create any publishing rules on ISA Server.

Adjusting the Dynamics CRM 2011 Server for External Publishing

To deploy this scenario the following topology was used:

Figure 1 – Topology using CRM 2011 IFD/ Claims with ISA Server 2006.

ISA publishing works the same way for CRM 2011, but you have to publish 4 rules:

org.contoso.com (will be used over https port 444)
sts1.contoso.com (will be used over https port 443)
auth.contoso.com (will be used over https port 444)
dev.contoso.com (will be used over https port 444)

This is content from http://www.dynamics-crm-2011.de
Topics around CRM 2011 on-premise, Dynamics CRM 2011 Online, and Dynamics CRM 2011 with IFD and Claims.


Monday, 16 May 2011

New tool: for Microsoft Dynamics CRM 2011 - CrmDiagTool 2011

New tool: CrmDiagTool 2011

Hello CRM community!
Two months ago, Philippe Brissaud from Microsoft Canada asked me to help him migrate the well-known CrmDiagTool 4 to Microsoft Dynamics CRM 2011. I guess you know what I answered him: of course I'd help!
Today, Philippe and I are proud to release this new version of CrmDiagTool.
We focused on Server diagnostics and removed features related to reporting services and email router.
The features are the following:
  • Enable/Disable tracing
  • Zip content of Trace directory
  • Open Trace directory
  • Generate diagnostic file
Download it here:

Open "CrmDiagTool2011.zip"



CRM 2011 - ADFS 2.0 Federating with ADFS 1.1


So by now you've heard about CRM 2011 and that it supports Claims Based Authentication. You've also heard that in order to create an IFD (Internet Facing Deployment) implementation, which is recommended for Mobile configurations, you're going to be required to set up a Secure Token Server (STS). Microsoft recommends AD FS 2.0 (Active Directory Federation Services 2.0).

Now ADFS 2.0 isn't your Dad's old Federation Service. That would be ADFS 1.X. ADFS 1.0 comes with Windows 2008 and ADFS 1.1 is the flavor with Windows 2008 R2.

So, this isn't an article on configuring CRM 2011 with ADFS 2.0, as that has been done and redone. You'll find much of what you need for this in the Claims Based Authentication white paper and CRM 2011 Implementation Guide located here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9886ab96-3571-420f-83ad-246899482fb4&displaylang=en

This blog post is going to talk about how you federate that CRM 2011 / ADFS 2.0 implementation to a partner organization where your partner is running ADFS 1.X and may not be ready to upgrade. In the example below, the CRMPractice domain represents CRM 2011 and the ADFS 2.0 servers, and the ADFS1 domain is the partner organization. The following steps are necessary to get this working. Both sides assume that ADFS is set up correctly and that CRM 2011 is already configured with the ADFS 2.0 implementation.

Certificate management is one of the toughest parts of getting all of this working. On both ADFS servers, the Local Computer certificates should hold that server's own signing certificate, with its private key, in the Personal store (ADFS1 should have the ADFS1 signing cert, CRMPractice should have the CRMPractice signing cert). Additionally, the opposite side's signing cert should be in Trusted Root Authorities, and the path should be constructed so that the cert is trusted. ADFS 2.0 creates a special signing certificate that you should export from the ADFS 2.0 Snap-In under Service | Certificates | Token-signing. You can View Certificate and, under Details, Copy to File.

ADFS 1.x Side

  1. Open MMC with Active Directory Federation Services Snap-In
  2. Open Federation Service | Trust Policy | My Organization
  3. Right Click Account Stores and Select New | Account Store
  4. Click Next and then choose Active Directory Domain Services (AD DS), Click Next
  5. Make sure Enable this store is checked, then click Next
  6. Finish
  7. Now go to Partner Organizations
  8. Right Click Resource Partners (CRM 2011 is in the Resource Domain) and Add New Resource Partner
  9. Click Next and then indicate No policy file to import
  10. Enter a Display Name
  11. The URI will be whatever the URI is in ADFS. As a start, take your federation metadata URL base and replace “/federationmetadata/2007-06/federationmetadata.xml” with “/adfs/”, as this is probably right (more on all the “matchups” later)
  12. For the Federation Service Endpoint URL, again as a start, use “/adfs/ls/” in place of “/federationmetadata/2007-06/federationmetadata.xml”.
  13. Click next, and in most cases you will use Federated Web SSO, click Next
  14. Select UPN Claim only
  15. Pass all UPN suffixes through unchanged
  16. Make sure Enable the Resource Partner is checked
  17. Finish

1.x Matchup Data

  1. If you right click your new Resource Partner and choose Properties, you will see something like this:
  2. If you right click the Federation Service and choose properties, then click View on the Certificate you should get some notable screens to keep in mind:
  3. Next right click the Trust Policy and choose Properties for another important screen

ADFS 2.0 Side

  1. Open MMC with the ADFS 2.0 Snap-In
  2. Open Trust Relationships | Claims Provider Trusts
  3. Right click and choose Add Claims Provider Trust and click Start
  4. Choose Enter claims provider trust data manually - this is important as you don't have a federation metadata URL.
  5. On the Display Name, this will actually show up for the Users, so you should name it the name of the ADFS1.0 domain such as “ADFS1 Users” and click next
  6. Choose AD FS 1.0 and 1.1 profile and click next
  7. On the WS-Federation Passive URL use the Federation Service endpoint URL from the screenshot above (ours would be https://sts2.ADFS1.com/adfs/ls/)
  8. On the Claims provider trust identifier use the Federation Service URI from the screenshot, it is said that it is case sensitive (from our example that would be https://sts2.ADFS1.com/adfs/)
  9. Add the Certificate from your ADFS1 Signing cert.
  10. If you get a problem with the length of the cert, just accept it
  11. Click Next, Next again and it should open the Claims Rules
  12. On the Claims rules, we are configuring one rule which is UPN and it will be a transform claim rule. We will be taking an Incoming claim type of “Name ID” with Incoming name ID format of “UPN” and our Outgoing claim type will be “UPN”

2.0 Matchup Data

  1. If you click on AD FS 2.0 and in the Actions pane choose Edit Federation Service Properties you will see a similar screen as the one from 1.x
  2. So to verify, if you right click the ADFS 1.x Resource Partner you should see that the Federation Service identifier here is the Federation Service URI there. (Case sensitive again I believe)
  3. That is normally the last thing.

  1. If your environment balks, as some do, look in the Event Viewer under Applications and Services | AD FS 2.0 | Admin
  2. If you see a set of 3 errors with event IDs 315, 111 and 364 standing in your way each time you attempt to connect, there is a problem with your certificate revocation checking (common when not using a Trusted Root CA). To remedy this:

    • On your ADFS 2.0 server, open PowerShell
    • The first command is 'Add-PSSnapin Microsoft.Adfs.PowerShell', which allows you to command ADFS using scripts
    • The second command is 'Set-ADFSClaimsProviderTrust -TargetName "sts2.ADFS1.com" -SigningCertificateRevocationCheck None', where you would replace sts2.ADFS1.com with whatever name you gave the Claims Provider; in our earlier example that would be ADFS1 Users within the quotes.
    • Restart the ADFS 2.0 Service and perform an IISRESET on both ADFS boxes.
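
An added example (not from the original post) that wraps the two commands above in a scoped, verifiable change: it confirms the three event IDs, records the trust's current SigningCertificateRevocationCheck value, changes only the one named trust, and reads the setting back. With the value None, AD FS 2.0 no longer checks whether the partner's token-signing certificate has been revoked, so the recorded value is the one to restore once that certificate chains to a trusted root with a reachable CRL. The log name 'AD FS 2.0/Admin', the service name adfssrv and the trust name 'ADFS1 Users' are assumptions for this sketch.

```powershell
# Added example; run in an elevated PowerShell session on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Assumption: the display name given to the claims provider trust on the 2.0 side.
$trustName = 'ADFS1 Users'

# 1. Confirm the symptom: events 315, 111 and 364 in the AD FS 2.0 Admin log.
#    (Log name is an assumption; adjust if your server names it differently.)
$ids    = 315, 111, 364
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = $ids } `
              -MaxEvents 30 -ErrorAction SilentlyContinue
$seen    = @($events | Where-Object { $_ } | ForEach-Object { $_.Id })
$missing = @($ids | Where-Object { $seen -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Event IDs not found: {0}. Revocation checking may not be the cause." -f ($missing -join ', '))
}

# 2. Record the current setting so it can be restored later.
$trust = Get-ADFSClaimsProviderTrust -Name $trustName
if (-not $trust) { throw "No claims provider trust named '$trustName'." }
$previous = $trust.SigningCertificateRevocationCheck
Write-Output "Revocation check for '$trustName' before the change: $previous"

# 3. Change this one trust only; every other trust keeps its revocation checking.
Set-ADFSClaimsProviderTrust -TargetName $trustName -SigningCertificateRevocationCheck None

# 4. Read the value back to verify that the change was applied.
$current = (Get-ADFSClaimsProviderTrust -Name $trustName).SigningCertificateRevocationCheck
Write-Output "Revocation check for '$trustName' after the change: $current"

# 5. Restart the AD FS 2.0 service (service name is an assumption) and IIS.
Restart-Service -Name adfssrv
iisreset

# To restore the recorded value later:
#   Set-ADFSClaimsProviderTrust -TargetName $trustName -SigningCertificateRevocationCheck $previous
```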

I know what your next question is going to be, but for now you'll have to wait for the next blog post when I discuss: Can CRM 2011 leverage ADFS 1.1 without ADFS 2.0?



Wednesday, 11 May 2011

Microsoft Dynamics CrmDiagTool 2011

CRM 2011 – New tool: CrmDiagTool 2011

One of my favourite CRM bloggers and creator of lots of useful CRM tools has been busy updating one of my favourite CRM 4 tools, CrmDiagTool.
You can find some information about the tool here. The tool is mainly used to enable/disable tracing (which you can do without restarting the IIS server). You can also zip up the trace files.
You can download the tool here.
The features are the following:
  • Enable/Disable tracing
  • Zip content of Trace directory
  • Open Trace directory
  • Generate diagnostic file in text or html format with components selection
  • Enable/Disable DevErrors
Some screenshots:

Sunday, 1 May 2011

Exceeded Column Length Error When Configuring Claims Authentication When Selecting A Certificate

When you run the Claims Authentication Wizard in the Dynamics CRM Deployment Manager to configure Claims Based Authentication and select a certificate that has a name longer than 128 characters, Deployment Manager crashes.
The error in the Platform trace is:
Crm Exception: Message: Exceeded column length: Column Name, ErrorCode: -2147220970
[2010-11-04 20:17:36.256] Process: mmc |Organization:00000000-0000-0000-0000-000000000000 |Thread: 3(SnapIn/Main-thread.) |Category: Platform.Sql |User: 00000000-0000-0000-0000-000000000000 |Level: Error | CrmCertificateService.Create
Exception creating Certificate, Name=(CN long_certificate_name :Exceeded column length: Column Name)
There is a limit of 128 characters that a certificate name can have if it is the certificate being selected during the Claims Authentication Wizard.
Select a certificate that has a name less than 128 characters.
Source: http://support.microsoft.com/kb/2496441
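
A pre-check to run before starting the wizard, added here as an example and not taken from the KB article or the original post: it lists the certificates in the Local Computer Personal store with the length of their name against the 128-character limit. It assumes the name CRM stores is the certificate's Subject string, as the "Name=(CN ..." in the trace suggests; the function name Get-CertNameLengthReport is hypothetical.

```powershell
# Added example: report which certificates would fit the 128-character name column.
# Assumption: CRM stores the certificate's Subject string as its name.
function Get-CertNameLengthReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # Local Computer | Personal
        [int]$Limit = 128                              # limit from the trace and KB 2496441
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Select-Object `
            @{ Name = 'SubjectLength'; Expression = { $_.Subject.Length } },
            @{ Name = 'FitsLimit';     Expression = { $_.Subject.Length -lt $Limit } },
            @{ Name = 'Expired';       Expression = { $_.NotAfter -lt (Get-Date) } },
            HasPrivateKey,
            NotAfter,
            Subject |
        Sort-Object -Property SubjectLength -Descending
}

# Show every certificate, longest name first.
Get-CertNameLengthReport | Format-List

# Candidates for the wizard: short enough name, private key present, not expired.
Get-CertNameLengthReport |
    Where-Object { $_.FitsLimit -and $_.HasPrivateKey -and -not $_.Expired } |
    Format-Table SubjectLength, NotAfter, Subject -AutoSize
```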
But it is hard to get a certificate with a name of less than 128 characters from your third-party provider.
So the best way is to create your own self-signed certificate for token signing.
In that case you can specify the length yourself, which makes it much easier.
I have also seen the following workaround on the internet. It temporarily solves the issue, but it is strongly unsupported, and you can run into a real problem when you install the next Update Rollup: if the setup wizard expects a database field with 128 characters, it will throw an exception and the installation will fail:
Please note that this is an unsupported change and there could be unintended consequences including causing future Rollups to fail, having future Rollups or hotfixes overwrite (reverse) this change, and causing some unrelated functionality to fail.
You would need to run this in the MSCRM_CONFIG database:

   ConfigurationMetadataXml =
      CAST(ConfigurationMetadataXml AS NVARCHAR(MAX)),
      'Name of the Certificatenvarchar128',
      'Name of the Certificatenvarchar256'


