How to do an Publishing of Dynamics Crm 2011 through ISA 2006 or FAG

This post is going to answer questions regarding ISA 2006/ FAG and CRM 2011 Claims and IFD.
For this post we chose to let ISA handle the SSL Certificates as this is the common scenario for ISA deployments although other methods can be used.

We chose to focus this blog on letting CRM handle the authentication while letting ISA handle the SSL session. The main reason for using IFD despite ISA’s ability to provide forms based authentication was that the Microsoft Dynamics CRM Clients for Outlook would run into authentication problems if prompted with an ISA login. In order to get CRM running with IFD a good starting point is to study the IFD guide called How to configure an Internet-Facing Deployment for Microsoft Dynamics CRM 4.0 it can be downloaded from the Microsoft Download Center. The deployment guide will allow you to better understand the CRM 4 IFD concepts before you create any publishing rules on ISA Server.

Adjusting the Dynamics CRM 2011 Server for External Publishing

To deploy this scenario the following topology was used:



Figure 1 – Topology using CRM 2011 IFD/ Claims with ISA Server 2006.

ISA Publishing will be the same for CRM 2011 but you have to publish 4 rules.
org.contoso.com (will be used over https port 444)
sts1.contoso.com (will be used over https port 443)
auth.contoso.com (will be used over https port 444)
dev.contoso.com (will be used over https port 444)

======================================================================================
This is content from http://www.dynamics-crm-2011.de | Dieser Beitrag ist von http://www.dynamics-crm-2011.de
Themen rund um CRM 2011 onpremise, Dynamics CRM 2011 Online, Dynamics CRM 2011 mit IFD und Claims.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Read more »

New tool: for Microsoft Dynamics CRM 2011 - CrmDiagTool 2011

New tool: CrmDiagTool 2011

Hello CRM community!

Two months ago, Philippe Brissaud from Microsoft Canada asked me to help him migrate the well known CrmDiagTool 4 to Microsoft Dynamics CRM 2011. I guess you know what I answered him: of course I help!

Today, Philippe and I are proud to release this new version of CrmDiagTool.

We focused on Server diagnostics and removed features related to reporting services and email router.

The features are the following:

• Enable/Disable tracing
• Zip content of Trace directory
• Open Trace directory
• Generate diagnostic file

Download it here:

 

======================================================================================
This is content from http://www.dynamics-crm-2011.de | Dieser Beitrag ist von http://www.dynamics-crm-2011.de
Themen rund um CRM 2011 onpremise, Dynamics CRM 2011 Online, Dynamics CRM 2011 mit IFD und Claims.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Read more »

CRM 2011 - ADFS 2.0 Federating with ADFS 1.1

CRM 2011 - ADFS 2.0 Federating with ADFS 1.1

So by now you've heard about CRM 2011 AND that it supports Claims Based Authentication. You've also heard that in order to create an IFD (Internet Facing Deployment) implementation which is recommended for Mobile configurations you're going to be required to set up a Secure Token Server (STS). Microsoft recommends AD FS 2.0 (Active Directory Federation Services 2.0)

Now ADFS 2.0 isn't your Dad's old Federation Service. That would be ADFS 1.X. ADFS 1.0 comes with Windows 2008 and ADFS 1.1 is the flavor with Windows 2008 R2.

So, this isn't an article on configuring CRM 2011 with ADFS 2.0 as that has been done and redone. You'll find much of what you need for this here in the Claims Based Authentication white paper and CRM 2011 Implementation Guide located here : http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9886ab96-3571-420f-83ad-246899482fb4&displaylang=en

This blog post is going to talk about how you federate that CRM 2011 / ADFS 2.0 implementation to a partner organization where your Partner is running ADFS 1.X and may not be ready to upgrade. In the example below, the CRMPractice domain represents CRM 2011 and the ADFS 2.0 servers and the ADFS1 domain is the partner organization. The following steps are necessary to get this working. Both assume that ADFS is set up correctly and that CRM 2011 is already configured with the ADFS 2.0 implementation.

Certificate Management is one of the toughest things to get all of this working. Your Certificates for Local Computer should have the Signing Certificate with Key on both ADFS servers in the Personal Hive (ADFS1 should have ADFS1 Signing Cert, CRMPractice should have CRMPractice Signing Cert) Additionally, the opposite Signing Cert should be in Trusted Root Authorities and the path should be constructed so that the cert is trusted. The ADFS 2.0 creates a special signing certificate that you should export from the ADFS 2.0 Snap-In under Service | Certificates | Token-signing. You can View Certificate and under Details, Copy to File.

ADFS 1.x Side

1. Open MMC with Active Directory Federation Services Snap-In
2. Open Federation Service | Trust Policy | My Organization
3. Right Click Account Stores and Select New | Account Store
4. Click Next and then choose Active Directory Domain Services (AD DS), Click Next
5. Enable this store is checked, next
6. Finish
7. Now go to Partner Organizations
8. Right Click Resource Partners (CRM 2011 is in the Resource Domain) and Add New Resource Partner
9. Click Next and then indicate No policy file to import
10. Enter a Display Name
11. The URI will be whatever the URI is in ADFS but start with your federation metadata url base and instead of “/federationmetadata/2007-06/federationmetadata.xml” use instead “/adfs/” as this is probably right (more on all the “matchups” later)
12. The Federation Service Endpoint URL again we’ll use the “/adfs/ls/” in place of the “/federationmetadata/2007-06/federationmetadata.xml” as a start.
13. Click next, and in most cases you will use Federated Web SSO, click Next
14. Select UPN Claim only
15. Pass all UPN suffixes through unchanged
16. Enable the Resource Partner is checked
17. Finish

1.x Matchup Data

1. If you right click your new Resource Partner and choose Properties, you will see something like this:

2. If you right click the Federation Service and choose properties, then click View on the Certificate you should get some notable screens to keep in mind:

3. Next right click the Trust Policy and choose Properties for another important screen

ADFS 2.0 Side

1. Open MMC with the ADFS 2.0 Snap-In
2. Open Trust Relationships | Claims Provider Trusts
3. Right click and choose Add Claims Provider Trust and click Start
4. Choose Enter claims provider trust data manually - this is important as you don't have a federation metadata URL.
5. On the Display Name, this will actually show up for the Users, so you should name it the name of the ADFS1.0 domain such as “ADFS1 Users” and click next
6. Choose AD FS 1.0 and 1.1 profile and click next
7. On the WS-Federation Passive URL use the Federation Service endpoint URL from the screenshot above (ours would be https://sts2.ADFS1.com/adfs/ls/)
8. On the Claims provider trust identifier use the Federation Service URI from the screenshot, it is said that it is case sensitive (from our example that would be https://sts2.ADFS1.com/adfs/)
9. Add the Certificate from your ADFS1 Signing cert.
10. If you get a problem with the length of the cert, just accept it
11. Click Next, Next again and it should open the Claims Rules
12. On the Claims rules, we are configuring one rule which is UPN and it will be a transform claim rule. We will be taking an Incoming claim type of “Name ID” with Incoming name ID format of “UPN” and our Outgoing claim type will be “UPN”

2.0 Matchup Data

1. If you click on AD FS 2.0 and in the Actions pane choose Edit Federation Service Properties you will see a similar screen as the one from 1.x

2. So to verify, if you right click the ADFS 1.x Resource Partner you should see that the Federation Service identifier here is the Federation Service URI there. (Case sensitive again I believe)
3. That is normally the last thing.

Troubleshooting

1. If your environment balks like some do you should be able to visit the Event Viewer | Applications and Services | AD FS 2.0 | Admin
2. If you see a set of 3 Errors with 315, 111, 364 standing in your way each time you attempt to connect there is a problem with your certificate revocation checking (common when not using a Trusted Root CA) To remedy this:

• On your ADFS 2.0 server open Powershell
• First command is ‘Add-PSSnapin Microsoft.Adfs.PowerShell’ which allows you to command ADFS using scripts
• Second command is ‘set-ADFSClaimsProviderTrust -TargetName "sts2.ADFS1.com" -SigningCertificateRevocationCheck None’ where you would replace sts2.ADFS1.com with whatever the name you gave the Claims Provider, in our earlier example that would be ADFS1 Users within the quotes.
• Restart the ADFS 2.0 Service and perform an IISRESET on both ADFS boxes.

I know what your next question is going to be, but for now you'll have to wait for the next blog post when I discuss: Can CRM 2011 leverage ADFS 1.1 without ADFS 2.0?

======================================================================================
This is content from http://www.dynamics-crm-2011.de | Dieser Beitrag ist von http://www.dynamics-crm-2011.de
Themen rund um CRM 2011 onpremise, Dynamics CRM 2011 Online, Dynamics CRM 2011 mit IFD und Claims.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Read more »

Posted in: CRM 2011 und IFD - ADFS 2.0

Microsoft Dynamics CrmDiagTool 2011

CRM 2011 – New tool: CrmDiagTool 2011

One of my favourite CRM bloggers and creator of lots of useful CRM tools has been busy updating my one of my favourite CRM 4 tools CrmDiagTool.
you can find some information about the tool here. The tool is manly used to enable/disable tracing (which you can do without restarting the IIS server). You can also zip up the trace files
you can download the tool here
The features are the following:

• Enable/Disable tracing
• Zip content of Trace directory
• Open Trace directory
• Generate diagnostic file in text or html format with components selection
• Enable/Disable DevErrors

Some screenshots:

Read more »

Posted in: CRM 2011 Troubleshooting

Exeeded Column Length Error When Configuring Claims Authentication When Selecting A Certificate

Issue:
When running the Claims Authentication Wizard in the Dynamics CRM Deployment Manager to configuring Claims Based Authentication and you select a certificate that has a name longer than 128 characters Deployment Manager crashes.
The error in the Platform trace is:
Crm Exception: Message: Exceeded column length: Column Name, ErrorCode: -2147220970
[2010-11-04 20:17:36.256] Process: mmc |Organization:00000000-0000-0000-0000-000000000000 |Thread: 3(SnapIn/Main-thread.) |Category: Platform.Sql |User: 00000000-0000-0000-0000-000000000000 |Level: Error | CrmCertificateService.Create
Exception creating Certificate, Name=(CN long_certificate_name :Exceeded column length: Column Name)
Cause:
There is a limit of 128 characters that a certificate name can have if it is the certificate being selected during the Claims Authentication Wizard.
Solution:
Select a certificate that has a name less than 128 characters.
Source: http://support.microsoft.com/kb/2496441
But it is hard to get an certificate less 128 characters from your third party provider.
So it would be the best way to create your own self signed certificate for token signing.
In this case you can specify the length by yourself, makes it much easier.
Have also seen that in the internet (temp. solves the issue but it is strong unsupported and
you can get a real issue when you install the next updaterollup, when the setup wizard aspects an
database field with 128 characters it will bring an exception and the installation will fail:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Please note that this is an unsupported change and there could be unintended consequences including causing future Rollups to fail, having future Rollups or hotfixes overwrite (reverse) this change, and causing some unrelated functionality to fail.
You would need to run this in the MSCRM_CONFIG database:

ALTER TABLE Certificates ALTER COLUMN Name NVARCHAR(256);

  UPDATE
   MSCRM_CONFIG.dbo.ConfigurationMetadata
  SET
   ConfigurationMetadataXml =
     REPLACE(
      CAST(ConfigurationMetadataXml AS NVARCHAR(MAX)),
      'Name of the Certificatenvarchar128',
      'Name of the Certificatenvarchar256'
     );

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
======================================================================================
This is content from http://www.dynamics-crm-2011.de | Dieser Beitrag ist von http://www.dynamics-crm-2011.de
Themen rund um CRM 2011 onpremise, Dynamics CRM 2011 Online, Dynamics CRM 2011 mit IFD und Claims.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Read more »

Posted in: CRM 2011 und IFD - ADFS 2.0

You receive the following error when you install Microsoft Dynamics CRM 2011 for Microsoft Office Outlook: “Installation cannot proceed”

You receive the following error when you install Microsoft Dynamics CRM for Microsoft Office Outlook:

Installation cannot proceed: Setup cannot continue because a pending restart is required. Restart the computer and then try running Setup again.


Check the the crm40setup.log to identify the registry key that causes the issue. The crm40setup.log is located in %appdata%\Microsoft\MSCRM\Logs. Once you have found the registry key, you can delete the registry key with the following steps:

1. Click Start, click Run and type regedit, and then click OK.
2. Locate the Registry Key listed in the Setup Log. For example, the Registry Key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
3. Right click RunOnce, and then click Delete.

Other common registry keys that cause this error:

• HKEY_CURRENT_USER\Software\Microsoft\Windwos\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Read more »

How to install Microsoft Dynamics CRM 2011 with the minimum required permissions

This article describes the minimum permissions that are required for a user to install Microsoft Dynamics CRM 4.0 this article can alsp be used for Microsoft Dynamics CRM 2011

Notes

• This article assumes that all the Microsoft Dynamics CRM 4.0 server roles are being installed on the same computer.
• For more information about server roles, see the implementation guide.
• During the installation, the Environment Diagnostic wizard checks whether the user who is installing Microsoft Dynamics CRM has the minimum required permissions. If the minimum required permissions are not met, you receive an error message.

Installation options

You have two options when you install Microsoft Dynamics CRM with the minimum required permissions. You can let the Microsoft Dynamics CRM server Setup program create the security groups during the installation. Or, you can use pre-created Active Directory security groups.

You can also select to turn on the Auto Group Management functionality or to turn off the Auto Group Management functionality. By default, the Auto Group Management functionality is turned on. Microsoft Dynamics CRM automatically adds the appropriate user accounts and the appropriate computer accounts to the required Microsoft Dynamics CRM security groups. If you turn off Auto Group Management, Microsoft Dynamics CRM does not automatically add these accounts. In this case, a domain administrator or a user who has sufficient permissions must add the appropriate user accounts and the appropriate computer accounts to the required groups. These additions must be made after the installation and after any user is added to Microsoft Dynamics CRM.

Installation option 1: The Setup program creates the Active Directory security groups when you install Microsoft Dynamics CRM

1. Add the user account of the user who is installing Microsoft Dynamics CRM as a member of the local administrator group. To do this, follow these steps on the Microsoft Dynamics CRM server and on the computer that is running Microsoft SQL Server:
   1. Log on to the server as a user who has local administrator permissions.
   2. Click Start, point to Administrative Tools, and then click Computer Management.
   3. Expand System Tools.
   4. Expand Local Users and Groups.
   5. Click Groups.
   6. Right-click Administrators, and then click Properties.
   7. To add the account of the user who is installing Microsoft Dynamics CRM, click Add.
2. If SQL Server Reporting Services (SSRS) is installed on a server other than the server on which you added permissions in step 1, you must add the Content Manager role at the root level for the installing user account. And, you must add the System Administrator role at the site-wide level for the installing user account. To do this, follow these steps on the Reporting Services server:
   1. Start Windows Internet Explorer, and then locate the following site:
      http://srsserver/reports
   2. On the Properties tab, click New Role Assignment.
   3. In the Group or user name box, type the user name of the user who is installing Microsoft Dynamics CRM, click to select the Content Manager check box, and then click OK.
      
      Note Use the following format when you type the user name:
      domainname\username
   4. Click Site Settings.
   5. Under Security, click Configure site-wide security, and then click New Role Assignment.
   6. In the Group or user name text box, type the user name of the user who is installing Microsoft Dynamics CRM, click to select the System Administrator check box, and then click OK.
      
      Note Use the following format when you type the user name:
      domainname\username
3. For the user account of the user who is installing Microsoft Dynamics CRM, add the following permissions to the organizational unit (OU) in the Active Directory directory service. You must do this step for the OU to which you select to install during the installation of Microsoft Dynamics CRM 4.0.
   
   Permissions
   • Read
   • Create All Child Objects
   Advanced permissions
   • Read Permissions
   • Modify Permissions
   • Read Members
   • Write Members
   To add the permissions, follow these steps:
   1. Log on to the domain controller server as a user who has domain administrator permissions.
   2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   3. On the View menu, click Advanced Features.
   4. In the navigation pane, find the OU that you want to use for the Microsoft Dynamics CRM installation. To do this, expand the tree to the node that contains the security group.
   5. Right-click the security group, click Properties, and then click the Security tab.
   6. In the Group or user names list, click the user account of the user who is installing Microsoft Dynamics CRM if the account is listed. If the account is not listed, click Add to add the user account.
   7. In the Allow column, click to select the check box for the Create All Child Objects permission.
      
      Note By default, the Allow check box is selected for the Read permission.
   8. Click Advanced.
   9. In the Permission entries list, click Add, select the user account of the user who is installing Microsoft Dynamics CRM, and then click OK.
   10. In the Apply onto list, click Group objects.
   11. In the Allow column, click to select the following check boxes:
       • Read Permissions
       • Modify Permissions
   12. Click the Properties tab.
   13. In the Apply onto list, click Group objects.
   14. In the Allow column, click to select the following check boxes:
       • Read Members
       • Write Members
   15. Click OK three times.
4. Install Microsoft Dynamics CRM.

Installation option 2: Use the pre-created Active Directory security groups when you install Microsoft Dynamics CRM

1. Create the following security groups in Active Directory:
   • PrivUserGroup
   • PrivReportingGroup
   • ReportingGroup
   • SQLAccessGroup
   • UserGroup
   To create the security groups in Active Directory, follow these steps:
   1. Log on to the domain controller server as a user who has domain administrator permissions.
   2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   3. Expand the "Active Directory Users and Computers" tree to the root of the domain or to the specific organizational unit (OU) that you want to use to install Microsoft Dynamics CRM.
   4. Right-click the domain root or the OU that you want to use, click New, and then click Group.
   5. In the Group Name field, type the name of the group. For example, type PrivUserGroup.
   6. If the domain functional level is Windows Server 2003 or Microsoft Windows 2000 native, click Domain local in the Group scope list. If the domain functional level is Windows 2000 mixed, click Global in the Group scope list.
   7. Click OK.
   8. Repeat steps 1d through 1g earlier in this section to create each security group.
2. Add the user account of the user who is installing Microsoft Dynamics CRM as a member of the Local Administrator group. You must complete this step on the computer that is running the Microsoft Dynamics CRM server and on the computer that is running SQL Server.
   1. Log on to the server as a user who has local administrator permissions.
   2. Click Start, click Administrative Tools, and then click Computer Management.
   3. Expand System Tools, expand Local Users and Groups, and then expand Groups.
   4. Right-click Administrators, and then click Properties.
   5. To add the user account of the user who is installing Microsoft Dynamics CRM, click Add, and then click OK.
3. If SQL Server Reporting Services (SSRS) is installed on a server other than the server on which you added permissions in step 1, add the Content Manager role at the root level for the installing user account. Then, add the System Administrator Role at site-wide level for the installing user account. To do this, follow these steps on the server that is running Reporting Services:
   1. Start Internet Explorer, and then locate the following site:
      http://srsserver/reports
   2. Click the Properties tab, and then click New Role Assignment.
   3. In the Group or user name box, type the name of the user who is installing Microsoft Dynamics CRM, click to select the Content Manager check box, and then click OK.
      
      Note Use the following format when you type the user name:
      domainname\username
   4. Click Site Settings.
   5. Under Security, click Configure site-wide security, and then click New Role Assignment.
   6. In the Group or user name box, type the name of the user who is installing Microsoft Dynamics CRM, click to select the System Administrator check box, and then click OK.
      
      Note Use the following format when you type the user name:
      domainname\username
4. If you want Microsoft Dynamics CRM to manage the Microsoft Dynamics CRM security groups that are created during the installation, add the following permissions to the security groups that you created in step 1 earlier in this section:
   
   Permissions
   • Read
   • Write
   • Add/Remove self as member
   Advanced permissions
   • List Contents
   • Read All Properties
   • Write All Properties
   • Read Permissions
   • Modify Permissions
   • All Validated Writes
   • Add/Remove self as member
   To add the permissions, follow these steps for each security group that you created in step 1 earlier in this section:
   1. Log on to the domain controller server as a user who has domain administrator permissions.
   2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   3. On the View menu, click Advanced Features.
   4. In the navigation pane, expand the tree to the security group, right-click the security group, click Properties, and then click the Security tab.
   5. In the Group or user names list, click the user account of the user who is installing Microsoft Dynamics CRM if the account is listed. If the account is not listed, click Add to add the user account.
   6. In the Allow column, click to select the check box for the Write permission. This action causes the system to automatically select the check box for the Add/Remove self as member permission.
      
      Note By default, the Allow check box is selected for the Read permission.
   7. Click Advanced.
   8. In the Permission entries list, click the user account of the user who is installing Microsoft Dynamics CRM, and then click Edit.
   9. Click to select the Modify Permissions check box in the Allow column.
   10. Click OK three times.
   Notes
   • By default, the following permissions are set to Allow:
     • List Contents
     • Read All Properties
     • Write All Properties
     • Read Permissions
     • All Validated Writes
     • Add/Remove self as member
   • If you will turn off Auto Group Management for the installation, you do not have to complete step 4.
   • For more information about Auto Group Management, see the "Auto Group Management options" section.
5. When you first log on to Microsoft Dynamics CRM, and every time that a user is added to Microsoft Dynamics CRM, you must complete the following actions:
   • To log on, use a user account that has the necessary rights.
   • Manually add the users and the computers to the appropriate security groups.
6. To use the pre-created Active Directory security groups, create a configuration file to point to Microsoft Dynamics CRM. To do this, create an XML configuration file that uses the syntax that is in the following example. Modify the variables as appropriate. The list that follows the sample code describes how to modify the variables that are in this example.
   
   In the following sample code, the XML file is named Config_precreate.xml. The domain name is microsoft.com. These names represent the actual names that you use. The Active Directory hierarchy is as follows:
   • root domain
     • Company Name OU
       • Company Name OU
   Sample code
   
   
   

   <CRMSetup>
      <Server>
           <Groups AutoGroupManagementOff="true">
               <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></PrivUserGroup>
             <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name, DC=<domain>,DC=<domain_extension></SQLAccessGroup>
               <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></UserGroup>
               <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name, DC=<domain>,DC=<domain_extension></ReportingGroup>
    <PrivReportingGroup>CN=PrivReportingGroup,OU=Company Name,OU=Company Name, DC=<domain>,DC=<domain_extension></PrivReportingGroup>
     </Groups>
       </Server>
   </CRMSetup>
   

   Modify the parameters in the example by using the following replacement values:
   • PrivUserGroup: The name of the PrivUserGroup security group
   • SQLAccessGroup: The name of the SQLAccessGroup security group
   • UserGroup: The name of the UserGroup security group
   • ReportingGroup: The name of the ReportingGroup security group
   • PrivReportingGroup: The name of the ReportingGroup security group
   • domain: The domain name
   • domain_extension: The domain extension
   Note For more information about all the configuration file parameters and samples, see the implementation guide.
7. Run the Microsoft Dynamics CRM server installation. To do this, click Start, click Run, type C:\ServerSetup.exe /config C:\configprecreate.xml in the Open box, and then click OK.
   
   Notes
   • "C:\ServerSetup.exe" refers to the path of the ServerSetup.exe file on the installation medium.
   • "C:\configprecreate.xml" refers to the name and the path of the configuration file that was created.

Back to the top

Auto Group Management options

The Auto Group Management option is used to determine how the appropriate users and the appropriate computers are added to the security groups. Microsoft Dynamics CRM can add the users and the computers. Or, a user who has appropriate permissions in the Microsoft Dynamics CRM security groups can manually add the users and the computers.

For the Auto Group Management option, use one of the following methods. Use Method 1 to set the AutoGroupManagementOff option to "false" and to have Auto Group Management turned on. Use Method 2 to set the AutoGroupManagementOff option to "true" and to have Auto Group Management turned off.

Note The Auto Group Management option can be used only if you are installing Microsoft Dynamics CRM by using pre-created Active Directory security groups.

Note: When import organization wizard runs to import organization it considers AutoGroupManagementOff registry value to assign necessary SQL permissions on the imported database. If it's set to 1 import org wizard will not assign SQL permissions on the database, so SQL permissions may need to be assigned through SQL management studio after the import wizard succeeds. If it's set to 0 import org wizard will assign SQL permissions on the database. By default AutoGroupManagementOff reg value is set to 0.

Method 1: Set the AutoGroupManagementOff option to "false"

Because this setting is the default setting, you do not have to add anything to the configuration file. However, the following procedure is an example that describes how to set the AutoGroupManagementOff option to "false."

Create an XML configuration file that uses the syntax in the following example. Modify the variables as appropriate. To modify the variables that are in this example, refer to step 6 in the "Installation option 2: Use the pre-created Active Directory security groups when you install Microsoft Dynamics CRM" section as a guideline.

In this example, the XML file is named Config_precreate.xml. The domain name is microsoft.com. The Active Directory hierarchy is as follows:

• root domain
  • Company Name OU
    • Company Name OU

Sample code

<CRMSetup>
   <Server>
         <Groups>
  <Groups autogroupmanagementoff="false">
            <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</PrivUserGroup>
          <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</SQLAccessGroup>
            <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</UserGroup>
            <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</ReportingGroup>
 <PrivReportingGroup>CN=PrivReportingGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</PrivReportingGroup>
 </Groups>
</CRMSetup>

Method 2: Set the AutoGroupManagementOff option to "true"

1. Create an XML configuration file that uses the syntax that is in the following example. Modify the variables as appropriate. To modify the variables that are in this example, refer to step 6 in the "Installation option 2: Use the pre-created Active Directory security groups when you install Microsoft Dynamics CRM" section as a guideline.
   
   In this example, the XML file is named Config_manageoff.xml. The domain name is microsoft.com. The Active Directory hierarchy is as follows:
   • root domain
     • Company Name OU
       • Company Name OU
   Sample code
   
   
   

   <CRMSetup>
      <Server>
            <Groups AutoGroupManagementOff="true">
               <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</PrivUserGroup>
             <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</SQLAccessGroup>
               <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</UserGroup>
               <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</ReportingGroup>
    <PrivReportingGroup>CN=PrivReportingGroup,OU=Company Name,OU=Company Name, DC=microsoft,DC=com</PrivReportingGroup>
     </Groups>
       </Server>
   </CRMSetup>
   

2. Add the appropriate user accounts and the appropriate computer accounts as members of the following groups.
   
   Note You must follow this step only if the AutoGroupManagementOff option is set to "true."
   
   PrivUserGroup
   • The account that the CRMAppPool application pool uses
   • The account that the ASP.NET process model uses
   • The user account that runs the Microsoft Dynamics CRM installation
   • The computer account on which the Microsoft Dynamics CRM-Exchange E-mail Router will be installed
   ReportingGroup
   • All Microsoft Dynamics CRM user accounts (this includes the user who is installing Microsoft Dynamics CRM)
   SQLAccessGroup
   • The account that the CRMAppPool application pool uses
   • The account that the ASP.NET process model uses
   UserGroup
   • All Microsoft Dynamics CRM user accounts (this includes the user who is installing Microsoft Dynamics CRM)
   PrivReportingGroup
   • The computer account on which the Microsoft Dynamics CRM Data Connector for Microsoft SQL Server Reporting Services will be installed
   To add the accounts, follow these steps for each group in the list:
   1. Log on to the domain controller server as a user who has domain administrator permissions.
   2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   3. In the navigation pane, expand the tree to the node that contains the security group, right-click the security group, click Properties, and then click the Members tab.
   4. To add a user account, click Add, and then click OK. To add a computer account, click Object Types, click to select the Computers check box, and then click OK.
3. To verify which account the CRMAppPool application pool uses, follow these steps on the computer that is running the Microsoft Dynamics CRM server:
   1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
   2. Expand the computer name.
   3. Expand Application Pools.
   4. Right-click CRMAppPool, click Properties, and then click the Identity tab.
   The NetworkService account and the LocalSystem account are both represented by the "domainname\computername $" account. Therefore, if you must add the NetworkService account or the LocalSystem account to a security group, you must add the "domainname\computername $" account.
   
   If the Configurable option is selected, you must add the specified user account to the security group. The specified user account appears in a text box.
4. To verify the account that the ASP.NET process model uses, follow these steps on the Microsoft Dynamics CRM server:
   1. In Windows Explorer, open the following folder:
      C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CONFIG
   2. Right-click Machine.config, click Open With, and then click Notepad.
   3. Search for the word "username" in the text. The file contains multiple instances of the word. Locate the fifth instance of "username" that is in the text. The value for the fifth instance of "username" is the account that the ASP.NET process model uses.
   The SYSTEM account and the computer account are both represented by the "domainname\computername $" account. Therefore, if you must add the SYSTEM account or the computer account to a security group, you must add the "domainname\computername $" account.
   
   If a user name is specified in the Machine.config file, you must add the specified user account to the security group.

Back to the top

MORE INFORMATION

Service accountDuring the installation of Microsoft Dynamics CRM, you will see a...

Service account

During the installation of Microsoft Dynamics CRM, you will see a Specify Security Account page. On this page, you can select to use a domain user account as the security account. To do this, follow these steps:

1. Add the domain user account to the Performance Log Users local group. To do this, follow these steps:
   1. On the computer that is running the Microsoft Dynamics CRM server, click Start, click All Programs, click Administrative Tools, and then click Computer Management.
   2. Expand Local Users and Groups, and then expand Groups.
   3. Right-click the Performance Log Users group, and then click Add to Group.
   4. Click Add, type the domain user account, and then click OK two times.
2. Create the HTTP Service Principal Names account under the domain user account. To do this, follow these steps:
   1. Install Windows Server Support Tools if it is not installed.
      
      Note This step does not have to be done on the computer that is running the Microsoft Dynamics CRM server. This step can be done on another server in the domain. And, you must be logged on by using an account that has permissions to add service principal names (SPNs) to user accounts.
   2. At a command prompt, type the following commands, and then press ENTER after each command:
      SETSPN –a http/crmservername.domain.comuseraccount
      SETSPN –a http/crmservernameuseraccount
   Note The crmservername placeholder is the name of the server on which Microsoft Dynamics CRM will be installed. The domain.com placeholder represents the name of the domain. The useraccount placeholder represents the account that you are using as the Service Account during the Microsoft Dynamics CRM installation.

REFERENCES

For more information about how to use SPNs, click the following article number t...

For more information about how to use SPNs, click the following article number to view the article in the Microsoft Knowledge Base:

929650 (http://support.microsoft.com/kb/929650/ ) How to use SPNs when you configure Web applications that are hosted on IIS 6.0

For more information about the minimum permissions that are required for a user to be a Deployment Administrator in Microsoft Dynamics CRM 4.0, click the following article number to view the article in the Microsoft Knowledge Base:

946686 (http://support.microsoft.com/kb/946686/ ) How to assign the minimum permissions to a deployment administrator in Microsoft Dynamics CRM 4.0

Source: http://support.microsoft.com/kb/946677/en

======================================================================================
This is content from http://www.dynamics-crm-2011.de | Dieser Beitrag ist von http://www.dynamics-crm-2011.de
Themen rund um CRM 2011 onpremise, Dynamics CRM 2011 Online, Dynamics CRM 2011 mit IFD und Claims.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Read more »

Posted in: Installation