CRMUG_Summit_2011_IFDADFS

Implementing CRM 2011
Claims-Based Authentication,
ADFS and IFD
Best Practices and Tips
CRMUG® Summit 2011
November 8-11
Caesars Palace – Las Vegas, NV
Agenda
• Introduction
• Planning & Installation
• Best Practices & Tips
• Pitfalls & Workarounds
• Q&A
CRMUG Summit 2011– Las Vegas
www.crmug.com
Introduction
Christopher Cognetta
Tribridge CRM Customer Care Team Leader - Global
[email protected]
CRM Version 1.0 – CRM 2011
Over 30 upgrades to CRM 2011, 10+ with ADFS & IFD
Application Architecture and Infrastructure Background
Special Thanks
I would like to extend a special thank you to Dan Francis of Microsoft
Bangalore. Without his passion, commitment, follow-up and research,
I could not have quickly supported our customer needs and been able
to share this presentation with all of you.
Topics
Internal and External DNS Entries
Firewall Overview
Certificates and Types Supported
ADFS Diagrams
CRM and ADFS Installation Tips
ADFS Screen Shots
Quick Check List
Best Practices and Tips
Internal & External DNS
External DNS entries:
• Orgname.domain.com
• Auth.domain.com
• ADFS.domain.com
Internal DNS entries:
• Orgname.domain.com
• Auth.domain.com
• ADFS.domain.com
• Dev.domain.com
• Internalcrm.domain.com
• Externalcrm.domain.com
Note: Each organization exposed will require its own orgname.domain.com entry.
ADFS will automatically pick up new organizations created in Deployment Manager.
Aliases (CNAMEs) should not be used, because the DNS entries are the URL
identifiers for ADFS.
Internal & External DNS
• Plan ahead with your network administrator to add these internal and
external addresses. External addresses can take 24-48 hours before they
resolve.
• Provide a document mapping external to internal addresses to ensure
there is no confusion.
• Firewall rules will be required to route outside traffic to the correct
internal IPs and ports.
• Internal addresses should all point to the web server on port 443,
except ADFS, which will use its own port 444.
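A pre-flight check for the DNS and port plan on this slide, written here as an added example (it is not from the CRMUG deck or from Microsoft): it resolves each planned IFD host name and then tries a TCP connect on the port that name is supposed to answer on. The host names are the deck's placeholders, and the list of which name maps to which port is an assumption based on the slide (everything on 443 except ADFS on 444).

```powershell
# Added example: confirm each IFD host name resolves and that its port answers.
# Host names are placeholders from the deck; run once from the LAN for the
# internal entries and once from outside the firewall for the external ones.
$checks = @(
    @{ Name = 'orgname.domain.com'; Port = 443 },
    @{ Name = 'auth.domain.com';    Port = 443 },
    @{ Name = 'dev.domain.com';     Port = 443 },
    @{ Name = 'adfs.domain.com';    Port = 444 }   # ADFS uses its own SSL port
)

function Test-IfdEndpoint {
    param([string]$HostName, [int]$Port)
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Resolves = $false; Address = $null; PortOpen = $false
    }
    try {
        # Forward lookup. A CNAME still resolves here, so confirm with the DNS
        # admin that each entry is an A record (see the note on aliases above).
        $addr = [System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1
        $result.Resolves = $true
        $result.Address  = $addr.IPAddressToString
    } catch {
        return $result          # name does not resolve; nothing more to test
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a 5-second timeout so a firewall that silently drops
        # the packet does not hang the script.
        $async = $client.BeginConnect($result.Address, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(5000, $false)) {
            $client.EndConnect($async)      # throws if the port refused
            $result.PortOpen = $client.Connected
        }
    } catch { } finally { $client.Close() }
    return $result
}

$checks | ForEach-Object { Test-IfdEndpoint -HostName $_.Name -Port $_.Port } |
    Format-Table HostName, Port, Resolves, Address, PortOpen -AutoSize
```

Only .NET classes available on Windows Server 2008 R2 are used, so the script runs on the PowerShell 2.0 that ships with the servers this deck targets. A row that resolves but shows PortOpen = False from outside the firewall points at a missing port-forward rule rather than a DNS problem.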
Firewall Overview
[Diagram: external DNS entries at the ISP or host -> external IP -> firewall
(port forward all URLs) -> internal IP -> web server: CRM on port 443, ADFS on
port 444]
• All URLs will port forward to the web server on port 443 except ADFS.
• ADFS will be configured as a separate website under port 444.
ADFS must be the default website. CRM must be installed on its own port.
Note: Multiple servers for the CRM and ADFS websites can be deployed.
CRM is at port 443 so that it is the default SSL website.
Certificates
• CRM 2011 supports the use of 2 certificate types:
– Wildcard certificate: *.domainname.com
– Subject Alternative Name (SAN) certificate: test1.domainname.com,
test2.domainname.com (all external DNS entries)
• Some security firms do not allow wildcard certificates […] to connect
using that type of certificate.
• Pricing vs. security vs. future maintenance
• Most newer certificates are all 2048 bit.
Certificates
• Ensure there are NO certificate errors when browsing CRM via
https://crm.domain.com.
• Do not continue configuring ADFS until they are resolved, as it will break.
Certificates
• Certificates are installed via the Certificates snap-in (certificate
manager add-on) in the MMC.
• Use Manage Private Keys on the certificate and grant read access to the
identity running the CRM app pool. (#1 Mistake)
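The three certificate slides above boil down to checks an engineer can script before touching ADFS: the certificate covers every external name (wildcard or SAN), it has not expired, it was imported with its private key, and the CRM app pool identity can read that key. The following is an added example, not code from the deck or from Microsoft; the thumbprint, app pool account and required host names are placeholders, and the private-key path assumes a CSP (RSA) key, which is what certificates of this era normally use.

```powershell
# Added example: validate the CRM SSL certificate and fix the "#1 mistake"
# (app pool identity cannot read the private key). All values are placeholders.
$thumbprint    = 'PLACEHOLDER_THUMBPRINT'   # copy from the Certificates snap-in
$appPoolUser   = 'DOMAIN\crmservice'        # identity running CRMAppPool
$requiredHosts = 'orgname.domain.com', 'auth.domain.com', 'dev.domain.com'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

# 1. Expiry and private key present (a .cer import has no private key)
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey)      { throw 'No private key; import the PFX, not the CER' }

# 2. Names the certificate covers: the subject CN plus any SAN DNS names (OID 2.5.29.17)
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) yields "DNS Name=a.domain.com, DNS Name=b.domain.com"
    $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[1] }
}

function Test-NameCovered([string]$CertName, [string]$HostName) {
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        # A wildcard matches exactly one label: *.domain.com covers crm.domain.com
        # but not a.b.domain.com
        $suffix = $CertName.Substring(1)
        return $HostName.EndsWith($suffix) -and
               ($HostName.Split('.').Count -eq $CertName.Split('.').Count)
    }
    return $false
}
foreach ($h in $requiredHosts) {
    if (-not ($names | Where-Object { Test-NameCovered $_ $h })) {
        Write-Warning "$h is not covered by this certificate (names: $($names -join ', '))"
    }
}

# 3. Grant the app pool identity Read on the private key file.
#    CSP keys live under MachineKeys; PrivateKey is null for CNG keys.
if (-not $cert.PrivateKey) { throw 'CNG key detected; use Manage Private Keys in the MMC instead' }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($appPoolUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl
Write-Host "Granted Read on private key $keyName to $appPoolUser"
```

Granting Read rather than Full Control is deliberate: the app pool only needs to use the key, never to export or replace it. Run the script elevated, since MachineKeys is protected.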
ADFS Diagrams
[Diagram: Internal ADFS using Windows Authentication]
[Diagram: External ADFS with other identity stores: AD, Windows Live, Oracle, etc.]
ADFS & CRM Installation
• If ADFS and CRM will be deployed on the same server, ADFS must be the
DEFAULT website. (SSL Port 444)
• CRM should not be installed on the default website; use a port like 5555.
(SSL Port 443)
• CRM 2011 should be installed and working prior to installing and
configuring ADFS.
• Download ADFS 2.0 from the Microsoft Download Center:
http://www.microsoft.com/download/en/details.aspx?id=10909
• The ADFS service name should not be the same as the server name.
CRM Setup URL & HTTPS
• Use Deployment Manager to configure the CRM internal URLs.
• Note the HTTPS setting.
• You must also set the HTTPS binding and certificate in IIS.
• Changes in this section require an IISReset to be issued via the command
line or GUI.
ADFS Installation
After ADFS installs, the ADFS configuration wizard will appear:
• ADFS will prompt for the name of your federation service.
• ADFS will recognize any certificates preconfigured on the website as
well as the port number.
• ADFS.domainname.com
• A URL is provided in the documentation in order to test that the ADFS
Federation Service is working.
Configure CRM Claims
From Deployment Manager we configure claims-based authentication:
• The URL will be provided at the end of the ADFS installation.
• Make sure to test this URL in your browser for no errors.
• Save it as a favorite.
• If you receive the XML metadata from the URL, the ADFS service is
working correctly.
• Common errors like 503 require an IISReset.
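The "test this URL in your browser" step can be made a repeatable check. The script below is an added example (not from the deck or from Microsoft): it downloads the federation metadata, confirms the body is real XML rather than an IIS error page, and reports the entity ID and how many signing certificates the metadata advertises. The URL uses the standard ADFS 2.0 metadata path with a placeholder host name.

```powershell
# Added example: verify the ADFS federation metadata endpoint before pasting
# the URL into Deployment Manager. Host name is a placeholder.
$metadataUrl = 'https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'

function Test-FederationMetadata([string]$Url) {
    $wc = New-Object System.Net.WebClient
    try {
        $raw = $wc.DownloadString($Url)
    } catch [System.Net.WebException] {
        # 503 here normally means the ADFS site is stopped: IISRESET and retry.
        # A certificate error also surfaces here; fix it before going further.
        $status = if ($_.Exception.Response) { $_.Exception.Response.StatusCode } else { $_.Exception.Status }
        return New-Object PSObject -Property @{ Ok = $false; Status = "$status"; EntityId = $null; SigningCerts = 0 }
    }
    $xml = [xml]$raw      # throws if IIS returned an HTML error page instead of metadata
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $entity = $xml.SelectSingleNode('/md:EntityDescriptor', $ns)
    $certs  = $xml.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    New-Object PSObject -Property @{
        Ok = ($entity -ne $null); Status = '200'; EntityId = $entity.entityID; SigningCerts = $certs.Count
    }
}

Test-FederationMetadata $metadataUrl | Format-List Ok, Status, EntityId, SigningCerts
```

A result with Ok = True and SigningCerts of at least 1 is what Deployment Manager needs; the entity ID should match the federation service name you entered in the ADFS wizard.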
Configure CRM Claims
Success window after claims in CRM has been configured.
• This configures the CRM federation services.
• The URL shown on screen is at the bottom of the log file. Click "View the
log file" to copy the URL.
• This URL will set up the first Relying Party Trust with ADFS for CRM
(Internal).
Configure ADFS - Internal Trust
Chris to insert text here
and screen shot of first
trust
CRM Configure IFD – Part 1
Inside Deployment Manager, you will click Configure IFD:
• You will be prompted for the following domain names.
• Web Application and Org Service should both be the same domainname.com.
• The Dev domain is used for the discovery web server and should match
your DEV DNS entry.
CRM Configure IFD – Part 2
Next you will be prompted for the external domain:
• This is where AUTH.domainname.com is entered.
• The documentation uses the same URL as the STS server, which is not
correct.
• The end of the configuration will provide a URL to configure the relying
party trust in ADFS.
CRM Configure IFD – Part 3
Success window for CRM IFD configuration.
• At this point you can test https://orgname.domainname.com internally.
• You will be presented with the ADFS form login.
• Things to check:
– Issue IISRESET.
– setspn -A HTTP/webserver using the machine name or the crmservice
account.
– BackConnectionHostNames registry key for ADFS.
Configure ADFS – External
Chris to insert text
around external URL
configuration,
Entering rules etc.
Quick Checklist
• Follow the documentation closely:
– http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621
• Configure firewall, internal and external DNS; set up the IIS certificate
and correct bindings.
• Installation of CRM (5555), installation of ADFS (444)
• Configure CRM to use HTTPS (443), ADFS via wizard
• Configure CRM claims-based auth with URL
• ADFS Relying Party Trust – Internal ready
• Configure CRM IFD
• Configure final trust – External ready
Best Practice and Tips
BackConnectionHostNames Registry
Changing your ADFS login Name
Setting the IFD timeout
Multiple HTTPS Bindings
Internal Service Error 503 & 505
Updating ADFS Cache
401 Errors
Outlook Client V4 with CRM 2011
Caution on Cache
BackConnectionHostNames
– Error 401.1 for the DNS name. You only receive this error message if you
try to browse the Web site directly on the server. If you browse the Web
site from a client computer, the Web site works as expected.
http://support.microsoft.com/kb/896861
– Add ADFS.domainname.com to the registry key.
– Add ADFS.domainname.com and InternalCRM.domainname.com to the
intranet/trusted sites zone.
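Two of the "things to check" from the IFD Part 3 slide and this BackConnectionHostNames slide are easy to verify and apply from one script. The following is an added example (not from the deck, not from Microsoft's KB): it checks that an HTTP SPN is registered on the CRM service account and adds the ADFS and internal CRM names to the BackConnectionHostNames multi-string value from KB 896861 without disturbing entries already there. The account, server and host names are placeholders.

```powershell
# Added example: SPN check plus idempotent BackConnectionHostNames update.
# All names are placeholders; run elevated on the CRM/ADFS server.
$crmAccount = 'DOMAIN\crmservice'
$webServer  = 'crmweb01'
$hostNames  = 'adfs.domainname.com', 'internalcrm.domainname.com'

# 1. SPN check: setspn -L lists the SPNs registered on the account.
$wanted = "HTTP/$webServer"
$spns = setspn -L $crmAccount 2>&1
if ($spns -match "^\s*$([regex]::Escape($wanted))\s*$") {
    Write-Host "SPN $wanted is registered on $crmAccount"
} else {
    Write-Warning "SPN $wanted missing; register it with: setspn -A $wanted $crmAccount"
}

# 2. BackConnectionHostNames is a REG_MULTI_SZ under the LSA MSV1_0 key (KB 896861).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$current = Get-ItemProperty -Path $regPath -Name BackConnectionHostNames -ErrorAction SilentlyContinue
$existing = @()
if ($current) { $existing = @($current.BackConnectionHostNames) }

# Only append what is missing so repeated runs do not grow the list.
$missing = @($hostNames | Where-Object { $existing -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host 'BackConnectionHostNames already contains all required names'
} else {
    $new = @($existing + $missing)
    if ($current) {
        Set-ItemProperty -Path $regPath -Name BackConnectionHostNames -Value $new -Type MultiString
    } else {
        New-ItemProperty -Path $regPath -Name BackConnectionHostNames -Value $new -PropertyType MultiString | Out-Null
    }
    Write-Host "Added: $($missing -join ', '). Issue an IISReset for the change to take effect."
}
```

Listing specific host names in BackConnectionHostNames is preferable to disabling the loopback check entirely (the KB's other method), because it keeps the reflection protection in place for every name you did not list.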
Changing ADFS Login Name
Setting the ADFS/IFD Timeout
http://technet.microsoft.com/en-us/library/gg188586.aspx
HTTPS Binding
• Ensure ADFS only has an HTTPS binding, no HTTP.
• One HTTPS binding per website in IIS.
Internal Service Error 503
• Issue IISReset
• Reboot
• Reconfigure via the CRM wizards
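The binding rules on this slide and on the earlier "CRM Setup URL & HTTPS" slide (one HTTPS binding per site, ADFS with no HTTP binding, ADFS SSL on 444 and CRM SSL on 443) can be audited with the IIS WebAdministration module. This is an added example, not code from the deck; the site names are placeholders and the port expectations are taken from the slides.

```powershell
# Added example: audit IIS bindings against the deck's rules.
# Assumes IIS 7.x with the WebAdministration module; site names are placeholders.
Import-Module WebAdministration

$adfsSite = 'Default Web Site'          # ADFS must be the default website (SSL 444)
$crmSite  = 'Microsoft Dynamics CRM'    # CRM on its own port (5555), SSL 443

foreach ($site in Get-Website) {
    $bindings = @(Get-WebBinding -Name $site.Name)
    $https = @($bindings | Where-Object { $_.protocol -eq 'https' })
    $http  = @($bindings | Where-Object { $_.protocol -eq 'http' })
    $desc  = ($bindings | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
    Write-Host "$($site.Name): $desc"

    if ($https.Count -gt 1) {
        Write-Warning "$($site.Name) has $($https.Count) HTTPS bindings; keep exactly one per site"
    }
    if ($site.Name -eq $adfsSite -and $http.Count -gt 0) {
        Write-Warning "ADFS site still has an HTTP binding; remove it so only HTTPS (444) remains"
    }
}

# bindingInformation looks like "*:444:"; the middle field is the port.
function Get-HttpsPorts([string]$SiteName) {
    @(Get-WebBinding -Name $SiteName -Protocol https | ForEach-Object { ($_.bindingInformation -split ':')[1] })
}
$adfsPorts = Get-HttpsPorts $adfsSite
$crmPorts  = Get-HttpsPorts $crmSite
if ($adfsPorts -notcontains '444') { Write-Warning "ADFS HTTPS binding is not on 444 (found: $($adfsPorts -join ','))" }
if ($crmPorts  -notcontains '443') { Write-Warning "CRM HTTPS binding is not on 443 (found: $($crmPorts -join ','))" }
```

Run it after every change in Deployment Manager or IIS Manager; a second HTTPS binding usually appears when the CRM wizard and an administrator both add one, which is exactly the state the slide warns against.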
Updating the ADFS Cache
• Updating the ADFS cache is sometimes required when adding a new
organization to IFD, making changes to DNS entries, or troubleshooting
issues.
• Updating is done from the ADFS configuration tool: on the relying party
trusts, you will see the option to Update the Federation Metadata.
• Remember an IISReset.
IFD 404 Error & Workaround
A common error reported after IFD is enabled by an external-access user:
• This happens because ADFS took a copy of the CRM metadata during the
install, and the cached copy no longer matches exactly.
• The fix is to publish all customizations.
• If this continues for a specific user, update the user record by
removing their name, replacing it with a test name, saving, and then
putting the domain name back again.
CRM Outlook Client 4
• In order for older Outlook clients (v4) to work with ADFS and IFD in
CRM 2011, you must enable Anonymous Authentication as well as apply
Update Rollup 7 or later to the client.
Enabling anonymous authentication
To use Microsoft Dynamics CRM 4.0 for Outlook (Update Rollup 7 or later) with Microsoft
Dynamics CRM Server 2011 IFD, you must enable anonymous authentication for the 2007
SPLA CrmDiscoveryService on each server where Microsoft Dynamics CRM Server 2011 is
installed. For other requirements, see Microsoft Dynamics CRM for Outlook software
requirements (http://go.microsoft.com/fwlink/?LinkID=210780) in the Microsoft Dynamics
CRM Planning Guide.
To enable anonymous authentication
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, select the Microsoft Dynamics CRM Server 2011 Web site, and
then navigate to the following folder: MSCRMServices\2007\SPLA
3. In Features View, double-click Authentication.
4. On the Authentication page, select Anonymous Authentication.
5. In the Actions pane, click Enable to use Anonymous authentication with the default
settings.
For more information about enabling anonymous authentication in IIS, see Enable
Anonymous Authentication (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=205316).
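The five IIS Manager steps quoted above can be scripted so the setting lands only on the MSCRMServices/2007/SPLA folder and nowhere else on the CRM site. This is an added example, not from the deck or the Microsoft documentation it quotes; the site name is a placeholder, and the script assumes IIS 7.x with the WebAdministration module.

```powershell
# Added example: enable anonymous authentication on the 2007 SPLA discovery
# folder only, then confirm the site root still does not allow anonymous.
Import-Module WebAdministration

$siteName = 'Microsoft Dynamics CRM'              # placeholder CRM site name
$folder   = 'MSCRMServices/2007/SPLA'             # path from the quoted steps
$filter   = '/system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousAuth([string]$Site, [string]$Path) {
    # The authentication sections are locked at server level by default, so the
    # setting is read and written as a <location> entry via -Location rather
    # than from a web.config in the folder.
    (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Location $Path -Filter $filter -Name enabled).Value
}

$before = Get-AnonymousAuth $siteName $folder
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Location $folder -Filter $filter -Name enabled -Value $true
$after  = Get-AnonymousAuth $siteName $folder
Write-Host ("Anonymous on {0}/{1}: before={2} after={3}" -f $siteName, $folder, $before, $after)

# Sanity check: anonymous must stay off at the site root, otherwise every CRM
# endpoint is exposed without authentication, not just the discovery service.
$rootAnon = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter -Name enabled).Value
if ($rootAnon) {
    Write-Warning "Anonymous authentication is enabled at the site root; scope it to $folder only"
}
```

Scoping the change with -Location is the least-privilege version of the manual steps: the discovery service the v4 client needs becomes reachable, while the organization and web application endpoints keep claims authentication.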
Caution on Cache
• Be careful when testing DNS, then modifying DNS entries and testing again.
• These entries can become cached in Internet Explorer and cause good DNS
entries to fail.
• Clear the IE cache; delete all items in IE.
• Add the CRM and ADFS URLs to intranet sites.
• ipconfig /flushdns & IISReset
• Fiddler2.com can clear the cache. Make sure to close it when testing to
avoid errors.
Closing & Q&A
Use of the Microsoft Forums – Ask an MVP!
http://social.microsoft.com/Forums/en-US/category/dynamics
Please don’t forget to accept the answer that helps you!