CRMUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Implementing CRM 2011 Claims-Based Authentication, ADFS and IFD Best Practices and Tips.


Agenda
- Introduction
- Planning & Installation
- Best Practices & Tips
- Pitfalls & Workarounds
- Q&A

Introduction
- Christopher Cognetta
- Tribridge CRM Customer Care Team Leader - Global
- CRM Version 1.0 – CRM 2011
- Over 30 upgrades to CRM 2011, 10+ with ADFS & IFD
- Application Architecture and Infrastructure Background

Special Thanks
I would like to extend a special thank you to Dan Francis of Microsoft Bangalore. Without his passion, commitment, follow-up and research, I could not have quickly supported our customer needs and been able to share this presentation with all of you.

Topics
- Internal and External DNS Entries
- Firewall Overview
- Certificates and Types Supported
- ADFS Diagrams
- CRM and ADFS Installation Tips
- ADFS Screen Shots
- Quick Check List
- Best Practices and Tips

Internal & External DNS
- External
  - Orgname.domain.com
  - Auth.domain.com
  - ADFS.domain.com
  - Note: Each organization exposed will require an orgname.domain.com entry. ADFS will automatically pick up new organizations created in Deployment Manager.
- Internal
  - Orgname.domain.com
  - Auth.domain.com
  - ADFS.domain.com
  - Dev.domain.com
  - Internalcrm.domain.com
  - Externalcrm.domain.com
- Aliases (CNAMEs) should not be used, as the DNS entries are the URL identifiers for ADFS.

Internal & External DNS
- Plan ahead with your network administrator to add these internal and external addresses. External addresses could take hours before they resolve.
- Provide a document mapping external to internal addresses to ensure there is no confusion.
- Firewall rules will be required to route outside traffic to the correct internal IPs and ports.
- All internal addresses should point to the web server on port 443, except ADFS, which will use its own port, 444.

Firewall Overview
[Diagram labels: External DNS Entries at ISP or Host; Firewall; Port Forward; Web Server; External IP; Internal IP; CRM Port 443; ADFS Port 444]
- All URLs will port forward to the web server on port 443, except ADFS.
- ADFS will be configured as a separate website under port 444.
- ADFS must be the default website.
- CRM must be installed on a port.
- CRM is at port 443 to be the default SSL website.
- Note: Multiple servers for CRM and ADFS websites can be deployed.

Certificates
- CRM 2011 supports the use of 2 certificate types:
  – Wildcard certificate: *.domainname.com
  – Subject Alternative Name: test1.domainname.com, test2.domainname.com (all external DNS entries)
- Some security firms do not allow connections that use a wildcard certificate.
- Pricing vs. security vs. future maintenance
- Most newer certificates are 2048 bit.
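A name-coverage check for the two certificate types, as an added example that is not part of the original slides. It shows which DNS names a wildcard or SAN certificate actually covers, including the maintenance case where a new organization is added later; every host name and the `neworg` organization are constructed placeholders.

```python
# Added example: name-coverage check for the two certificate types.
# All host names are constructed placeholders modelled on the slides' DNS plan.

def name_covers(cert_name: str, host: str) -> bool:
    """True if one certificate name (exact or wildcard) covers host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    # A wildcard stands for exactly one left-most label, so
    # *.domainname.com covers auth.domainname.com but neither
    # domainname.com itself nor a.b.domainname.com.
    first_label, _, parent = host.partition(".")
    return bool(first_label) and parent == cert_name[2:]


def uncovered(cert_names, required_hosts):
    """Return the required hosts that no name on the certificate covers."""
    return [h for h in required_hosts
            if not any(name_covers(n, h) for n in cert_names)]


# Names taken from the slides' DNS plan, under a constructed domain.
REQUIRED = ["orgname.domainname.com", "auth.domainname.com",
            "adfs.domainname.com", "dev.domainname.com"]
WILDCARD_CERT = ["*.domainname.com"]
SAN_CERT = list(REQUIRED)  # a SAN certificate issued for today's names

if __name__ == "__main__":
    print("wildcard gaps:", uncovered(WILDCARD_CERT, REQUIRED))
    print("SAN gaps:", uncovered(SAN_CERT, REQUIRED))
    # A second organization added later needs its own orgname entry.
    later = REQUIRED + ["neworg.domainname.com"]
    print("SAN gaps after new org:", uncovered(SAN_CERT, later))
    print("wildcard gaps after new org:", uncovered(WILDCARD_CERT, later))
```

Any name reported as a gap would produce a certificate error in the browser, which is the condition to clear before ADFS is configured.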

Certificates
- Ensure there are NO certificate errors when browsing CRM via
- Do not continue configuring ADFS while certificate errors remain, as it will break.

Certificates
- Certificates are installed via the certificate manager add-on in the MMC.
- Manage Private Keys: check the identity running the CRM app pool. (#1 mistake)

ADFS Diagrams
[Diagram labels: Windows Authentication; Internal ADFS; External ADFS; Other Identity Stores (AD, Windows Live, Oracle, etc.)]

ADFS & CRM Installation
- If ADFS and CRM will be deployed on the same server, ADFS must be the DEFAULT website (SSL port 444).
- CRM should not be installed on the default website; use a port such as SSL port 443.
- CRM 2011 should be installed and working prior to installing and configuring ADFS.
- Download ADFS 2.0 from Microsoft Download.
- The ADFS service name should not be the same as the server name.

CRM Setup URL & HTTPS
- Use Deployment Manager to configure the CRM internal URLs.
- Note the HTTPS setting. You must also set the HTTPS binding and certificate in IIS.
- Changes in this section require an IISReset to be issued via the command line or GUI.

ADFS Installation
After ADFS installs, the ADFS configuration wizard will appear:
- ADFS will prompt for the name of your federation service.
- ADFS will recognize any certificates pre-configured on the website, as well as the port number.
- ADFS.domainname.com
- A URL is provided in the documentation to test that the ADFS Federation Service is working.

Configure CRM Claims
From Deployment Manager we configure claims-based authentication:
- The URL will be provided at the end of the ADFS installation.
- Make sure to test this URL in your browser and confirm there are no errors. Save it as a favorite.
- If you receive the XML metadata from the URL, the ADFS service is working correctly.
- Common errors like 503 require an IISReset.

Configure CRM Claims
- Success window after claims in CRM has been configured.
- This configures the CRM federation services.
- The URL shown on screen is at the bottom of the log file. Click "View the log file" to copy the URL.
- This URL will set up the first Relying Party Trust with ADFS for CRM (Internal).

Configure ADFS - Internal Trust
Chris to insert text here and screen shot of first trust

CRM Configure IFD – Part 1
Inside Deployment Manager, click Configure IFD. You will be prompted for the following domain names:
- Web Application and Org Service should both be the same domainname.com.
- The Dev domain is used for the discovery web server and should match your DEV DNS entry.

CRM Configure IFD – Part 2
Next you will be prompted for the external domain:
- This is where AUTH.domainname.com is used.
- The documentation uses the same URL as the STS server, which is not correct.
- The end of the configuration will provide a URL to configure the relying party trust in ADFS.

CRM Configure IFD – Part 3
- Success window for CRM IFD configuration.
- At this point you can test internally. You will be presented with the ADFS form login.
- Things to check:
  - Issue IISRESET.
  - Setspn -A HTTP/webserver using the machinename or crmservice account.
  - BackConnectionHostNames registry key for ADFS.

Configure ADFS – External
Chris to insert text around external URL configuration, Entering rules etc.

Quick Checklist
- Follow the documentation closely: – aspx?displaylang=en&id= aspx?displaylang=en&id=3621
- Configure the firewall and internal and external DNS; set up the IIS certificate and correct bindings.
- Installation for CRM (5555), installation of ADFS (444)
- Configure CRM to use HTTPS (443), ADFS via wizard
- Configure CRM Claims Based Auth with URL
- ADFS Relying Party Trust – Internal Ready
- Configure CRM IFD
- Configure Final Trust – External Ready

Best Practice and Tips
- BackConnectionHostNames Registry
- Changing your ADFS login Name
- Setting the IFD timeout
- Multiple HTTPS Bindings
- Internal Service Error 503 & 505
- Updating ADFS Cache
- 401 Errors
- Outlook Client V4 with CRM 2011
- Caution on Cache

BackConnectionHostNames
– Error with for DNS name. You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
– Use for ADFS.domainname.com for regkey
– Add ADFS.domainname.com and add InternalCRM.domainname.com to intranet/trusted

Changing ADFS Login Name

Setting the ADFS/IFD Timeout

HTTPS Binding
- Ensure ADFS only has an HTTPS binding, no HTTP.
- One HTTPS binding per website in IIS.

Internal Service Error 503
- Issue IISReset
- Reboot
- Reconfigure via the CRM wizards
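One way to check the two binding rules above before touching ADFS, as an added example that is not part of the original slides. It audits a `<sites>` fragment laid out like IIS's applicationHost.config; the fragment, the site names and the function name `audit_bindings` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed <sites> fragment in the applicationHost.config layout.
# Site names and ports are sample values: ADFS on the default site at
# 444, CRM on its own site at 443 with a stray second HTTPS binding.
SAMPLE = """
<sites>
  <site name="Default Web Site" id="1">
    <bindings>
      <binding protocol="http" bindingInformation="*:80:" />
      <binding protocol="https" bindingInformation="*:444:" />
    </bindings>
  </site>
  <site name="Sample CRM Site" id="2">
    <bindings>
      <binding protocol="https" bindingInformation="*:443:" />
      <binding protocol="https" bindingInformation="*:5555:" />
    </bindings>
  </site>
</sites>
"""


def audit_bindings(sites_xml, adfs_site):
    """Return (site, problem) pairs for bindings that break the two rules."""
    findings = []
    for site in ET.fromstring(sites_xml).iter("site"):
        name = site.get("name")
        protocols = [b.get("protocol", "").lower()
                     for b in site.iter("binding")]
        # Rule 1: the site hosting ADFS must not answer on plain HTTP.
        if name == adfs_site and "http" in protocols:
            findings.append((name, "ADFS site has an HTTP binding"))
        # Rule 2: exactly one HTTPS binding per website.
        https_count = protocols.count("https")
        if https_count != 1:
            findings.append(
                (name, f"{https_count} HTTPS bindings, expected 1"))
    return findings


if __name__ == "__main__":
    for site, problem in audit_bindings(SAMPLE, "Default Web Site"):
        print(f"{site}: {problem}")
```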

Updating the ADFS Cache
- Updating the ADFS cache is sometimes required when adding a new organization to IFD, making changes to DNS entries or troubleshooting issues.
- Updating is done from the ADFS configuration tool: while on relying party trusts, you will see the option to Update the Federation Metadata.
- Remember to issue an IISReset.

IFD 404 Error & Workaround
- A common error reported by external access users after IFD is enabled:
- This is because ADFS took a copy of the CRM metadata during the install, and the cached copy is not an exact copy.
- The fix is to publish all customizations.
- If this continues for a specific user, update the user record: remove their name, replace it with a test name, save, and then replace the domain name again.

CRM Outlook Client 4
- In order for older Outlook clients (v4) to work with ADFS and IFD in CRM 2011, you must enable Anonymous Authentication as well as apply Update Rollup 7 or later to the client.

Enabling anonymous authentication
- To use Microsoft Dynamics CRM 4.0 for Outlook (Update Rollup 7 or later) with Microsoft Dynamics CRM Server 2011 IFD, you must enable anonymous authentication for the 2007 SPLA CrmDiscoveryService on each server where Microsoft Dynamics CRM Server 2011 is installed. For other requirements, see Microsoft Dynamics CRM for Outlook software requirements in the Microsoft Dynamics CRM Planning Guide.
- To enable anonymous authentication:
  - Open Internet Information Services (IIS) Manager.
  - In the Connections pane, select the Microsoft Dynamics CRM Server 2011 Web site, and then navigate to the following folder: MSCRMServices\2007\SPLA
  - In Features View, double-click Authentication.
  - On the Authentication page, select Anonymous Authentication.
  - In the Actions pane, click Enable to use Anonymous authentication with the default settings.
- For more information about enabling anonymous authentication in IIS, see Enable Anonymous Authentication (IIS 7).

Caution on Cache
- Be careful when testing DNS, then modifying DNS entries and testing again.
- These entries can become cached in Internet Explorer and cause good DNS entries to fail.
- Clear the IE cache; delete all items in IE.
- Add the CRM and ADFS URLs to intranet sites.
- Ipconfig /flushdns & IISReset
- Fiddler (Fiddler2.com) can clear the cache. Make sure to close it when testing to avoid errors.

Closing & Q&A
- Use of the Microsoft Forums – Ask an MVP!
- Please don’t forget to accept the answer that helps you!