1
CRMUG® Summit 2011, November 8-11, Caesars Palace, Las Vegas, NV
Implementing CRM 2011 Claims-Based Authentication, ADFS and IFD: Best Practices and Tips
2
CRMUG Summit 2011 – Las Vegas www.crmug.com
Agenda
– Introduction
– Planning & Installation
– Best Practices & Tips
– Pitfalls & Workarounds
– Q&A
3
Introduction
Christopher Cognetta, Tribridge, CRM Customer Care Team Leader - Global, chris.cognetta@tribridge.com
– CRM Version 1.0 – CRM 2011
– Over 30 upgrades to CRM 2011, 10+ with ADFS & IFD
– Application Architecture and Infrastructure background
4
Special Thanks
I would like to extend a special thank you to Dan Francis of Microsoft Bangalore. Without his passion, commitment, follow-up and research, I could not have quickly supported our customers' needs and been able to share this presentation with all of you.
5
Topics
– Internal and External DNS Entries
– Firewall Overview
– Certificates and Types Supported
– ADFS Diagrams
– CRM and ADFS Installation Tips
– ADFS Screen Shots
– Quick Check List
– Best Practices and Tips
6
Internal & External DNS
External:
– Orgname.domain.com
– Auth.domain.com
– ADFS.domain.com
Note: each organization that is exposed will require its own orgname.domain.com entry. ADFS automatically picks up new organizations created in Deployment Manager.
Internal:
– Orgname.domain.com
– Auth.domain.com
– ADFS.domain.com
– Dev.domain.com
– Internalcrm.domain.com
– Externalcrm.domain.com
Aliases (CNAMEs) should not be used, because the DNS entries are the URL identifiers for ADFS.
7
Internal & External DNS
Plan ahead with your network administrator to add these internal and external addresses. External addresses can take 24-48 hours before they resolve. Provide a document mapping external to internal addresses to ensure there is no confusion. Firewall rules will be required to route outside traffic to the correct internal IPs and ports. All internal addresses should point to the web server on port 443, except ADFS, which uses its own port 444.
8
Firewall Overview
Diagram: external DNS entries at the ISP or host -> firewall (external IP) -> web server (internal IP); CRM on port 443 and ADFS on port 444, with all URLs port-forwarded.
– All URLs will port forward to the web server on port 443, except ADFS.
– ADFS will be configured as a separate website on port 444. ADFS must be the default website.
– CRM must be installed on a port (not the default website). CRM is at port 443 so that it is the default SSL website.
Note: multiple servers for the CRM and ADFS websites can be deployed.
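The DNS and firewall prerequisites on the two DNS slides and the firewall slide can be checked from a client before touching ADFS. This is an added example, not part of the original deck; the host names, the domain and the port map are assumptions, and it relies on the Resolve-DnsName and Test-NetConnection cmdlets (Windows 8 / Server 2012 or later). Run it once from an internal host and once from outside the firewall.

```powershell
# Added example (not from the presentation): checks that each required name
# resolves as an A record (no CNAME, per slide 6) and that the port the
# firewall must forward (443, or 444 for ADFS, per slide 8) actually answers.
$domain = 'domain.com'                      # assumption: replace with your domain
$targets = @{                               # assumption: name -> expected port
    "orgname.$domain"     = 443   # one entry per exposed organization
    "auth.$domain"        = 443   # IFD external (AUTH) endpoint
    "adfs.$domain"        = 444   # ADFS on its own SSL port
    "dev.$domain"         = 443   # discovery web server
    "internalcrm.$domain" = 443
    "externalcrm.$domain" = 443
}

foreach ($name in $targets.Keys) {
    $port = $targets[$name]
    try {
        $records = Resolve-DnsName -Name $name -ErrorAction Stop
    } catch {
        Write-Warning "$name : does not resolve"
        continue
    }
    # The DNS name is the URL identifier ADFS matches on, so an alias
    # (CNAME) in the answer is flagged instead of being silently accepted.
    if ($records | Where-Object { $_.Type -eq 'CNAME' }) {
        Write-Warning "$name : resolves via CNAME; use an A record instead"
    }
    $ips = ($records | Where-Object { $_.Type -eq 'A' }).IPAddress -join ','

    # TCP reachability of the forwarded port (443 for CRM, 444 for ADFS).
    $tcp = Test-NetConnection -ComputerName $name -Port $port -WarningAction SilentlyContinue
    $state = if ($tcp.TcpTestSucceeded) { 'open' } else { 'CLOSED' }
    '{0,-28} {1,-18} port {2}: {3}' -f $name, $ips, $port, $state
}
```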
9
Certificates
CRM 2011 supports the use of two certificate types:
– Wildcard certificate: *.domainname.com
– Subject Alternative Name: test1.domainname.com, test2.domainname.com (all external DNS entries)
Some security firms do not allow a wildcard certificate (everything@domainname.com) to be used for connecting.
Pricing vs. security vs. future maintenance.
Most newer certificates are 2048-bit.
10
Certificates
Ensure there are NO certificate errors when browsing CRM via https://crm.domain.com. Do not continue configuring ADFS until they are resolved, as it will break.
11
Certificates
Certificates are installed via the Certificates snap-in in the MMC. Use Manage Private Keys to grant access to the identity running the CRM app pool (the #1 mistake).
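A script to catch the "#1 mistake" above before the ADFS wizard does, as an added example rather than something from the deck: it resolves the identity the CRM app pool runs as and checks whether that identity has Read on the private key file of the HTTPS certificate. The IIS site name and certificate subject are assumptions, and it assumes a CSP (RSA) key stored under MachineKeys, which is what the certificate tooling of the CRM 2011 era creates; CNG keys live elsewhere and need a different lookup.

```powershell
# Added example (not from the presentation): verify the CRM app pool identity
# can read the private key of the HTTPS certificate. Run elevated on the web server.
Import-Module WebAdministration
$siteName    = 'Microsoft Dynamics CRM'   # assumption: CRM site name in IIS
$certSubject = 'CN=*.domain.com'          # assumption: wildcard or SAN certificate

# Identity the CRM site's application pool runs under.
$site = Get-Item "IIS:\Sites\$siteName"
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
$identity = switch ($pool.processModel.identityType) {
    'SpecificUser'   { $pool.processModel.userName }
    'NetworkService' { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'   { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'    { 'NT AUTHORITY\SYSTEM' }
    default          { "IIS AppPool\$($pool.name)" }   # ApplicationPoolIdentity
}

# Certificate in the machine store and the file holding its CSP private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $certSubject -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "Certificate '$certSubject' with a private key not found" }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName

# Does the key file's ACL grant the app pool identity Read?
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$allowed = (Get-Acl $keyPath).Access | Where-Object {
    $_.IdentityReference.Value -ieq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($allowed) {
    "OK: $identity can read the private key of $($cert.Thumbprint)"
} else {
    Write-Warning "$identity has NO Read access to the private key ($keyPath)."
    Write-Warning "Fix in MMC: Certificates > All Tasks > Manage Private Keys, grant Read to $identity."
}
```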
12
ADFS Diagrams
Diagram: Windows Authentication; Internal ADFS; External ADFS; other identity stores (AD, Windows Live, Oracle, etc.).
13
ADFS & CRM Installation
– If ADFS and CRM will be deployed on the same server, ADFS must be the DEFAULT website (SSL port 444).
– CRM should not be installed on the default website; use a port like 5555 (SSL port 443).
– CRM 2011 should be installed and working prior to installing and configuring ADFS.
– Download ADFS 2.0 from the Microsoft download site: http://www.microsoft.com/download/en/details.aspx?id=10909
– The ADFS service name should not be the same name as the server.
14
CRM Setup URL & HTTPS
Use Deployment Manager to configure the CRM internal URLs. Note the HTTPS setting. You must also set the HTTPS binding and certificate in IIS. Changes in this section require an IISReset, issued via the command line or the GUI.
15
ADFS Installation
After ADFS installs, the ADFS configuration wizard will appear:
– ADFS will prompt for the name of your federation service (for example ADFS.domainname.com).
– ADFS will recognize any certificates pre-configured on the website, as well as the port number.
– A URL is provided in the documentation for testing that the ADFS Federation Service is working.
16
Configure CRM Claims
From Deployment Manager we configure Claims-Based Authentication:
– The URL will be provided at the end of the ADFS installation. Make sure to test this URL in your browser for errors, and save it as a favorite.
– If you receive the XML metadata from the URL, the ADFS service is working correctly.
– Common errors like 503 require an IISReset.
17
Configure CRM Claims
Success window after Claims in CRM has been configured. This configures the CRM federation services. The URL shown on screen is at the bottom of the log file; click View the log file to copy the URL. This URL will set up the first Relying Party Trust with ADFS for CRM (internal).
18
Configure ADFS - Internal Trust
Chris to insert text here and screen shot of first trust
19
CRM Configure IFD – Part 1
Inside Deployment Manager, click Configure IFD. You will be prompted for the following domain names:
– Web Application and Org Service should both be the same domainname.com.
– Dev domain is used for the discovery web server and should match your DEV DNS entry.
20
CRM Configure IFD – Part 2
Next you will be prompted for the external domain: this is where AUTH.domainname.com is entered. The documentation uses the same URL as the STS server, which is not correct. The end of the configuration will provide a URL to configure the relying party trust in ADFS.
21
CRM Configure IFD – Part 3
Success window for the CRM IFD configuration. At this point you can test https://orgname.domainname.com internally. You will be presented with the ADFS form login.
Things to check:
– Issue an IISReset.
– Setspn –A HTTP/webserver using the machine name or the CRM service account.
– BackConnectionHostNames registry key for ADFS.
22
Configure ADFS – External
Chris to insert text around external URL configuration, entering rules etc.
23
Quick Checklist
Follow the documentation closely: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621
– Configure firewall, internal and external DNS; set up the IIS certificate and correct bindings.
– Installation of CRM (5555), installation of ADFS (444).
– Configure CRM to use HTTPS (443), ADFS via the wizard.
– Configure CRM Claims-Based Auth with the URL; ADFS Relying Party Trust – Internal ready.
– Configure CRM IFD; configure the final trust – External ready.
24
Best Practice and Tips
– BackConnectionHostNames registry
– Changing your ADFS login name
– Setting the IFD timeout
– Multiple HTTPS bindings
– Internal Service Error 503 & 505
– Updating the ADFS cache
– 401 errors
– Outlook Client V4 with CRM 2011
– Caution on cache
25
BackConnectionHostNames
– Error 401.1 for the DNS name. You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected. http://support.microsoft.com/kb/896861
– Use ADFS.domainname.com for the registry key.
– Add ADFS.domainname.com and InternalCRM.domainname.com to the intranet/trusted sites.
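The registry change from KB 896861 referenced above, done idempotently so re-running it after adding an organization does not duplicate entries. This is an added example, not from the deck; the host names are assumptions, and the key path and REG_MULTI_SZ value name are the ones the KB documents. Run elevated on the web server.

```powershell
# Added example (not from the presentation): register the ADFS and internal CRM
# names in BackConnectionHostNames so loopback requests on the server itself
# no longer fail with 401.1.
$names     = @('adfs.domain.com', 'internalcrm.domain.com')   # assumption
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Read what is already registered; the value may not exist yet.
$existing = @()
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($item) { $existing = @($item.$valueName) }

# Merge old and new names, dropping blanks and case-insensitive duplicates.
$merged = @($existing) + @($names) |
          ForEach-Object { $_.Trim() } |
          Where-Object { $_ } |
          Sort-Object -Unique

if ($item) {
    Set-ItemProperty -Path $regPath -Name $valueName -Value ([string[]]$merged)
} else {
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType MultiString `
                     -Value ([string[]]$merged) | Out-Null
}

"$valueName now contains:"
$merged | ForEach-Object { "  $_" }
# As the slides note elsewhere, an IISReset is needed for the change to take effect.
```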
26
Changing ADFS Login Name
27
Changing ADFS Login Name
28
Setting the ADFS/IFD Timeout
http://technet.microsoft.com/en-us/library/gg188586.aspx
29
HTTPS Binding
– Ensure ADFS only has an HTTPS binding, no HTTP.
– One HTTPS binding per website in IIS.
Internal Service Error 503
– Issue an IISReset.
– Reboot.
– Reconfigure via the CRM wizards.
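An audit of the binding rules on this slide across every IIS site on the server, as an added example rather than code from the deck. It assumes the WebAdministration module and that ADFS lives on the default website, as the installation slide requires; the site name is an assumption.

```powershell
# Added example (not from the presentation): flag sites with more than one HTTPS
# binding and an ADFS site that still answers on plain HTTP.
Import-Module WebAdministration
$adfsSite = 'Default Web Site'   # assumption: ADFS is the default website (port 444)

foreach ($site in Get-Website) {
    $bindings = @(Get-WebBinding -Name $site.Name)
    $https = @($bindings | Where-Object { $_.protocol -eq 'https' })
    $http  = @($bindings | Where-Object { $_.protocol -eq 'http'  })

    # bindingInformation is "ip:port:hostheader"; show protocol:port per binding.
    $summary = ($bindings | ForEach-Object {
        '{0}:{1}' -f $_.protocol, ($_.bindingInformation -split ':')[1]
    }) -join ' '
    '{0,-30} {1}' -f $site.Name, $summary

    if ($https.Count -gt 1) {
        Write-Warning "$($site.Name): $($https.Count) HTTPS bindings; keep exactly one."
    }
    if ($site.Name -eq $adfsSite) {
        if ($http.Count -gt 0)  { Write-Warning "$($site.Name): ADFS site still has an HTTP binding; remove it." }
        if ($https.Count -eq 0) { Write-Warning "$($site.Name): ADFS site has no HTTPS binding." }
    }
}
```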
30
Updating the ADFS Cache
Updating the ADFS cache is sometimes required when adding a new organization to IFD, making changes to DNS entries, or troubleshooting issues. Updating is done from the ADFS configuration tool: on the relying party trusts, you will see the option to Update the Federation Metadata. Remember an IISReset.
31
IFD 404 Error & Workaround
A common error reported by external-access users after IFD is enabled: [error screenshot]. This is because ADFS took a copy of the CRM metadata during the install, and the copy it has cached is no longer exact. The fix is to publish all customizations. If this continues for a specific user, update the user record by removing their name, replacing it with a test name, saving, and then replacing the domain name again.
32
CRM Outlook Client 4
In order for older Outlook clients (v4) to work with ADFS and IFD in CRM 2011, you must enable Anonymous Authentication as well as apply Update Rollup 7 or later to the client.
Enabling anonymous authentication: to use Microsoft Dynamics CRM 4.0 for Outlook (Update Rollup 7 or later) with Microsoft Dynamics CRM Server 2011 IFD, you must enable anonymous authentication for the 2007 SPLA CrmDiscoveryService on each server where Microsoft Dynamics CRM Server 2011 is installed. For other requirements, see Microsoft Dynamics CRM for Outlook software requirements (http://go.microsoft.com/fwlink/?LinkID=210780) in the Microsoft Dynamics CRM Planning Guide.
To enable anonymous authentication:
– Open Internet Information Services (IIS) Manager.
– In the Connections pane, select the Microsoft Dynamics CRM Server 2011 Web site, and then navigate to the folder MSCRMServices\2007\SPLA.
– In Features View, double-click Authentication.
– On the Authentication page, select Anonymous Authentication.
– In the Actions pane, click Enable to use Anonymous authentication with the default settings.
For more information about enabling anonymous authentication in IIS, see Enable Anonymous Authentication (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=205316).
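The same IIS change as the steps above, scripted so it stays scoped to the MSCRMServices\2007\SPLA folder and then verified, since anonymous access accidentally enabled at the site root is wider than the Outlook client needs. This is an added example, not from the deck; the CRM site name is an assumption, and it uses the WebAdministration module's configuration cmdlets.

```powershell
# Added example (not from the presentation): enable anonymous authentication on
# the 2007 SPLA discovery folder only, then confirm the site root is unchanged.
Import-Module WebAdministration
$siteName = 'Microsoft Dynamics CRM'          # assumption: CRM site name in IIS
$filter   = '/system.webServer/security/authentication/anonymousAuthentication'
$splaPath = "$siteName/MSCRMServices/2007/SPLA"

# Writing with -Location puts the setting in applicationHost.config for that
# path only, which is what the IIS Manager steps on the slide do.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $splaPath `
    -Filter $filter -Name enabled -Value $true

# Verify: anonymous on for SPLA, and whatever it was before at the site root.
$spla = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $splaPath -Filter $filter -Name enabled
$root = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName -Filter $filter -Name enabled
"SPLA folder anonymous enabled: $($spla.Value)"
"Site root   anonymous enabled: $($root.Value)"
if ($root.Value) {
    Write-Warning "Anonymous authentication is enabled at the site root, which is wider than the slide requires."
}
```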
33
Caution on Cache
Be careful when testing DNS, then modifying DNS entries and testing again. These entries can become cached in Internet Explorer and cause good DNS entries to fail.
– Clear the IE cache; delete all items in IE.
– Add the CRM and ADFS URLs to the intranet sites.
– Ipconfig /flushdns and IISReset.
– Fiddler (fiddler2.com) can clear the cache. Make sure to close it when testing to avoid errors.
34
Closing & Q&A
Use of the Microsoft Forums – Ask an MVP! http://social.microsoft.com/Forums/en-US/category/dynamics
Please don't forget to accept the answer that helps you!