NAV 2013/2015/2016: Log in to any database

Run this on a NAV 2013/2015/2016 database to clear all users and restore default permissions:

delete from [dbo].[User]
delete from [dbo].[Access Control]
delete from [dbo].[User Property]
delete from [dbo].[Page Data Personalization]
delete from [dbo].[User Default Style Sheet]
delete from [dbo].[User Metadata]
delete from [dbo].[User Personalization]
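The same seven deletes run from PowerShell, as an added example that is not part of the original post: each table is copied to a *_bak table in the same database before it is cleared, so the original users and permission assignments can be put back once the lockout is resolved. It assumes Windows authentication with db_owner on the NAV database; the instance and database names are placeholders.

```powershell
# Added example (not from the original post): snapshot, then clear, the NAV
# security tables so the change is reversible. Instance and database names are
# placeholders; replace them with your own.

$instance = 'SQLSERVER\NAVDEMO'        # placeholder
$database = 'Demo Database NAV (8-0)'  # placeholder

# The seven tables the post deletes from, in the same order.
$tables = 'User', 'Access Control', 'User Property', 'Page Data Personalization',
          'User Default Style Sheet', 'User Metadata', 'User Personalization'

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$instance;Database=$database;Integrated Security=True")
$conn.Open()
$tx = $conn.BeginTransaction()   # all-or-nothing: no half-cleared user table
try {
    foreach ($t in $tables) {
        $bak = "${t}_bak"
        $cmd = $conn.CreateCommand()
        $cmd.Transaction = $tx

        # Replace any stale snapshot from an earlier run, then snapshot, then clear.
        $cmd.CommandText = "IF OBJECT_ID(N'[dbo].[$bak]') IS NOT NULL DROP TABLE [dbo].[$bak];"
        [void]$cmd.ExecuteNonQuery()
        $cmd.CommandText = "SELECT * INTO [dbo].[$bak] FROM [dbo].[$t];"
        $saved = $cmd.ExecuteNonQuery()
        $cmd.CommandText = "DELETE FROM [dbo].[$t];"
        $deleted = $cmd.ExecuteNonQuery()

        if ($saved -ne $deleted) {
            throw "Row count mismatch on [$t]: saved $saved, deleted $deleted"
        }
        "{0,-30} {1,6} rows saved to [{2}] and deleted" -f "[$t]", $deleted, $bak
    }
    $tx.Commit()
    "Done. Restore a table with: INSERT INTO [dbo].[<table>] SELECT * FROM [dbo].[<table>_bak]"
} catch {
    $tx.Rollback()
    throw
} finally {
    $conn.Close()
}
```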


HTTP Error 503 Accessing Company Web on SBS 2011 Standard

Taken from: http://blogs.technet.com/b/sbs/archive/2011/08/17/http-error-503-accessing-company-web-on-sbs-2011-standard.aspx

If your SharePoint service account passwords ever become out of sync, you will have issues trying to access http://companyweb. The most common error you will see is "HTTP Error 503. The service is unavailable." While this is the most common symptom, there are several others depending on where you look and which account is out of sync; we have included many more symptoms toward the end of this post.

Background Information

In SBS 2011, we use 3 different accounts to run Windows SharePoint Foundation. The accounts we use are spfarm, spsearch, and spwebapp. For security reasons the passwords on these accounts are periodically reset. SharePoint manages the spsearch and spwebapp accounts and the Windows SBS Manager service manages the spfarm account. All of these accounts can be found under MyBusiness > Users > SBS Users.

Display Name (Logon Account):

  • SharePoint Farm Account (spfarm)
  • SharePoint Search Service Account (spsearch)
  • Windows SBS Internal Web site Account (spwebapp)

The password for spfarm is reset every 7 days that the Windows SBS Manager service is running. The passwords of spsearch and spwebapp are reset on the first day of each month.

In addition to these passwords being stored in AD, they are also kept in the SharePoint configuration database and the services database. Due to this, the passwords can become out of sync. Passwords may get out of sync or expire due to the following causes:

  • A SharePoint database is restored that contains an out of date password.
  • The Windows SBS Manager service is broken/disabled.
  • The Windows SBS Manager is never allowed to run for more than 7 days (the server is rebooted every <7 days).
  • The account passwords expire due to a combination of password expiration policy and a date change, e.g. your passwords must be reset every 180 days and you change the date by more than 180 days.
  • You change your password policy to require passwords be changed more often than every 31 days.
  • Failed migration.

Of all these possible causes, the most common is restoring a database that contains an old password.

To check whether your passwords are in sync, run the SharePoint 2010 Management Shell as an administrator. From that PowerShell prompt, run Repair-SPManagedAccountDeployment. If one or more of the passwords is out of sync it will return an error.

Resolution

If you receive an error that your passwords are out of sync, perform the following steps for each out-of-sync account to resolve the issue.

  1. Reset the AD password for the out-of-sync account(s); the accounts can be found under MyBusiness > Users > SBS Users. See above for more information on the accounts. Note: be sure to uncheck "User must change password at next logon".
  2. Sync the password for the account(s) from an elevated SharePoint 2010 Management Shell (replace accountname with the affected account):
    Set-SPManagedAccount -UseExistingPassword -Identity $env:userdomain\accountname
  3. Run the repair to verify that the passwords are synced:
    Repair-SPManagedAccountDeployment
  4. Run IISreset /noforce
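The detection and repair steps above as one script, added here as an example that is not part of the original post: it first counts the WAS and Security events listed under Symptoms, then re-syncs every managed account whose AD password has just been reset and verifies with Repair-SPManagedAccountDeployment. It assumes it is run as an administrator in the SharePoint 2010 Management Shell on the SBS 2011 server after step 1; the account list and the 7-day lookback window are assumptions of this script.

```powershell
# Added example (not from the original post). Run in an elevated SharePoint 2010
# Management Shell after the AD passwords have been reset (step 1 above).

$accounts = 'spfarm', 'spsearch', 'spwebapp'   # the three SBS 2011 SharePoint accounts
$since    = (Get-Date).AddDays(-7)             # lookback window: an assumption

# 1. Detection: WAS events 5002/5021/5057 (app pool identity invalid / disabled) and
#    Security 4625 logon failures for the SharePoint accounts.
$wasEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'
    Id = 5002, 5021, 5057; StartTime = $since
} -ErrorAction SilentlyContinue

$logonFailures = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    # Properties[5] of event 4625 is the account for which logon failed.
    $accounts -contains $_.Properties[5].Value
}

"WAS app-pool failures since {0:d}: {1}" -f $since, @($wasEvents).Count
"Logon failures (4625) for SharePoint accounts: {0}" -f @($logonFailures).Count
$logonFailures | Group-Object { $_.Properties[5].Value } |
    Select-Object Name, Count | Format-Table -AutoSize

# 2. Is SharePoint's stored copy of each password still valid?
$repairError = $null
Repair-SPManagedAccountDeployment -ErrorVariable repairError -ErrorAction SilentlyContinue
if (-not $repairError) {
    'All managed account passwords are in sync; nothing to do.'
    return
}
"Repair reported: $($repairError[0].Exception.Message)"

# 3. Re-sync (step 2 above, for every account): tell SharePoint to use the password
#    now set in AD. The password is read interactively so it never sits in a script.
foreach ($name in $accounts) {
    $identity = "$env:USERDOMAIN\$name"
    $managed  = Get-SPManagedAccount -Identity $identity -ErrorAction SilentlyContinue
    if (-not $managed) { "No managed account registered for $identity, skipping."; continue }
    $pw = Read-Host -AsSecureString "Password now set in AD for $identity"
    Set-SPManagedAccount -Identity $managed -UseExistingPassword -ExistingPassword $pw -Confirm:$false
    "Re-synced $identity"
}

# 4. Verify (step 3), then recycle IIS so the app pools pick up the corrected identity (step 4).
Repair-SPManagedAccountDeployment
iisreset /noforce
```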

Symptoms

If your passwords are out of sync you may receive one or more of the following errors:

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5002
Level: Error
Computer: server.domain.local
Description: Application pool ‘SBS Sharepoint AppPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5021
Level: Warning
Computer: server.domain.local
Description: The identity of application pool SBS Sharepoint AppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5057
Level: Warning
Computer: server.domain.local
Description: Application pool SBS Sharepoint AppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
Computer: server.domain.local
Description: An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVER$
Account Domain: domain
Logon ID: 0x3e7
Logon Type: 4
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: spwebapp
Account Domain: domain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

The following services may fail to start with a logon failure:

  • SharePoint 2010 VSS Writer
  • SharePoint 2010 Timer
  • SharePoint Foundation Search V4

Update

9/9/2011: We have identified another cause of the 503 error and have detailed it here: http://blogs.technet.com/b/sbs/archive/2011/09/01/an-uncommon-reason-why-browsing-companyweb-may-fail-with-http-error-503-on-sbs-2011-standard.aspx.

Force-removing the RDS licensing time-bomb

Force-removing the RDS licensing time-bomb registry entry:

HKLM\system\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

RegEdit alone couldn’t do it. It had to actually be run under highest privileges with the help of Sysinternals: psexec -s -i regedit.exe

After another reboot things seem to be working now.

How to change the Port of ADFS 3.0 (Windows server 2012 R2) to 444

Thanx to: http://inogic.com/blog/2014/07/how-to-change-the-port-of-adfs-3-0-windows-server-2012-r2-to-444/

This also worked for me on Windows Server 2008 R2 with AD FS 2.0 installed.

There have been times when we need to configure IFD and both ADFS and CRM are installed on the same server.

On Windows Server 2008 we need to install ADFS 2.0, and on Windows Server 2012 Standard, ADFS 2.1 comes by default as a Windows feature, so we just need to install and configure ADFS. But in both cases ADFS gets installed on the Default Web Site in IIS. Hence we used to change the port of ADFS to 444 directly on the IIS Default Web Site, and CRM (https) remained on 443, so that we could browse the CRM IFD URL as https://orgname.domainame.com without appending a port to the URL.

This is not the same on Windows Server 2012 R2, because ADFS 3.0 on Windows Server 2012 R2 does not depend on IIS. In that case, since the ADFS port could not be changed, we used to change the CRM (https) port to 444 instead. As a result, users had to browse the CRM IFD URL as https://orgname.domainame.com:444.

But sometimes the requirement is that users should not have to append the port to the IFD URL. To achieve this, ADFS has to use port 444 instead, which can be done with some PowerShell commands.

We have outlined below our experience and learning during IFD configuration on such a Windows Server 2012 R2 machine with both ADFS 3.0 and CRM installed on the same server.

1) First install ADFS 3.0 on Windows Server 2012 R2.

2) After that, configure ADFS 3.0. You can get the detailed steps for configuring ADFS 3.0 and IFD from here.

3) During the configuration of ADFS 3.0 you will come across the following screen, where you can clearly see that you can only configure the Federation Service Name and *not* the port, which could be done with earlier ADFS versions on earlier Windows Server versions.

4) Hence, after configuring ADFS 3.0 and IFD, you need to run some commands in PowerShell. But before that, first check how many URLs ADFS has already reserved, so that you can run the commands for them:

netsh http show urlacl

The above command displays the list of reserved URLs. As you can see from the list, the two highlighted URLs are reserved by ADFS 3.0 on port 443, i.e. https://+:443/adfs/ and https://+:443/FederationMetadata/2007-06/

5) Now we first need to delete them using the following commands.

netsh http del urlacl https://+:443/adfs/
netsh http del urlacl https://+:443/FederationMetadata/2007-06/

6) After deleting them, execute the following commands to add them on port 444.

netsh http add urlacl https://+:444/adfs/ user="NT SERVICE\adfssrv" delegate=yes
netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user="NT SERVICE\adfssrv" delegate=yes

7) Finally, run the following command:

Set-ADFSProperties -HttpsPort 444

Note: If you change the ADFS port from the default to 444, it gives the following warning. It means that with ADFS on 444 you will not be able to register mobile devices in ADFS, and hence will not be able to develop a mobile device app for CRM.

8) After performing the above step, restart the "Active Directory Federation Services" service.

9) Now that your FederationMetadata URL has moved to port 444, it will look like https://sts1.adventure25.com:444/federationmetadata/2007-06/federationmetadata.xml, and if you browse this URL it will not work, as shown in the screen below. So there seems to be some issue with the ADFS 3.0 configuration.

10) Microsoft says ADFS 3.0 does not depend on IIS, i.e. it is not installed under the Default Web Site in IIS, and this is true, because you will not find any ADFS-related files under the Default Web Site in IIS.

11) But still, if you go to IIS and set the binding of the Default Web Site to port 444, then it starts working, as shown in the screen below:

12) After completing the above steps, first change the CRM website port to 443, then configure Web Address Properties, Claims-Based Authentication and IFD from Deployment Manager with this new Federation Metadata URL, and then update the relying party in ADFS. IFD will then start working and you just need to browse it as https://orgname.domainame.com
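Steps 4 to 8 above as a single script, added here as an example that is not part of the original post: it removes the 443 reservations only if they are actually present, verifies the 444 reservations before touching the service, and finishes with a read-only check of the HTTP.sys certificate bindings for the new port. It assumes it is run as an administrator on the AD FS 3.0 server; the port (444) and the service identity NT SERVICE\adfssrv are the post's values.

```powershell
# Added example (not from the original post): the netsh/Set-AdfsProperties steps
# with checks between them. Run as administrator on the AD FS 3.0 server.

$oldPort = 443
$newPort = 444
$paths   = '/adfs/', '/FederationMetadata/2007-06/'
$svcUser = 'NT SERVICE\adfssrv'   # AD FS service identity, as in the post

function Get-AdfsUrlAcl {
    # Parse "netsh http show urlacl" and return only the AD FS reservations.
    (netsh http show urlacl) | ForEach-Object {
        if ($_ -match 'Reserved URL\s*:\s*(\S+)') { $Matches[1] }
    } | Where-Object { $_ -match '^https://\+:\d+(/adfs/|/FederationMetadata/2007-06/)$' }
}

"AD FS reservations before:"; Get-AdfsUrlAcl

foreach ($p in $paths) {
    $old = "https://+:$oldPort$p"
    $new = "https://+:$newPort$p"
    if (@(Get-AdfsUrlAcl) -contains $old) {
        netsh http delete urlacl "url=$old" | Out-Null
    } else {
        "Note: $old was not reserved; nothing to delete."
    }
    # delegate=yes as in the post, so the AD FS service can delegate the reservation.
    netsh http add urlacl "url=$new" "user=$svcUser" delegate=yes | Out-Null
}

$after   = @(Get-AdfsUrlAcl)
$missing = $paths | ForEach-Object { "https://+:$newPort$_" } | Where-Object { $after -notcontains $_ }
if ($missing) { throw "Reservation(s) not created: $($missing -join ', ')" }
"AD FS reservations after:"; $after

# Steps 7 and 8: point AD FS at the new port and restart the service.
Set-AdfsProperties -HttpsPort $newPort
Restart-Service adfssrv
"AD FS HttpsPort is now $((Get-AdfsProperties).HttpsPort)"

# Added check: AD FS 3.0 serves HTTPS through HTTP.sys, which needs a certificate
# binding for the new port too. List whatever is bound to 444; if nothing is, that
# matches the symptom in step 9 (the post resolves it via the IIS binding in step 11).
$ssl = netsh http show sslcert | Select-String -Context 0, 4 -Pattern "0\.0\.0\.0:$newPort"
if ($ssl) { $ssl } else { "No HTTP.sys certificate binding found for port $newPort." }
```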

Step by Step : Deploy DFS in Windows Server 2012 R2

Thanx to: https://mizitechinfo.wordpress.com/2013/08/21/step-by-step-deploy-dfs-in-windows-server-2012-r2/

What Is DFS?

Normally, for domain users to access a file share, they use a Universal Naming Convention (UNC) name to reach the shared folder content.

Many large companies have hundreds of file servers dispersed geographically throughout the organization.

This is very challenging for users who are trying to find and access files efficiently.

So by using a namespace, DFS can simplify the UNC folder structure. In addition, DFS can replicate the virtual namespace and the shared folders to multiple servers within the organization. This ensures that the shares are located as close as possible to users, with the additional benefit of fault tolerance for the network shares.

Alright, that's just a bit of DFS introduction. For more information, please refer to http://technet.microsoft.com/en-us/library/jj127250.aspx, or for those who are interested in a hands-on "feel" for DFS, please join my Server 2012 training; see my website for more information: http://compextrg.com/

So, enough said, let's get started with our DFS deployment.

** As usual, for this DFS demo I'm using three Server 2012 machines (DC01, SVR01, COMSYS-RODC01) and a Windows client (Surface01).

** I will install DFS on the SVR01 and COMSYS-RODC01 servers.

1 – Be aware that to deploy DFS you need two servers so that the folders can replicate to each other, so I will install DFS on SVR01 and COMSYS-RODC01; you can install DFS on both at the same time.

To install DFS on the SVR01 server, open Server Manager and, on the Dashboard, click Add Roles and Features.

2 – In the Before you begin box, click Next.

3 – On the Select installation type box, click Next to proceed (make sure Role-based or feature-based installation is selected).

4 – On the Select destination server box, click Next to proceed.

5 – On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select the DFS Namespaces check box; in the Add Roles and Features pop-up box, click Add Features.

6 – Next, make sure you select the DFS Replication check box, and only then click Next to proceed.

7 – Next, on the Select features box, click Next.

8 – On the Confirm installation selections box, click Install.

9 – Wait a few minutes for the installation to complete and, when it completes, click Close.

** As I mentioned previously, you need to install DFS on the other server as well, which in my demo is the COMSYS-RODC01 server.

** Once you have confirmed that DFS is installed on both servers, proceed with the DFS namespace configuration.

10 – First, open DFS Management from Server Manager.

11 – Next, in the DFS console, right-click Namespaces and then click New Namespace (a namespace is a virtual view of the shared folders on your servers).

12 – In the New Namespace Wizard, on the Namespace Server page, under Server, type svr01, and then click Next.

13 – Next, on the Namespace Name and Settings box, under Name, type MarketingDocs, and then click Edit Settings.

14 – In the Edit Settings box, under Local path of shared folder, type C:\DFSRoots\MarketingDocs, select Administrators have full access; other users have read and write permissions, then click OK.

15 – Next, on the Namespace Type box, verify that Domain-based namespace is selected. Note that the namespace will be accessed as \\comsys.local\MarketingDocs. Also make sure the Enable Windows Server 2008 mode check box is selected, and then click Next.

16 – On the Review Settings and Create Namespace page, click Create.

17 – On the Confirmation box, verify that the Create namespace task succeeded, and then click Close.

18 – Next, you need to enable access-based enumeration for the MarketingDocs namespace.

To do so, under Namespaces, right-click \\comsys.local\MarketingDocs, and then click Properties.

19 – In the \\comsys.local\MarketingDocs Properties box, click the Advanced tab, select the Enable access-based enumeration for this namespace check box, and then click OK.

20 – Next, let's add the Brochures folder to the MarketingDocs namespace.

To do that, right-click \\comsys.local\MarketingDocs, and then click New Folder.

21 – In the New Folder box, under Name, type Brochures, then click Add.

22 – In the Add Folder Target dialog box, type \\comsys-rodc01\Brochures, and then click OK.

23 – In the Warning box, click Yes.

24 – In the Create Share box, in the Local path of shared folder box, type C:\MarketingDocs\Brochures, select Administrators have full access; other users have read and write permissions, then click OK.

25 – In the Warning box, click Yes to proceed.

26 – Click OK again to close the New Folder dialog box.

27 – Next, I want to add the OnlineAdvert folder to the MarketingDocs namespace. To do that, right-click \\comsys.local\MarketingDocs, click New Folder, then in the New Folder box, under Name, type OnlineAdvert, and then click Add.

28 – In the Add Folder Target box, type \\svr01\OnlineAdvert, and then click OK.

29 – In the Warning box, click Yes to create the OnlineAdvert folder.

30 – Next, in the Create Share box, in the Local path of shared folder box, type C:\MarketingDocs\OnlineAdvert, make sure you select Administrators have full access; other users have read and write permissions, then click OK.

31 – In the Warning box, click Yes.

32 – Click OK again to close the New Folder dialog box (verify that \\svr01\OnlineAdvert is listed), and check that both the Brochures and OnlineAdvert folders are listed under the \\comsys.local\MarketingDocs namespace.

33 – Now let's verify that our MarketingDocs namespace and its folders can be accessed using the UNC path: open Run and type \\comsys.local\MarketingDocs, then in the MarketingDocs window verify that both Brochures and OnlineAdvert are displayed.

34 – Now for the second important task, which is to configure DFS Replication (DFS-R). But before that, let's create another folder target for Brochures.

Right-click Brochures, and then click Add Folder Target.

35 – In the New Folder Target box, under Path to folder target, type \\svr01\Brochures, and then click OK.

36 – In the Warning box, click Yes to create the shared folder on the svr01 server.

37 – Next, in the Create Share box, under Local path of shared folder, type C:\MarketingDocs\Brochures, don't forget to select Administrators have full access; other users have read and write permissions, then click OK.

38 – In the Warning box, click Yes to create the folder on the svr01 server.

39 – In the Replication box, click Yes. The Replicate Folder Wizard starts.

40 – Next, in the Replicate Folder Wizard, on both the Replication Group and Replicated Folder Name pages, accept the default settings, and then click Next.

41 – On the Replication Eligibility page, click Next.

42 – On the Primary Member box, I choose the SVR01 server to be my primary DFS server, and then click Next.

43 – On the Topology Selection box, select Full Mesh, and then click Next.

44 – On the Replication Group Schedule and Bandwidth page, I choose Full, and then click Next.

45 – On the Review Settings and Create Replication Group box, click Create.

46 – On the Confirmation box, click Close (verify that every status is Success).

47 – In the Replication Delay box, click OK.

48 – Next, expand Replication and then click comsys.local\marketingdocs\brochures; in the right pane, under the Memberships tab, verify that both the comsys-rodc01 and svr01 servers are listed.

49 – To make sure the replication process is running without any issue, and to verify that our second server, COMSYS-RODC01, has the same DFS function, log on to the COMSYS-RODC01 server, open DFS Management, right-click Namespaces and click Add Namespace to Display.

50 – In the Add Namespace to Display box, verify that the domain is Comsys.local and that \\Comsys.local\MarketingDocs is listed under Namespace:, then click OK.

51 – Next, in the DFS console on the Comsys-RODC01 server, you should see that both the Brochures and OnlineAdvert folders are listed.

52 – Lastly, log on to your client PC as any domain user, open Run, type \\Comsys.local\MarketingDocs and press Enter; you should see the MarketingDocs folder pop up with the Brochures and OnlineAdvert folders inside.

We're done for now. With this configuration you can start using DFS, but we still have a few things to verify, especially high availability.
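The namespace, folders, access-based enumeration and replication group built above in the wizards, as a PowerShell script added here as an example (it is not part of the original tutorial). It assumes it is run as a domain admin on svr01 with the DFS Namespaces and DFS Replication roles already installed on both svr01 and comsys-rodc01 (steps 1 to 9), WinRM reachable on comsys-rodc01, and the tutorial's server, domain and folder names; the share ACL uses Authenticated Users, which is an assumption and narrower than the wizard's "other users" option.

```powershell
# Added example (not from the original tutorial): steps 10-48 as DFSN/DFSR cmdlets.
Import-Module DFSN, DFSR

$domain  = 'comsys.local'
$ns      = "\\$domain\MarketingDocs"
$primary = 'svr01'
$second  = 'comsys-rodc01'
$shareAcl = @{ FullAccess = 'BUILTIN\Administrators'           # assumption: tighter than
               ChangeAccess = 'NT AUTHORITY\Authenticated Users' } # the wizard's "other users"

# Steps 12-14: local folder and share that back the namespace root.
New-Item -Path 'C:\DFSRoots\MarketingDocs' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'MarketingDocs' -Path 'C:\DFSRoots\MarketingDocs' @shareAcl | Out-Null

# Steps 15-19: domain-based namespace in Windows Server 2008 mode (DomainV2), with
# access-based enumeration on so users only see folders they have permission to.
New-DfsnRoot -Path $ns -TargetPath "\\$primary\MarketingDocs" -Type DomainV2 `
    -EnableAccessBasedEnumeration $true | Out-Null

# Shares behind the folder targets: Brochures on both servers, OnlineAdvert on svr01.
$targets = @(
    @{ Server = $second;  Share = 'Brochures' },
    @{ Server = $primary; Share = 'OnlineAdvert' },
    @{ Server = $primary; Share = 'Brochures' })
foreach ($t in $targets) {
    Invoke-Command -ComputerName $t.Server -ArgumentList $t.Share, $shareAcl -ScriptBlock {
        param($share, $acl)
        New-Item -Path "C:\MarketingDocs\$share" -ItemType Directory -Force | Out-Null
        New-SmbShare -Name $share -Path "C:\MarketingDocs\$share" @acl | Out-Null
    }
}

# Steps 20-37: namespace folders and their targets.
New-DfsnFolder       -Path "$ns\Brochures"    -TargetPath "\\$second\Brochures"     | Out-Null
New-DfsnFolder       -Path "$ns\OnlineAdvert" -TargetPath "\\$primary\OnlineAdvert" | Out-Null
New-DfsnFolderTarget -Path "$ns\Brochures"    -TargetPath "\\$primary\Brochures"    | Out-Null

# Steps 39-47: replication group for Brochures with both members, a full-mesh
# (two-way) connection, svr01 as primary member and the default full-time schedule.
$group = "$domain\marketingdocs\brochures"
New-DfsReplicationGroup -GroupName $group -DomainName $domain | Out-Null
New-DfsReplicatedFolder -GroupName $group -FolderName 'Brochures' -DomainName $domain | Out-Null
Add-DfsrMember     -GroupName $group -ComputerName $primary, $second -DomainName $domain | Out-Null
Add-DfsrConnection -GroupName $group -SourceComputerName $primary `
    -DestinationComputerName $second -DomainName $domain | Out-Null
Set-DfsrMembership -GroupName $group -FolderName 'Brochures' -ComputerName $primary `
    -ContentPath 'C:\MarketingDocs\Brochures' -PrimaryMember $true -DomainName $domain -Force | Out-Null
Set-DfsrMembership -GroupName $group -FolderName 'Brochures' -ComputerName $second `
    -ContentPath 'C:\MarketingDocs\Brochures' -DomainName $domain -Force | Out-Null

# Steps 33 and 48: folders visible through the namespace, both members listed.
Get-DfsnFolder -Path "$ns\*" | Select-Object Path, State
Get-DfsrMembership -GroupName $group -DomainName $domain |
    Select-Object ComputerName, ContentPath, PrimaryMember
```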

 

 

Step by Step: Configuring CRM 2013 Internet facing deployment (IFD)

This blog covers all the steps you have to follow to configure Internet-facing deployment (IFD) for a CRM 2013 on-premises deployment.

Before we proceed here are a few details of the environment.

CRM Server 2013 Installed on Windows Server 2012

ADFS 2.1 on a separate box on Windows Server 2012

Important:

With AD FS 2.0, you had to download and install the AD FS 2.0 software to deploy your AD FS server infrastructure.

ADFS 2.1 was released to Windows Server 2012 as part of the operating system and therefore can be installed as a Role from Server Manager.

Prerequisites

    1. Install and configure Dynamics CRM 2013
    2. Install and configure IIS on the ADFS Server
    3. Purchase the appropriate certificates for the IFD configuration

You will need to choose the type of certificate that works best in your environment. Most people choose a wildcard certificate for their external domain, so in my example it would be *.fabrikam.com, which I can use for all the URLs. If you get a SAN certificate, you need to know all of your URLs now and in the future (if you are going to add more orgs).

    4. If ADFS will be on the same server as CRM, ADFS needs to be on the default website using the default port, so CRM will need to use something else.

I will break down the entire process into 5 major sections.

Section 1: Binding Certificates

Section 2: Setup ADFS

Section 3: DNS Configuration

Section 4: Configuring CRM server for claims based authentication

Section 5: Configuring CRM server for IFD

Alright, let’s get this started.

Section 1: Binding Certificates

After you have obtained and installed a certificate, the certificate must be bound to the default Web site before you can use AD FS.

On the ADFS Server

Step 1: Open IIS Manager and, in the Connections pane, expand the Sites node in the tree, and then click the Default Web Site.

Step 2: In the Actions pane, click Bindings.

Step 3: In the Site Bindings dialog box, click Add.

Under Type, select https.

Under SSL certificate, select your SSL certificate, then click OK and then Close.

On the CRM 2013 Server

When enabling claims-based authentication, the Dynamics CRM Server 2013 Web site must be accessible via HTTPS. You must bind your SSL certificate to the Dynamics CRM Server 2013 Web site.

Step 4: Open IIS Manager and, in the Connections pane, expand the Sites node in the tree, and then click the Microsoft Dynamics CRM Web site.

Step 5: In the Actions pane, click Bindings.

Step 6: In the Site Bindings dialog box, click Add.

Under Type, select https.

Under SSL certificate, select your SSL certificate, then click OK and then Close.

Step 7: The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate

The CRMAppPool account needs rights to the certificate used for the CRM website. If the application pool is running as Network Service, as in this example, you need to give Network Service read rights to that certificate.

You can use IIS Manager to determine which account was chosen during setup for the CRMAppPool account. In the Connections pane, click Application Pools, and then check the Identity value for CRMAppPool.

Launch the MMC console, go to the File menu and select Add/Remove Snap-in.

Select Certificates from the available snap-ins and click Add.

Select Computer Account and click Next in the Certificates Snap-in window.

Click Finish on the next window and then click OK.

Expand Certificates -> Personal -> Certificates, right-click the certificate and select Manage Private Keys.

Add the identity that runs the CRM application pool, give it Read permission, and then click OK.

In my case it's Network Service.

You are now done configuring the certificates.
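Steps 4 to 7 on the CRM server as a script, added here as an example that is not part of the original post: it binds the certificate to the CRM site, reads the CRMAppPool identity from IIS and grants that identity Read (not Full Control) on the certificate's private key file, which is what Manage Private Keys does in the MMC. It assumes it is run as an administrator on the CRM 2013 server, that the wildcard certificate *.fabrikam.com from the post is installed with its private key in the machine Personal store as a CSP (RSA) key, and the post's site and application pool names.

```powershell
# Added example (not from the original post). Run as administrator on the CRM server.
Import-Module WebAdministration

$subject  = '*.fabrikam.com'             # the post's wildcard certificate
$siteName = 'Microsoft Dynamics CRM'     # CRM web site name in IIS
$poolName = 'CRMAppPool'

# Pick the newest certificate for the subject that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$subject*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $subject in LocalMachine\My" }
"Using {0} (thumbprint {1}, expires {2:d})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# Steps 4-6: https binding on the CRM site, with this certificate attached to 0.0.0.0:443.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Step 7: which account runs CRMAppPool? (Network Service in the post's example)
$pool = Get-Item "IIS:\AppPools\$poolName"
$identity = switch ($pool.processModel.identityType) {
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    default                   { $pool.processModel.userName }
}
"$poolName runs as $identity"

# Locate the private key file (CSP keys live under MachineKeys) and grant Read only,
# which is all the application pool needs to use the certificate.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $keyName) { throw 'Private key is not a CSP key; use Manage Private Keys in the MMC instead.' }
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) { throw "Private key file not found at $keyPath" }
icacls $keyPath /grant "${identity}:R" | Out-Null
"Private key ACL is now:"; icacls $keyPath
```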

Section 2: Setup ADFS

Step 1: Launch Server Manager and click Add roles and features.

Step 2: Click Next on the first page of the wizard.

Step 3: Select Role-based or feature-based installation and click Next.

Step 4: Select a server from the server pool and click Next.

Step 5: Select Active Directory Federation Services.

Step 6: Click Add Features and then click Next.

Step 7: Continue to click Next until you reach the Confirmation page, and then click Install.

Now that we have installed ADFS, let's go ahead and configure it.

Step 8: Launch Administrative Tools and then select AD FS Management.

Step 9: Click AD FS Federation Server Configuration Wizard and, on the welcome page, select Create a new Federation Service.

Step 10: Select Stand-alone or Farm Deployment.

Depending on your requirements, choose the appropriate option. The wizard explains each of the options.

I will choose Stand-alone federation server.

Step 11: Specify the Federation Service Name.

Step 12: The wizard shows a summary of what is about to be installed. Click Next to continue.

Step 13: Wait for the configuration process to complete and click the Close button.

Section 3: DNS Configuration

You should configure your domain records in DNS so the various Dynamics CRM Server endpoints resolve correctly.

Step 1: Open DNS Manager by clicking Start, pointing to Administrative Tools, and then clicking DNS.

Step 2: Expand Forward Lookup Zones, select the <Domain name>.com zone and create the CNAME records below (name, target, description):

  • auth: point it to the machine that has CRM 2013 installed. This record is used by the AD FS server when retrieving the Microsoft Dynamics CRM IFD federationmetadata.xml file.
  • Dev: point it to the machine that contains the Discovery Web Service. Microsoft Dynamics CRM Discovery Web Service domain.
  • Internalcrm: point it to the machine that has CRM 2013 installed. Internal URL used to access Microsoft Dynamics CRM (for example, internalcrm.fabrikam.com).
  • <CRM organization name>: point it to the machine that has CRM 2013 installed. External URL used to access Microsoft Dynamics CRM (Web Application Server domain; for example, orgname.contoso.com).
  • ADFS: point it to the machine that has ADFS installed. AD FS 2.1 server.

Here is a screenshot of all the DNS records created.

You must also set your firewall to allow inbound traffic on the ports used for Dynamics CRM Server 2013 and AD FS 2.1.

Section 4: Configuring CRM server for claims based authentication

Once ADFS is set up and the certificate(s) are bound to the websites, you need to prepare CRM for claims authentication.

On The CRM Server

Step 1: Set the Microsoft Dynamics CRM Server 2013 binding to HTTPS and configure the root domain Web addresses.

Start the Deployment Manager => Actions pane => Properties => Web Address tab => under Binding Type, select HTTPS.

You can now enter your internal URL for CRM. This is the URL users can use to access CRM inside the network without being prompted for credentials. Click Apply.

Step 2: In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication. Click Next on the Welcome page.

Step 3: On the Specify the security token service page, enter the Federation metadata URL, such as https://adfs.fabrikam.com/federationmetadata/2007-06/federationmetadata.xml.

This data is typically located on the Web site where Active Directory Federation Services (AD FS) 2.1 is running. To verify the correct URL, open it in an Internet browser to view the federation metadata. Verify that no certificate-related warnings appear.

Step 4: On the Specify the encryption certificate page, specify the encryption certificate.

Step 5: On the System Checks page, review the results, perform any steps required to fix problems, and then click Next.

Step 6: On the Review your selections and then click Apply page, verify your selections, and then click Apply.

Step 7: Click View log file, scroll to the bottom and copy the Federation metadata URL, to avoid typos.

You will need the federation metadata URL that was created during Claims-Based Authentication configuration in CRM to set up the Relying Party Trust in ADFS 2.1.

On The ADFS Server

After enabling claims-based authentication, the next step is to add and configure claims provider trusts and relying party trusts in AD FS 2.1.

Step 8: Start AD FS 2.1 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

Step 9: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

Step 10: Create the following rule:

Claim rule name: UPN Claim Rule (or something descriptive)
Attribute store: Active Directory
LDAP Attribute: User Principal Name
Outgoing Claim Type: UPN

Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Dynamics CRM Server 2013 as a relying party to consume claims from AD FS 2.1 for authenticating internal claims access.

Step 11: Start AD FS Management. On the Actions menu in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

Step 12: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file, which will be https://internalcrm.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear by opening it in the browser.

Step 13: On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

Step 14: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Step 15: On the Ready to Add Trust page, click Next, and then click Close.

Step 16: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

Step 17: In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Step 18: Create the following rule (#1):

Claim rule name: Pass Through UPN (or something descriptive)
Incoming claim type: UPN
Pass through all claim values

Click Finish.

Step 19: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Step 20: Create the following rule (#2):

Claim rule name: Pass Through Primary SID (or something descriptive)
Incoming claim type: Primary SID
Pass through all claim values

Click Finish.

Step 21: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Step 22: Create the following rule (#3):

Claim rule name: Transform Windows Account Name to Name (or something descriptive)
Incoming claim type: Windows account name
Outgoing claim type: Name
Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

So now we have claims set up for CRM.

On both servers (ADFS and CRM), go to IE -> Tools -> Internet Options -> Security -> Local intranet -> Sites and add the internal URL and the ADFS URL (https://internalcrm.fabrikam.com and https://adfs.fabrikam.com). This has to be done on any machine that accesses the internal access points, so that ADFS and CRM can pass Kerberos tickets without prompting for credentials.

Type the internal URL on the CRM server, https://internalcrm.fabrikam.com, and see how it hits ADFS and then launches the CRM page.
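The claims provider rule (Step 10) and the relying party trust with its authorization rule and three issuance rules (Steps 11 to 22), written as AD FS PowerShell and claim rule language rather than clicked through the wizard; this is an added example, not part of the original post. It assumes it is run as an administrator on the AD FS 2.1 server with the ADFS module (AD FS 2.0 exposes the same cmdlets through the Microsoft.Adfs.PowerShell snap-in instead), and uses the post's metadata URL and display name; the claim type URIs are the standard AD FS ones.

```powershell
# Added example (not from the original post). Run as administrator on the AD FS server.
Import-Module ADFS

$metadataUrl = 'https://internalcrm.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'
$rpName      = 'CRM Claims Relying Party'

# Standard claim type URIs behind the names shown in the wizard.
$upn  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$name = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$psid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$wan  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Step 10: "Send LDAP Attributes as Claims" on the Active Directory claims provider,
# userPrincipalName -> UPN. Existing acceptance rules are kept; the rule is only
# appended if no userPrincipalName rule is there already.
$upnRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN Claim Rule"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@
$adTrust = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
if ($adTrust.AcceptanceTransformRules -notmatch 'userPrincipalName') {
    Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($adTrust.AcceptanceTransformRules + "`n" + $upnRule)
}

# Steps 18-22: the three issuance rules CRM expects.
$issuanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "$upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "$psid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$wan"]
 => issue(Type = "$name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Step 14: "Permit all users to access this relying party".
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Step 12: fetch CRM's federation metadata first, as the post does in the browser;
# a certificate error or a non-metadata response fails here instead of as a silent
# broken trust. (Invoke-WebRequest throws on an untrusted certificate.)
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch '<EntityDescriptor') {
    throw "Federation metadata not served correctly at $metadataUrl"
}

# Steps 11-15: create (or update) the relying party trust from that metadata.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules
} else {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules
}

# Show what was configured.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, MonitoringEnabled
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```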

Section 5: Configuring CRM server for IFD

Now you are ready to configure Internet-Facing Deployment within the Microsoft Dynamics CRM 2013 Deployment Manager.

On The CRM Server

Step1: Start the Deployment Manager. In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment. Click Next.

Step2: Enter the URLs for the Web Application Server Domain, Organization Web Service Domain and the Discovery Web Service Domain and click on the Next button.

Important things to consider

· Specify domains, not servers.

· If your deployment is on a single server or on servers that are in the same domain, the Web Application Server Domain and Organization Web Service Domain will be identical.

· The Discovery Web Service Domain must be a resolvable host name and not a root domain. For example: dev.fabrikam.com.

· The Discovery Web Service domain must not match an organization’s fully qualified domain name (FQDN). For example, the Discovery Web Service Domain should not be: orgname.fabrikam.com.

· The domains must be valid for the SSL certificate’s common name or names.

· The domains must be set to resolve correctly in DNS to your Microsoft Dynamics CRM servers holding the server roles.

· The domains can be in a different DNS domain from the one in which the Microsoft Dynamics CRM servers reside.

Step3: In the Enter the external domain where your Internet-facing servers are located box, type the external domain information where your Internet-facing Microsoft Dynamics CRM Server 2013 servers are located, and then click Next.

The domain you specify must be a sub-domain of the Web Application Server Domain specified in the previous step. By default, “auth.” is pre-pended to the Web Application Server Domain.

Important things to consider

· The external domain is used by the AD FS server when retrieving the Microsoft Dynamics CRM IFD federationmetadata.xml file.

· The external domain must not contain an organization name.

· The external domain must not contain an underscore character (“_”).

· The external domain must be valid for the SSL certificate’s common name or names.

· The external domain must be set to resolve correctly in DNS to your Microsoft Dynamics CRM server holding the Web Application Server role.
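The two "Important things to consider" lists above are the checks that most often fail later in the wizard or at first sign-in. The block below is an added example, not code from the original post or from Microsoft's own System Checks page: it tests the planned domain values against those constraints (sub-domain, no underscore, not a root or organization FQDN, DNS resolution, and coverage by the SSL certificate's CN or SAN names) before the wizard is started. The domain values are the post's examples; the organization name and certificate thumbprint are placeholders.

```powershell
# Added example, not part of the original post or of Microsoft's System Checks:
# a pre-flight check of the IFD domain values against the constraints listed
# above, meant to run on the CRM server before starting the wizard.
# Domain values are the post's examples; org name and thumbprint are placeholders.
$webAppDomain    = 'fabrikam.com'       # Web Application Server Domain
$orgSvcDomain    = 'fabrikam.com'       # Organization Web Service Domain
$discoveryDomain = 'dev.fabrikam.com'   # Discovery Web Service Domain
$externalDomain  = 'auth.fabrikam.com'  # external domain (Step3)
$orgNames        = @('orgname')         # CRM organization unique names (assumed)
$certThumbprint  = '<THUMBPRINT-OF-CRM-SSL-CERT>'   # placeholder

# DNS names a certificate covers: the Subject CN plus Subject Alternative Name entries
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @(($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', '')
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += (($san.Format($false) -split ',\s*') -replace '^DNS Name=', '') }
    return $names
}

# Exact or single-label wildcard match, e.g. *.fabrikam.com covers auth.fabrikam.com
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    $wildcard = $Name -replace '^[^.]+', '*'
    return ($CertNames -contains $Name) -or ($CertNames -contains $wildcard)
}

function Test-IfdDomains {
    param($WebApp, $OrgSvc, $Discovery, $External, [string[]]$Orgs, $Thumbprint)
    $problems = @()
    $hostNames = @($Discovery, $External) + @($Orgs | ForEach-Object { "$_.$WebApp" })

    if ($OrgSvc -ine $WebApp) {
        $problems += "NOTE: Organization Web Service Domain $OrgSvc differs from $WebApp; expected only when roles are split across domains"
    }
    # Discovery domain: a host under the root, not the root itself, not an organization FQDN
    if ($Discovery -ieq $WebApp) { $problems += "Discovery domain must not be the root domain $WebApp" }
    foreach ($o in $Orgs) {
        if ($Discovery -ieq "$o.$WebApp") { $problems += "Discovery domain must not equal organization FQDN $o.$WebApp" }
        if ($External.Split('.')[0] -ieq $o) { $problems += "External domain must not contain organization name $o" }
    }
    # External domain: a sub-domain of the Web Application Server Domain, no underscore
    if (-not $External.EndsWith(".$WebApp", [StringComparison]::OrdinalIgnoreCase)) {
        $problems += "External domain $External must be a sub-domain of $WebApp"
    }
    if ($External -match '_') { $problems += "External domain $External must not contain '_'" }

    # DNS: every name must resolve (to the CRM server or whatever fronts it)
    foreach ($n in $hostNames) {
        try { [System.Net.Dns]::GetHostAddresses($n) | Out-Null }
        catch { $problems += "DNS lookup failed for $n" }
    }

    # Certificate: every name must be covered by the SSL certificate's CN or SAN
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        $problems += "Certificate $Thumbprint not found in Cert:\LocalMachine\My"
    } else {
        $certNames = Get-CertificateDnsNames -Cert $cert
        foreach ($n in $hostNames) {
            if (-not (Test-NameCovered -Name $n -CertNames $certNames)) {
                $problems += "$n is not covered by the certificate ($($certNames -join ', '))"
            }
        }
    }
    return $problems
}

$result = @(Test-IfdDomains -WebApp $webAppDomain -OrgSvc $orgSvcDomain -Discovery $discoveryDomain `
                            -External $externalDomain -Orgs $orgNames -Thumbprint $certThumbprint)
if ($result.Count -eq 0) { 'IFD domain checks passed' } else { $result }
```

The certificate check is the one worth keeping around after go-live: when the SSL certificate is renewed with a different name set, the same script run with the new thumbprint shows which of the IFD host names stopped being covered before users see browser warnings.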

Step4: On the System Checks page, review the results, fix any problems, and then click Next.

Step5: On the Review your selections and then click Apply page, verify your selections, and then click Apply and then Finish.

Step6: Run the following command at a command prompt: iisreset

On the ADFS Server

After you have enabled IFD on the Microsoft Dynamics CRM Server 2013, you will need to create a relying party for the IFD endpoint on the AD FS server.

Step6: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

Step7: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

For example, https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml.

Type this URL in your browser and verify that no certificate-related warnings appear.

Step8: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next.

Step9: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

Step10: On the Ready to Add Trust page, click Next, and then click Close.

Step11: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

Step12: In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Step13: Create the following rule #1

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish

Step14: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Step15: Create the following rule #2

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish

Step16: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Step17: Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.
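The three claim rules just created for the IFD relying party are the same three created for the internal relying party in the previous section, so one script serves both. The block below is an added example, not code from the original post or from Microsoft: it performs Step6 to Step17 with the AD FS PowerShell cmdlets (Add-AdfsRelyingPartyTrust imports the federation metadata, and the rules are given in AD FS claim rule language using the same PassThroughClaims and MapClaims templates the wizard writes), and scripts the Step7 certificate check by fetching the metadata URL over HTTPS, which fails on any certificate error. The metadata URL and display name are the post's examples; run it again with the internal metadata URL and a different name to build the internal relying party.

```powershell
# Added example, not from the original post: create the CRM IFD relying party
# trust and its claim rules with the AD FS cmdlets instead of the wizard.
# Run on the AD FS server as an AD FS administrator. URL and name are the
# post's example values.
$metadataUrl = 'https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'
$trustName   = 'CRM IFD Relying Party'

# AD FS 2.x ships the cmdlets as a snap-in; AD FS on Server 2012 R2 auto-loads a module
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
}

# Step7's browser check, scripted: .NET validates the server certificate on this
# request, so a wrong name, untrusted chain or expired cert throws here, before
# the metadata import fails with a less obvious error.
$response = [System.Net.WebRequest]::Create($metadataUrl).GetResponse()
"Metadata reachable: HTTP {0}" -f [int]$response.StatusCode
$response.Close()

# Rules #1 to #3 from the post, in AD FS claim rule language
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Step9: "Permit all users to access this relying party"
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step6 to Step10: identifiers, endpoints and the CRM signing certificate come from the metadata
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Review what was created; Identifier must match the CRM IFD realm from the metadata
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, IssuanceTransformRules
```

Keeping the rule text in a script rather than in screenshots makes the trust reviewable: a later `Get-AdfsRelyingPartyTrust -Name 'CRM IFD Relying Party' | Select-Object -ExpandProperty IssuanceTransformRules` can be diffed against this text to confirm nobody has since widened the rules, and the "permit all" authorization rule is the place to tighten if only a subset of users should reach the external endpoint.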

Test external claims-based authentication

You should now be able to access Microsoft Dynamics CRM Server 2013 externally using claims authentication. Browse to your Microsoft Dynamics CRM Server 2013 Web site's external address (for example: https://orgname.fabrikam.com). You should see a screen like the following.

Sign in and verify that you have external access to Microsoft Dynamics CRM Server 2013.

tada….

You have successfully configured Internet-facing deployment for Dynamics CRM 2013.

Hope this article was useful.

http://blogs.msdn.com/b/niran_belliappa/archive/2014/01/16/step-by-step-configuring-crm-2013-internet-facing-deployment-ifd.aspx