Step by Step: Configuring CRM 2013 Internet facing deployment (IFD)

This blog covers all the steps you have to follow to configure an Internet-facing deployment (IFD) for an on-premises CRM 2013 deployment.

Before we proceed here are a few details of the environment.

CRM Server 2013 Installed on Windows Server 2012

ADFS 2.1 on a separate box on Windows Server 2012

Important:

With AD FS 2.0, you had to download and install the AD FS 2.0 software separately to deploy your AD FS server infrastructure.

AD FS 2.1 ships with Windows Server 2012 as part of the operating system and is therefore installed as a role from Server Manager.

Prerequisites

    1. Install and configure Dynamics CRM 2013
    2. Install and configure IIS on the ADFS Server
    3. Purchase the appropriate certificates for the IFD configuration
    4. Decide which web site and port each product will use

You will need to choose the type of certificate that works best in your environment. Most people use a wildcard for their external domain, so in my example that is *.fabrikam.com and I can use it for all the URLs. If you use a SAN certificate instead, you need to know all of your URLs now and in the future (for example, if you are going to add more organizations), because every host name must be listed in the certificate. Keep in mind that a wildcard means one private key protects every host in the domain and is installed on both the AD FS and CRM servers, so protect its private key accordingly and keep the exportable copy off the servers.

If AD FS will be on the same server as CRM, AD FS must own the Default Web Site on the default HTTPS port (443), so the CRM web site will need to use a different port.

I will break down the entire process into 5 major sections.

Section 1: Binding Certificates

Section 2: Setup ADFS

Section 3: DNS Configuration

Section 4: Configuring CRM server for claims based authentication

Section 5: Configuring CRM server for IFD

Alright, let’s get this started.

Section 1: Binding Certificates

After you have obtained and installed a certificate, the certificate must be bound to the Default Web Site before you can use AD FS.

On the ADFS Server

Step1: Open IIS Manager and in the Connections pane, expand the Sites node in the tree, and then click the Default Web Site

image

Step2: In the Actions pane, click Bindings.

image

Step3: In the Site Bindings dialog box, click Add.

Under Type, select https.

Under SSL certificate, select your SSL certificate and then click OK and then Close

image

On the CRM 2013 Server

When enabling claims-based authentication, the Dynamics CRM Server 2013 Web site must be accessible via HTTPS. You must bind your SSL certificate to the Dynamics CRM Server 2013 Web site.

Step4: Open IIS Manager and in the Connections pane, expand the Sites node in the tree, and then click the Microsoft Dynamics CRM Web site

image

Step5: In the Actions pane, click Bindings.

image

Step6: In the Site Bindings dialog box, click Add.

Under Type, select https.

Under SSL certificate, select your SSL certificate and then click OK and then Close

image

Step 7: The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate

The CRMAppPool identity needs read access to the private key of the certificate used for the CRM web site, because that certificate is also specified as the claims encryption certificate later on and CRM must be able to decrypt tokens with it. If the application pool runs as Network Service, as in this example, give Network Service read permission on the private key. Read is sufficient; do not grant Full Control.

You can use IIS Manager to determine which account was chosen during Setup for the CRMAppPool. In the Connections pane, click Application Pools, and then check the Identity value for CRMAppPool.

Launch the MMC console and go to File menu and select Add-Remove Snap In

image

Select Certificates from the available snap-ins and click Add

image

Select Computer Account and click Next in the Certificates Snap-In window.

image

Click Finish on the next window and then click Ok

image

Expand Certificates -> Personal -> Certificates, right-click the certificate you bound to the CRM web site, and select All Tasks -> Manage Private Keys

image

Add the identity that is running the CRM application pool, give it Read permission (clear Full Control), and click OK.

In my case it's Network Service.

image

You are now done configuring the certificates.
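The same Section 1 work (HTTPS binding on the site and Read on the private key for the app pool identity), as an added PowerShell example that is not part of the original post. It assumes the certificate is already in the computer's Personal store, that you paste its thumbprint into $Thumbprint, that the CRM site is named "Microsoft Dynamics CRM" on port 443 (use "Default Web Site" on the AD FS box), that the pool identity is Network Service, and that the key is a CSP key (the default for certificates requested through the IIS wizard). The host names at the end are the walkthrough's example names.

```powershell
# Added example (not from the original post). Binds the certificate to the site and
# grants the app pool identity Read on the private key, then verifies both.
# Assumptions: $Thumbprint, $SiteName, $Port and $Identity below; CSP-backed key.
Import-Module WebAdministration

$Thumbprint = 'REPLACE-WITH-YOUR-THUMBPRINT'   # assumption: set before running
$SiteName   = 'Microsoft Dynamics CRM'          # 'Default Web Site' on the AD FS server
$Port       = 443                               # CRM must use another port if it shares the box with AD FS
$Identity   = 'NT AUTHORITY\NETWORK SERVICE'    # CRMAppPool identity in this walkthrough

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# 1. Add the HTTPS binding to the site if it is not already there (Steps 3 / 6).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
}

# 2. Attach the certificate to that port (IIS:\SslBindings is the SSL binding store).
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# 3. Read on the private key file, which is what "Manage Private Keys" does in the MMC
#    (Step 7). CSP machine keys live under ProgramData\Microsoft\Crypto.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $container |
             Select-Object -First 1
if (-not $keyFile) { throw "Private key file for container $container not found" }
$acl  = Get-Acl $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl $keyFile.FullName $acl

# 4. Verify: binding present, certificate attached, and every IFD host name is
#    actually covered by the certificate (wildcard CN or an explicit SAN entry).
Get-WebBinding -Name $SiteName -Protocol https
Get-Item $sslPath | Format-List Thumbprint, Sites
$hosts  = 'auth.fabrikam.com', 'dev.fabrikam.com', 'internalcrm.fabrikam.com',
          'orgname.fabrikam.com', 'adfs.fabrikam.com'
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san    = if ($sanExt) { $sanExt.Format($true) } else { '' }
foreach ($h in $hosts) {
    $covered = ($san -match [regex]::Escape($h)) -or
               ($cert.Subject -match 'CN=\*\.fabrikam\.com' -and $h -match '^[^.]+\.fabrikam\.com$')
    '{0,-28} {1}' -f $h, $(if ($covered) { 'covered' } else { 'NOT covered' })
}
```

Run it once on each server with that server's site name. A "NOT covered" host name here will surface later as a certificate warning when the Deployment Manager or AD FS fetches federation metadata, so it is cheaper to catch it now.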

Section 2: Setup ADFS

Step1: Launch Server manager and click on Add roles and features

image

Step2: Click Next on the first page in the wizard

image

Step3: Select Role-based or feature based installation and click Next

image

Step4: Select a server from the server pool and click Next

image

Step5: Select Active Directory Federation Services

image

Step6: Click on Add Features and then click Next

image

Step7: Continue to click on Next until you reach the Confirmation page and then click Install.

image

Now that we have installed AD FS, let's go ahead and configure it.

Step8: Launch Administrative tools and then select ADFS management.

image

Step9: Click on ADFS Federation Server Configuration Wizard and on the welcome page select Create a new Federation Service

image

Step10: Select Stand-alone or Farm Deployment.

Depending upon your requirements you can choose the appropriate option; the wizard explains each of them. A stand-alone federation server generates self-signed token-signing and token-decrypting certificates and cannot be expanded into a farm later, so it is fine for a lab like this one but a production deployment should choose the farm option from the start.

I will choose Stand-alone federation server.

image

Step11: Specify the Federation Service Name

image

Step12: Shows you the summary of what is about to be installed. Click Next to continue

image

Step13: Wait for the configuration process to complete and click the Close button.

image

Section 3: DNS Configuration

You should configure your domain records in DNS so the various Dynamics CRM Server endpoints resolve correctly.

Step1: Open DNS Manager by clicking Start, pointing to Administrative Tools, and then clicking DNS.

image

Step2: Expand Forward Lookup Zones, select the <Domain name>.com zone and create the records below (the post uses CNAME aliases that point at the server host names; A records pointing at the server addresses work equally well).

Name                     Points to                                      Description
auth                     the server where CRM 2013 is installed         Used by the AD FS server when retrieving the Microsoft Dynamics CRM IFD federationmetadata.xml file
dev                      the server hosting the Discovery Web Service   Microsoft Dynamics CRM Discovery Web Service domain
internalcrm              the server where CRM 2013 is installed         Internal URL used to access Microsoft Dynamics CRM (for example, internalcrm.fabrikam.com)
<CRM organization name>  the server where CRM 2013 is installed         External URL used to access Microsoft Dynamics CRM, the Web Application Server domain (for example, orgname.fabrikam.com)
adfs                     the server where AD FS is installed            AD FS 2.1 federation service name

The names users reach from the Internet (auth, dev, the organization name and adfs) must also exist in your public DNS zone, pointing at the Internet-facing address of the respective server. The internalcrm record belongs only in the internal zone.

Here is a screen shot of all the DNS records created

image

You must also set your firewall to allow inbound TCP 443 to the AD FS server and to the Dynamics CRM Server 2013 (or whichever port the CRM web site is bound to if it does not use 443). Publish only the AD FS and external CRM names to the Internet; the internal URL should stay reachable from the corporate network only.
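The DNS records from Step 2 plus a resolution and port check, as an added PowerShell example that is not part of the original post. It assumes the internal zone fabrikam.com, a CRM server named crm01 and an AD FS server named adfs01 (change all three), the DnsServer module on a Windows Server 2012 DNS server, and that the CRM and AD FS sites are already bound to 443 as in Section 1.

```powershell
# Added example (not from the original post). Creates the Section 3 CNAME records
# and then checks that each name resolves and answers on TCP 443.
# Assumptions: zone, host names and organization name below.
Import-Module DnsServer

$Zone     = 'fabrikam.com'
$CrmHost  = 'crm01.fabrikam.com'
$AdfsHost = 'adfs01.fabrikam.com'
$OrgName  = 'orgname'       # CRM organization unique name

$records = @{
    'auth'        = $CrmHost    # external domain, used for federationmetadata.xml
    'dev'         = $CrmHost    # Discovery Web Service domain
    'internalcrm' = $CrmHost    # internal (Kerberos) URL, internal zone only
    $OrgName      = $CrmHost    # external organization URL
    'adfs'        = $AdfsHost   # AD FS federation service name
}

foreach ($name in $records.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -ErrorAction SilentlyContinue
    if ($existing) { "$name.$Zone already exists, skipping"; continue }
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $name -HostNameAlias $records[$name]
}

# Verification: every name must resolve to an address and accept a TCP connection on
# 443. "resolves but CLOSED" usually means the HTTPS binding from Section 1 or the
# firewall rule is missing on that server.
foreach ($name in $records.Keys) {
    $fqdn = "$name.$Zone"
    $ips  = Resolve-DnsName $fqdn -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
    if (-not $ips) { "$fqdn does NOT resolve"; continue }
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($fqdn, 443); $state = 'port 443 open' }
    catch   { $state = 'port 443 CLOSED' }
    finally { $client.Close() }
    '{0,-30} {1,-16} {2}' -f $fqdn, $ips[0].IPAddress, $state
}
```

Run the verification half again from a machine outside the network (against your public DNS) before Section 5; the external names have to resolve from there too, and internalcrm should not.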

Section 4: Configuring CRM server for claims based authentication

Once ADFS is setup and the certificate/s are bound to the websites, you will need to prepare CRM for Claims Authentication.

On The CRM Server

Step1: Set Microsoft Dynamics CRM Server 2013 binding to HTTPS and configure the root domain Web addresses

Start the Deployment Manager, open the Actions pane, click Properties, switch to the Web Address tab and under Binding Type select HTTPS.

You can now enter your internal URL for CRM (internalcrm.fabrikam.com in this example). This is the URL users will use to access CRM from inside the network; because it is in the Local intranet zone and AD FS accepts their Kerberos ticket, they are not prompted for credentials. Click Apply.

image

Step2: In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication. Click Next on the Welcome page

image

Step3: On the Specify the security token service page, enter the Federation metadata URL, such as https://adfs.fabrikam.com/federationmetadata/2007-06/federationmetadata.xml.

This data is typically located on the Web site where the Active Directory Federation Services (AD FS) 2.1 is running. To verify the correct URL, open an Internet browser by using the URL to view the federation metadata. Verify that no certificate-related warnings appear.

image

Step4: On Specify the encryption certificate page, specify the encryption certificate

image

Step5: On the System Checks page, review the results, perform any steps required to fix problems, and then click Next.

image

Step6: On the Review your selections and then click Apply page, verify your selections, and then click Apply.

image

Step7: Click View log file and scroll to the bottom and copy the Federation metadata URL to avoid typos

You will need to use the federation metadata URL that was created during Claims-Based Authentication configuration in CRM to setup the Relying Party Trust in ADFS 2.1

image

On The ADFS Server

After enabling claims-based authentication, the next step is to add and configure claims provider trusts and relying party trusts in AD FS 2.1.

Step8: Start AD FS 2.1 Management. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

image

Step9: In the Rules Editor, click Add Rule, In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next

image

Step10: Create the following rule

Claim rule name: UPN Claim Rule (or something descriptive)

Attribute store: Active Directory

LDAP Attribute: User Principal Name

Outgoing Claim Type: UPN

Click Finish, and then click OK to close the Rules Editor

image

After you enable claims-based authentication, you must configure Dynamics CRM Server 2013 as a relying party to consume claims from AD FS 2.1 for authenticating internal claims access.

Step11: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

image

Step12: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file, which in this example is https://internalcrm.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear by opening it in the browser first.

image

Step13: On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

image

Step14: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

image

Step15: On the Ready to Add Trust page, click Next, and then click Close.

image

Step16: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

image

Step17: In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

image

Step18: Create the following Rule #1

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish.

image

Step19: In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

image

Step20: Create the following Rule #2

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish

image

Step21: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

image

Step22: Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

image

So now we have claims setup for CRM.

On both servers (AD FS and CRM) open IE -> Tools -> Internet Options -> Security -> Local intranet -> Sites -> Advanced and add the internal CRM URL and the AD FS URL (https://internalcrm.fabrikam.com and https://adfs.fabrikam.com). The same must be done on every machine that uses the internal access point: IE only sends Windows integrated (Kerberos) credentials to sites in the Local intranet zone, so without this entry AD FS prompts for a username and password instead of signing the user in silently. In a domain, push these entries with the "Site to Zone Assignment List" Group Policy setting rather than editing each machine by hand.

Now test from the CRM server: browse to https://internalcrm.fabrikam.com. You should be redirected to AD FS and, after the silent Kerberos sign-in, land on the CRM page without a credential prompt.

Section 5: Configuring CRM server for IFD

Now you are ready to configure Internet-Facing Deployment within the Microsoft Dynamics CRM 2013 Deployment Manager.

On The CRM Server

Step1: Start the Deployment Manager. In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment. Click Next.

image

Step2: Enter the URLs for the Web Application Server Domain, Organization Web Service Domain and the Discovery Web Service Domain and click on the Next button.

Important things to consider

· Specify domains, not servers.

· If your deployment is on a single server or on servers that are in the same domain, the Web Application Server Domain and Organization Web Service Domain will be identical.

· The Discovery Web Service Domain must be a resolvable host name and not a root domain. For example: dev.fabrikam.com.

· The Discovery Web Service domain must not match an organization’s fully qualified domain name (FQDN). For example, the Discovery Web Service Domain should not be: orgname.fabrikam.com.

· The domains must be valid for the SSL certificate’s common name or names.

· The domains must be set to resolve correctly in DNS to your Microsoft Dynamics CRM servers holding the server roles.

· The domains can be in a different domain than the domain which the Microsoft Dynamics CRM servers reside.

image

Step3: In the Enter the external domain where your Internet-facing servers are located box, type the external domain information where your Internet-facing Microsoft Dynamics CRM Server 2013 servers are located, and then click Next.

The domain you specify must be a sub-domain of the Web Application Server Domain specified in the previous step. By default, “auth.” is pre-pended to the Web Application Server Domain.

Important things to consider

· The external domain is used by the AD FS server when retrieving the Microsoft Dynamics CRM IFD federationmetadata.xml file.

· The external domain must not contain an organization name.

· The external domain must not contain an underscore character (“_”).

· The external domain must be valid for the SSL certificate’s common name or names.

· The external domain must be set to resolve correctly in DNS to your Microsoft Dynamics CRM server holding the Web Application Server role.

image

Step4: On the System Checks page, review the results, fix any problems, and then click Next.

image

Step5: On the Review your selections and then click Apply page, verify your selections, and then click Apply and Finish

image

Step6: Run the following command at a command prompt: iisreset

On the ADFS Server

After you have enabled IFD on the Microsoft Dynamics CRM Server 2013 you will need to create a relying party for the IFD endpoint on the AD FS server.

Step6: Start AD FS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

image

Step7: On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file. This federation metadata is created during IFD Setup.

For example, https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml.

Type this URL in your browser and verify that no certificate-related warnings appear.
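Checking a federation metadata URL from a script instead of a browser, as an added PowerShell example that is not part of the original post. It covers the three URLs the walkthrough has you verify: the AD FS metadata (Section 4, Step 3), the CRM internal metadata (Section 4, Step 12) and the IFD metadata created here (Section 5, Step 7). The check fails the same way the Deployment Manager and the AD FS wizard do when the TLS chain or name does not validate, and it lists the signing and encryption certificates the other side will use, so you can compare thumbprints with what is bound in Section 1. It assumes PowerShell 3.0 (Windows Server 2012) and the walkthrough's example host names.

```powershell
# Added example (not from the original post). Fetches each federation metadata
# document over validated TLS, parses it, and lists the certificates it advertises.
# Assumptions: the example URLs below; adjust to your names.
$urls = @(
    'https://adfs.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml',        # Section 4, Step 3
    'https://internalcrm.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml', # Section 4, Step 12
    'https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'         # Section 5, Step 7
)

function Test-FederationMetadata([string]$Url) {
    $result = [ordered]@{ Url = $Url; Ok = $false; Error = $null; EntityId = $null; Certs = @() }
    try {
        # Invoke-WebRequest throws on an untrusted chain or a name mismatch, which is
        # exactly the "certificate-related warning" the wizards refuse to import past.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $xml  = [xml]$resp.Content
        $nsm  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $nsm.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
        $nsm.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

        $entity = $xml.SelectSingleNode('/md:EntityDescriptor', $nsm)
        if (-not $entity) { throw 'No EntityDescriptor root; this is not federation metadata' }
        $result.EntityId = $entity.GetAttribute('entityID')

        # KeyDescriptor/KeyInfo/X509Data/X509Certificate: the signing and encryption
        # certificates (plus the metadata signature's own cert, if the document is signed).
        foreach ($node in $xml.SelectNodes('//ds:X509Certificate', $nsm)) {
            $raw   = [Convert]::FromBase64String($node.InnerText.Trim())
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
            $owner = $node.ParentNode.ParentNode.ParentNode   # KeyDescriptor or Signature
            $use   = if ($owner.LocalName -eq 'KeyDescriptor') { $owner.GetAttribute('use') } else { $owner.LocalName }
            $result.Certs += [pscustomobject]@{
                Use        = $use
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Subject    = $cert.Subject
            }
        }
        $result.Ok = $true
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

foreach ($u in $urls) {
    $r = Test-FederationMetadata $u
    if ($r.Ok) {
        "OK   $($r.Url)`n     entityID = $($r.EntityId)"
        $r.Certs | Format-Table Use, Thumbprint, NotAfter, Subject -AutoSize | Out-String
    } else {
        "FAIL $($r.Url)`n     $($r.Error)"
    }
}
```

The entityID printed for the internal and IFD documents is the identifier AD FS stores on the relying party trust, and the encryption certificate listed for them should carry the thumbprint you selected in Section 4, Step 4. A NotAfter date in the near future is your reminder that both trusts will need re-importing when the certificate is renewed.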

image

Step8: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and then click Next

image

Step9: On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next.

image

Step10: On the Ready to Add Trust page, click Next, and then click Close.

image

Step11: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule

image

Step12: In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

image

Step13: Create the following rule#1

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish

image

Step14: In the Rules Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next

image

Step15: Create the following rule#2

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish

image

Step16: In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

image

Step17: Create the following rule #3

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

image
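The AD FS side of Section 4 (Steps 8 to 22) and Section 5 (Steps 6 to 17) as one script, added here as an example that is not part of the original post. It appends the UPN LDAP rule to the Active Directory claims provider trust, then creates the internal and IFD relying party trusts from their metadata with the same three issuance rules and the "permit all users" authorization rule the wizards produce. It assumes AD FS 2.1 on Windows Server 2012 (the Microsoft.Adfs.PowerShell snap-in), an AD FS administrator session, and the walkthrough's example URLs and trust names.

```powershell
# Added example (not from the original post). Scripts the claims provider rule and
# both relying party trusts from Sections 4 and 5 on the AD FS 2.1 server.
# Assumptions: AD FS 2.1 snap-in, example metadata URLs below.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$UpnType     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$NameType    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$SidType     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$WinAcctType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Section 4, Steps 8-10: "Send LDAP Attributes as Claims", userPrincipalName -> UPN.
$upnRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN Claim Rule"
c:[Type == "$WinAcctType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UpnType"), query = ";userPrincipalName;{0}", param = c.Value);
"@
$cpt = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
if ($cpt.AcceptanceTransformRules -notmatch 'userPrincipalName') {
    # Set- replaces the whole rule set, so append to the rules that are already there.
    Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($cpt.AcceptanceTransformRules + "`n" + $upnRule)
}

# Issuance transform rules shared by both relying parties (Steps 16-22 and 11-17).
$rpRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "$UpnType"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "$SidType"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$WinAcctType"]
 => issue(Type = "$NameType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# "Permit all users to access this relying party" (Steps 14 and 9). AD FS will issue a
# token to any authenticated AD user; CRM still enforces its own user list and security
# roles. To restrict at the STS instead, replace this with a group SID condition.
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

$trusts = @{
    'CRM Claims Relying Party' = 'https://internalcrm.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'
    'CRM IFD Relying Party'    = 'https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'
}
foreach ($name in $trusts.Keys) {
    if (Get-ADFSRelyingPartyTrust -Name $name) { "$name already exists, skipping"; continue }
    # Import from metadata exactly as the wizard does; monitoring keeps the trust in
    # sync when CRM republishes its metadata (for example after a certificate change).
    Add-ADFSRelyingPartyTrust -Name $name -MetadataUrl $trusts[$name] `
        -IssuanceTransformRules $rpRules -IssuanceAuthorizationRules $authzRules `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Verify: identifiers came from the metadata and all three rules landed on each trust.
Get-ADFSRelyingPartyTrust | Where-Object { $_.Name -like 'CRM*' } |
    Format-List Name, Identifier, Enabled, MonitoringEnabled,
        @{ n = 'Rules'; e = { ($_.IssuanceTransformRules -split '@RuleName').Count - 1 } }
```

Running the IFD half of the script before Section 5, Step 5 has been applied (and IIS reset) fails at the metadata import, which is the same ordering the wizards require.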

Test external claims-based authentication

You should now be able to access Microsoft Dynamics CRM Server 2013 externally using claims authentication. Browse to your Microsoft Dynamics CRM Server 2013 Web site's external address (for example: https://orgname.fabrikam.com). You should see a screen like the following

image

Sign in and verify that you have external access to Microsoft Dynamics CRM Server 2013

tada….

image
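The external sign-in redirect checked from a script rather than by eye, as an added PowerShell example that is not part of the original post. The first unauthenticated request to the external CRM URL must end in a WS-Federation redirect to the AD FS service name with wa=wsignin1.0 and the IFD realm in wtrealm; anything else (a 401, a redirect to the internal name, plain HTTP) points back at one of the earlier sections. It assumes the example names orgname.fabrikam.com and adfs.fabrikam.com and the realm https://auth.fabrikam.com/ (the external domain entered in Section 5, Step 3; confirm yours from the IFD relying party identifier in AD FS).

```powershell
# Added example (not from the original post). Follows redirects by hand, without
# credentials, until the request leaves the CRM host, then inspects the AD FS redirect.
# Assumptions: the three values below.
Add-Type -AssemblyName System.Web

$ExternalUrl   = 'https://orgname.fabrikam.com/'
$ExpectedAdfs  = 'adfs.fabrikam.com'
$ExpectedRealm = 'https://auth.fabrikam.com/'   # assumption: check against your own Step 3 value

$url = $ExternalUrl
$adfsRedirect = $null
for ($hop = 0; $hop -lt 5; $hop++) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect     = $false      # we want to see each 302, not the end page
    $req.UseDefaultCredentials = $false      # external users have no Kerberos ticket
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) { $resp = $_.Exception.Response }
        else { throw "hop $hop $url : $($_.Exception.Message)" }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    "hop $hop : HTTP $status  $url"
    if ($hop -eq 0) { "TLS certificate presented: $($req.ServicePoint.Certificate.Subject)" }

    if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }
    $next = New-Object Uri([Uri]$url, $location)          # Location may be relative
    if ($next.Host -ne ([Uri]$url).Host) { $adfsRedirect = $next; break }
    $url = $next.AbsoluteUri                               # still on CRM, keep following
}

if (-not $adfsRedirect) {
    throw "Never redirected off $ExternalUrl (last status $status). Is IFD applied and iisreset done?"
}

$q       = [System.Web.HttpUtility]::ParseQueryString($adfsRedirect.Query)
$wa      = $q['wa']
$wtrealm = $q['wtrealm']
"Redirected to $($adfsRedirect.Host)$($adfsRedirect.AbsolutePath)  wa=$wa  wtrealm=$wtrealm"

$problems = @()
if ($adfsRedirect.Scheme -ne 'https')   { $problems += 'redirect is not HTTPS' }
if ($adfsRedirect.Host -ne $ExpectedAdfs) { $problems += "redirect host $($adfsRedirect.Host) is not $ExpectedAdfs" }
if ($wa -ne 'wsignin1.0')               { $problems += "wa is '$wa', expected wsignin1.0" }
if ($wtrealm -ne $ExpectedRealm)        { $problems += "wtrealm is '$wtrealm', expected $ExpectedRealm" }
if ($problems) { "FAILED:`n - " + ($problems -join "`n - ") } else { 'External claims redirect looks correct' }
```

A redirect to internalcrm.fabrikam.com means the request hit the internal access point (wrong DNS or firewall publishing); a wtrealm that does not match the IFD relying party identifier in AD FS produces the "not a valid relying party" error on the AD FS sign-in page.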

You have successfully configured Internet facing deployment for Dynamics CRM 2013.

Hope this article was useful.

 

http://blogs.msdn.com/b/niran_belliappa/archive/2014/01/16/step-by-step-configuring-crm-2013-internet-facing-deployment-ifd.aspx


Step by Step: Installing Dynamics CRM 2013 Server

Taken from the Microsoft Dynamics CRM Community:

Installing Dynamics CRM 2013 Server

 

The process for installing Microsoft Dynamics CRM 2013 Server is very similar to the installation for CRM 2011, although there are a few new services that are installed. In this post, we will take a look at the CRM 2013 Server installation process. Note that I am installing the CRM 2013 Server Beta edition, so it is possible that the installation process changes slightly with the final release.

Step 1 – Extract Files

This is very self-explanatory. I have created a new folder in the C drive called CRM Server which will hold the extracted installation files.

Installing Dynamics CRM 2013 Server

Step 2 – Get Updated Installation Files

It is recommended that you check for the latest installation files by selecting Get Updates for Microsoft CRM (recommended).

Installing Dynamics CRM 2013 Server

Step 3 – Insert Product Key

Enter the product key for your Workgroup or Server edition. Note that you can obtain a 90-day trial product key from the Microsoft Download Center.

Installing Dynamics CRM 2013 Server

Step 4 – Accept the License Agreement

Of course, you need to accept the license agreement before you can proceed with the installation.

Installing Dynamics CRM 2013 Server

Step 5 – Install Prerequisite Software

The installation process will check if any required software prerequisites are installed. If not, they will be downloaded and installed for you.

Installing Dynamics CRM 2013 Server

Step 6 – Specify Installation Directory

If you wish, you can choose to install CRM 2013 in a different location to the one selected by default.

Installing Dynamics CRM 2013 Server

Step 7 – Specify Server Roles

Here you can specify the server roles to install on the current server if you wish to split the installation up across multiple servers. Notice that there are two new services as part of the Back End Server roles and the Deployment Administration Server roles. These are the Email Integration Service and the VSS Writer Service. I will explain these two new services in an upcoming blog post.

Installing Dynamics CRM 2013 Server

Step 8 – Deployment Options

Here you must specify whether you are creating a new deployment or connecting to an existing deployment of CRM 2013. You must also specify the name of the computer where SQL Server is installed.

Installing Dynamics CRM 2013 Server

Step 9 – Select Organization Unit

Select the OU where the CRM 2013 Security Groups will be setup.

Installing Dynamics CRM 2013 Server

Step 10 – Specify Service Accounts

It is recommended that you create dedicated user accounts in AD for each of the CRM service accounts. The user accounts for the Application Service and Asynchronous Processing Service must be added to the Performance Log Users security group in AD. Notice that there are two additional services with CRM 2013 – the VSS Writer Service and the Monitoring Service. I will explain each of these in an upcoming post.

Installing Dynamics CRM 2013 Server
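Creating the dedicated service accounts Step 10 recommends and putting the two that Setup checks into Performance Log Users, so the System Checks in Step 17 pass, as an added PowerShell example that is not part of the original post. It goes slightly beyond the post by creating one account per CRM 2013 service (Application, Deployment Web Service, Sandbox, Asynchronous Processing, VSS Writer, Monitoring). It assumes the domain fabrikam.com, the OU and account names below (change them), and that it is run on the CRM server by a domain admin with the RSAT Active Directory module installed.

```powershell
# Added example (not from the original post). Creates one AD service account per CRM
# service and adds the Application and Asynchronous Processing accounts to the local
# Performance Log Users group on this server.
# Assumptions: domain, OU path and account names below.
Import-Module ActiveDirectory

$Domain  = 'fabrikam.com'
$NetBios = 'FABRIKAM'
$OuPath  = 'OU=Service Accounts,DC=fabrikam,DC=com'   # assumption: create it or change this

$accounts = @(
    @{ Sam = 'svc_crmapp';     Desc = 'CRM Application Service';             PerfLog = $true  },
    @{ Sam = 'svc_crmasync';   Desc = 'CRM Asynchronous Processing Service'; PerfLog = $true  },
    @{ Sam = 'svc_crmdeploy';  Desc = 'CRM Deployment Web Service';          PerfLog = $false },
    @{ Sam = 'svc_crmsandbox'; Desc = 'CRM Sandbox Processing Service';      PerfLog = $false },
    @{ Sam = 'svc_crmvss';     Desc = 'CRM VSS Writer Service';              PerfLog = $false },  # see "Possible Errors" below
    @{ Sam = 'svc_crmmon';     Desc = 'CRM Monitoring Service';              PerfLog = $false }
)

foreach ($a in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'") {
        "$($a.Sam) already exists"
    } else {
        # Prompt so the password never lands in the console history or this file.
        $pw = Read-Host "Password for $($a.Sam)" -AsSecureString
        New-ADUser -Name $a.Sam -SamAccountName $a.Sam -UserPrincipalName "$($a.Sam)@$Domain" `
            -Description $a.Desc -Path $OuPath -AccountPassword $pw -Enabled $true `
            -PasswordNeverExpires $true -CannotChangePassword $true
        "created $($a.Sam)"
    }
    if ($a.PerfLog) {
        # Local group on the CRM server; Setup's "Microsoft Dynamics CRM Server User
        # Input" check in Step 17 fails when these two accounts are not members.
        net localgroup "Performance Log Users" "$NetBios\$($a.Sam)" /add 2>&1 | Out-Null
    }
}

# Verify the two accounts Setup checks are in the group.
$members = net localgroup "Performance Log Users"
foreach ($a in ($accounts | Where-Object { $_.PerfLog })) {
    '{0,-16} {1}' -f $a.Sam, $(if ($members -match $a.Sam) { 'in Performance Log Users' } else { 'MISSING' })
}
```

The accounts are created with no group memberships beyond what Setup requires; Setup itself adds them to the CRM security groups in the OU chosen in Step 9. Using a plain domain user for the VSS Writer Service is what triggers the error described under "Possible Errors During Installation" below, so grant that account the additional rights referenced there (or use one of the built-in accounts the error message lists) before running Setup.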

Step 11 – Select Web Site

Specify whether you want to install CRM on the default website in IIS, or let Setup create a new website for you on a selected port. It is recommended that you install CRM on the default website (port 80) unless AD FS will share the server, in which case AD FS needs the Default Web Site and CRM should get its own site on another port.

Installing Dynamics CRM 2013 Server

Step 12 – Specify Email Router Settings

If you have already installed the Email Router, specify the name of the computer where the Email Router is installed.

Installing Dynamics CRM 2013 Server

Step 13 – Specify Organization Settings

Specify the details of the default organization you wish to create. Notice that the ISO currency code and Currency name is automatically prefilled based on your regional settings.

Installing Dynamics CRM 2013 Server

Step 14 – Report Server

The URL for the report server will be automatically prefilled for you based on the selected SQL Server in step 8. It is recommended that you copy-paste the URL into a browser to check that it resolves.

Installing Dynamics CRM 2013 Server

Step 15 – Customer Experience

Select whether or not you wish to participate in the Customer Experience Improvement Program.

Installing Dynamics CRM 2013 Server

Step 16 – Select Microsoft Update Preference

Choose if you want to use Microsoft Update when checking for CRM 2013 updates.

Installing Dynamics CRM 2013 Server

Step 17 – System Checks

A number of checks will be performed to ensure that all necessary settings are correct. If you haven’t added the user accounts for the Application Service and Asynchronous Processing Service to the Performance Log security groups in AD, you will see an error with the Microsoft Dynamics CRM Server User Input check.

Installing Dynamics CRM 2013 Server

Step 18 – Service Disruption Warning

This step indicates which services will be stopped and restarted during the installation process.

Installing Dynamics CRM 2013 Server

Step 19 – Ready to Install

This screen acts as a summary screen for you to review before CRM 2013 Server is installed.

Installing Dynamics CRM 2013 Server

Possible Errors During Installation

You may encounter the following error during installation:

Installing Dynamics CRM 2013 Server

If you check the Event Viewer, you will see that it is a permission issue with the user account that you have selected for the VSS Writer Service.

Volume Shadow Copy Service error: The process that hosts the writer with name Microsoft Dynamics CRM and ID {74bf91e0-e0fa-4ba9-9258-48f4fd1d0445} does not run under a user with sufficient access rights. Consider running this process under a local account which is either Local System, Administrator, Network Service, or Local Service.

To assign the necessary privileges, visit this link.

That’s all there is to it! In my next post, I will show you how to install CRM 2013 Reporting Extensions. It is likely that the setup program for this component will execute automatically once CRM 2013 Server is installed, provided that CRM and SQL are installed on the same machine.