Here’s my track schedule at CRMUG 2017 Summit. You will be able to find me at these tracks, the Medic Booth and the MVP sessions! Looking forward to engaging with you.
Please join me and the rest of the DXC, Tribridge, and Eclipse teams for the CRMUG Summit 2017 in Nashville.
CRMUG Summit is the premier CRM event of the year, with topics and tracks for all users of your Dynamics 365 system. I will be covering MVP, Medic Tent, Upgrade and ADFS sessions, along with a community showcase with my colleague Donna Edwards.
Here’s a video about what Summit is all about! Register early to get a discount! Stop by and say hello!
CRMUG Summit 2017
“An error occurred. Contact your administrator for more information” error when accessing CRM with ADFS/IFD set up.
After completing ADFS/IFD setup where ADFS is installed on a Windows Server 2012 R2 machine, you receive the below error:
To resolve this issue, enable Forms Authentication:
1. Connect to the ADFS server
2. Open the ADFS management console and click Authentication Policies
3. Under Primary Authentication, click Edit next to Global Settings
4. Put a check mark in the Forms Authentication option on the Extranet and Intranet sections
5. Click OK
6. You should now be able to log in to CRM successfully
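The same change can be made and verified from PowerShell, which is handy when several ADFS servers or farms need the same policy. This is an added example and not part of the original post; it assumes the ADFS module on a Windows Server 2012 R2 ADFS server and only adds FormsAuthentication to the primary provider list, never removing Windows or certificate authentication that is already configured.

```powershell
# Added example (not from the original post): check the global primary
# authentication providers and add Forms Authentication for Intranet and
# Extranet when it is missing. Assumes the ADFS module (Server 2012 R2).
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet primary providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet primary providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
$extranet = @($policy.PrimaryExtranetAuthenticationProvider)
$changed  = $false

if ($intranet -notcontains 'FormsAuthentication') {
    # Keep WindowsAuthentication so domain-joined clients still get silent sign-on.
    $intranet += 'FormsAuthentication'
    $changed = $true
}
if ($extranet -notcontains 'FormsAuthentication') {
    $extranet += 'FormsAuthentication'
    $changed = $true
}

if ($changed) {
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $intranet `
                                       -PrimaryExtranetAuthenticationProvider $extranet
    "Forms Authentication enabled; re-test the CRM sign-in."
} else {
    "Forms Authentication already enabled on Intranet and Extranet; nothing changed."
}
```

Run it once before the change to record the existing providers, and once afterwards to confirm the policy on every server in the farm.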
Thanks to Ian Holton, Client Field Engineer at Tribridge for putting this together!
Active Directory Federation Services (ADFS) performs a lot of tasks when it comes to authenticating users into CRM securely. One of those tasks in particular is a certificate revocation check to validate that the certificates being used are still valid. ADFS completes this process by reaching out to certificate revocation lists (CRLs) over TCP port 80 – basic HTTP communication.
What we’ve seen is that businesses will want to lock down their ADFS servers just to be on the “safe side”, and that includes closing TCP port 80 outbound (i.e. no internet access). If ADFS is left in its default state, authentication will then fail: ADFS knows it is supposed to check the CRLs to validate the certificate before issuing a token to allow a user into CRM, and if it cannot do this, it will not issue a token. You may see an error similar to the following in the ADFS event viewer logs after a failed authentication attempt:
Event ID: 364
Microsoft.IdentityServer.AuthenticationFailedException: MSIS3014: The encryption certificate of the relying party trust ‘https://crm.domain.com/’ identified by thumbprint ’01DEDF6E6F532BF7357457EBEC31DA82SFDA1234′ is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted. —>
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust ‘https://crm.domain.com/’ identified by thumbprint ’01DEDF6E6F532BF7357457EBEC31DA82SFDA1234′ is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
So what are your options?
- Have your networking team open TCP 80 outbound on the ADFS server(s). This also applies to all ADFS Proxy or WAP servers. While opening a port might seem less secure at face value, it is actually the more secure choice, because ADFS can then validate the certificates being used.
- The less preferred, but still acceptable, method would be turning off the Certificate Revocation Check of ADFS. The check is controlled individually for each relying party in ADFS so it would need to be turned off for all one by one. To do this open an admin PowerShell prompt and issue the following command:
Set-ADFSRelyingPartyTrust -TargetName <relyingpartytrustName> -EncryptionCertificateRevocationCheck None
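Before choosing either option it helps to prove that the CRL endpoints really are unreachable from the ADFS server. The script below is an added example, not part of the original post: it reads the CRL distribution points off the relying party's encryption certificate and tests TCP connectivity to each one. It assumes the ADFS module, Test-NetConnection (Server 2012 R2 or later), and that the relying party object exposes the certificate as EncryptionCertificate; the trust name is a placeholder.

```powershell
# Added example (not from the original post): find the CRL URLs on a relying
# party's encryption certificate and test whether this ADFS server can reach
# them, so an MSIS3014 can be tied to (or cleared of) an outbound firewall rule.
Import-Module ADFS

function Get-CrlUrlsFromCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension. .NET has no typed
    # parser for it, so pull the URLs out of the formatted extension text.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://[^\s\)\]]+') | ForEach-Object { $_.Value }
}

function Test-RelyingPartyCrlReachability {
    param([string]$TrustName)
    $rp = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $rp) { throw "Relying party trust '$TrustName' not found." }
    "Revocation check setting: $($rp.EncryptionCertificateRevocationCheck)"
    if (-not $rp.EncryptionCertificate) { "No encryption certificate on this trust."; return }

    $urls = Get-CrlUrlsFromCertificate -Certificate $rp.EncryptionCertificate
    if (-not $urls) { "Certificate carries no CRL distribution points."; return }

    foreach ($url in $urls) {
        $uri = [uri]$url
        # Port comes from the URL (80 for http), which is the outbound rule to verify.
        $ok  = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet
        "{0,-8} {1}" -f ($(if ($ok) { 'OK' } else { 'BLOCKED' }), $url)
    }
}

Test-RelyingPartyCrlReachability -TrustName 'CRM IFD Relying Party'   # placeholder name
```

Run it on every ADFS and proxy/WAP server; a BLOCKED line against the thumbprint named in the MSIS3014 event is the firewall change to request, and it also documents why the port must stay open if the revocation check is left enabled.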
Active Directory Federation Services (ADFS) creates and manages the two certificates used for the tokens issued. These are the Token-signing and Token-decrypting certificates. By default, these certificates are valid for one year from their creation and around the one-year mark, they will renew themselves automatically via the Auto Certificate Rollover feature in ADFS. Once this happens, CRM can no longer properly authenticate users as it still holds the old certificates’ metadata in the database. This is easily resolved by rerunning the “Configure Claims Based Authentication” and “Configure Internet Facing Deployment” wizards from the CRM Deployment Manager and then issuing an IISRESET on the CRM server(s).
More details and resolution can be found in this KB: http://support.microsoft.com/kb/2686840
While most CRM administrators understand that aspect, there are a number of settings and configurations that lead up to this issue that are less well-known to most. One of the biggest complexities is understanding EXACTLY when CRM will be going down because of the Auto Certificate Rollover and how to avoid it. We will be going through that today.
We will start with the process that ADFS goes through for certificate renewal:
- ADFS determines that its certificates will be expiring soon.
- ADFS creates new certificates and sets them as secondary certificates.
- ADFS updates the new certificates to primary certificates.
There are a number of settings for ADFS only accessible via PowerShell that control the Auto Certificate Rollover options and properties for the process above. To access these, open an administrative PowerShell prompt and execute the following (Note that if you are using ADFS 2.0, you will need to add the ADFS PowerShell Snap-In first by executing Add-PSSnapin Microsoft.ADFS.PowerShell):
This will display a listing of the deployment properties for ADFS, including the properties around the certificates and rollover. For our purposes, we will keep our focus on just a handful of these properties:
So what do all of these values mean? Below are the same steps provided earlier, now accounting for the values in the table above.
- ADFS determines that its certificates will be expiring within 20 days.
- ADFS creates new certificates valid for 365 days and sets them as secondary certificates.
- After 5 days’ time the Certificate Management Cycle kicks off and ADFS updates the new certificates to primary certificates.
As you can see, knowing these values can greatly help in planning for certificate rollover. Here is an example:
In the screenshot below, we can see our primary certificates expire on 2/12/2015 and ADFS has already created new certificates to rollover. The new (secondary) certificates were created 20 days prior to the expiration of the primary certificates (1/23/2015). On 1/28/2015, 5 days after the creation of the new certificates, ADFS will change them to primaries.
In the above example, you know your deadline is 1/28/2015. Rather than sitting back and waiting until CRM goes down, plan a short outage after hours and roll the certificates over manually! You can force ADFS to generate new certificates and promote them to primaries immediately using the following command in PowerShell:
Once the new certificates are in place in ADFS, re-run the Claims and IFD Wizards in the CRM Deployment Manager to update the metadata and issue an IISReset on the CRM server(s). Voila! Happy CRM users!
Of course, given the properties we have at our disposal to modify, there is much more you can do to create a better life for yourself. For example, set the CertificateDuration to 1095 days (three years) rather than just 365 (one year) so this is not as frequent an issue. Another idea would be to set the CertificateGenerationThreshold lower so the actual rollover date is closer to the true expiration of the certificate. Or just turn off AutoCertificateRollover altogether, set a reminder, and take care of it all manually before expiration!
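The date arithmetic from the walkthrough above (expiration, generation threshold, promotion threshold) is worth scripting so it can be checked on every farm rather than read off a screenshot. The block below is an added example, not code from the original post: a pure function that turns those three values into the promotion date, checked against the post's own 2/12/2015 example, followed by a live pass over both token certificates. It assumes the ADFS module with Get-AdfsProperties and Get-AdfsCertificate.

```powershell
# Added example (not from the original post): compute the exact date on which
# ADFS promotes new token certificates to primary, which is the date CRM stops
# authenticating users until the Claims/IFD wizards are re-run.

function Get-RolloverSchedule {
    param(
        [datetime]$PrimaryNotAfter,      # expiry of the current primary certificate
        [int]$GenerationThresholdDays,   # CertificateGenerationThreshold
        [int]$PromotionThresholdDays     # CertificatePromotionThreshold
    )
    $generated = $PrimaryNotAfter.AddDays(-$GenerationThresholdDays)  # secondaries are created
    $promoted  = $generated.AddDays($PromotionThresholdDays)          # secondaries become primary
    [pscustomobject]@{
        PrimaryExpires     = $PrimaryNotAfter.ToString('yyyy-MM-dd')
        SecondariesCreated = $generated.ToString('yyyy-MM-dd')
        CrmBreaksOn        = $promoted.ToString('yyyy-MM-dd')
        DaysUntilOutage    = [int]($promoted.Date - (Get-Date).Date).TotalDays
    }
}

# Worked check with the dates from the post: expiry 2/12/2015 with a 20-day
# generation threshold and 5-day promotion threshold gives 2015-01-23 for
# secondary creation and 2015-01-28 for promotion.
Get-RolloverSchedule -PrimaryNotAfter ([datetime]'2015-02-12') `
                     -GenerationThresholdDays 20 -PromotionThresholdDays 5

# Live pass on an ADFS server: read the thresholds and both primary certificates.
Import-Module ADFS
$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover) {
    "AutoCertificateRollover is off: renew manually before the primary certificates expire."
}
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $primary = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
    "{0} primary thumbprint {1}" -f $type, $primary.Thumbprint
    Get-RolloverSchedule -PrimaryNotAfter $primary.Certificate.NotAfter `
                         -GenerationThresholdDays $props.CertificateGenerationThreshold `
                         -PromotionThresholdDays $props.CertificatePromotionThreshold
}
```

If you adopt the longer-duration option discussed above, the same properties are set with Set-AdfsProperties (for example -CertificateDuration 1095); the new duration only applies to certificates generated after the change, so re-run the schedule afterwards to see the actual next outage date.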
Another great post from my team at www.Tribridge.com
We recently set up CRM 2015 and ADFS 2.2 (the version that comes on Server 2012 R2) on new servers for a customer. Everything configured fine and initial tests proved successful when logging in with the domain admin account used to set everything up. However, we quickly found an issue when other users tried to access CRM via the external URL. At the ADFS login page, a user would enter his or her credentials as usual and try to log in, but rather than giving a 302 redirect back to CRM for access, it redirected back to the ADFS login page. This presented no errors on screen or in the CRM event viewer – it was as if we never tried logging in. If we purposefully entered invalid credentials, it provided the error regarding incorrect user ID or password, so we knew authentication against AD was taking place successfully and that something was wrong with the passing of the token. Also of note was the fact that despite the external URL not working, all users were able to access CRM just fine using the internal (pass-through auth) URL.
Nothing appeared in the ADFS Admin event viewer logs but upon closer inspection, the Security log in the event viewer on the ADFS server was loading up with Audit Failure notifications – Event ID 4625. The failure reason indicated “Unknown user name or bad password” for the ADFS service account. As any logical person would assume, we figured the account was locked out, the password expired, or we entered invalid credentials during setup. Unfortunately, upon resetting the password in Active Directory, the audit failures persisted.
After some digging around, we uncovered that adding the ADFS service account to the Windows Authorization Access Group in Active Directory was the resolution. The members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. We added the account to the group, restarted the ADFS service, and all users were then able to access CRM via the external URL as expected! Another great tip from the CFE team!
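The two halves of that troubleshooting (confirming the 4625 audit failures are for the service account, then checking and correcting its membership in Windows Authorization Access Group) can be scripted so the check is repeatable on the next build. This is an added example, not code from the original post or the CFE team; it assumes the ActiveDirectory module, that it runs on the ADFS server whose Security log holds the events, and that the service account name and service name (adfssrv) match your deployment.

```powershell
# Added example (not from the original post): confirm the symptom from the
# Security log, then verify or fix the service account's membership in
# Windows Authorization Access Group. Account name below is a placeholder.
Import-Module ActiveDirectory

$serviceAccount = 'svc-adfs'   # placeholder: sAMAccountName of the ADFS service account
$groupName      = 'Windows Authorization Access Group'

# 1. Count 4625 logon failures naming the service account in the last 24 hours.
$filter   = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($serviceAccount))\b" }
"4625 failures for $serviceAccount in the last 24h: $(@($failures).Count)"

# 2. Is the account already a (direct or nested) member of the group?
$members = Get-ADGroupMember -Identity $groupName -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($members -contains $serviceAccount) {
    "$serviceAccount is already a member of '$groupName'."
} else {
    "$serviceAccount is NOT a member of '$groupName'; adding it."
    Add-ADGroupMember -Identity $groupName -Members $serviceAccount
    # Group membership is evaluated at logon, so the ADFS service must be
    # restarted before it can read tokenGroupsGlobalAndUniversal.
    Restart-Service -Name adfssrv
}
```

Re-run the first half after the restart: the 4625 count for the service account should stop growing, and external users should get their 302 back to CRM.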
Join me at the CRMUG Summit in Reno, NV. This is the premier Dynamics CRM event of the year. Don’t miss out; it’s not too late to register below.
Here’s my preliminary schedule. Please refer to the website!
Monday, October 12
|8:00pm-10:00pm @ Peppermill – Terrace Lounge Chapter Leader Bash|
Tuesday, October 13
|2:00pm-4:30pm @ Atlantis: Paradise D & E Volunteer Immersion at CRMUG Summit|
|5:00pm-8:00pm @ Hall 2 Welcoming Expo Reception|
Wednesday, October 14
|7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day|
|9:15am-9:45am @ Ballroom Lobby Networking Break|
|9:45am-10:45am @ D2 Getting Ready to Pull the CRM Trigger|
|11:15am-12:25pm @ C4 CRMUG Opening General Session – Microsoft Keynote|
|1:30pm-2:30pm @ D4 The CRM Superhero’s Tips, Tricks, and Toolbox|
|1:30pm-2:30pm @ D2 Scouting & Preparing as CRM GameDay Draws Near|
|2:30pm-3:00pm @ Ballroom Lobby Networking Break|
|4:00pm-4:30pm @ Ballroom Lobby Networking Break|
|4:30pm-6:00pm @ D2 ADFS & Upgrading with a Mobile State of Mind|
|6:00pm-8:00pm @ Hall 2 Expo Reception|
Tribridge Customer Party – Invitation Only, 7pm onward.
Please contact me if you’re a customer or prospect and did not receive an invitation.
Thursday, October 15
|7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day|
|8:00am-9:00am @ D2 Getting that CRM Upgrade to Purr Like a Kitten|
|9:00am-9:30am @ Ballroom Lobby Networking Break|
|10:30am-11:00am @ Ballroom Lobby Networking Break|
|11:00am-12:00pm @ C4 CRMUG General Community Session|
|12:00pm-2:00pm @ Halls 1 & 2 Networking Lunch and Expo|
|2:00pm-3:00pm @ D7 Going OnPremise to CRM Online|
|2:00pm-3:00pm @ C1 Take It to the Next Level with End User Experience Upgrades in CRM 2015|
|3:00pm-3:15pm @ Ballroom Lobby Networking Break|
|3:15pm-4:15pm @ D4 Ask the MVPs: Admin-Foundation Edition|
|3:15pm-4:15pm @ D7 Ask the Experts – User Adoption Edition: Enterprise CRM Strategies and Pitfalls to Avoid|
|4:15pm-4:45pm @ Ballroom Lobby Networking Break|
|4:45pm-5:45pm @ D2 Dissecting Multifaceted CRM Upgrades|
Friday, October 16 – CANCELLED
|8:00am-9:15am @ D2 Deployment Method of Choice CANCELLED|
Dynamics CRM Videos and eBooks are now available for Sales, Service, Social Listening, Mobile and upgrading. Take a look:
It’s that time of year again, when all the CRM User base gets together for the biggest CRM user group event of the year. CRMUG Summit is a great place to learn, network and do all things CRM! Some details to the event can be found here.
If you’re attending, see my schedule below. Stop by to ask a question or just say hello!
Dynamics Partner Conference Oct 13-14
Please note the 2:15 session has been moved to 8am that morning, giving you plenty of time to catch your flights.
Microsoft has begun switching over many of our Microsoft Dynamics CRM customers to CRM 2013.
Here are some things you should know about the overall process:
1. Ensure you have another environment (test/dev) that matches your CRM production setup.
This is a best practice by far. Not having a test environment makes troubleshooting and changes in your production environment almost impossible to manage. This is no different for whichever deployment model you have chosen: Online, On-Premise or Partner Hosted.
Ensure this environment has a copy of the latest customizations, solutions, ISV solutions, etc. Data can also be replicated from production using tools like the CRM 2011 Instance Adapter or a tool like Scribe.
If you do not have a CRM 2011 instance for test/dev already, it’s now too late to create a new one, as only CRM 2013 instances are available as of Nov 4th. You will have no choice but to create a test CRM 2013 trial and import your 2011 solution, which is fully supported. This will provide you with what your system will look like after the upgrade.
You should also push out your production CRM Online date as far as possible. Today, the last date available to upgrade is 2/14/2014. For other implementations, you still have some time :).
2. Understanding your Environment
Ensuring that you understand all the components that have been deployed with your CRM system is critical to the success of your upgrade. You will need to review all your Solutions, Web Resources and Custom Code to ensure that you and your ISVs are prepared for the upgrade.
Microsoft has provided a tool to help pinpoint these issues.
The information provided by the tool will be a roadmap for your upgrade. Check your ISVs’ websites for their plans in regards to CRM 2013.
3. Fix Issues
It’s very important to record and fix your issues and test them fully before User Acceptance Training (UAT). Errors with the application can quickly kill your user adoption. If you’re not ready, wait! Once the issues have been resolved, you’re ready for testing!
4. Testing your Upgrade
Once you have all the customizations, solutions and errors fixed in your development/test server, you can now perform your User Acceptance Training (UAT) and overall product training. Please note that even with no errors, your users will need training for CRM 2013’s completely redesigned interface.
Make sure you have a strong test plan, allowing users to fully test all of their daily functions. This should also include processes they don’t often run. This should include the Outlook and Web Clients as well as desktop versions Win7/Win8 as well as Office versions (2007/2010/2013) or the combination that is being deployed by your organization.
Once you have sign-off, you will want to take the solutions and ISV files and deploy them in the production environment the night of Production Go-Live.
5. Planning your Upgrade
Once you have completed your testing, you can move your production upgrade date forward from the CRM Online system. This will allow you to choose the next available date. Once the upgrade starts, you will not be able to access the system for a few hours, and as long as 24 hours.