Override CRM dashboard limit to avoid your solution failing


When trying to upload a solution with more than the maximum number of dashboard components.

Message: “The Dashboard that you are trying to save has more components than the maximum number allowed. Remove some components and try again.”

dashboard

 
 
 
 

To resolve this issue, you can increase the Dashboard limit using Power

1. Retrieve and set the dashboard limit

  1. Open a Windows PowerShell command window
  2. Add the Microsoft Dynamics CRM Windows PowerShell snap-in:

2. Add-PSSnapin Microsoft.Crm.PowerShell

powershell_01

 
 

3. Retrieve the current setting:

$setting = Get-CrmSetting -SettingType DashboardSettings

4. Modify the current setting:

$setting.MaximumControlsLimit = 10

Set-CrmSetting -Setting $setting

powershell_02

 


How to setup load balanced SSRS Servers for CRM 2016


While not very common, there are times when a customer or client requests two servers for the CRM SRS data connector/SSRS to be installed and have load balancing configured for the servers. The idea here is failover; when one server hosting SSRS crashes, all incoming requests are routed to the secondary server. There are a couple of ways to do this, but the following method is the most straightforward and simplistic way.

1.    Create a Virtual IP(VIP) to route to each SSRS server.

In order for this method to work, a virtual IP will need to be created. The virtual IP will accept incoming data packets, then route the requests to each of the IP addresses of the physical servers that will have SSRS installed.

2.      Install and configure SSRS on each server.

Install and configure SSRS on each server as you typically would by pointing to the SQL server and/or instance where you would like the report server databases to be located.

3.    Install the CRM SRS data connector on each server.

Grab the installation files for your respective version of CRM and install the data connector on both servers. Install the data connector as you would for a typical CRM deployment.

4.      Configure the host file on each SSRS server.

On both SSRS servers, open the host file: C:\Windows\System32\Drivers\etc\hosts. Edit the host file by adding the IP and DNS name of the virtual IP created in step 1:

host

 

 

 

 

 

 

 

 

5.      Add the BackConnectionHostNames registry key with the server name and FQDN.

Open Registry Editor on one of the SSRS servers, and locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.

Right click MSV1_0, point to New and then click Multi-String Value. Type BackConnectionHostNames, then press ENTER.

Right click BackConnectionHostNames, then click Modify.

In the Value data box, type the host name of the VIP and FQDN of the VIP, and click OK.

multi

 

 

 

 

 

 

Repeat these steps for the other SSRS server.

6.      Add hostname and URL root values.

On one of the SSRS servers, make a backup of the reportserver.config file located here: C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer.

Right click the original reportserver.config file and choose edit.

Modify the hostname and URL root tags of the .xml file located under the service tag by adding the FQDN of the VIP as shown below:

reportserverconfig

 
 
 
 
 
 
 
 
 

Save the file after making the changes.

Repeat these steps for the other SSRS server.

7.   Restart both SSRS servers.

8.   During the import or new creation of an organization in CRM, specify the name of the VIP.

Use the VIP created in step 1 when prompted for the reporting services URL during a new org creation or an org import:


Why You Should Have TCP Port 80 Open Outbound On Your ADFS Server?


Active Directory Federation Services (ADFS) performs a lot of tasks when it comes to authenticating users into CRM securely. One of those tasks in particular is a certification revocation check to validate that the certificates being used are still valid. ADFS completes this process by reaching out to certification revocation lists (CRLs) over TCP port 80 – basic HTTP communication.

What we’ve seen is that businesses will want to lock down their ADFS servers just to be on the “safe side” and that includes closing TCP Port 80 outbound (e.g. no internet access). If left in its default state, ADFS will break and cause authentication to fail as it knows that it is supposed to check the CLRs to validate the certificate before issuing a token to allow a user into CRM. If it cannot do this, it will not issue a token. You may see an error similar to the following in the ADFS event viewer logs after a failed authentication attempt:

adfsport80

 

 

 

 

 

 

 

 

Event ID: 364

Microsoft.IdentityServer.AuthenticationFailedException: MSIS3014: The encryption certificate of the relying party trust ‘https://crm.domain.com/’ identified by thumbprint ’01DEDF6E6F532BF7357457EBEC31DA82SFDA1234′ is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted. —>

Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust ‘https://crm.domain.com/’ identified by thumbprint ’01DEDF6E6F532BF7357457EBEC31DA82SFDA1234′ is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

So what are your options?

  1. Have your networking team open TCP 80 outbound on the ADFS server(s). This would also apply to all ADFS Proxies or WAP servers. While opening a port might seem less secure at face value it would actually be the opposite as ADFS is able to validate the certificates being used.

 

  1. The less preferred, but still acceptable, method would be turning off the Certificate Revocation Check of ADFS. The check is controlled individually for each relying party in ADFS so it would need to be turned off for all one by one. To do this open an admin PowerShell prompt and issue the following command:

                    Set-ADFSRelyingPartyTrust  -TargetName <relyingpartytrustName> -EncryptionCertificateRevocationCheck None

 


CRM Organization Import Issue and SSRS MaxRequestLength


When importing an organization to CRM 2011 we came across an error during the import wizard process which was causing the import to fail:

14:54:33| Info| PublishReportsFromDatabase: Creating report in Reporting Services. ReportId: 9f973403-bc84-e111-88bc-0050569e0001, Name: INVOICE PAYMENTS
14:54:34| Error| Error while updating organization information: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Crm.Reporting.RuntimeReportServer.UploadReport(String path, Byte[] reportDefinition, String name, String description, Boolean overwriteExistingReport)
at Microsoft.Crm.Reporting.RuntimeReportServer.UploadReport(SRSReport report, String reportNameOnSrs, String name, String description, Boolean isSharedReport, Boolean overwriteExistingReport)
at Microsoft.Crm.Setup.Server.Utility.ReportsUtility.OrganizationPublishReportsScaleGroup(IDbCommand command, Uri reportingUrl, String orgUniqueName, Boolean ignoreCustomReportsFailure, Boolean publishOnlyCustomReports)
at Microsoft.Crm.Tools.Admin.DBImportHelper.RePublishReports(IDbCommand command, Guid organizationId, String organizationUniqueName, Uri reportUrl)
at Microsoft.Crm.Tools.Admin.ImportOrganizationInstaller.UpdateOrganizationInfo(Guid organizationId, OrganizationGroupsInfo organizationInfo, String organizationFriendlyName, String organizationUniqueName, Uri reportServerUrl, Int32 PercentUpdateOrganization, ICollection`1 users)

This was not an upgrade of any sort – just simply a CRM migration to a new environment so there were no versioning differences from a CRM perspective. While the error above is lacking much detail, it did give us enough to begin troubleshooting. We could clearly see that this issue was occurring with a report titled “Invoice Payments” but knew nothing else. After obtaining a copy of the report’s RDL file, we didn’t notice anything wrong in particular with the way the report was written but did think it was rather large for an RDL file – nearly 5MB – there were quite a few embedded images.

We decided to attempt uploading the report directly into SSRS and were met with a much more helpful error message – “Maximum request length exceeded”. What this was telling us rang a bell with what we noticed earlier regarding the RDL file size. By default, SSRS has a limit on the report file size that it will allow to be imported. This limit is 4MB but can be increased by doing the following:

Open the web.config of the Report Manager (%\Program Files\Microsoft SQL Server\MSSQL.X\Reporting Services\ReportManager) and find the “executionTimeout” setting. It should look something like this:

On this line, add the maxRequestLength attribute with the value (in KB) needed to upload the report. This value is not in here by default. It should now look like this (this shows a 10MB limit):

Save the file and then repeat these steps in the web.config of the Report Server (%\Program Files\Microsoft SQL Server\MSSQL.X\Reporting Services\ReportServer). Once both files have been modified and saved, restart the SSRS service.

Following this change, we were able to upload the RDL to SSRS directly to verify that the change worked and then subsequently were able to complete the organization import for CRM without issue.


CRM 2016 available, but not ready for your Production Server just yet!


Over the last few weeks my colleagues and fellow MVP’s have been working on a few CRM 2016 systems. Our general thought is that a lot of this code is from the CRM Online 2015 code base, and should really be production ready. However, the Microsoft CRM team has been hard at work delivering new features, so looks like we introduced a few bugs.

I’m going to recommend that you wait for update rollup 1 before deploying to your production system. There’s still plenty of time to test and install in your dev and test systems as you wait for these fixes. Here’s the main areas:

  1. Overall Outlook 2016 Client Configuration and Usage Issues – Support Recommended to stay with 2015 client
  2. New Form Rending Engine slowing overall form performance – fix in the works for update roll up 1
  3. Tweaks to the 2016 Solution Engine, breaking some backwards capability while importing solutions – fix in the works for update roll up 1
  4. Mobile Client performance issues

So we will re-test about the update roll-up 1 and provide future recommendations when we feel this is ready for production. Remember that there are some best practices and one is two wait until the first update roll-up is available. Stay tuned.


Understanding the ADFS Token Signing and Decrypting Certificates Rollover Process


Active Directory Federation Services (ADFS) creates and manages the two certificates used for the tokens issued. These are the Token-signing and Token-decrypting certificates. By default, these certificates are valid for one year from their creation and around the one-year mark, they will renew themselves automatically via the Auto Certificate Rollover feature in ADFS. Once this happens, CRM can no longer properly authenticate users as it still holds the old certificates’ metadata in the database. This is easily resolved by rerunning the “Configure Claims Based Authentication” and “Configure Internet Facing Deployment” wizards from the CRM Deployment Manager and then issuing an IISRESET on the CRM server(s).

More details and resolution can be found in this KB: http://support.microsoft.com/kb/2686840

While most CRM administrators understand that aspect, there are a number of settings and configurations that lead up to this issue that are less well-known to most. One of the biggest complexities is understanding EXACTLY when CRM will be going down because of the Auto Certificate Rollover and how to avoid it. We will be going through that today.

We will start with the process that ADFS goes through for certificate renewal:

  1. ADFS determines that its certificates will be expiring soon.
  2. ADFS creates new certificates and sets them as secondary certificates.
  3. ADFS updates the new certificates to primary certificates.

There are a number of settings for ADFS only accessible via PowerShell that control the Auto Certificate Rollover options and properties for the process above. To access these, open an administrative PowerShell prompt and execute the following (Note that if you are using ADFS 2.0, you will need to add the ADFS PowerShell Snap-In first by executing Add-PSSnapin Microsoft.ADFS.PowerShell):

adfs1

 

This will display a listing of the deployment properties for ADFS, including the properties around the certificates and rollover. For our purposes, we will keep our focus on just a handful of these properties:

  • AutoCertificateRolloveradfs2
  • CertificateDuration
  • CertificateGenerationThreshold
  • CertificatePromotionThreshold
  • CertificateRolloverInterval

adfsgrid

 

So what do all of these values mean? Below are the same steps provided earlier but now account for the values in the table above.

  1. ADFS determines that its certificates will be expiring within 20 days.
  2. ADFS creates new certificates valid for 365 days and sets them as secondary certificates.
  3. After 5 days’ time the Certificate Management Cycle kicks off and ADFS updates the new certificates to primary certificates.

As you can see, knowing these values can greatly help in planning for certificate rollover. Here is an example:

In the screenshot below, we can see our primary certificates expire on 2/12/2015 and ADFS has already created new certificates to rollover. The new (secondary) certificates were created 20 days prior to the expiration of the primary certificates (1/23/2015). On 1/28/2015, 5 days after the creation of the new certificates, ADFS will change them to primaries.

adfscert

 

In the above example, you know your deadline is 1/28/2015. Rather than sitting back and waiting until CRM goes down, plan a short outage afterhours and roll the certificates over manually! You can force ADFS to generate new certificates and promote them to primaries immediately using the following command in PowerShell:

adfs3

 

Once the new certificates are in place in ADFS, re-run the Claims and IFD Wizards in the CRM Deployment Manager to update the metadata and issue an IISReset on the CRM server(s). Voila! Happy CRM users!

Of course, given the properties we have at our disposal to modify there is much more you can do to create a better life for yourself. For example, set the CertificateDuration to 1095 days (three years) rather than just 365 (one year) so this is not as frequent of an issue. Another idea would be to set the CertificateGenerationThreshold lower so the actual rollover date is closer to the true expiration of the certificate. Or just turn off AutoCertificateRollover altogether, set a reminder, and take care of it all manually before expiration!

Another great post from my team at www.Tribridge.com

 


CRM 2016: New Form Rending Engine


With the release of CRM 2016 (2015 Update 1 for CRM Online), comes a new form rendering engine (referred to as Turbo Forms in some circles) was built to provide better performance of form loads. The two main changes are focused around loading process of the form and the handling of the cache.

However, while the new rendering engine was built to help with performance you may actually notice the opposite taking place. In heavily customized environment, you might experience long stalls during form loads with messages reading “requesting data from CRM” and/or “loading business logic”.

render1 Render2

 

 

 

 

If you are currently being plagued by these messages, it may be a good idea to turn the new rendering engine off. To do this, simply go to: Administration -> System Setting, scroll all the way down and you will see the “Use legacy form rendering” option. Turning it to “yes” will disable the new engine.

legacy

 

 

While this will help in the short term, it is advised to figure out what on your form is causing conflict with the new engine so that it can be fixed and the new engine can be turned back on for even better performance. Microsoft is also aware of the issue and is looking at it within the Update Roll-up 1 Time frame.


ADFS Logon Page Loop Issue with Dynamics CRM 2015


We recently setup CRM 2015 and ADFS 2.2 (the version that comes on Server 2012 R2, aka ADFS 2.2) on new servers for a customer. Everything configured fine and initial tests proved successful when logging in with the domain admin account used to set everything up. However, we quickly found an issue when other users tried to access CRM via the external URL. At the ADFS login page, a user would enter his or her credentials as usual and try to login but rather than giving a 302 redirect back to CRM for access, it redirected back to the ADFS login page. This presented no errors on screen or in the CRM event viewer – it was as if we never tried logging in. If we purposefully entered invalid credentials, it provided the error regarding incorrect user ID or password so we knew authentication against AD was taking place successfully and that something was wrong with the passing of the token. Also of note was the fact that despite the external URL not working, all users were able to access CRM just fine using the internal (pass-through auth) URL.

login1

 

 

 

 

 

 

 

Nothing appeared in the ADFS Admin event viewer logs but upon closer inspection, the Security log in the event viewer on the ADFS server was loading up with Audit Failure notifications – Event ID 4625. The failure reason indicated “Unknown user name or bad password” for the ADFS service account. As any logical person would assume, we figured the account was locked out, the password expired, or we entered invalid credentials during setup. Unfortunately, upon resetting the password in Active Directory, the audit failures persisted.

property1

 

 

 

 

 

 

 

 

 

 

After some digging around, we uncovered that adding the ADFS service account to the Windows Authorization Access Group in Active Directory was the resolution. The members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. We added the account to the group, restarted the ADFS service, and all users were then able to access CRM via the external URL as expected! Another great tip from the CFE team!

property2

 

 


Join me at CRMUG Summit in Reno NV October 13-16


Join me at the CRMUG Summit In Reno NV. This is the premier Dynamics CRM Event of the year. Don’t miss out, not too late to register below.

renosummit

 

More details..

http://www.crmugsummit.com/home

Here’s my preliminary schedule. Please refer to the website!

Monday, October 12

8:00pm-10:00pm @ Peppermill – Terrace Lounge Chapter Leader Bash

Tuesday, October 13

2:00pm-4:30pm @ Atlantis: Paradise D & E Volunteer Immersion at CRMUG Summit
5:00pm-8:00pm @ Hall 2 Welcoming Expo Reception

Wednesday, October 14

7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day
9:15am-9:45am @ Ballroom Lobby Networking Break
9:45am-10:45am @ D2 Getting Ready to Pull the CRM Trigger
11:15am-12:25pm @ C4 CRMUG Opening General Session – Microsoft Keynote
1:30pm-2:30pm @ D4 The CRM Superhero’s Tips, Tricks, and Toolbox
1:30pm-2:30pm @ D2 Scouting & Preparing as CRM GameDay Draws Near
2:30pm-3:00pm @ Ballroom Lobby Networking Break
4:00pm-4:30pm @ Ballroom Lobby Networking Break
4:30pm-6:00pm @ D2 ADFS & Upgrading with a Mobile State of Mind
6:00pm-8:00pm @ Hall 2 Expo Reception

Tribridge Customer Party – Invitation Only 7pm on..

Please contact me if your a customer or prospect and did not receive an invitation.

Thursday, October 15

7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day
8:00am-9:00am @ D2 Getting that CRM Upgrade to Purr Like a Kitten
9:00am-9:30am @ Ballroom Lobby Networking Break
10:30am-11:00am @ Ballroom Lobby Networking Break
11:00am-12:00pm @ C4 CRMUG General Community Session
12:00pm-2:00pm @ Halls 1 & 2 Networking Lunch and Expo
2:00pm-3:00pm @ D7 Going OnPremise to CRM Online
2:00pm-3:00pm @ C1 Take It to the Next Level with End User Experience Upgrades in CRM 2015
3:00pm-3:15pm @ Ballroom Lobby Networking Break
3:15pm-4:15pm @ D4 Ask the MVPs: Admin-Foundation Edition
3:15pm-4:15pm @ D7 Ask the Experts – User Adoption Edition: Enterprise CRM Strategies and Pitfalls to Avoid
4:15pm-4:45pm @ Ballroom Lobby Networking Break
4:45pm-5:45pm @ D2 Dissecting Multifaceted CRM Upgrades

Friday, October 16 – CANCLLED

8:00am-9:15am @ D2 Deployment Method of Choice  CANCELLED

 

 


Deploying and administering Microsoft Dynamics CRM Online and Microsoft Dynamics CRM 2015


This deployment and administration documentation, known as the Implementation Guide or IG in previous versions of Microsoft Dynamics CRM, is a set of comprehensive deployment and administration topics that can help you plan, deploy, configure, customize, and maintain Microsoft Dynamics CRM 2015 (on-premises) or Microsoft Dynamics CRM Online.

http://technet.microsoft.com/en-US/library/hh699811(v=crm.7).aspx