Why You Should Have TCP Port 80 Open Outbound On Your ADFS Server?


Active Directory Federation Services (ADFS) performs a lot of tasks when it comes to authenticating users into CRM securely. One of those tasks in particular is a certificate revocation check, to validate that the certificates being used are still valid. ADFS completes this check by retrieving certificate revocation lists (CRLs) over TCP port 80, i.e. basic HTTP communication.

What we've seen is that businesses want to lock down their ADFS servers just to be on the "safe side", and that includes closing TCP port 80 outbound (i.e. no internet access). With ADFS left in its default configuration, this breaks authentication: ADFS knows it is supposed to check the CRLs to validate the certificate before issuing a token that lets a user into CRM, and if it cannot do this, it will not issue the token. You may see an error similar to the following in the ADFS event log after a failed authentication attempt:

Event ID: 364

Microsoft.IdentityServer.AuthenticationFailedException: MSIS3014: The encryption certificate of the relying party trust 'https://crm.domain.com/' identified by thumbprint '01DEDF6E6F532BF7357457EBEC31DA82SFDA1234' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted. --->

Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'https://crm.domain.com/' identified by thumbprint '01DEDF6E6F532BF7357457EBEC31DA82SFDA1234' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

So what are your options?

  1. Have your networking team open TCP 80 outbound on the ADFS server(s). This also applies to all ADFS Proxy or WAP servers. While opening a port might seem less secure at face value, it is actually the opposite: with it open, ADFS is able to validate the certificates being used.

  2. The less preferred, but still acceptable, method is to turn off the certificate revocation check in ADFS. The check is configured individually for each relying party, so it needs to be turned off for each one in turn. To do this, open an admin PowerShell prompt and run:

                    Set-ADFSRelyingPartyTrust -TargetName <relyingpartytrustName> -EncryptionCertificateRevocationCheck None
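Before choosing option 2, it is worth knowing exactly which CRL endpoints ADFS is trying to reach. The script below is an added example, not from the original post: it lists every relying party trust whose encryption-certificate revocation check is still on, pulls the CRL distribution point URLs out of that trust's encryption certificate, and tests TCP reachability to each from the ADFS server. It assumes the ADFS module (Get-AdfsRelyingPartyTrust) and Test-NetConnection (Windows Server 2012 R2 or later).

```powershell
# Added example (not from the original post): show the CRL distribution points
# ADFS must reach over TCP 80 to validate each relying party's encryption
# certificate, and test whether they are reachable from this server.
# Assumes the ADFS module (Get-AdfsRelyingPartyTrust) and Test-NetConnection.

function Get-CrlUrlsFromCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
    # renders it as multi-line text containing "URL=http://..." entries.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(http://\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-AdfsCrlReachability {
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        # Trusts already set to None (option 2 above) never fetch a CRL.
        if ($rp.EncryptionCertificateRevocationCheck -eq 'None') { continue }
        if (-not $rp.EncryptionCertificate) { continue }

        foreach ($url in Get-CrlUrlsFromCertificate -Certificate $rp.EncryptionCertificate) {
            $uri  = [uri]$url
            $port = if ($uri.Port -gt 0) { $uri.Port } else { 80 }
            $tcp  = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                RelyingParty    = $rp.Name
                RevocationCheck = $rp.EncryptionCertificateRevocationCheck
                CrlUrl          = $url
                Reachable       = $tcp.TcpTestSucceeded
            }
        }
    }
}

# Any row with Reachable = False is a relying party that will hit MSIS3014
# as soon as the cached CRL expires.
Test-AdfsCrlReachability | Format-Table -AutoSize
```

Note that the issuing CA certificates in the chain carry their own CRL URLs, so those hosts need to be reachable on port 80 as well.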


Understanding the ADFS Token Signing and Decrypting Certificates Rollover Process


Active Directory Federation Services (ADFS) creates and manages the two certificates used for the tokens issued. These are the Token-signing and Token-decrypting certificates. By default, these certificates are valid for one year from their creation and around the one-year mark, they will renew themselves automatically via the Auto Certificate Rollover feature in ADFS. Once this happens, CRM can no longer properly authenticate users as it still holds the old certificates’ metadata in the database. This is easily resolved by rerunning the “Configure Claims Based Authentication” and “Configure Internet Facing Deployment” wizards from the CRM Deployment Manager and then issuing an IISRESET on the CRM server(s).

More details and resolution can be found in this KB: http://support.microsoft.com/kb/2686840

While most CRM administrators understand that aspect, there are a number of settings and configurations that lead up to this issue that are less well-known to most. One of the biggest complexities is understanding EXACTLY when CRM will be going down because of the Auto Certificate Rollover and how to avoid it. We will be going through that today.

We will start with the process that ADFS goes through for certificate renewal:

  1. ADFS determines that its certificates will be expiring soon.
  2. ADFS creates new certificates and sets them as secondary certificates.
  3. ADFS updates the new certificates to primary certificates.

There are a number of ADFS settings, accessible only via PowerShell, that control the Auto Certificate Rollover options and properties for the process above. To see them, open an administrative PowerShell prompt and execute Get-ADFSProperties (note that if you are using ADFS 2.0, you will need to add the ADFS PowerShell snap-in first by executing Add-PSSnapin Microsoft.ADFS.PowerShell):


This will display a listing of the deployment properties for ADFS, including the properties around the certificates and rollover. For our purposes, we will keep our focus on just a handful of these properties:

  • AutoCertificateRollover
  • CertificateDuration
  • CertificateGenerationThreshold
  • CertificatePromotionThreshold
  • CertificateRolloverInterval

Screenshot of the property values used in the rest of this post: AutoCertificateRollover enabled, CertificateDuration 365 days, CertificateGenerationThreshold 20 days, CertificatePromotionThreshold 5 days.

So what do all of these values mean? Below are the same steps as before, now with the values from the table above filled in.

  1. ADFS determines that its certificates will be expiring within 20 days.
  2. ADFS creates new certificates valid for 365 days and sets them as secondary certificates.
  3. After 5 days’ time the Certificate Management Cycle kicks off and ADFS updates the new certificates to primary certificates.

As you can see, knowing these values can greatly help in planning for certificate rollover. Here is an example:

In the screenshot below, we can see our primary certificates expire on 2/12/2015 and ADFS has already created new certificates to rollover. The new (secondary) certificates were created 20 days prior to the expiration of the primary certificates (1/23/2015). On 1/28/2015, 5 days after the creation of the new certificates, ADFS will change them to primaries.


In the above example, you know your deadline is 1/28/2015. Rather than sitting back and waiting until CRM goes down, plan a short outage after hours and roll the certificates over manually! You can force ADFS to generate new certificates and promote them to primaries immediately using the following command in PowerShell:

                    Update-ADFSCertificate -Urgent


Once the new certificates are in place in ADFS, re-run the Claims and IFD Wizards in the CRM Deployment Manager to update the metadata and issue an IISReset on the CRM server(s). Voila! Happy CRM users!

Of course, given the properties we have at our disposal to modify there is much more you can do to create a better life for yourself. For example, set the CertificateDuration to 1095 days (three years) rather than just 365 (one year) so this is not as frequent of an issue. Another idea would be to set the CertificateGenerationThreshold lower so the actual rollover date is closer to the true expiration of the certificate. Or just turn off AutoCertificateRollover altogether, set a reminder, and take care of it all manually before expiration!
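The date arithmetic above can be taken straight from the live ADFS properties rather than worked out by hand. The script below is an added example, not from the original post: it reads the rollover thresholds and the expiry of the primary Token-Signing and Token-Decrypting certificates, reports when new certificates will be generated and when they will be promoted (the date CRM breaks), and lets you model a different generation threshold before changing anything. It assumes the ADFS module cmdlets Get-AdfsProperties and Get-AdfsCertificate.

```powershell
# Added example (not from the original post): work out when Auto Certificate
# Rollover will create and then promote new token certificates, using the live
# ADFS property values and the primary certificates' expiry dates.
# Assumes the ADFS module cmdlets Get-AdfsProperties and Get-AdfsCertificate.

function Get-AdfsRolloverSchedule {
    param(
        # Optional overrides so you can model a different threshold (for
        # example a lower generation threshold) without touching the setting.
        [int]$GenerationThresholdDays,
        [int]$PromotionThresholdDays
    )
    $props = Get-AdfsProperties
    if (-not $PSBoundParameters.ContainsKey('GenerationThresholdDays')) {
        $GenerationThresholdDays = $props.CertificateGenerationThreshold
    }
    if (-not $PSBoundParameters.ContainsKey('PromotionThresholdDays')) {
        $PromotionThresholdDays = $props.CertificatePromotionThreshold
    }

    foreach ($type in 'Token-Signing', 'Token-Decrypting') {
        $primary = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
        $expires = $primary.Certificate.NotAfter
        # Step 1: new certificates are generated this many days before expiry.
        $generated = $expires.AddDays(-$GenerationThresholdDays)
        # Step 3: they become primary this many days after generation. That is
        # the day CRM stops authenticating until the Claims/IFD wizards are rerun.
        $promoted = $generated.AddDays($PromotionThresholdDays)
        [pscustomobject]@{
            CertificateType     = $type
            Thumbprint          = $primary.Thumbprint
            PrimaryExpires      = $expires
            NewCertGeneratedOn  = $generated
            PromotedToPrimaryOn = $promoted
            DaysUntilCrmImpact  = [math]::Floor(($promoted - (Get-Date)).TotalDays)
            AutoRollover        = $props.AutoCertificateRollover
        }
    }
}

# With the post's values (20-day generation threshold, 5-day promotion
# threshold) and a primary certificate expiring 2/12/2015, this reports
# generation on 1/23/2015 and promotion on 1/28/2015.
Get-AdfsRolloverSchedule | Format-List

# Model a 10-day generation threshold to see the promotion date move closer
# to the real expiry, as suggested above, before changing the property.
Get-AdfsRolloverSchedule -GenerationThresholdDays 10 | Format-List
```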

Another great post from my team at www.Tribridge.com



CRM 2016: New Form Rending Engine


With the release of CRM 2016 (2015 Update 1 for CRM Online) comes a new form rendering engine (referred to as Turbo Forms in some circles), built to make forms load faster. The two main changes concern the loading process of the form and the handling of the cache.

However, while the new rendering engine was built to help with performance, you may actually notice the opposite taking place. In a heavily customized environment, you might experience long stalls during form loads with messages reading "requesting data from CRM" and/or "loading business logic".


If you are currently being plagued by these messages, it may be a good idea to turn the new rendering engine off. To do this, simply go to Administration -> System Settings, scroll all the way down, and you will see the "Use legacy form rendering" option. Setting it to "Yes" disables the new engine.


While this will help in the short term, it is advisable to work out what on your form is conflicting with the new engine so that it can be fixed and the new engine turned back on for better performance. Microsoft is also aware of the issue and is looking at it within the Update Rollup 1 time frame.


Join me at CRMUG Summit in Reno NV October 13-16


Join me at the CRMUG Summit in Reno, NV. This is the premier Dynamics CRM event of the year. Don't miss out; it's not too late to register below.


More details:

http://www.crmugsummit.com/home

Here’s my preliminary schedule. Please refer to the website!

Monday, October 12

8:00pm-10:00pm @ Peppermill – Terrace Lounge Chapter Leader Bash

Tuesday, October 13

2:00pm-4:30pm @ Atlantis: Paradise D & E Volunteer Immersion at CRMUG Summit
5:00pm-8:00pm @ Hall 2 Welcoming Expo Reception

Wednesday, October 14

7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day
9:15am-9:45am @ Ballroom Lobby Networking Break
9:45am-10:45am @ D2 Getting Ready to Pull the CRM Trigger
11:15am-12:25pm @ C4 CRMUG Opening General Session – Microsoft Keynote
1:30pm-2:30pm @ D4 The CRM Superhero’s Tips, Tricks, and Toolbox
1:30pm-2:30pm @ D2 Scouting & Preparing as CRM GameDay Draws Near
2:30pm-3:00pm @ Ballroom Lobby Networking Break
4:00pm-4:30pm @ Ballroom Lobby Networking Break
4:30pm-6:00pm @ D2 ADFS & Upgrading with a Mobile State of Mind
6:00pm-8:00pm @ Hall 2 Expo Reception

Tribridge Customer Party – Invitation Only 7pm on..

Please contact me if you're a customer or prospect and did not receive an invitation.

Thursday, October 15

7:00am-8:00am @ Hall 1 Breakfast – Jump Into a Great Day
8:00am-9:00am @ D2 Getting that CRM Upgrade to Purr Like a Kitten
9:00am-9:30am @ Ballroom Lobby Networking Break
10:30am-11:00am @ Ballroom Lobby Networking Break
11:00am-12:00pm @ C4 CRMUG General Community Session
12:00pm-2:00pm @ Halls 1 & 2 Networking Lunch and Expo
2:00pm-3:00pm @ D7 Going OnPremise to CRM Online
2:00pm-3:00pm @ C1 Take It to the Next Level with End User Experience Upgrades in CRM 2015
3:00pm-3:15pm @ Ballroom Lobby Networking Break
3:15pm-4:15pm @ D4 Ask the MVPs: Admin-Foundation Edition
3:15pm-4:15pm @ D7 Ask the Experts – User Adoption Edition: Enterprise CRM Strategies and Pitfalls to Avoid
4:15pm-4:45pm @ Ballroom Lobby Networking Break
4:45pm-5:45pm @ D2 Dissecting Multifaceted CRM Upgrades

Friday, October 16 – CANCELLED

8:00am-9:15am @ D2 Deployment Method of Choice  CANCELLED



Deploying and administering Microsoft Dynamics CRM Online and Microsoft Dynamics CRM 2015


This deployment and administration documentation, known as the Implementation Guide or IG in previous versions of Microsoft Dynamics CRM, is a set of comprehensive deployment and administration topics that can help you plan, deploy, configure, customize, and maintain Microsoft Dynamics CRM 2015 (on-premises) or Microsoft Dynamics CRM Online.

http://technet.microsoft.com/en-US/library/hh699811(v=crm.7).aspx



Join me at CRMUG Summit 2014!



It’s that time of year again, when all the CRM User base gets together for the biggest CRM user group event of the year. CRMUG Summit is a great place to learn, network and do all things CRM! Some details to the event can be found here.

If you’re attending, see my schedule below. Stop by to ask a question or just say hello!

Dynamics Partner Conference Oct 13-14

CRMUG Summit 2014 October 15-17

Please note the 2:15 session has been moved to 8am that morning, giving you plenty of time to catch your flights.

I will be at both the MVP sessions.


CRM 2015 has been announced. Fall Release 2014.


Before you say "not again!", CRM 2015 has been announced and should be available by year's end. From my initial testing, I can tell you we have reached a very stable, almost turning point with our common CRM platform. Now, like the ERP systems, we are going to see functionality enhancements, not system redesigns, while keeping the same interface with some small enhancements around performance and usability. Multi-entity search is now available out of the box! 🙂

The CRM team has really delivered, and is keeping the momentum by delivering today. A great way to sum up this new release to others: it's like CRM 2013 R2, but since we had the time, we changed the name too! 🙂

Press Release:
http://www.microsoft.com/en-us/news/press/2014/sep14/09-16crmpr.aspx
Bob Stutz’s Blog:
https://community.dynamics.com/crm/b/crmconnection/archive/2014/09/16/marketing-sales-service-one-cloud-for-all.aspx
Customer Center Get Ready Page:
http://www.microsoft.com/en-us/dynamics/crm-customer-center/get-ready-for-the-next-release.aspx


Need to build a CRM 3 VM to Upgrade to CRM 2013? Here’s how.


We have a few customers still running CRM 3.0 after all these years. With the excitement of CRM 2013, they have decided to upgrade in one shot. Dynamics CRM 3.0 can be upgraded to CRM 4.0, that is, one version at a time. The users don't have to be aware of this step, only the end game, which is CRM 2013.

In order to process this change and migrate the customer to the cloud, we need to upgrade their systems. To do this, I decided to build a VM to upgrade CRM 3.0 to 4.0, and will then use my 2011 VM to upgrade to 2011, then insert the DB into the new CRM 2013 development system.

Easier said than done Right? I really had to dig into my memory banks to remember the process, and thought it would be helpful to others to have it accessible. So Here we go:

1. Build a Windows Server 2003 R2 Standard build VM
2. Make sure you add enough disk space to cover the size of your production database, zipped and unzipped together. I'm using 60 gigs, 2 processors and 2.5 gigs of memory in the VM.
3. Add the Domain Controller and Application Server Roles (select ASP.NET as well).
4. Reboot
5. Install SQL Server 2005 with reporting services. You must configure reporting services as well.
** CRM 3.0 started on SQL 2000 and was commonly upgraded to SQL 2005. The CRM 3.0 installation download includes the fixes to work with SQL 2005. In the past we had to install it on SQL 2000 and upgrade to SQL 2005 afterwards.
6. Test Access to Reporting services once completed.
7. Copy the production CRM 3.0 database and unzip on this VM.
** Make sure you copy both ORGNAME_MSCRM and ORGNAME_METABASE, as these were separate DBs in CRM 3.0.
8. Restore CRM 3.0 database to the SQL Server.
9. On the CRM 3.0 CD, explore and run the redeployment tool .MSI.
10. Run the CRM 3.0 redeployment tool, enter server name localhost and select the production DBs.
11. Choose to manually map, and find a user account of administrator, mapping your VM admin id.
12. Let redeployment complete.
13. Launch the CRM 3.0 installation, and proceed with setup. When you enter the SQL Server (localhost) you will be able to connect to an existing deployment. Choose your databases here.

That will get CRM 3.0 running again in your VM. Please note that all ISV add-ons etc. should be removed, as they will no longer work. You will have to clean them up manually unless you run the uninstallers of these applications in production.

You might also want to consider using a P to V technology (Physical to Virtual) to build the VM exactly as it is in production but Virtual.

Enjoy!


CRM 2013 Upgrade Flurry has Started! Upgrade Checklist


Microsoft has begun switching over many of our Microsoft Dynamics CRM customers to CRM 2013.

Here’s some things you should know about the overall process:

1. Ensure you have another environment (test/dev) that matches your CRM production setup.
This is a best practice by far. Not having a test environment makes troubleshooting and changes in your production environment almost impossible to manage. This is no different whichever deployment model you have chosen: Online, On-Premise or Partner Hosted.

Ensure this environment has a copy of the latest customizations, solutions, ISV add-ons etc. Data can also be replicated from production using tools like the CRM 2011 Instance Adapter or a tool like Scribe.

If you do not have a CRM 2011 instance for test/dev already, it's now too late to create a new one, as only CRM 2013 instances are available as of Nov 4th. You will have no choice but to create a test CRM 2013 trial and import your 2011 solution, which is fully supported. This will show you what your system will look like after the upgrade.

You should also push out your production CRM Online date as far as possible. Today, the last date available to upgrade is 2/14/2014. For other implementations, you still have some time :).

2. Understanding your Environment
Ensuring that you understand all the components that have been deployed with your CRM system is critical to the success of your upgrade. You will need to review all your Solutions, Web Resources and Custom Code to ensure that you and your ISVs are prepared for the upgrade.

Microsoft has provided a tool to help pinpoint these issues.
http://www.microsoft.com/en-us/download/details.aspx?id=30151

The information provided by the tool will be a roadmap for your upgrade. Check your ISVs' websites for their plans regarding CRM 2013.

3. Fix Issues
It's very important to record and fix your issues and test them fully before User Acceptance Training (UAT). Errors with the application can quickly kill your user adoption. If you're not ready, wait! Once the issues have been resolved, you're ready for testing!

4. Testing your Upgrade
Once you have all the customizations, solutions and errors fixed in your development/test server, you can now perform your User Acceptance Training (UAT) and overall product training. Please note that even with no errors, your users will need training for CRM 2013’s completely redesigned interface.

Make sure you have a strong test plan, allowing users to fully test all of their daily functions. This should also include processes they don't often run. It should cover the Outlook and Web clients as well as desktop versions (Win7/Win8) and Office versions (2007/2010/2013), or whichever combination is being deployed by your organization.

Once you have sign-off, you will want to take the solutions and ISV files and deploy them in the production environment the night of the production go-live.

5. Planning your Upgrade
Once you have completed your testing, you can now select to move in your production upgrade date from the CRM Online System. This will allow you to choose the next available date. Once the upgrade starts, you will not be able to access the system for a few hours, and as long as 24 hours.


CRM 2013: Windows 8 Mobile Client – How to Pin/Create CRM Tiles to Start Menu


The Microsoft product team has done a great job delivering the Microsoft Dynamics CRM 2013 mobility clients for Windows 8 and iPads. I noticed a screenshot on the web where tiles related to CRM were pinned to the Windows 8 Start Menu for quick access.

I was trying to figure this out, and it's rather simple. Once inside the Microsoft Dynamics CRM 2013 Mobility Client, the first page is the Mobile Dashboard. On that dashboard, you can select the view of activities, accounts, contacts etc. by pressing on the name with your finger or your mouse and dragging it down like you would a tile on the Windows 8 start menu.

This will bring up the bottom navigation bar. You can then choose to pin to start menu! As you can see this quick tip will let you immediately access your leads and opportunities right from the start! Enjoy.