Sunday, February 19, 2012

A few tricks how to set up Internet facing deployment for Dynamics CRM 2011

The process of setting up IFD (Internet facing deployment) for Microsoft Dynamics CRM 2011 is notoriously difficult and error-prone. Tons of questions on the Internet with quite a lot of them left unanswered. There are several very well-written guidances and video tutorials, so I won't repeat that, but rather pinpoint the issues that I have encountered.

In this particular situation I've been dealing with my own CRM installation for internal purposes, so definitely could cut some corners in the security area. Alas IFD does not allow simple 'I don't need that kind of security, please let me do this quickly and easily'. You have to have ADFS (Federation Service) and certificates. Actually the most of the problems I had were just because of wrong certificates.

So you have two options: the right one is to buy a commercial certificate, like the one from GoDaddy. The second one - is mostly for dev purposes and uses self-signed certificate. Not very secure I must admit, but okay for my own needs.

So, first we need certificates. My situation server-wise:

I have a server with internal domain, let's say internal.local. Also I have one of public domains that I use also to access my CRM from the Internet. Let's call it external.com.

Extenal.com was not specified anywhere on my server, so getting one certificate issued to *.external.com by *.external.com was not sufficient, as the certificate was deemed to be dangerous and untrustworthy. So I created two certificates:

One issued by myserver.internal.local to itself (i.e. myserver.internal.local) - this one would act as a certificate authority. And the second one is for *.external.com issued by myserver.internal.local.

To create certificates I used makecert.exe that is part of Windows SDK and can be downloaded from Microsoft web-site.

In terms of syntax, it was something like that (good article on that subject is right here)

makecert -n "CN=myserver.internal.local" 
         -cy authority 
         -a sha1 
         -sv "myserver.internal.local.pvk"
         -r
         "myserver.internal.local.cer"

 and for the second certificate:

makecert -n "CN=*.external.com" 
         -ic "myserver.internal.local.cer" 
         -iv "myserver.internal.local.pvk"
         -a sha1
         -sky exchange
         -pe
         -sr currentuser
         -ss my
         "externalcom.cer"

Both certicates are to be installed in the Trusted Root Certification Authority section and applied to the web-site in IIS.

The next part of installation was more or less uneventful, you just have to follow the instructions and make those 10-20 different steps accurately.

Having done all that and tried to log in to CRM another error came up, also rather regular according to Google. The error was very much of a generic sense, like 'Unexpected error occurred', so the first thing I looked up was Windows Event Viewer. Now the error was much more descriptive:

An error occurred during an attempt to build the certificate chain for the relying party trust 'https://myorganization.external.com:444/' certificate identified by thumbprint '1A35E5B8E2A7EFC11DB5C39343BA478C3948AA5A'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

Obviously ADFS tried to check the validity of my certificates and could not do it. I guess there's something I could do with this error by manipulating with certificates or the best way probably - buy a proper certificate. But for development/test/internal use purposes it was not worth it.

The solution to this problem is to switch this ADFS check alltogether. Again - I don't recommend this for proper production environments.

How to switch it off? In order to do this you'll need Powershell. The commands are:

Add-pssnapin microsoft.adfs.powershell
set-adfsrelyingpartytrust -targetname "your relying party trust name" encryptioncertificaterevocationcheck none
set-adfsrelyingpartytrust -targetname "your relying party trust name" signingcertificaterevocationcheck none

If you're not sure what to put in "your relying party trust name", issue the following command

get-adfsrelyingpartytrust

and note the property called "Name" - this is what you need.

Another good video instruction.


RECENT BLOG ENTRIES
30 November 2013
Bigcommerce template editing
How to change content in BigCommerce.com templates: guide for a complete newbie.
Read full story
09 October 2013
What if Fancybox does not work at all
If Fancybox library does not work, this might be due to the conflicts with other JS libraries and not the syntax error.
Read full story
14 October 2012
Fancybox with ASP.NET form on Umbraco
Using ASP.NET form on Fancybox popup to make login window
Read full story

Blog archive

The author of this web-site supports WWF . Please do your part in saving our planet!

Alex’s expertise in developing and maintaining web applications has been invaluable to the College – J. Wittersheim, Director of Information Management and Funding, Bury College