Like many, we have struggled to configure Microsoft CRM 2011 as an Internet Facing Deployment. There is quite a bit of disjointed and some what typical Microsoft "junk" on how to set this up.
So after reading the White Papers, blogs and YouTube videos on the topic, I figured I would need notes for myself as much as anything. This is mostly because I am yet to find one single example that covered the setup I was after. That being:
Single Server
On an existing domain
Running true IFD ready for customer access.
The last point it telling, as all the Microsoft examples give a self generated SSL cert, that really is an example of a DEV environment only. We want to test the "real deal", and don’t mind spending a few $ on a real Certificate to see this in a true working environment.
The Existing Setup
Because this is a test environment, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:
- Windows 2008 R2 SP1 64 Bit
- SQL 2008 R2 64 Bit
- Microsoft CRM 2011 64 Bit
Interesting enough, something that always takes me 15 min, it ensuring I download the correct version of the ISO files from MSDN. I get it that I am somewhat lame, but if you get a wrong version you can waste a load of time and energy later.
With a list looking like this it can be painful. Anyway, these are the files we used for install:
For those who care, the VM was set to run with 6000 MB ram, and fold out to use more.
Importantly
When we setup CRM, we selected the option to NOT use the default website, but configure a new one with the default settings of port 5555. This is necessary as you will see later.
Backup First
In all things Microsoft world, it is vital what you establish a working point to avoid unnecessarily installing things all over again. To get things working we have started fresh over 4 times.
Hyper V is great for this, as we just stopped the server, and made a copy of the VHD file. Then when it is time to start all over, it is just a matter of restoring from copy/backup.
Test First
Test that your CRM setup is working. Go to the local computer name (ours is VSERVER08) on the correct port: http://vserver08:5555
We called our Deployment of CRM – "CRM2011" So the URL redirects to: http://vserver08:5555/CRM2011/main.aspx
and after being prompted for login, we are in and testing.
Apply a Wildcard SSL Certificate
In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment "business1" we will access that as: https://business1.domain.com
For testing, we purchased a standard Wildcard SSL certificate that applied that to the IIS7 server.
We will let you work out that bundle of joy, but a few tips.
1. Godaddy was about as cheap as you find on the net.
2. Setup involves creating a certificate request from within IIS, then pasting that text into the online providers order system. They then generate the certificates that you then import back into IIS and the server.
3.
Application for a certificate
Here, I will be a wildcard certificate, for example, describes how to create a certificate:
1) Open IIS Manager
2) Click the server name in the main screen double click Server Certificates
3) In the right panel, click Create Certificate Request…
4) fill in the following diagram each column, click Next
5) Cryptographic Service Provider Properties page to keep the default, click Next.
6) In the File Name page, enter C: \ req.txt , and then click Finish.
7) Run cmd , run
certreq-submit -attrib "CertificateTemplate: WebServer" C: \ req.txt
8) Select the CA , click OK.
9) the certificate is stored as C: \ Wildcard.cer . ( 7-9 can also be in the CA to complete)
10) back to the IIS Manager, click No. 3) Step graph Complete Certificate Request …
11) Select the C: \ Wildcard.cer , Friendly name named *. contoso.com , of course, you can take a different name.
12) Click OK.
13) so that we completed the wildcard certificate request.
Additional SSL Certificate Imports
1) RUN MMC at the start / search
2) Select File / Add Remove Snapin – Select Certificates – ADD
Computer Account
3) Expand the first two folders, and Right Click on the Certificates Folder and select: All Tasks / Import.
4) Browse to your wildcard SSL certificate file, and import that into the Personal and Trusted Root Certification Authorities.
Ensure that you
Binding site for the default SSL certificate
1) Open IIS Manager.
2) In the Connections panel, expand Sites , click Default Web Site.
3) In the Actions pane, click Bindings.
4) In the Site Bindings dialog box, click Add.
5) Type select HTTPS.
6) SSL Certificate , select the certificate you just created *. contoso.com , and then click OK.
7) Click Close.
8) Repeat for the Personal certificate folder.
For the CRM 2011 binding site SSL certificate
1) Open IIS Manager.
2) In the Connections panel, expand Sites , click CRM Web Site.
3) In the Actions pane, click Bindings.
4) In the Site Bindings dialog box, click Add.
5) Type select HTTPS.
6) SSL Certificate , select the certificate you just created *. contoso.com .
7) Port to select a different 443 (e.g. 444 ) and port number, and then click OK
8) Click Close.
DNS configuration
For MS CRM 2011 configuration Claims-based authentication, you need the DNS to add some records to make CRM 2011 for each breakpoint can be resolved correctly.
There are two ways you can achieve the desired result. But first lets understand the desired result.
- We make the assumption that your server is running at least one static IP address.
- Because this is Internet Facing, that IP needs to be accessible to the world.
- That same IP can be used for access to your server both internally on the matching we are playing with, and externally form anyone on the net.
Lets Get Basic
Start a Command Prompt, and work out what your IP address of the server is.
Click START > RUN > CMD
Type IPCONFIG – Enter
Under the name: IPv4 Address is a number that looks like: 66.34.204.220
That is Your IP Address of the Server.
The DNS Goal
Make sure that when you PING xxx.domain.com that it points to that IP address. Both for the world and for you when you do that on your server.
(xxx is the sub domain that we are about to configure.)
To configure CRM, we need some sub domains to point to the server IP.
- sts.domain.com
- auth.domain.com
- dev.domain.com
- Your ORG name. org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.
We have two setup here: CRM and CRM2011. So we need to configure crm.interactivewebs.com and crm2011.interactivewebs.com.
Hosting Your Own DNS
If you host your own Domain Name Server (DNS) and you host the domain name that you are using to setup IFD. Then configuring an A record for the above mentioned sub domains is easy.
START > Administrative Tools > DNS
Find your Domain Name
Right Click and select NEW HOST A
Add an A record that points to your servers IP address.
Repeat this process for all of the above mentioned sub domains. auth, sts1, dev, and your own organization names.
Test DNS
You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server.
Note: If you have added the DNS records, but still encounter name resolution problems, you can try running on the client ipconfig / flushdns to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.
Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.
Firewall configuration
You need to set the firewall to allow the CRM 2011 and the AD FS 2.0 port used by the incoming data stream. HTTPS (SSL) is the default port 443.
For Initial setup testing etc. We recommend just turning the thing off. Better start from a place where it does not muck you around, then turn it all back on after you are successful.
Configuration Claim-based authentication -internal access
Configure the internal access Claim-based authentication requires the following steps:
- Install and configure AD FS 2.0 .
- Set Claims-based authentication configuration CRM 2011 server.
- Set the Claims-based authentication configuration AD FS 2.0 server.
- Test claims-based authentication within the access.
Install and configure AD FS 2.0
CRM 2011 with a variety of STS provider ( STS Provider ) together. This article uses Active Directory Federation Services (AD FS) 2.0 to provide a security token service (security token service ).
Note: AD FS 2.0 will be installed to the default site, so install AD FS 2.0 , you must have CRM 2011 installation in the new site. (Remember we said that earlier)
IIS Looks like this if it is correctly installed: 
If you only see the default website with CRM installed in that. Start AGAIN!
Download the AD FS 2.0
From the following link to download the AD FS 2.0
Active Directory Federation Services 2.0 RTW( http://go.microsoft.com/fwlink/?LinkID=204237 ).
Install AD FS 2.0
In the installation wizard, select the federation server role installed, for more information refer to
Install the AD FS 2.0 Software( http://go.microsoft.com/fwlink/?LinkId=192792 ).
Configure AD FS 2.0
1 in the AD FS 2.0 server, click Start , then click AD FS 2.0 Management .
2 In the AD FS 2.0 Management page , click AD FS 2.0 Federation Server Configuration Wizard .
3 In the Welcome page , select Create a new Federation Service , and then click Next.
4 In the Select Deployment Type page , select Stand-alone Federation Server , and then click Next.
5 Choose your SSL certificate (the choice of a certificate created *. contoso.com ) ,add a Federation Service name ( for example , sts1.contoso.com), and then click Next.
Note: Only you as the AD FS 2.0 sites when using the wildcard certificate, only need to add the Federation Service name.
6 Summary page, click Next.
7 Click Close to close the AD FS 2.0 Configuration Wizard.
Note: If you have not added ( sts1.contoso.com ) to add DNS records, then do it now.
Verify the AD FS 2.0 is working
Follow the steps below to verify that the AD FS 2.0 is working :
1 Open Internet Explorer.
2 Enter the federation metadata of the URL , for example:
https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. to ensure that no certificate associated with the warning appears.
No comments:
Post a Comment