Monday, March 14, 2011

CRM 2011 - ADFS 2.0 Federating with ADFS 1.1

So by now you've heard about CRM 2011 AND that it supports Claims Based Authentication. You've also heard that in order to create an IFD (Internet Facing Deployment) implementation, which is recommended for Mobile configurations, you're going to be required to set up a Secure Token Server (STS). Microsoft recommends AD FS 2.0 (Active Directory Federation Services 2.0).

Now ADFS 2.0 isn't your Dad's old Federation Service. That would be ADFS 1.X. ADFS 1.0 comes with Windows 2008 and ADFS 1.1 is the flavor with Windows 2008 R2.

So, this isn't an article on configuring CRM 2011 with ADFS 2.0, as that has been done and redone. You'll find much of what you need for this in the Claims Based Authentication white paper and the CRM 2011 Implementation Guide located here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9886ab96-3571-420f-83ad-246899482fb4&displaylang=en

This blog post is going to talk about how you federate that CRM 2011 / ADFS 2.0 implementation to a partner organization where your Partner is running ADFS 1.X and may not be ready to upgrade. In the example below, the CRMPractice domain represents CRM 2011 and the ADFS 2.0 servers, and the ADFS1 domain is the partner organization. The following steps are necessary to get this working. Both sides assume that ADFS is set up correctly and that CRM 2011 is already configured with the ADFS 2.0 implementation.

Certificate Management is one of the toughest parts of getting all of this working. In Certificates for Local Computer, each ADFS server should have its own Signing Certificate, with private key, in the Personal store (ADFS1 should have the ADFS1 Signing Cert, CRMPractice should have the CRMPractice Signing Cert). Additionally, the other side's Signing Cert should be in Trusted Root Certification Authorities, and the chain should be constructed so that the cert is trusted. ADFS 2.0 creates a special signing certificate that you should export from the ADFS 2.0 Snap-In under Service | Certificates | Token-signing. You can View Certificate and, under Details, Copy to File.

ADFS 1.x Side
  1. Open MMC with Active Directory Federation Services Snap-In
  2. Open Federation Service | Trust Policy | My Organization
  3. Right Click Account Stores and Select New | Account Store
  4. Click Next and then choose Active Directory Domain Services (AD DS), Click Next
  5. Enable this store is checked, next
  6. Finish
  7. Now go to Partner Organizations
  8. Right Click Resource Partners (CRM 2011 is in the Resource Domain) and Add New Resource Partner
  9. Click Next and then indicate No policy file to import
  10. Enter a Display Name
  11. The URI should match what the ADFS 2.0 side uses; as a starting point, take your federation metadata URL base and replace “/federationmetadata/2007-06/federationmetadata.xml” with “/adfs/”, as this is probably right (more on all the “matchups” later)
  12. For the Federation Service Endpoint URL, again use “/adfs/ls/” in place of “/federationmetadata/2007-06/federationmetadata.xml” as a start.
  13. Click next, and in most cases you will use Federated Web SSO, click Next
  14. Select UPN Claim only
  15. Pass all UPN suffixes through unchanged
  16. Enable the Resource Partner is checked
  17. Finish

1.x Matchup Data
  1. If you right click your new Resource Partner and choose Properties, you will see something like this: (screenshot not reproduced here)
  2. If you right click the Federation Service and choose Properties, then click View on the Certificate, you should get some notable screens to keep in mind: (screenshot not reproduced here)
  3. Next right click the Trust Policy and choose Properties for another important screen: (screenshot not reproduced here)

ADFS 2.0 Side
  1. Open MMC with the ADFS 2.0 Snap-In
  2. Open Trust Relationships | Claims Provider Trusts
  3. Right click and choose Add Claims Provider Trust and click Start
  4. Choose Enter claims provider trust data manually - this is important as you don't have a federation metadata URL.
  5. The Display Name will actually show up for the Users, so you should name it after the ADFS 1.x (partner) domain, such as “ADFS1 Users”, and click Next
  6. Choose AD FS 1.0 and 1.1 profile and click next
  7. On the WS-Federation Passive URL use the Federation Service endpoint URL from the screenshot above (ours would be https://sts2.ADFS1.com/adfs/ls/)
  8. On the Claims provider trust identifier use the Federation Service URI from the screenshot, it is said that it is case sensitive (from our example that would be https://sts2.ADFS1.com/adfs/)
  9. Add the Certificate from your ADFS1 Signing cert.
  10. If you get a warning about the length of the cert, just accept it
  11. Click Next, Next again and it should open the Claims Rules
  12. On the Claims rules, we are configuring one rule, UPN, and it will be a transform claim rule. We will be taking an Incoming claim type of “Name ID” with an Incoming name ID format of “UPN”, and our Outgoing claim type will be “UPN”

2.0 Matchup Data

  1. If you click on AD FS 2.0 and in the Actions pane choose Edit Federation Service Properties you will see a similar screen as the one from 1.x
  2. So to verify, if you right click the ADFS 1.x Resource Partner you should see that the Federation Service identifier here is the Federation Service URI there. (Case sensitive again I believe)
  3. That is normally the last thing.

Troubleshooting
  1. If your environment balks like some do you should be able to visit the Event Viewer | Applications and Services | AD FS 2.0 | Admin
  2. If you see a set of 3 Errors with event IDs 315, 111 and 364 standing in your way each time you attempt to connect, there is a problem with your certificate revocation checking (common when not using a Trusted Root CA). To remedy this:
    • On your ADFS 2.0 server open PowerShell
    • First command is 'Add-PSSnapin Microsoft.Adfs.PowerShell', which lets you manage ADFS from scripts
    • Second command is 'Set-ADFSClaimsProviderTrust -TargetName "sts2.ADFS1.com" -SigningCertificateRevocationCheck None', where the value in the quotes is the display name you gave the Claims Provider Trust, not the server name; in our earlier example that would be "ADFS1 Users".
    • Restart the ADFS 2.0 Service and perform an IISRESET on both ADFS boxes.
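Before turning revocation checking off for the trust, it is worth confirming that revocation is actually what fails, since a missing partner root gives similar symptoms but has a different fix (the certificate setup above). The script below is an added example, not from the original post; it assumes the trust was named "ADFS1 Users" as above, that the partner's signing cert was imported into the local machine store, and that the thumbprint is a placeholder you replace with that cert's thumbprint.

```powershell
# Added example (not from the original post): diagnose the partner signing cert chain
# the way ADFS 2.0 would evaluate it, and only then apply the revocation-check change.
# Assumptions: trust display name "ADFS1 Users"; thumbprint below is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$trustName  = 'ADFS1 Users'
$thumbprint = '<PARTNER-SIGNING-CERT-THUMBPRINT>'

# Show the trust's current setting (the ADFS 2.0 default is CheckChainExcludeRoot).
$trust = Get-ADFSClaimsProviderTrust -Name $trustName
"Trust '$($trust.Name)' revocation check: $($trust.SigningCertificateRevocationCheck)"

# Locate the partner certificate in the Personal or Trusted Root store.
$certs = @(Get-ChildItem Cert:\LocalMachine\My) + @(Get-ChildItem Cert:\LocalMachine\Root)
$cert  = $certs | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
if ($null -eq $cert) { throw "Certificate $thumbprint not found in LocalMachine\My or \Root" }

# Build the chain with online revocation checking, excluding the root (ADFS default).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$null = $chain.Build($cert)

# List every chain problem. UntrustedRoot / PartialChain mean the partner root is
# missing from Trusted Root Certification Authorities; RevocationStatusUnknown /
# OfflineRevocation are the revocation problem behind events 315/111/364.
foreach ($s in $chain.ChainStatus) { "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }

$revocationIssues = @('RevocationStatusUnknown', 'OfflineRevocation')
$other = @($chain.ChainStatus | Where-Object { $revocationIssues -notcontains [string]$_.Status })

if ($chain.ChainStatus.Count -gt 0 -and $other.Count -eq 0) {
    # Only revocation lookups fail: apply the post's fix, targeting the trust by display name.
    Set-ADFSClaimsProviderTrust -TargetName $trustName -SigningCertificateRevocationCheck None
    Restart-Service adfssrv
    "Revocation check disabled for '$trustName'; now run iisreset on both ADFS servers."
} elseif ($other.Count -gt 0) {
    Write-Warning "Chain has trust problems unrelated to revocation; fix the certificate setup first."
} else {
    "Chain builds cleanly; the errors are not caused by revocation checking."
}
```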

I know what your next question is going to be, but for now you'll have to wait for the next blog post when I discuss: Can CRM 2011 leverage ADFS 1.1 without ADFS 2.0?

Thursday, January 28, 2010

CRM: Oops I did it again (created a folder in the CRM folder in Outlook)

Many are the curious, few are cautious.

I've seen the curious user who has created a folder within the CRM folder in Outlook. When asked "why?" the normal response boils down to "I wanted to see if I could."

Problem is, this mere mortal cannot actually DELETE that folder the way he/she can in all other areas of Outlook.

Creating is easy, simply right click something like My Work folder under the Workplace and hit 'new folder' and give it a name.

Ah, then click that folder to enjoy the goodness of 'Outlook cannot display this view.' The sound you hear is my sympathy played out in a resounding 'HA!'

Next, in your anguish, try to right click and choose 'Delete Folder' and click the yes-you-are-sure. CURSES, 'Cannot delete this folder. Right-click the folder, and then click Properties to check your permissions for the folder. See the folder owner or your administrator to change your permissions. The folder you are trying to change does not support this operation. Could not complete the operation because the service provider does not support it.' The upshot of all that is no-can-do. Go ahead and try to look at the permissions, I'll wait...

Ok, now we'll dive into the registry and banish this folder straight away.

If you don't know what the registry is or how to find it, you should stop now, BEFORE the warning of the irreparable damage you can do if you monkey with the registry... I am serious: the folder is way less harm than possibly fouling up a perfectly useful machine.

Properly scared, let's head into the HKCU because it's your folder so current user is the best starting place. Then Software and then Microsoft because CRM and Outlook are both Microsoft products... Now you should scroll down and find MSCRMMsgStore, click inside to find the RootFolder.

Now your hunting skills should help. You should see just GUIDs now. I had three 'folders' but only one had sub-folders. Dig into the one with subs. Each sub-folder when clicked shows a value in the Data column in the right pane. Under 3001001F (your mileage may vary) we see things like 'Service,' 'Sales,' and 'Workplace.' Well I know my folder is under workplace so I open that one. Similarly more sub-folders with more 3001001F values, where I look for 'My Work' folder. Finally in the sub-folders I see my bad folder and with a right click of that key only, I can banish it to deletedville. It will require an Outlook restart, but away it will go.
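The same hunt can be done from PowerShell, which also lets you back the key up before deleting it. This is an added example, not from the original post; it assumes the store lives at HKCU\Software\Microsoft\MSCRMMsgStore\RootFolder, that each folder key carries its display name in the 3001001F value as described above (stored either as text or as UTF-16 bytes, which is an assumption), and that the folder name and backup path are placeholders.

```powershell
# Added example (not from the original post): find the stray folder key under the
# CRM message store by its 3001001F display name, back the store up, then delete it.
# Assumptions: registry path as in the post; folder name and backup path are placeholders.
$storeRoot  = 'HKCU:\Software\Microsoft\MSCRMMsgStore\RootFolder'
$folderName = 'My Bad Folder'            # the folder you created by mistake
$backupFile = "$env:TEMP\MSCRMMsgStore-backup.reg"

# Read a key's 3001001F value; handle both string and UTF-16 byte storage (assumption).
function Get-CrmFolderName {
    param([string]$KeyPath)
    $prop = Get-ItemProperty -Path $KeyPath -Name '3001001F' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    $raw = $prop.'3001001F'
    if ($raw -is [byte[]]) {
        return ([System.Text.Encoding]::Unicode.GetString($raw)).TrimEnd([char]0)
    }
    return [string]$raw
}

# Walk the GUID-named keys and collect every key whose display name matches.
$found = @()
foreach ($key in Get-ChildItem -Path $storeRoot -Recurse) {
    if ((Get-CrmFolderName -KeyPath $key.PSPath) -eq $folderName) {
        $found += $key.PSPath
    }
}

# Refuse to act unless exactly one key matches, so a stock folder is never removed.
if ($found.Count -ne 1) {
    Write-Warning "Expected exactly one folder named '$folderName', found $($found.Count). Not deleting."
    $found
    return
}

# Export the whole store first so the change can be undone with 'reg import'.
reg export 'HKCU\Software\Microsoft\MSCRMMsgStore' $backupFile /y | Out-Null
"Backup written to $backupFile"

# Delete only the matching key and its subkeys; drop -WhatIf to perform the deletion.
Remove-Item -Path $found[0] -Recurse -WhatIf
```

Restart Outlook afterwards, as the post notes, for the folder to disappear.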

Cheers!


CRM 4.0 Email Tracking Options for the User

In addition to the myriad of options available for HOW an email will make its way into CRM from a user mailbox, there are options available for the user to determine WHICH emails will be tracked into CRM automatically. These options seem intuitive, but recent testing has flushed out an interesting result.

The Email options are found in the Email tab in the Options screen for CRM Client for Outlook, as well as the Tools | Options in the web client. They are as follows:

  • All e-mail messages
  • E-mail messages in response to CRM e-mail (default)
  • E-mail messages from CRM Leads, Contacts and Accounts

Now, these aren't rocket science.

As you can imagine "All e-mail messages" is likely to be a poor choice for most users as every incoming e-mail received will be tracked into CRM and could be searched. Most users engage in some non-business from their work e-mail, so invitations to happy hour, possible job invitations, and other undesirable e-mails will find their way into CRM.

The default OOTB selection is "E-mail messages in response to CRM e-mail", which is a holdover from the CRM 3.0 days when tracked e-mail messages had a token and non-tracked messages did not. If a message is tracked (with or without a token) into CRM, then responses whose subject is unaltered and whose e-mail addresses are known from the initial e-mail will be tracked into CRM with the original message.

The last option, "E-mail messages from CRM Leads, Contacts and Accounts", is a nice addition, but may not work EXACTLY as intended. As the name suggests, e-mails started by an e-mail address known to CRM and sent to a user of CRM will be tracked into CRM. As with the first option, this may increase the number of tracked e-mails and may result in some unintended tracking. For instance, Joe works for Microsoft and has a client called McDonalds for whom he frequently works. If his long-time contact at McDonalds decides to attempt to lure Joe away from Microsoft with an e-mail, in this scenario that e-mail would be automatically tracked.

Recently, during some testing, we wanted to answer the question of whether any option was mutually exclusive or inclusive of the other rules. Obviously, All means All, so it is inclusive of the other 2 rules. Beyond this, the results were a bit unexpected. If Joe has his setting on "E-mail messages from CRM Leads, Contacts and Accounts" and sends a tracked e-mail message to a non-CRM e-mail address, the replies he receives are NOT tracked into CRM automatically. So the third rule excludes possible second-rule candidates. Obviously, if Joe tracks an e-mail to a user that IS represented in CRM, the replies would be tracked. So Rule 2, "E-mail messages in response to CRM e-mail", is neither exclusive nor inclusive of rule 3.

This only represents a challenge that should be overcome with user training, but one worth noting when discussing these e-mail options.

Monday, December 7, 2009

CRM 4.0 Mobile Emulators

Back in the day (CRM 3.0, for you whippersnappers new to the arena), the Mobile Express application could be leveraged using the Lazy Emulator courtesy of Joris Kalz at the address below.

http://blogs.msdn.com/joris_kalz/archive/2007/03/12/lazy-emulator-for-crm-mobile-express.aspx

I find that people like to have a look and feel of an emulator. Sure you can fire up the Mobile Device SDK and run that against CRM 4.0 Mobile Express. WOW! Is that boring to look at. Granted you get a look and feel and the size on some is nice especially if you are throwing that out onto a projector.

Once I realized what was going on with the Lazy Emulator, it was fairly straightforward to mock up a few more devices. Keep in mind that we're more talking about pretty pictures than say resolution correctness.

I decided to throw together a few images and make them available. With the help of my good buddy Justin, we also created a nice page that lets you toggle each of the three devices on or off the screen.

Directions are simple.
  1. You will obviously have to install Mobile Express on your existing CRM. If you can't find it, here is the page: http://www.microsoft.com/downloads/details.aspx?FamilyID=F592EC6C-F412-4FD5-9A80-CD3BCBD26D8B&displaylang=en
  2. If you accepted the defaults, you should have a new \M directory in your CRMWeb folder.
  3. Drop the Contents of the ZIP file into a folder called 'Emulators' at the same level under CRMWeb.
  4. Browse to http://yourcrmurl/Emulators (provided that default.aspx is still in the default documents on the website in IIS)

Known Issues:
IE8 doesn't work, but it will work in Firefox or Safari. IE7 is fine as well.

http://www.box.net/shared/16u69c4bla