Monday, 24 November 2014

Dynamics CRM 2013 Performance Optimization

Hi All,

I was one of the speakers at the latest CRM UG UK event at the Microsoft offices in Reading. My presentation topic was Dynamics CRM Performance aimed at improving the multiple layers of a network communication between the CRM client and the CRM server:

  1. Client Layer
  2. Network 
  3. Server
  4. Database
  5. Customization's

It's 34 slides with loads of information and useful tools. Please leave your feedback on my blog if you download it and would like to share your thoughts.

You can access my presentation and other speakers presentations on the following link:
http://www.crmug.com/communities/community-home/digestviewer/viewthread/?GroupId=187&MID=7046








Sunday, 24 August 2014

Dynamics CRM 2013 online implementing single sign-on

On this article I will walk you through how to set up single sign-on with your CRM Online instance using your company domain name. I'm using the Azure portal to perform most of the configuration however if you only have access to office 365 portal I will also demonstrate the same configuration is available via the office 365 portal. Towards the end of the article I also show how Multi Factor Authentication could be implemented as an extra level of security for cloud users.

Throughout the article you will find hyperlinks to Microsoft msdn articles on the related subject.

Lets take a brief look at the steps we are taking to configure single sign-on.
  1. Set up the domain
    • Add your company domain and verify using TXT or MX DNS records
  2. Set up AD User Principal Names 
    • Configuring additional UPN if you not using an external resolvable FQDN domain for your UPNs
  3. Configure AD sync to Azure AD
    • How to enable directory synchronization
  4. ADFS Federate the domain with Azure AD
    • Federate the domain you added on step 1 with Azure AD using Powershell
  5. Testing/Troubleshooting
    • Testing and troubleshooting the configuration using Microsoft online tool
  6. Logging on with Multi Factor Authentication
    • Authentication with Single sign-on plus Multi Factor Authentication
  7. Azure portal and Office 365 portal
    • Overview of both portals and how to configure the same steps in office 365 portal
The installation of the ADFS server or the installation of the Windows Azure Active Directory Synchronization tool is not covered on this article, if you need help with ADFS or the Directory Synch Tool or if you have any questions regarding the set up of single sign-on please don't hesitate to contact me on nuno.m.costa@gmail.com 

1. Set up the Domain
The first step is to add your company domain to Azure and verify it by adding a custom TXT record to your domain DNS zone.

To do this Navigate to Active Directory and choose Default Directory navigate to the Domains tab and on the bottom of the page click Add Domain. Type the domain and select "I plan to configure this domain for single sign-on"






On the domains tab you now see the newly added domain and says unverified










Click Verify at the bottom of the page and you should get details of the TXT record to add to your DNS zone. Later on step 7 I show you how office 365 portal makes things slightly easier when adding a custom domain.







In your DNS server you should add a TXT record as follows:







2. Set up AD User Principal Names
For Single sign on to work users UPN need to be resolved externally this means your users UPN logon name must be resolved externally. If you are using .local internal domains you can add extra UPN's to your internal Active directory and instruct users to start logging on with the new UPN.

http://msdn.microsoft.com/en-us/library/azure/jj151786.aspx

To set up additional UPN suffixes open Active Directory Domains and Trusts right click the root and properties, add the domain you just verified on step 1

Open Active Directory users and computers right click on a test account and click properties on the account tab you will see that from the drop down box after user logon name you have an additional UPN available.


3. Configure AD synchronization to Azure
To configure your local Active directory to sync user accounts and groups to Azure AD you will need to install and configure the Windows Azure Active Directory Sync Tool.

Before you can go ahead and synchronize your local AD environment to Azure you need to make sure you Activate Azure for Directory Synchronization. Navigate to Active Directory click Default Active Directory and click the tab Directory Integration:



The installation and configuration of the tool is out of scope of this article, you can find loads of information online about how to install and configure the Windows Azure Active Directory Sync Tool.

When the synchronization is complete check Azure if your user and group accounts are now visible on your AD instance in Azure.


Note: After you synchronize users to Azure/Office 365 they need to be activated and licenses assigned. By default users are deactivated when synchronized to the cloud.


4. ADFS - Federate the domain with Azure AD
This is the step where you connect your ADFS server to Azure and federate your company domain for single sign-on. This process will automatically add to your ADFS server a relying party trust with office 365.

First you need to install Azure Active Directory Power Shell Tools so you can connect to your Azure Active Directory instance and run a few commands to federated domain with Azure:

$cred=Get-Credential
Connect-MsolService –Credential $cred
Set-MsolAdfscontext -Computer MyADFSserver
Convert-MsolDomainToFederated –DomainName myDomain.com

Download windows power-shell:

Set up a trust between ADFS and Azure AD:

When completed you should see the following Relaying party trust in your ADFS server:







5. Testing/Troubleshooting 
Microsoft provides the Remote Connectivity Analyzer tool to test and troubleshooting the multiple layers of a single sign-on implementation and provides detailed information if anything goes wrong.

You can access the tool here:
https://testconnectivity.microsoft.com/?testid=SingleSignOn 





























6. logging on
If all goes well when you access your online CRM instance you should see Microsoft redirecting you to your company ADFS server for authentication and the ADFS server will issue a token saying that your credentials have been verified. However in my scenario, I've configured my test account nadia@quantumcrm.co.uk with Multi Factor Authentication. When I attempt to logon it stops me and sends me a text message with a code for me to check my identify, screenshots below:


Note that for global administrators Multi Factor Authentication is free, so you can test this in your test environment.

A code was sent to my phone in a couple of seconds and I just had to insert that code for CRM to load. Although the user didn't have to insert her password because it's configured for single sign-on she was configured for multi factor authentication which forced an extra level of security.

You also have the Microsoft Phone App which can be used for Multi factor Authentication instead of text messages.




After inserting the code and clicking sign in I land on my CRM online instance.









7. Azure and Office 365 portals
Azure and Office 365 portals are very similar with regards to providing menus to set up domains and single-sign on configuration. If you have access to the Azure instance associated to your office 365 account you will notice that everything that you configure in Azure will automatically surface in Office 365 and the same way if you do any configuration in Office 365 will also surface in Azure both portals connect to the same "collection" of services e.g your active directory instance in the cloud.

Below a few screenshots of office 365 portal showing you where to find and configure the same features we have just done in Azure.

When you open your office 365 portal you can easily locate the domains link, here you can add new domains and easily access the information needed to verify your domain by adding either a TXT or MX record to your DNS server





When you click Add domain, you will be taken to a 3 step process to create, confirm and verify the domain you just added.



When selecting general instructions the below page comes up with all the information you need to create the required TXT or MX record on your DNS zone to verify the domain.


Users and Single Sign-On configuration. 
Clicking on the Users & Groups and Active users you can  manage all user accounts including passwords and licenses. Notice that from this configuration panel you can also manage:
  1. Single-sign on
  2. Enable Directory synchronization
  3. Change password policy
  4. Configure multi-factor authentication.




















clicking Manage Single sign-on provides you with a 10 step process on how to implement Single sign-on with your company AD and the office 365 platform. This is exactly the same as in the Azure - Directory Integration steps, which have been simplified into 4 main topics with child steps below as you can see on the below screenshots

Azure Portal



































Office 365



































Conclusion
I hope the article was useful please leave your feedback. I have not covered some features in great detail like how to install and configure ADFS or the windows Azure Synchronization tool this would make the all article very long and remove the focus from single sign-on.

Thursday, 31 July 2014

Free Webinar Azure ADFS domain federation with CRM Online

I'm doing a series of free webinars on Dynamics CRM and starting with how to federate your company domain with Azure and provide single sign-on with an Azure VM and Multi Factor Authentication.

If you interested please register your place here:

https://www.surveymonkey.com/s/D6DFWR2

Below you find more information on what will be covered on the day. In a nutshell the webinar session will cover Azure VMs providing domain and ADFS single sign-on authentication for CRM online plus the configuration of Multi Factor authentication. Multi factor authentication is a process which helps protecting organization data enforcing two-factor user authentication.
  • Azure and office 365 portal
  • Session overview configuration steps
  • Adding a domain to Azure portal
  • Verify the domain
  • Overview of ADFS configuration and SSL certifcate configuration
  • Install & Connect to Azure powershell
  • Promote the newly added domain to federated domain.
  • Adding users to CRM online
  • Enable Multi Factor Authentication
  • Question and Answers

    If you have an on-premise Dynamics CRM instance there will be relevant information to on-premise configuration scenarios with ADFS and Azure.
Please leave your feedback, comments or any questions you may have.

If you would like to contact me directly please feel free to drop me an email to: nuno.m.costa@gmail.com

Wednesday, 23 July 2014

Dynamics CRM ADFS 3.0 changing HTTPS port

If you run into a situation where you require to change ADFS default HTTPS port from 443 to something else the steps to do this are highlighted below:

1. URL's ACL
The first steps are to reserve the ADFS urls using the new port, run the below commands:

netsh http add urlacl url=https://+:4433/FederationMetadata/2007-06/ user=domain\account listen=yes delegate=yes

netsh http add urlacl url=https://+:4433/adfs/ user=domain\account listen=yes delegate=yes

Then confirmed the above URL's have been added by running the command:
netsh http show urlacl 

to confirm the url's you added are listed.

2. Powershell Set new HTTPS port
The second step you set the ADFS https port via powershell:

Set-ADFSProperties -HttpsPort 4433

Restart the ADFS service

3. Binding IIS to the new port
The last step is to change the default website bindings for the HTTPs port.

Open IIS > Highlight Default Website and click on the right-hand-side Bindings












4. Testing
To test the new port open Internet Explorer and type:

https://myadfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml 

and you should get a page with XML:












Hope this was helpful, please leave your feedback or let me know if you have any questions.

Thanks

Monday, 14 July 2014

Dynamics CRM 2013 Configuring SMTP profiles on port 25

If you just process outgoing email in Dynamics CRM 2013 then you no longer need Email router to do this. Dynamics CRM 2013 introduces Exchange synchronization but also POP3 and SMTP profiles which you can leverage as an SMTP gateway. In this article I'm focusing on SMTP profiles and how to make it work on SMTP port 25.

Why SSL does not matter in this case? it's because we are not storing any credentials we are using Anonymous authentication to relay email.

1. Enabling Port 25
Before we start configuring the SMTP profile in CRM you need to run the following SQL commands to disable SSL for SMTP profiles:

SQL Update

Update DeploymentProperties set BitColumn = 1 where columnname = 'AllowCredentialsEntryViaInsecureChannels'

Update DeploymentProperties set BitColumn = 1 where columnname = 'ECAllowNonSSLEmail'

Via Power Shell

  • To allow the use of credentials when not using SSL, run the following commands.

$itemSetting = new-object 'System.Collections.Generic.KeyValuePair[String,Object]' ("AllowCredentialsEntryViaInsecureChannels",1)$configEntity= new-object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"$configEntity.LogicalName = "Deployment"$configEntity.Attributes=new-object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"$configEntity.Attributes.Add($itemSetting)set-CrmAdvancedSetting -Entity $configEntity

  • To allow the use of connections to servers that do not use SSL, run the following commands.

$itemSetting = new-object 'System.Collections.Generic.KeyValuePair[String,Object]' ("ECAllowNonSSLEmail",1)$configEntity= new-object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"$configEntity.LogicalName = "Deployment"$configEntity.Attributes=new-object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"$configEntity.Attributes.Add($itemSetting)set-CrmAdvancedSetting -Entity $configEntity

After the SQL update do an iisreset and refresh the page, then Navigate to Settings > Email Configuration


2. Create The SMTP profle
Click New and select POP3-SMTP Profile











Choose a name and type the FQDN for the email server, if you don't want to use pop3 you can leave it empty:














The Authentication options should be as follows:













Click Advanced and select No on the option that says Use SSL for Outgoing connection














3. Configure User Profiles 
The next step is configuring the user mailbox properties; we want to set the mailbox to use the SMTP profile and disable incoming mail.

















4. Global Settings
If you want these settings applied globally you can use the global Settings under Settings > Administration > System Settings

Email tab:







Hope this was helpful please leave your feedback










Wednesday, 2 July 2014

Dynamics CRM 2013 New version of CTRL+SHIFT+Q with SP1

I've blogged a few weeks ago about the great little gem hidden in the CRM 2013 forms the CTRL+SHIFT+Q which provided a new report with performance stats. With the introduction of SP1 (Leo) the new feature had a major re-design and it looks a lot better check my screenshots below:

The first time you load an record and hit CTRL+SHIFT+Q you get first a blank page, click Enable refresh the CRM page and do again CTRL+SHIFT+Q and you now get the full performance stats.




Monday, 19 May 2014

Dynamics CRM 2013 tips & Tricks

Tips & tricks for this week on CRM 2013 performance built-in tools: CRM 2013 comes with a hidden gem that can report on form loading times and a breakdown by component as well, you can access this performance report using the following shortcut after the form has been loaded:

  •  CTRL+SHIFT+Q
It may take a few seconds to appear, the below window should appear:


at the bottom of the report you also have a link to the known diagnostics page:



























Hope this was useful.  If you need advise on performance optimization please feel free to contact me on nuno.m.costa@gmail.com