Friday, 25 September 2015

Dynamics CRM performance analyzer Google Chrome and CTRL+SHIFT+Q

A quick Tip when comparing performance on different browsers, did you know in Google Chrome you should use CTRL+SHIFT+ALT + Q to retrieve the performance analyzer window?

Hope this helps

Wednesday, 8 April 2015

Dynamics CRM ADFS Gotchas

Hi All,

I've collated a number of my own notes on troubleshooting ADFS CRM IFD environments. Below are a number of issues which I've faced working on a variety of different clients I hope this is useful, please note some gotchas contain direct links to other blogs or Microsoft KB articles.

Some of this issues are well known others not so much, if you know any other issue that is not listed here please email me on: and I'll add it to the below list.

Authentication issues
Many of the authentication issues can be related with kerberos, check you have all the SPN's created correctly in particular the server SPN which is often missed.

c:\>setspn -s http/ contoso\crmserver$ 

Certificate has been revoked
An error occurred during an attempt to build the certificate chain for the relying party trust '' certificate identified by thumbprint '6DC995B18B64C7C4089C234D7AB84A425219EA5D'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

Resolved by running the following PowerShell command
set-ADFSRelyingPartyTrust -TargetName myCRMRP -EncryptionCertificateRevocationCheck None

SigningCertificateRevocationCheck    : CheckChainExcludeRoot (this is the default value)

EventID: 317

The error above relates to the fact that a check is done against a URL that is contained in the CDP checks run the following command to find out if you able to contact the url:
certutil.exe -verify -urlfetch .\yourCertificate-2014.crt 

Disabling the -EncryptionCertificateRevocationCheck None will stop the checks and fixes the issue

Importing IIS certificate:
To import a crt or cer certificate to IIS, first needs to be converted to pfx, you can use OpenSSL tool to do the convertion using the crt and key files.

C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -export -out myPFXCertificate.pfx -inkey MyCertificate.key -in YourCertificate.crt

Note: You can also export the certificate from the MMC Certificates Snapin you have it already. otherwise if someone gives you the key and crt you can convert it with the above command.

OUTLOOK ADFS 2.1 windows 2012 server
Issues with Outlook configuration when using ADFS on windows 2012 server. Run the below SQL statements to fix the issue:

select *
 from federationprovider

update FederationProvider
set ActiveMexEndpoint = ''

Resolved by changing the ActiveMexEndPoint on the database also powershell available but was not working a hotfix is available (To be tested)

powershell to set ActiveMexEndPoint

PS C:\Users\crm13.admin> Get-CrmAdvancedSetting -ConfigurationEntityName FederationProvider -Setting ActiveMexEndpoint -
Id 8174A23D-C8A0-4612-827C-A697E4E07E7B

Chrome Authentication issues
For Chrome authentication issue disable extended protection on IIS ADFS website under ADFS> Is > authentication and disabling extended protection.

1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.

2. In the Lsa subkey, locate the SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-click Lsa, point to New, and then click DWORD (32-bit) Value. Type SuppressExtendedProtection, and then press ENTER.

3. Right-click SuppressExtendedProtection, click Modify, and enter 1 (REG_DWORD).

Also the below registry key will disable all Extended Protection:

Session timeout - Token LifeTime
To increase a user session duration, increase the token Life time by running the following powershell command: 
PS > Add-PSSnapin Microsoft.Adfs.PowerShell 
Get-ADFSRelyingPartyTrust -Name "relying_party"
 set-ADFSRelyingPartyTrust -TargetName MyRelyingPartyName -TokenLifetime 480

Can't connect to federation URL

netsh http show urlacl

this will show reserved HTTP url namespaces, you will find urls that can't resolve SID because ADFs was installed and removed later.

Deleted all stale records

Token Decryption key Issue
Ah encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info:
No Certificate Configured ---> Microsoft.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier

AppPool Service account permissions to the certificate and iis reset to make the changes to take effect.

Changing ADFS Port
STS expired click sign-in and get the below error:
Error Details: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to False


a) Enable user profile loading
b) copy the machine keys
c) Enable NLB in CRM deployment manager

ADFS3.0 Gotchas

Forms not loading on external RPT
The external relying party trust is recognized by ADFS as internal and not loading correctly the forms

MSIS7102: Requested Authentication Method is not supported on the STS.

ADFS 3.0 Outlook Configuration issue Microsoft.Crm.CrmException: Authentication failed
Issues with Outlook configuration when accessing CRM IFD ADFS 3.0 

Issue with the port where ADFS 3 is listening, to fix the issue run the command:
Set-ADFSProperties –nettcpport 809

Monday, 24 November 2014

Dynamics CRM 2013 Performance Optimization

Hi All,

I was one of the speakers at the latest CRM UG UK event at the Microsoft offices in Reading. My presentation topic was Dynamics CRM Performance aimed at improving the multiple layers of a network communication between the CRM client and the CRM server:

  1. Client Layer
  2. Network 
  3. Server
  4. Database
  5. Customization's

It's 34 slides with loads of information and useful tools. Please leave your feedback on my blog if you download it and would like to share your thoughts.

You can access my presentation and other speakers presentations on the following link:

Sunday, 24 August 2014

Dynamics CRM 2013 online implementing single sign-on

On this article I will walk you through how to set up single sign-on with your CRM Online instance using your company domain name. I'm using the Azure portal to perform most of the configuration however if you only have access to office 365 portal I will also demonstrate the same configuration is available via the office 365 portal. Towards the end of the article I also show how Multi Factor Authentication could be implemented as an extra level of security for cloud users.

Throughout the article you will find hyperlinks to Microsoft msdn articles on the related subject.

Lets take a brief look at the steps we are taking to configure single sign-on.
  1. Set up the domain
    • Add your company domain and verify using TXT or MX DNS records
  2. Set up AD User Principal Names 
    • Configuring additional UPN if you not using an external resolvable FQDN domain for your UPNs
  3. Configure AD sync to Azure AD
    • How to enable directory synchronization
  4. ADFS Federate the domain with Azure AD
    • Federate the domain you added on step 1 with Azure AD using Powershell
  5. Testing/Troubleshooting
    • Testing and troubleshooting the configuration using Microsoft online tool
  6. Logging on with Multi Factor Authentication
    • Authentication with Single sign-on plus Multi Factor Authentication
  7. Azure portal and Office 365 portal
    • Overview of both portals and how to configure the same steps in office 365 portal
The installation of the ADFS server or the installation of the Windows Azure Active Directory Synchronization tool is not covered on this article, if you need help with ADFS or the Directory Synch Tool or if you have any questions regarding the set up of single sign-on please don't hesitate to contact me on 

1. Set up the Domain
The first step is to add your company domain to Azure and verify it by adding a custom TXT record to your domain DNS zone.

To do this Navigate to Active Directory and choose Default Directory navigate to the Domains tab and on the bottom of the page click Add Domain. Type the domain and select "I plan to configure this domain for single sign-on"

On the domains tab you now see the newly added domain and says unverified

Click Verify at the bottom of the page and you should get details of the TXT record to add to your DNS zone. Later on step 7 I show you how office 365 portal makes things slightly easier when adding a custom domain.

In your DNS server you should add a TXT record as follows:

2. Set up AD User Principal Names
For Single sign on to work users UPN need to be resolved externally this means your users UPN logon name must be resolved externally. If you are using .local internal domains you can add extra UPN's to your internal Active directory and instruct users to start logging on with the new UPN.

To set up additional UPN suffixes open Active Directory Domains and Trusts right click the root and properties, add the domain you just verified on step 1

Open Active Directory users and computers right click on a test account and click properties on the account tab you will see that from the drop down box after user logon name you have an additional UPN available.

3. Configure AD synchronization to Azure
To configure your local Active directory to sync user accounts and groups to Azure AD you will need to install and configure the Windows Azure Active Directory Sync Tool.

Before you can go ahead and synchronize your local AD environment to Azure you need to make sure you Activate Azure for Directory Synchronization. Navigate to Active Directory click Default Active Directory and click the tab Directory Integration:

The installation and configuration of the tool is out of scope of this article, you can find loads of information online about how to install and configure the Windows Azure Active Directory Sync Tool.

When the synchronization is complete check Azure if your user and group accounts are now visible on your AD instance in Azure.

Note: After you synchronize users to Azure/Office 365 they need to be activated and licenses assigned. By default users are deactivated when synchronized to the cloud.

4. ADFS - Federate the domain with Azure AD
This is the step where you connect your ADFS server to Azure and federate your company domain for single sign-on. This process will automatically add to your ADFS server a relying party trust with office 365.

First you need to install Azure Active Directory Power Shell Tools so you can connect to your Azure Active Directory instance and run a few commands to federated domain with Azure:

Connect-MsolService –Credential $cred
Set-MsolAdfscontext -Computer MyADFSserver
Convert-MsolDomainToFederated –DomainName

Download windows power-shell:

Set up a trust between ADFS and Azure AD:

When completed you should see the following Relaying party trust in your ADFS server:

5. Testing/Troubleshooting 
Microsoft provides the Remote Connectivity Analyzer tool to test and troubleshooting the multiple layers of a single sign-on implementation and provides detailed information if anything goes wrong.

You can access the tool here: 

6. logging on
If all goes well when you access your online CRM instance you should see Microsoft redirecting you to your company ADFS server for authentication and the ADFS server will issue a token saying that your credentials have been verified. However in my scenario, I've configured my test account with Multi Factor Authentication. When I attempt to logon it stops me and sends me a text message with a code for me to check my identify, screenshots below:

Note that for global administrators Multi Factor Authentication is free, so you can test this in your test environment.

A code was sent to my phone in a couple of seconds and I just had to insert that code for CRM to load. Although the user didn't have to insert her password because it's configured for single sign-on she was configured for multi factor authentication which forced an extra level of security.

You also have the Microsoft Phone App which can be used for Multi factor Authentication instead of text messages.

After inserting the code and clicking sign in I land on my CRM online instance.

7. Azure and Office 365 portals
Azure and Office 365 portals are very similar with regards to providing menus to set up domains and single-sign on configuration. If you have access to the Azure instance associated to your office 365 account you will notice that everything that you configure in Azure will automatically surface in Office 365 and the same way if you do any configuration in Office 365 will also surface in Azure both portals connect to the same "collection" of services e.g your active directory instance in the cloud.

Below a few screenshots of office 365 portal showing you where to find and configure the same features we have just done in Azure.

When you open your office 365 portal you can easily locate the domains link, here you can add new domains and easily access the information needed to verify your domain by adding either a TXT or MX record to your DNS server

When you click Add domain, you will be taken to a 3 step process to create, confirm and verify the domain you just added.

When selecting general instructions the below page comes up with all the information you need to create the required TXT or MX record on your DNS zone to verify the domain.

Users and Single Sign-On configuration. 
Clicking on the Users & Groups and Active users you can  manage all user accounts including passwords and licenses. Notice that from this configuration panel you can also manage:
  1. Single-sign on
  2. Enable Directory synchronization
  3. Change password policy
  4. Configure multi-factor authentication.

clicking Manage Single sign-on provides you with a 10 step process on how to implement Single sign-on with your company AD and the office 365 platform. This is exactly the same as in the Azure - Directory Integration steps, which have been simplified into 4 main topics with child steps below as you can see on the below screenshots

Azure Portal

Office 365

I hope the article was useful please leave your feedback. I have not covered some features in great detail like how to install and configure ADFS or the windows Azure Synchronization tool this would make the all article very long and remove the focus from single sign-on.

Thursday, 31 July 2014

Free Webinar Azure ADFS domain federation with CRM Online

I'm doing a series of free webinars on Dynamics CRM and starting with how to federate your company domain with Azure and provide single sign-on with an Azure VM and Multi Factor Authentication.

If you interested please register your place here:

Below you find more information on what will be covered on the day. In a nutshell the webinar session will cover Azure VMs providing domain and ADFS single sign-on authentication for CRM online plus the configuration of Multi Factor authentication. Multi factor authentication is a process which helps protecting organization data enforcing two-factor user authentication.
  • Azure and office 365 portal
  • Session overview configuration steps
  • Adding a domain to Azure portal
  • Verify the domain
  • Overview of ADFS configuration and SSL certifcate configuration
  • Install & Connect to Azure powershell
  • Promote the newly added domain to federated domain.
  • Adding users to CRM online
  • Enable Multi Factor Authentication
  • Question and Answers

    If you have an on-premise Dynamics CRM instance there will be relevant information to on-premise configuration scenarios with ADFS and Azure.
Please leave your feedback, comments or any questions you may have.

If you would like to contact me directly please feel free to drop me an email to:

Wednesday, 23 July 2014

Dynamics CRM ADFS 3.0 changing HTTPS port

If you run into a situation where you require to change ADFS default HTTPS port from 443 to something else the steps to do this are highlighted below:

1. URL's ACL
The first steps are to reserve the ADFS urls using the new port, run the below commands:

netsh http add urlacl url=https://+:4433/FederationMetadata/2007-06/ user=domain\account listen=yes delegate=yes

netsh http add urlacl url=https://+:4433/adfs/ user=domain\account listen=yes delegate=yes

Then confirmed the above URL's have been added by running the command:
netsh http show urlacl 

to confirm the url's you added are listed.

2. Powershell Set new HTTPS port
The second step you set the ADFS https port via powershell:

Set-ADFSProperties -HttpsPort 4433

Restart the ADFS service

3. Binding IIS to the new port
The last step is to change the default website bindings for the HTTPs port.

Open IIS > Highlight Default Website and click on the right-hand-side Bindings

4. Testing
To test the new port open Internet Explorer and type: 

and you should get a page with XML:

Hope this was helpful, please leave your feedback or let me know if you have any questions.


Monday, 14 July 2014

Dynamics CRM 2013 Configuring SMTP profiles on port 25

If you just process outgoing email in Dynamics CRM 2013 then you no longer need Email router to do this. Dynamics CRM 2013 introduces Exchange synchronization but also POP3 and SMTP profiles which you can leverage as an SMTP gateway. In this article I'm focusing on SMTP profiles and how to make it work on SMTP port 25.

Why SSL does not matter in this case? it's because we are not storing any credentials we are using Anonymous authentication to relay email.

1. Enabling Port 25
Before we start configuring the SMTP profile in CRM you need to run the following SQL commands to disable SSL for SMTP profiles:

SQL Update

Update DeploymentProperties set BitColumn = 1 where columnname = 'AllowCredentialsEntryViaInsecureChannels'

Update DeploymentProperties set BitColumn = 1 where columnname = 'ECAllowNonSSLEmail'

Via Power Shell

  • To allow the use of credentials when not using SSL, run the following commands.

$itemSetting = new-object 'System.Collections.Generic.KeyValuePair[String,Object]' ("AllowCredentialsEntryViaInsecureChannels",1)$configEntity= new-object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"$configEntity.LogicalName = "Deployment"$configEntity.Attributes=new-object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"$configEntity.Attributes.Add($itemSetting)set-CrmAdvancedSetting -Entity $configEntity

  • To allow the use of connections to servers that do not use SSL, run the following commands.

$itemSetting = new-object 'System.Collections.Generic.KeyValuePair[String,Object]' ("ECAllowNonSSLEmail",1)$configEntity= new-object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"$configEntity.LogicalName = "Deployment"$configEntity.Attributes=new-object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"$configEntity.Attributes.Add($itemSetting)set-CrmAdvancedSetting -Entity $configEntity

After the SQL update do an iisreset and refresh the page, then Navigate to Settings > Email Configuration

2. Create The SMTP profle
Click New and select POP3-SMTP Profile

Choose a name and type the FQDN for the email server, if you don't want to use pop3 you can leave it empty:

The Authentication options should be as follows:

Click Advanced and select No on the option that says Use SSL for Outgoing connection

3. Configure User Profiles 
The next step is configuring the user mailbox properties; we want to set the mailbox to use the SMTP profile and disable incoming mail.

4. Global Settings
If you want these settings applied globally you can use the global Settings under Settings > Administration > System Settings

Email tab:

Hope this was helpful please leave your feedback