Tuesday, 13 March 2012

Dynamics CRM 2011 Outlook Client Invalid OrganizationId

I suddenly found myself unable to configure any Dynamics CRM 2011 Outlook client, receiving the following error:

> Failed to refresh entry. Exception Microsoft.Crm.Application.SMWrappers.InvalidOrganizationIdException: Invalid OrganizationId "xxxxx566-5xxx-e1xx-adxx-xxxx56af0xxx".
>    at Microsoft.Crm.Application.SMWrappers.ClientOrganizationContextFactory.Get(Guid organizationId)
>    at Microsoft.Crm.Application.SMWrappers.ClientOrganizationContextFactory.Microsoft.Crm.IOrganizationContextFactory.GetOrganizationContext(Guid organizationId)
>    at Microsoft.Crm.Caching.CrmMultiOrgCache`2.RefreshClientEntryCallback(String key)
>    at Microsoft.Crm.ClientCrmCache`1.RefreshEntryWaitCallback(Object keyString)


It seems this happened after enabling SPNs so that the CRM 2011 FetchXml reports would work. The resolution is to make IIS authenticate using the AppPool account credentials.

Resolution
In IIS, highlight the CRM website and open the Configuration Editor.

Navigate to:  
system.webServer > security > authentication > windowsAuthentication

Set useAppPoolCredentials to True.


Monday, 5 March 2012

Dynamics CRM Data Driven Security

View the wiki technet article here: http://social.technet.microsoft.com/wiki/contents/articles/8164.dynamics-crm-2011-data-driven-security.aspx

For many companies, data design and security is an important subject and careful planning is mandatory. CRM 2011 ships with new functionality that extends the design options; the newly introduced features are:
  • Forms based on Security Roles
  • Field level Security
The business unit concept and security role permissions stay the same. Displaying different forms to different types of users was only possible in CRM 4 with loads of programming, extensive planning and maintenance. With CRM 2011 this is now possible out of the box and incredibly easy to implement, leaving more time for planning.

I want to talk about the following topics:
  1. Business Unit data isolation
  2. Confidential Records with data isolation
  3. Security Role data visibility
  4. Field level security

Important: To understand the concepts in this article you should have a basic understanding of how the following CRM permission levels work:
  • Organizational Access
  • Business Unit Access
  • Business Unit and Child Access
Business Unit Data isolation
I like to think of data isolation as company departments, which work on different floors and have different network drives accessed strictly by that department's AD accounts. Business units are great for isolating data; however, this approach can become very complex if your company spans multiple countries or multiple offices. In the example below, the company Global Exports has 3 levels of security.

In the diagram below the concept is simple: we have 1 parent business unit, GlobalExports, and 2 child business units, GlobalSales and GlobalEngineers, each of which also has a child business unit (GlobalSales -> JuniorSales and GlobalEngineers -> JuniorEngineers).
  1. Executives have full access to all data. Executives are placed in the top Business Unit, GlobalExports.
  2. Sales representatives are placed in the GlobalSales Business Unit. Only Executives can access sales data; junior sales staff cannot access the GlobalSales representatives' data either.
  3. The same applies to the engineers' business unit.
To read the diagram, the green arrows indicate how data reads flow (downwards); you can see that no user can go back up and read their parent's data.
Advantages:
  • Junior staff can only access data in their own business unit; they cannot go back and read data in the GlobalSales or GlobalEngineers Business Units.
  • GlobalSales and GlobalEngineers are separate departments and cannot access each other's data.
  • Executives can access all company data, and no child business unit can access the GlobalExports Business Unit.
Disadvantages:
  • If the Executives would like to share data with sales representatives in the GlobalSales Business Unit, the only available process is sharing records with individual users, or creating teams and sharing the records with teams, increasing management time and complexity.
  • The same applies to sales representatives or engineers wanting to share data with their junior staff: they can only share records with individual users or teams.
  • Assigning records to users in different business units can move all child records which hold a parental relationship, adding extra management complexity with entity relationships. E.g. a sales representative assigns a record to a junior member of staff; the record and all child activities (phone calls, emails, tasks) will also be moved and ownership taken by the new owner.
To understand better why sharing records with individual users or teams is a disadvantage and how it increases management complexity, the diagram below illustrates the company GlobalExports with a CRM design based on regions:
Business Units Diagram.

From the above diagram we can ask ourselves a few questions:
  1. How would users share data between themselves?
  2. After a year of sharing records, what is the point of the access levels?
  3. If you created different security roles for different users in order for them to be able to read across regions, how many security roles or how many users would be associated with these security roles, and how would they be managed?
Using Business Units for data isolation is something that needs careful planning. Hopefully the above example gives you a good picture of the complexity. However, our first example with Junior Sales and Junior Engineers is the perfect example of how and why we would use Business Units for data isolation.

Confidential records
Business Units are great for isolating data, differentiating departments and keeping data secure. A good example of isolating data with Business Units is the implementation of confidential records. Below is a brief description of the design concept:

  1. A confidential Business Unit is created under the parent Business Unit GlobalExports.
  2. A user account (crm.confidential) is created and assigned to that Business Unit.
  3. All users within the GlobalExports BU have the Business Unit access level.
  4. When users would like to make an opportunity confidential they assign the record to the confidential user, which automatically moves the record to the confidential Business Unit; all child records with parental relationships will also move.
  5. Because the GlobalExports BU users' permissions are based on the Business Unit access level, no records can be read from the confidential Business Unit.
  6. The way to access data in the confidential Business Unit is to share the records between users or teams. This can be done automatically with a free CRM plugin that auto-shares records via workflows: you tick a box on the form and save, which triggers the confidential workflow, which assigns the record and auto-shares it with the user who triggered the action. http://crm2011sharestep.codeplex.com/


Security Roles Data visibility
Again, to help connect data visibility with real-world scenarios, I like to think of data visibility as an employee's job title: employees that work in the same department but do not necessarily access the same level of information, e.g. a sales representative and a junior sales representative, or a support engineer and a project manager. Assigning forms to different security roles is a new feature in CRM 2011. It provides a more robust way to expose different sets of data to users with different interests. E.g. Engineers and Sales both want more information about company XYZ, but the two users are looking at different levels of information, so why provide the same form when we can give them just what they are looking for?

At the same time, there are no department boundaries: all data lives in the same Business Unit and can be found by everyone. There is no need to share records.

The diagram below illustrates the company Global Exports CRM design, but based on security role data visibility:


Advantages:
  • Keeps the design simple with one Business Unit (or two if confidential records are required).
  • No need to share records.
  • Ability to mix security roles and provide multiple forms.
Disadvantages:
  • No data isolation
  • Extra administration maintaining multiple security roles.

How to assign security roles to multiple forms:
You assign security roles to forms on the customisation screen. Go to Customization > Customize The System > expand Accounts and click Form; you should see the screenshot below:



Important: By default, if users have no security roles associated with a form for the entity they are accessing, the default form is displayed. You should always customise a default form, so that a user who by mistake has no security role associated with the entity form does not see information that should otherwise have been hidden.

Field Level Security
Field level security is a new feature in CRM 2011. It provides granular control over information that should only be accessed by a group of people within CRM, e.g. credit card information or company financial information. Things to know about field level security:
  • Field level security only works with custom fields.
  • You create field security profiles and associate them with custom fields.
  • You assign the profiles to users or teams.
Go to: Administration > Field Security Profiles > click New. Below is a screenshot of a field security profile:
 

Mix and Match
Mixing and matching these features makes perfect sense and produces a better design with granular control over all aspects of CRM access. But it is also true that it increases complexity and management effort.

Keep it simple
  1. Always keep it as simple as possible.
  2. Consider data isolation only if really necessary.
  3. Keep Security roles to a minimum.
  4. Keep Business Units to a minimum.
  5. Provide minimum permissions to users.
Hope you enjoyed the article.
Leave feedback

Monday, 20 February 2012

Dynamics CRM Excel Connection failed [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed

Today I came across an error which I think is worth blogging. A new user can access CRM via IE and Outlook, but when exporting data to an Excel dynamic worksheet receives the following error:

Connection failed:
SQLState '28000'
SQL Server Error 18456
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'DOMAIN\Username'.

The error above does not specify why the login failed. So, to understand exactly what is happening, we can try the Excel built-in Data Source connection and retrieve a more friendly error message:

Select From SQL Server, type the SQL server name below and click Next; this should give you something like Access Denied.

For some reason, the user was not a member of the CRM ReportingGroup (which provides the SQL access), causing the Access Denied error.

Resolution
Adding the user to the CRM ReportingGroup fixed the issue, providing read access and allowing Excel to fetch CRM data.


Monday, 13 February 2012

Dynamics CRM Improving Reports Performance

When developing reports, especially reports with dashboards, we can end up with complex SQL code which runs more slowly against the Filtered Views than directly against a table. A great trick to improve performance is to copy the contents of the filtered view into a temporary table stored in memory and then run the SQL code against that table.

In the example I have below, the first query takes 5 minutes to run against a few thousand opportunities; in the second block of code I store the data in a temporary table and then query it, reducing the time to 36 seconds. The result is a much happier customer.
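The same pattern as an added example (the post's own queries are not reproduced here, so this is not the author's code): a pipeline-by-owner report written first directly against the filtered views and then against temporary tables filled from them once. It assumes the standard CRM 2011 filtered views FilteredOpportunity and FilteredSystemUser and their usual columns; the grouping itself is made up for illustration.

```sql
-- Added example, not the post's original queries. Run against the
-- organization database as the CRM user whose data the report should show.

-- Slow form: the filtered views re-evaluate the caller's CRM permissions
-- for every row the join and aggregate touch.
SELECT u.fullname        AS OwnerName,
       o.statecodename   AS Stage,
       COUNT(*)          AS Opportunities,
       SUM(o.estimatedvalue) AS Pipeline
FROM   FilteredOpportunity o
       JOIN FilteredSystemUser u ON u.systemuserid = o.ownerid
GROUP  BY u.fullname, o.statecodename;

-- Faster form: read each filtered view exactly once into a session-local
-- temporary table (SELECT ... INTO #name creates it in tempdb), then do the
-- heavy work on the copies. The copies come from the filtered views, not from
-- the base tables, so the caller still only sees rows CRM allows them to see,
-- and #tables are private to this session, so nothing leaks to other users.
IF OBJECT_ID('tempdb..#opp') IS NOT NULL DROP TABLE #opp;
SELECT opportunityid, ownerid, statecodename, estimatedvalue
INTO   #opp
FROM   FilteredOpportunity;

IF OBJECT_ID('tempdb..#usr') IS NOT NULL DROP TABLE #usr;
SELECT systemuserid, fullname
INTO   #usr
FROM   FilteredSystemUser;

SELECT u.fullname        AS OwnerName,
       o.statecodename   AS Stage,
       COUNT(*)          AS Opportunities,
       SUM(o.estimatedvalue) AS Pipeline
FROM   #opp o
       JOIN #usr u ON u.systemuserid = o.ownerid
GROUP  BY u.fullname, o.statecodename;

DROP TABLE #opp;
DROP TABLE #usr;
```

Keep the source of the copy a filtered view: selecting from OpportunityBase instead would bypass the CRM security model entirely and return every record to whoever runs the report.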



Wednesday, 8 February 2012

Dynamics CRM Installing Email router on multiple servers

View the wiki technet article here: http://social.technet.microsoft.com/wiki/contents/articles/7527.dynamics-crm-installing-email-router-on-multiple-servers.aspx

This article will show how, with a few tweaks, the email router can be deployed onto multiple servers across multiple offices to process emails for specific users/queues or for specific regions.

Consider the following deployment requirement:
  • The client network spans multiple offices across multiple countries.
  • CRM processes 2000 emails a day.
  • Lisbon, New York, London and Tokyo generate most of the emails produced by leads and opportunities.
  • The Tokyo office wants complete control of all outbound emails from CRM.
  • A few offices want to be able to control which domains are allowed to relay and block others.
Outgoing Email
To improve performance and resilience, configure a local SMTP service using the Windows Simple Mail Transfer Protocol service, managed via IIS, and point your outgoing profile at the local service. The advantages of using a local SMTP service instead of an external server are:
  1. It is faster: the E-mail router sends emails locally, where they are queued for external delivery, which is much faster than sending externally.
  2. Granular control over outbound email. E.g. you can process 3 different domains in your organisation, each domain with a different volume of emails per day, and specify 3 different external SMTP servers, one per domain, improving performance and scaling your deployment.
  3. Better resilience, by specifying on the fly different SMTP servers to relay email to in case an external SMTP server fails.
  4. E-mail logging: log all incoming and outgoing emails.
I would strongly recommend setting up a local SMTP service. How to configure a local SMTP server is beyond the scope of this article; you will find many white papers online on how to do this for different versions of Windows Server.


Scaling CRM E-mail router
A manual configuration is needed in order to make the email router scalable.

The following configuration file holds the core email router configuration:
C:\Program Files\Microsoft CRM Email\Service\Microsoft.Crm.Tools.EmailAgent.xml

There are two sections in the EmailAgent.xml file that make scaling possible:

System Configuration:
<ConfigUpdatePeriod>3600000</ConfigUpdatePeriod>
This key makes the email router reload all users and queues from CRM on the scheduled period, by default every hour (the value is in milliseconds).

Provider Configuration:
<UserId>xxx-xxx</UserId>
<QueueId>xxx-xxx</QueueId>
This section holds all the user system IDs and queue IDs which the email router will process email for.


To allow the email router to be deployed to multiple servers we need to make sure they don't overlap each other and end up processing the same emails. To avoid the overlap we change <ConfigUpdatePeriod> under <SystemConfiguration> and set it to 0; this makes sure that the email router will not pick up any new users or queues apart from those manually specified in the configuration file.
<ConfigUpdatePeriod>0</ConfigUpdatePeriod>


The second part is to manually specify which users or queues we want each email router to process email for. We do this by adding the <UserId> and <QueueId> entries below the <EmailAuthMode> tag; below is an example of how this would look:

<EmailAuthMode>Anonymous</EmailAuthMode>
<UserId>xxxxxxxx-13d8-e011-9077-xxxxxxxx</UserId>
<UserId>xxxxxxxx-19d8-e011-9077-xxxxxxxx</UserId>
<QueueId>xxxxxxxx-19d8-e011-9077-xxxxxxxx</QueueId>

By manually specifying the users or queues we want the email router to process, we make sure no other email routers overlap the same users. Also, by setting the configuration update period to 0 we force the email router never to check for new users in CRM, making sure one email router does not suddenly download all users and queues in the system and end up overlapping with other email routers.

Deployment Scenarios
We have covered how to make the email router resilient, how to gain granular control over the domains allowed to send emails using a local SMTP server, how to manually configure the email router to process emails for specific users or queues, and how to stop overlapping with other email routers.

The below diagrams illustrate possible scenarios for our requirements:


Scenario 1
New York and London only process emails sent from their queue; if their users send an email it will be routed via the Lisbon email router. Tokyo has been given full control and processes emails for its own queue and all its users.

Scenario 2
In this scenario the approach is to give each office full control over which users are allowed to send emails from CRM. The only disadvantage compared to Scenario 1 is the time spent managing the configuration file if your company has many users joining and leaving, but this would be decentralised and managed locally by the IT team in each office.

There are a few other scenarios which could be considered. E.g. we could have designed a scenario where we only use queues; this would be much easier to manage, and the only drawback would be having to create a workflow to rewrite every single email leaving CRM, changing the From field to the CRM queue responsible for the user's region, which increases the workload on the asynchronous service.

Conclusion
With a few configuration changes the email router can be deployed in complex environments and scaled to meet enterprise requirements. Configuring a local SMTP server improves performance and resilience, giving admins flexibility and granular control over all inbound/outbound emails. Hope this post was helpful.

Saturday, 4 February 2012

Dynamics CRM Excel dynamic spreadsheet not loading data

Users export CRM data to a dynamic spreadsheet and no data is downloaded or displayed. I come across this quite often. Users, especially women, change their names when they marry; when they go back to work, the first thing that happens is a request to change the name in Active Directory. This change is not reflected in CRM, and when exporting data to Excel it causes problems: the spreadsheet uses the current logon name while CRM holds the old domain logon name, which prevents data from loading.

A quick way to fix this issue is to update the user's domain logon name directly in the database; the following command updates the user's domain logon name:

UPDATE SystemUser set DomainName = 'domain\new_user'
WHERE DomainName='domain\old_user'

Hope this helps. 

Wednesday, 1 February 2012

Dynamics CRM 2011 Mobile Express Read-only

A few weeks ago I posted how to make the CRM 4.0 Mobile Express read-only:
http://quantusdynamics.blogspot.com/2012/01/dynamics-crm-40-mobile-express-read.html
This post is "part 2", for Dynamics CRM 2011 Mobile Express.

The Mobile Express for 2011 is based on the same concept but with some cosmetic changes. The files to change in order to make Mobile Express read-only are the same but the CSS entries are slightly different.

Edit the files below to make CRM 2011 Mobile Express read-only.

The files to be edited are located in:

C:\Program Files\Microsoft Dynamics CRM\CRMWeb\_common\styles\mobile\


In entityhome.css.aspx change:

.newRecordButton
{
padding : 4px;
display: none;
}

In entityform.css.aspx:
input.editButton
{
display: none;
<% if (CrmStyles.IsRightToLeft) { %>
float: right;
<% } else { %>
float: left;
<% } %>
width: 108px;
}

input.deleteButton
{
display: none;
<% if (CrmStyles.IsRightToLeft) { %>
float: left;
<% } else { %>
float: right;
<% } %>
width: 108px;
}

Reset IIS.

This will hide the New, Edit and Delete buttons.