Applications Server
 

Microsoft Dynamic CRM 4.0 : Authentication (part 3)

11/26/2011 5:35:40 PM
IIS Settings

The web servers containing the web applications (Dynamics CRM, Reporting Services, and SharePoint) will all need to be set up to enable Kerberos. However, you might find that this is not necessary if the web server is the same machine as the domain controller (such as in a small business deployment).

The IIS Metabase needs to be configured for “enabling editing” to ensure that the Metabase attempts to pass credentials using Kerberos. To enable editing in the IIS v6.0 Metabase, right-click the server name and select Properties. Check the Enable Direct Metabase Edit check box.

This will enable you to configure the Metabase without stopping IIS. This can be done in a few ways.

Before performing either, you need to determine the identifier of the site. This can be found by navigating to IIS and viewing the Identifier column. (If you don’t see the column, select View from the Management Console and be sure that the Identifier column is shown.) Figure 9 shows the identifiers of two websites.

Figure 9. IIS identifier.

The first method is by updating the Metabase using admin scripts:

  1. At the command prompt, navigate to C:\Inetpub\Adminscripts.

  2. Type the following command (Where xx is the identifier of the website you want to change authentication type):

    cscript adsutil.vbs set w3svc/xx/NTAuthenticationProviders "Negotiate,NTLM"

Figure 10 shows the output of the adstuil.

Figure 10. Configure authentication using the command line.

For more advanced users, you can modify Metabase.xml directly, as follows:

  1. Navigate to the Metabase.xml file. This is typically found at the following location: <root drive name>\System32\Inetsrv.

  2. Set all existing instances of NTAuthenticationProviders="NTLM" to NTAuthenticationProviders="Negotiate,NTLM".

    Before you can make changes to that file, you will have to enable the changes in the inetmgr, as shown in Figure 11.

    Figure 11. Enable Metabase XML updates.

  3. You can use PowerShell to make changes to the WMI. Use set-wmiobject for IISWebService.

Note

After making these changes, you must restart IIS.


In IIS 6.0, the application pools under which the relevant websites/applications run should be set to run as either a system account (Network Service or Local System) or as a user account configured correctly in Active Directory (as shown in Figure 12).

Figure 12. Application pool setting.


AD Configuration

All SPNs must be defined in Active Directory.

All relevant computers accessing data from a different machine need to be set to Trusted for Delegation. To access this setting, follow these steps:

1.
Open Active Directory Users and Computers.

2.
Search for the relevant account (computer/user) that needs to be trusted for delegation.

3.
Right-click each object, and then check the Trusted for Delegation option on the Properties dialog box (as shown in Figure 13).

Figure 13. Configure Active Directory delegation.


If the Microsoft CRM website is in the application pool that is running under a specific user account (that is, not Network Service/Local System), that account will require an SPN.

To acquire an SPN, perform the following steps:

1.
Download and install the setspn tool on any machine on the domain. For Windows 2003 SP2, you can find this tool at http://go.microsoft.com/fwlink/?LinkId=100114. For Windows 2008, this tool is built in to the operating system.

2.
Open a command prompt window. For Windows 2003, navigate to the directory in which this tool has been installed.

3.
Enter the following command for each account on each web server. You must use the name that the users will be using to access the system:

setspn -A HTTP/computer Domain\User
setspn -A HTTP/computer.domain.local Domain\User
setspn -A HTTP/CRMalias Domain\User
setspn -A HTTP/CRMalias.domain.local Domain\User

Note

The Delegation tab will not appear in the Active Directory Computer/User property screen. To enable the Delegation tab, enable the SPN settings as described earlier.

 
Others
 
- Microsoft Dynamic CRM 4.0 : Authentication (part 2)
- Microsoft Dynamic CRM 4.0 : Authentication (part 1)
- Implementing with Microsoft Dynamics Sure Step 2010 : Setting up a program for solution rollout
- Implementing with Microsoft Dynamics Sure Step 2010 : Waterfall-based implementation project types
- Microsoft Dynamics AX 2009 : Design and Implementation Patterns (part 2) - Table-Level Patterns
- Microsoft Dynamics AX 2009 : Design and Implementation Patterns (part 1) - Class-Level Patterns
- BizTalk 2009 : Creating More Complex Pipeline Components (part 4) - Custom Disassemblers
- BizTalk 2009 : Creating More Complex Pipeline Components (part 3) - Validating and Storing Properties in the Designer
- BizTalk 2009 : Creating More Complex Pipeline Components (part 2) - Schema Selection in VS .NET Designer
- BizTalk 2009 : Creating More Complex Pipeline Components (part 1) - Dynamically Promoting Properties and Manipulating the Message Context
- Microsoft Dynamics GP 2010 : Tailoring SmartLists by adding Fields
- Microsoft Dynamics GP 2010 : Controlling data with SmartList Record Limits
- Upgrading and Configuring SharePoint 2010 : Configuring a content database
- Upgrading and Configuring SharePoint 2010 : Creating and associating content databases to a specific web application and site collection
- Administering Active Directory Domain Services : Working with Active Directory Snap-ins (part 2) - Saving and Distributing a Custom Console
- Administering Active Directory Domain Services : Working with Active Directory Snap-ins (part 1)
- Microsoft Dynamic CRM 2011 : Canceling and Reopening a Service Request Case
- Microsoft Dynamic CRM 2011 : Resolving a Service Request Case
- Systems Management Server 2003 : Server Modifications After Installation
- Systems Management Server 2003 : Modifying the Installation
 
 
Most View
 
- Sharepoint 2013 : Installing and Configuring Windows Azure Workflow Server (part 3) - Testing and Verifying the Workflow Installation
- Microsoft Exchange Server 2013 : Validating Exchange Server licensing
- SQL Server 2012 : Enhancing Your Troubleshooting Toolset with Powershell (part 5) - Interrogating Current Server Activity
- Microsoft Project 2010 : Work Breakdown Structure (part 1) - Work Breakdown Structure Concepts
- Sharepoint 2013 : Use Managed Metadata Navigation in a Publishing Site (part 3) - Configuring a Friendly URL
- Installing Exchange 2013 : Versions, cumulative updates, and service packs (part 1) - Cumulative updates, Version numbers
- Microsoft OneNote 2010 : Inserting Documents and Files (part 1) - Inserting a Copy of a File on a Page
- Microsoft Excel 2010 : Working with Graphics - Inserting a Diagram,Inserting an Object
- Windows Server 2012 : Deploying Dynamic Access Control (part 2) - Configuring Resource Property for Files
- Windows 7 : Configuring a Dial-Up Internet Connection (part 1) - Creating a New Dial-Up Connection
 
 
Top 10
 
- Sharepoint 2013 : Developing Integrated Apps for Office and Sharepoint Solutions - The New App Model for Office
- Overview of Oauth in Sharepoint 2013 : Application Authorization - On-Premises App Authentication with S2S
- Overview of Oauth in Sharepoint 2013 : Application Authorization - Requesting Permissions Dynamically
- Microsoft Excel 2010 : Working with Graphics - Inserting a Diagram,Inserting an Object
- Microsoft Excel 2010 : Working with Graphics - Inserting WordArt, Using Smart Art in Excel
- Microsoft Excel 2010 : Working with Graphics - Using AutoShapes
- Overview of Oauth in Sharepoint 2013 : Application Authentication (part 2) - Managing Tokens in Your Application
- Overview of Oauth in Sharepoint 2013 : Application Authentication (part 1) - Using TokenHelper
- Overview of Oauth in Sharepoint 2013 : Creating and Managing Application Identities
- Overview of Oauth in Sharepoint 2013 : Introduction to OAuth