Microsoft Dynamic CRM 4.0 : Authentication (part 3)

 
11/26/2011 5:35:40 PM
IIS Settings

The web servers containing the web applications (Dynamics CRM, Reporting Services, and SharePoint) will all need to be set up to enable Kerberos. However, you might find that this is not necessary if the web server is the same machine as the domain controller (such as in a small business deployment).

Direct editing of the IIS Metabase needs to be enabled so that the Metabase can be configured to pass credentials using Kerberos. To enable editing in the IIS v6.0 Metabase, right-click the server name and select Properties. Check the Enable Direct Metabase Edit check box.

This will enable you to configure the Metabase without stopping IIS. The authentication setting itself can then be changed in a few ways.

Before performing either, you need to determine the identifier of the site. This can be found by navigating to IIS and viewing the Identifier column. (If you don’t see the column, select View from the Management Console and be sure that the Identifier column is shown.) Figure 9 shows the identifiers of two websites.

Figure 9. IIS identifier.

The first method is by updating the Metabase using admin scripts:

  1. At the command prompt, navigate to C:\Inetpub\Adminscripts.

  2. Type the following command (where xx is the identifier of the website whose authentication type you want to change):

    cscript adsutil.vbs set w3svc/xx/NTAuthenticationProviders "Negotiate,NTLM"

Figure 10 shows the output of adsutil.

Figure 10. Configure authentication using the command line.

For more advanced users, you can modify Metabase.xml directly, as follows:

  1. Navigate to the Metabase.xml file. This is typically found at the following location: <root drive name>\System32\Inetsrv.

  2. Set all existing instances of NTAuthenticationProviders="NTLM" to NTAuthenticationProviders="Negotiate,NTLM".

    Before you can make changes to that file, you will have to enable editing in inetmgr, as shown in Figure 11.

    Figure 11. Enable Metabase XML updates.

  3. You can use PowerShell to make changes to the WMI. Use set-wmiobject for IISWebService.

Note

After making these changes, you must restart IIS.
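To confirm which Metabase nodes still offer only NTLM after the change, the following added example (not part of the original article) reports every node that sets NTAuthenticationProviders. The sample XML is constructed and simplified, and the function name Get-NTAuthProviderReport is hypothetical; against a real server, pass the contents of Metabase.xml instead.

```powershell
# Constructed, simplified sample of Metabase.xml (real files carry many more
# attributes and an XML namespace on the elements).
$sampleXml = @'
<configuration>
  <MBProperty>
    <IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders="NTLM" />
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
    <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Microsoft Dynamics CRM"
                  NTAuthenticationProviders="Negotiate,NTLM" />
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/Reports"
                      NTAuthenticationProviders="NTLM" />
  </MBProperty>
</configuration>
'@

# Hypothetical helper: lists each node that sets the property explicitly.
# Nodes without the attribute (site 1 above) inherit it from the nearest
# parent Location, so a parent left at "NTLM" still affects them.
function Get-NTAuthProviderReport {
    param([xml]$Metabase)
    # Attributes carry no namespace, so this XPath also matches the
    # namespaced elements of a real Metabase.xml.
    foreach ($node in $Metabase.SelectNodes('//*[@NTAuthenticationProviders]')) {
        # @() keeps a single provider as an array rather than a bare string.
        $providers = @($node.GetAttribute('NTAuthenticationProviders') -split ',' |
                       ForEach-Object { $_.Trim() })
        New-Object PSObject -Property @{
            Location  = $node.GetAttribute('Location')
            Providers = $providers -join ','
            # Kerberos can only be negotiated when Negotiate is offered.
            NegotiateOffered = ($providers -contains 'Negotiate')
        }
    }
}

Get-NTAuthProviderReport -Metabase $sampleXml |
    Sort-Object Location |
    Format-Table Location, Providers, NegotiateOffered -AutoSize
```

Any row with NegotiateOffered set to False is an instance that step 2 of the Metabase.xml procedure still needs to change.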


In IIS 6.0, the application pools under which the relevant websites/applications run should be set to run as either a system account (Network Service or Local System) or as a user account configured correctly in Active Directory (as shown in Figure 12).

Figure 12. Application pool setting.


AD Configuration

All SPNs must be defined in Active Directory.

All relevant computers accessing data from a different machine need to be set to Trusted for Delegation. To access this setting, follow these steps:

  1. Open Active Directory Users and Computers.

  2. Search for the relevant account (computer/user) that needs to be trusted for delegation.

  3. Right-click each object, and then check the Trusted for Delegation option on the Properties dialog box (as shown in Figure 13).

Figure 13. Configure Active Directory delegation.


If the Microsoft CRM website is in the application pool that is running under a specific user account (that is, not Network Service/Local System), that account will require an SPN.

To acquire an SPN, perform the following steps:

  1. Download and install the setspn tool on any machine on the domain. For Windows 2003 SP2, you can find this tool at http://go.microsoft.com/fwlink/?LinkId=100114. For Windows 2008, this tool is built in to the operating system.

  2. Open a command prompt window. For Windows 2003, navigate to the directory in which this tool has been installed.

  3. Enter the following command for each account on each web server. You must use the name that the users will be using to access the system:

    setspn -A HTTP/computer Domain\User
    setspn -A HTTP/computer.domain.local Domain\User
    setspn -A HTTP/CRMalias Domain\User
    setspn -A HTTP/CRMalias.domain.local Domain\User

Note

The Delegation tab will not appear in the Active Directory Computer/User property screen until an SPN has been registered for the account. To enable the Delegation tab, register the SPNs as described earlier.
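Because setspn -A does not check whether an SPN is already registered on another account, and a duplicate SPN makes Kerberos fail for that name, it is worth auditing the result of the steps above. The following added example (not part of the original article) flags duplicate SPNs and lists accounts carrying the Trusted for Delegation flag so that the set can be kept to the accounts that need it. The account names and the helpers New-Account and Get-SpnAuditFinding are hypothetical, and the records are constructed sample data.

```powershell
# Hypothetical record builder; in a domain, build the same shape from a
# directory query for (servicePrincipalName=HTTP/*).
function New-Account($Name, $Uac, $Spns) {
    New-Object PSObject -Property @{ Name = $Name; UAC = $Uac; SPNs = $Spns }
}

# Constructed sample data. UAC is the userAccountControl attribute:
# 0x200 = normal user, 0x1000 = computer, 0x80000 = trusted for delegation.
$accounts = @(
    (New-Account 'Domain\CrmAppPool' 0x80200 @('HTTP/CRMalias', 'HTTP/CRMalias.domain.local')),
    (New-Account 'Domain\OldCrmSvc'  0x200   @('HTTP/crmalias')),
    (New-Account 'Domain\WEB01$'     0x1000  @('HTTP/computer', 'HTTP/computer.domain.local'))
)

function Get-SpnAuditFinding {
    param([object[]]$Accounts)
    $owners = @{}   # SPN (lower-cased) -> names of the accounts holding it
    foreach ($a in $Accounts) {
        foreach ($spn in $a.SPNs) {
            # SPNs are matched without regard to case, so normalize first.
            $key = $spn.ToLower()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $a.Name
        }
        # TRUSTED_FOR_DELEGATION bit: the account may delegate to any service.
        if ($a.UAC -band 0x80000) {
            "DELEGATION  $($a.Name) is trusted for delegation to any service"
        }
    }
    foreach ($key in $owners.Keys) {
        if ($owners[$key].Count -gt 1) {
            "DUPLICATE   $key is registered on: $($owners[$key] -join ', ')"
        }
    }
}

Get-SpnAuditFinding -Accounts $accounts
```

On Windows 2008, setspn -S performs the duplicate check before adding the SPN, and setspn -X searches the domain for existing duplicates.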

 