Applications Server
 

Microsoft Dynamic CRM 4.0 : Authentication (part 3)

11/26/2011 5:35:40 PM
IIS Settings

The web servers containing the web applications (Dynamics CRM, Reporting Services, and SharePoint) will all need to be set up to enable Kerberos. However, you might find that this is not necessary if the web server is the same machine as the domain controller (such as in a small business deployment).

The IIS Metabase needs to be configured for “enabling editing” to ensure that the Metabase attempts to pass credentials using Kerberos. To enable editing in the IIS v6.0 Metabase, right-click the server name and select Properties. Check the Enable Direct Metabase Edit check box.

This will enable you to configure the Metabase without stopping IIS. This can be done in a few ways.

Before performing either, you need to determine the identifier of the site. This can be found by navigating to IIS and viewing the Identifier column. (If you don’t see the column, select View from the Management Console and be sure that the Identifier column is shown.) Figure 9 shows the identifiers of two websites.

Figure 9. IIS identifier.

The first method is by updating the Metabase using admin scripts:

  1. At the command prompt, navigate to C:\Inetpub\Adminscripts.

  2. Type the following command (Where xx is the identifier of the website you want to change authentication type):

    cscript adsutil.vbs set w3svc/xx/NTAuthenticationProviders "Negotiate,NTLM"

Figure 10 shows the output of the adstuil.

Figure 10. Configure authentication using the command line.

For more advanced users, you can modify Metabase.xml directly, as follows:

  1. Navigate to the Metabase.xml file. This is typically found at the following location: <root drive name>\System32\Inetsrv.

  2. Set all existing instances of NTAuthenticationProviders="NTLM" to NTAuthenticationProviders="Negotiate,NTLM".

    Before you can make changes to that file, you will have to enable the changes in the inetmgr, as shown in Figure 11.

    Figure 11. Enable Metabase XML updates.

  3. You can use PowerShell to make changes to the WMI. Use set-wmiobject for IISWebService.

Note

After making these changes, you must restart IIS.


In IIS 6.0, the application pools under which the relevant websites/applications run should be set to run as either a system account (Network Service or Local System) or as a user account configured correctly in Active Directory (as shown in Figure 12).

Figure 12. Application pool setting.


AD Configuration

All SPNs must be defined in Active Directory.

All relevant computers accessing data from a different machine need to be set to Trusted for Delegation. To access this setting, follow these steps:

1.
Open Active Directory Users and Computers.

2.
Search for the relevant account (computer/user) that needs to be trusted for delegation.

3.
Right-click each object, and then check the Trusted for Delegation option on the Properties dialog box (as shown in Figure 13).

Figure 13. Configure Active Directory delegation.


If the Microsoft CRM website is in the application pool that is running under a specific user account (that is, not Network Service/Local System), that account will require an SPN.

To acquire an SPN, perform the following steps:

1.
Download and install the setspn tool on any machine on the domain. For Windows 2003 SP2, you can find this tool at http://go.microsoft.com/fwlink/?LinkId=100114. For Windows 2008, this tool is built in to the operating system.

2.
Open a command prompt window. For Windows 2003, navigate to the directory in which this tool has been installed.

3.
Enter the following command for each account on each web server. You must use the name that the users will be using to access the system:

setspn -A HTTP/computer Domain\User
setspn -A HTTP/computer.domain.local Domain\User
setspn -A HTTP/CRMalias Domain\User
setspn -A HTTP/CRMalias.domain.local Domain\User

Note

The Delegation tab will not appear in the Active Directory Computer/User property screen. To enable the Delegation tab, enable the SPN settings as described earlier.

 
Others
 
- Microsoft Dynamic CRM 4.0 : Authentication (part 2)
- Microsoft Dynamic CRM 4.0 : Authentication (part 1)
- Implementing with Microsoft Dynamics Sure Step 2010 : Setting up a program for solution rollout
- Implementing with Microsoft Dynamics Sure Step 2010 : Waterfall-based implementation project types
- Microsoft Dynamics AX 2009 : Design and Implementation Patterns (part 2) - Table-Level Patterns
- Microsoft Dynamics AX 2009 : Design and Implementation Patterns (part 1) - Class-Level Patterns
- BizTalk 2009 : Creating More Complex Pipeline Components (part 4) - Custom Disassemblers
- BizTalk 2009 : Creating More Complex Pipeline Components (part 3) - Validating and Storing Properties in the Designer
- BizTalk 2009 : Creating More Complex Pipeline Components (part 2) - Schema Selection in VS .NET Designer
- BizTalk 2009 : Creating More Complex Pipeline Components (part 1) - Dynamically Promoting Properties and Manipulating the Message Context
- Microsoft Dynamics GP 2010 : Tailoring SmartLists by adding Fields
- Microsoft Dynamics GP 2010 : Controlling data with SmartList Record Limits
- Upgrading and Configuring SharePoint 2010 : Configuring a content database
- Upgrading and Configuring SharePoint 2010 : Creating and associating content databases to a specific web application and site collection
- Administering Active Directory Domain Services : Working with Active Directory Snap-ins (part 2) - Saving and Distributing a Custom Console
- Administering Active Directory Domain Services : Working with Active Directory Snap-ins (part 1)
- Microsoft Dynamic CRM 2011 : Canceling and Reopening a Service Request Case
- Microsoft Dynamic CRM 2011 : Resolving a Service Request Case
- Systems Management Server 2003 : Server Modifications After Installation
- Systems Management Server 2003 : Modifying the Installation
 
 
Most View
 
- Microsoft Lync Server 2013 : Mediation Server Administration
- Windows Server 2012 : Installing and Configuring FTP Services (part 1) - IIS 8 FTP Server Service Features , Installing the FTP Server
- Sharepoint 2013 : Sign Out of a Site, Use the Ribbon
- Windows Phone 8 : Walking Through the Bookshop Sample Application (part 4) - Image Caching
- Sharepoint 2013 : Community portals and sites - Working with badges
- SQL Server 2012 : Authorizing Securables - A Sample Security Model
- Windows 8 : Cloud Connections - SkyDrive (part 3) - To access SkyDrive from a browser
- Windows Phone 8 : Scheduled Notifications (part 1)
- Windows Server 2012 : Scalable and elastic web platform (part 5) - Application Initialization,Dynamic IP Address Restrictions
- Exchange Server 2013 : The Exchange Management Shell - EMS basics (part 7) - Execution policies, Profiles
 
 
Top 10
 
- Microsoft Project 2010 : Setting Up Project for Your Use - Defining Project Information (part 2) - Defining Project Properties
- Microsoft Project 2010 : Setting Up Project for Your Use - Defining Project Information (part 1) - Understanding the Project Information Dialog Box
- Microsoft Project 2010 : Setting Up Project for Your Use - Setting the Task Mode
- Securing an Exchange Server 2007 Environment : Securing Outlook Web Access
- Securing an Exchange Server 2007 Environment : Protecting Against Spam (part 2) - Filtering Junk Mail
- Securing an Exchange Server 2007 Environment : Protecting Against Spam (part 2) - Filtering Junk Mail
- Securing an Exchange Server 2007 Environment : Protecting Against Spam (part 1) - Protecting Against Web Beaconing
- Securing an Exchange Server 2007 Environment : Securing Outlook 2007 (part 2) - Encrypting Communications Between Outlook and Exchange , Blocking Attachments
- Securing an Exchange Server 2007 Environment : Securing Outlook 2007 (part 1) - Outlook Anywhere
- Securing an Exchange Server 2007 Environment : Securing Your Windows Environment (part 3) - Keeping Up with Security Patches and Updates