Dynamics CRM 2011 – Rollup 6

I was recently in discussion with Microsoft and asked about the Update Rollup 6 schedule. I was told that it is scheduled for January 2012.

Apparently the schedule is safe, and no delay is expected. If you are planning a deployment soon (like me), you might be interested in knowing that the rollup 6 will be released soon.

Regarding the content of the rollup 6, the only thing I know (which is not a big secret) is that it will include this fix : http://support.microsoft.com/kb/2645912 which is described in this post.

Looking forward to 2012…

Dynamics CRM 2011 – Session is about to expire ADFS

If you have a Dynamics CRM 2011 farm configured to use ADFS with Claims-based authentication, you must have faced the session timeout problem. Long story short, after around 40 minutes (whether you are active or not), you’ll get a popup telling you that your session is about to expire :

In order to avoid getting this popup too often, you need to extend the token lifetime on your ADFS server.

Simply follow this procedure :

1. Open a Windows PowerShell prompt on your ADFS Server.

2. Add the AD FS 2.0 snap-in to the Windows PowerShell session:

Add-PSSnapin Microsoft.Adfs.PowerShell

3. Configure the relying party token lifetime:

Get-ADFSRelyingPartyTrust -Name "relying_party"
Set-ADFSRelyingPartyTrust -Targetname "relying_party" -TokenLifetime 480

where :
- relying_party is the name of the relying party that you created.
- 480 corresponds to 480 minutes = 8 hours.

Source & credits (really consider reading those if you want to fully understand what you are doing) :

BugNET – Error with attachments in version 0.9.142.0

A new version of BugNET was released recently (18th of December 2011). You might encounter a problem with attachments to an issue, with an error page.

Here is the error you’ll get in the logs :

System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentOutOfRangeException: Length cannot be less than zero.
Parameter name: length
   at System.String.InternalSubStringWithChecks(Int32 startIndex, Int32 length, Boolean fAlwaysCopy)
   at BugNET.Issues.UserControls.Attachments.CleanFileName(String fileName)
   at BugNET.Issues.UserControls.Attachments.AttachmentsDataGridItemDataBound(Object sender, DataGridItemEventArgs e)
   at System.Web.UI.WebControls.DataGrid.CreateItem(Int32 itemIndex, Int32 dataSourceIndex, ListItemType itemType, Boolean dataBind, Object dataItem, DataGridColumn[] columns, TableRowCollection rows, PagedDataSource pagedDataSource)
   at System.Web.UI.WebControls.DataGrid.CreateControlHierarchy(Boolean useDataSource)
   at System.Web.UI.WebControls.BaseDataList.OnDataBinding(EventArgs e)
   at BugNET.Issues.UserControls.Attachments.BindAttachments()
   at BugNET.Issues.UserControls.Attachments.Initialize()
   at BugNET.Issues.UserControls.IssueTabs.LoadTab(String selectedTab)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Unfortunately this is a bug, that has been described and fixed here : http://support.bugnetproject.com/Issues/IssueDetail.aspx?id=2028

In case you cannot wait for the next release that will include this fix, or if you don’t want to bother downloading the source code, fixing the bug and compiling it, you’ll find below some easy steps to fix the bug on your platform (it will literally take you 2 minutes), assuming you are using version 0.9.142.0.

Step 0 : Make sure you are using version 0.9.142.0. If you are using another version, DO NOT follow the next steps.

Step 1 : Download the attached file and unzip it.

Step 2 : Copy the file BugNET.dll to your bugNET platform in the bin folder. Just replace the existing file.

Done ! Try to upload or view an attachment, you’ll see that it works.

Hope this will help someone.

CozyRoc and Dynamics CRM 2011 with Claims and IFD

Let’s assume you have a Dynamics CRM 2011 farm that is configured to use Claims and IFD (Internet Facing Deployment) and that you are also using CozyRoc SSIS (excellent by the way) to extract data from your CRM platform.

Note : If you are not using Claims and IFD, this article might not apply to your problem…

You might face the following error : The request failed with HTTP status 401: Unauthorized. (System.Web.Services).

 

  1. Enable Anonymous Authentication on MSCRMServices\2007\SPLA on every web front in your CRM farm
    1. Open Internet Information Services (IIS) Manager.
    2. In the Connections pane, select the Microsoft Dynamics CRM Server 2011 Web site, and then navigate to the following folder: MSCRMServices\2007\SPLA
    3. In Features View, double-click Authentication.
    4. On the Authentication page, select Anonymous Authentication.
    5. In the Actions pane, click Enable to use Anonymous authentication with the default settings.
  2. In your CozyRoc SSIS package, select a deployment type as “Hosted” instead of “Premise”.
    1. Open your SSIS package and double click on your Dynamics CRM Connection Manager
    2. Select “Hosted” in the deployment list :

That’s all you need to do. CozyRoc will then work smoothly !

 

Dynamics CRM 2011 – Error only secure content is displayed

Today I’m facing the following issue when I access my CRM platform :

Internet Explorer complains that only secure content is displayed, which means that some content is being requested over HTTP while my CRM platform is configured to use HTTPS. You’ll notice as well that the Get Started section is not displayed correctly.

You get exactly the same thing in the outlook plugin with a similar message that asks you if you want to display only the content that was delivered securely over https :

I have read a few articles that were talking about configuring IE to allow mixing secured and unsecured content. I did not like it, and wanted to understand why this content was not delivered through a secured channel.

I figured out that it comes from a setting in the Dynamics CRM database that is not set correctly. After you have adjusted it, it will work smoothly. Here is the procedure to fix it :

Step 1: Open SQL Server Management Studio on the CRM database server, open the MSCRM_CONFIG database and run the following query :

SELECT     HelpServerUrl
FROM         ConfigSettings

You’ll get something like that :

As you can see, the HelpServerUrl is indicating HTTP (and in my case even a wrong url because it points to a specific web front end instead of the load balancer url…).

Step 2 : Edit the value that you found in HelpServerUrl to what you need. In particular, use HTTPS instead of HTTP.

Step 3 : Reboot your farm. Dynamics CRM might cache this kind of value… so a reboot might be necessary (it was not the case for me though).

Done ! You’ll see a full page nicely displayed without any error or warning

 

 

Configure CRM Dynamics 2011 outlook client when connected to the internet

I have been trying to configure the Outlook add-in for CRM Dynamics 2011 while I was connected to the internet (as opposed to my company network) without success for days now.

I initially thought it was coming from my Claims and IFD configuration, but it was not. It was just a bug ! And there is now a hot fix.

Let’s assume you have a Dynamics CRM 2011 platform exposed over the internet (Internet Facing Deployment) and that you need or want your users to be able to configure their Outlook Add-in while connected to the Internet (without any connection to your company’s network, nor any kind of VPN) : You need to apply this fix

http://support.microsoft.com/kb/2645912

(My) explanation :

Rollup 5 introduced a bug. The Outlook configuration wizard was trying to connect to the Active Directory. The problem is that in some cases, when you are not connected to your company’s network, the Active Directory is not available. The configuration wizard was just crashing because it was not able to contact the Active Directory. As simple as that. The hotfix above changed the behavior so that it is no longer required to have the AD available to perform the configuration.

Worked like a charm for me ! So happy !

Side note : I was using the Microsoft Dynamics CRM 2011 for Microsoft Office Outlook add-in with Rollup 5 on top.

And here was the error log I was getting while trying to configure outlook using the configuration wizard :

17:57:06|  Error| Exception : The server could not be contacted.    at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)    at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()    at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)    at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType)    at System.DirectoryServices.AccountManagement.UserPrincipal.get_Current()    at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.SelectOrganization(Guid organizationId)    at Microsoft.Crm.Application.Outlook.Config.ClientConfig.AddDeployment(DeploymentsDeployment[] deployments, AuthUIMode uiMode)    at Microsoft.Crm.Application.Outlook.Config.ClientConfig.Run(Boolean runInsideOutlook)    at Microsoft.Crm.Application.Outlook.Config.ClientConfig.Start(String[] args, Boolean runInsideOutlook)

 

Dynamics CRM 2011 : Claims and IFD

Before configuring it, I was a bit scared to be honest. All the articles I read about it were talking about its complexity and the poor documentation. I have to disagree with all this…

Here are the three articles or documents you need to read in order to successfully implement Claims-based authentication and IFD (Internet Facing Deployment).

  1. Microsoft official documentation (download the doc named “Microsoft Dynamics CRM 2011 and Claims-based Authentication.doc”) :
    http://www.microsoft.com/download/en/details.aspx?id=3621
  2. A Microsoft video (very pragmatic) :
    http://www.youtube.com/watch?v=ZD5qaa-G99E
  3. A blog article very detailed with useful tips :
    http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/

After you have spent 1 day reading and understanding those documents, you’ll be able to go through Claims authentication configuration and IFD quite quickly. This includes ADFS 2.0 configuration and installation (which is not so difficult).

Here are some tips from my side that would help you to avoid classical mistakes :

  1. Pay attention to DNS records and make sure you always configure them properly. Use hosts file if you don’t have easy access to DNS servers, but make sure the DNS are fine.
  2. Use valid certificates. Doing so will simplify your life and you’ll avoid certificate error that might block you during the process. Don’t forget to install the intermediate certificate if needed, so that certificates are fully valid.
  3. Understand what happens. You first need to understand at least the basics of ADFS, Claims and IFD so that you can react when an error shows up. If you don’t understand what you are doing, it is likely that it won’t work. That’s why I recommend you spend one day reading documentation before starting the implementation.
  4. Install ADFS on a separate server. Your CRM will already expose a web site over HTTP and/or HTTPS and the last thing you want is the ADFS 2.0 installation to interact with your CRM installation. Use a separate machine (2 GB of RAM will do in most cases) for ADFS 2.0 deployment.

If after struggling with your configuration, you still don’t get it working, you can still request a Microsoft Consultant to help you.

Dynamics CRM 2011 Outlook client and load balancing

Let’s assume you are using :

  • Dynamics CRM 2011 farm with 2 (or more) web front ends
  • A load balancer (Microsoft TMG, Citrix Netscaler, Apache, …) to split the load between your Dynamics CRM 2011 front ends
  • The fantastic Outlook Add-in for Microsoft Dynamics CRM 2011

You might face the situation where your CRM installation works fine when you use a web browser but the outlook add-in (or client) does not work properly. It is impossible to connect or configure it through the configuration wizard.

It might be due to the fact that you need to configure your load balancer to use IP-based sticky sessions (as opposed to cookie-based sessions). The reason for this is very simple: the Outlook add-in does not implement any cookie mechanism, so the load balancer will simply fail to stick to one specific server. This will result in authentication failures since the Outlook client will not “stick” to one specific web front end.
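The behaviour described above can be reproduced with a small simulation. This is an added example, not part of the original post and not TMG or CRM code; it assumes each front end keeps its own authenticated sessions, and the class names, user name and client IP are hypothetical.

```python
import itertools
import zlib

class FrontEnd:
    """One CRM web front end; assumed to keep its own authenticated sessions."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def handle(self, user, action):
        if action == "login":
            self.sessions.add(user)
            return 200
        return 200 if user in self.sessions else 401

class LoadBalancer:
    def __init__(self, nodes, mode):
        self.nodes, self.mode = nodes, mode
        self._round_robin = itertools.cycle(range(len(nodes)))

    def pick(self, src_ip, affinity_cookie):
        if self.mode == "source-ip":
            return zlib.crc32(src_ip.encode()) % len(self.nodes)
        if affinity_cookie is not None:       # cookie mode, client sent it back
            return affinity_cookie
        return next(self._round_robin)        # cookie mode, no cookie presented

def run_client(mode, keeps_cookies, calls=4, src_ip="203.0.113.10"):
    """Return the HTTP status of one login followed by calls-1 requests."""
    nodes = [FrontEnd("web1"), FrontEnd("web2")]
    lb = LoadBalancer(nodes, mode)
    cookie, statuses = None, []
    for i in range(calls):
        idx = lb.pick(src_ip, cookie)
        if mode == "cookie" and keeps_cookies:
            cookie = idx                      # a browser stores the affinity cookie
        statuses.append(nodes[idx].handle("user1", "login" if i == 0 else "call"))
    return statuses

if __name__ == "__main__":
    print("browser, cookie-based:", run_client("cookie", keeps_cookies=True))
    print("add-in,  cookie-based:", run_client("cookie", keeps_cookies=False))
    print("add-in,  source-IP   :", run_client("source-ip", keeps_cookies=False))
```

With source-IP affinity, all clients that share one NAT address land on the same front end, so load distribution becomes coarser than with cookies.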

Here are basic steps to configure “IP based sticky sessions” in Microsoft ForeFront TMG:

Step 1: Open ForeFront TMG management console and go to the firewall policies

Step 2: Double click the firewall policy you have setup to expose your multiple CRM web fronts with load balancing

Step 3: In the ”Web Farm” tab, select “Source-IP based” instead of “Cookie based”

Step 4: Click Ok, and apply the modifications. You’ll see that the outlook client will now work correctly.

Side note to conclude : I got ForeFront TMG working smoothly with Microsoft Dynamics CRM 2011 and the outlook add-in as described above by using Source-IP based sessions. We also had the exact same issue with a Citrix Netscaler load balancer and after configuring it with Source-IP based sessions, it worked fine as well !

Hope this will help someone…

Configure flood mitigation in ForeFront TMG

I recently (and almost accidentally) saw an error in the alert tab in ForeFront TMG that was saying :

Description: The number of HTTP requests per minute from the source IP address 10.136.17.176 exceeded the configured limit. Forefront TMG will block new HTTP requests sent from this IP address. This event indicates that this IP address probably belongs to an infected host. See the product documentation for more information about Forefront TMG flood mitigation.

After a quick look at the IP address, it turned out that it was someone from my team who was intensively testing a web service and therefore generating a lot of traffic. I therefore decided to configure ForeFront flood mitigation in order to get rid of this error.

To do so, you need to :

  • Go into “Intrusion Prevention System” in ForeFront Admin console.

  • Select the second tab called “Behavioral Intrusion Detection” and click “Configure Flood Mitigation Settings“.

  • A screen pops up and you can configure several settings. In my case, my error was about a large number of HTTP requests per second. I’ll then look at the “Maximum HTTP Requests” and click the Edit button

  • The default values appear. You’ll notice that we distinguish the “limit” and the “Custom limit”. I decided not to change those values, but to add my developer in the “IP Exceptions” list so that he can benefit from a 6000 limit as opposed to the default 600 one. So I clicked Cancel to escape this screen and go to the place where I can add some IP exceptions.

  • So I went to the IP Exceptions tab where I can add a list of computers that will be treated as exceptions. Since I want all my local computers (not just the one that was blocked initially) to benefit from this exception, I created a new “Computer Set” with an address range from 10.136.0.0 to 10.136.255.255 (all my computers are sitting within this private IP range).

  • Click OK and then the top ribbon to get the changes committed.
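The effect of the two limits and of the exception range can be checked with a simplified model. This is an added example, not part of the original post and not how Forefront TMG is implemented; it counts requests per source IP per minute as in the alert text, and the traffic sample and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

DEFAULT_LIMIT = 600    # default per-IP limit quoted in the post
CUSTOM_LIMIT = 6000    # custom limit applied to the IP exceptions
# Computer set from the post: 10.136.0.0 - 10.136.255.255
EXCEPTION_SET = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("10.136.0.0"), ipaddress.ip_address("10.136.255.255")))

def limit_for(src_ip, exceptions=EXCEPTION_SET):
    """Return the per-minute limit that applies to one source IP."""
    addr = ipaddress.ip_address(src_ip)
    return CUSTOM_LIMIT if any(addr in net for net in exceptions) else DEFAULT_LIMIT

def blocked_sources(requests, exceptions=EXCEPTION_SET):
    """requests: iterable of (minute, src_ip). Returns {ip: worst per-minute count}
    for every source whose count in any one minute exceeded its limit."""
    per_minute = Counter(requests)
    blocked = {}
    for (minute, ip), count in per_minute.items():
        if count > limit_for(ip, exceptions):
            blocked[ip] = max(count, blocked.get(ip, 0))
    return blocked

def exception_size(exceptions=EXCEPTION_SET):
    """Number of addresses that get the custom limit instead of the default."""
    return sum(net.num_addresses for net in exceptions)

# Constructed traffic sample: one minute of requests from three sources.
SAMPLE = ([(0, "10.136.17.176")] * 900      # the developer's test run
          + [(0, "10.136.40.9")] * 6500     # excepted host, above the custom limit
          + [(0, "192.0.2.50")] * 900)      # host outside the computer set

if __name__ == "__main__":
    print("without exceptions:", blocked_sources(SAMPLE, exceptions=[]))
    print("with exceptions:   ", blocked_sources(SAMPLE))
    print("exempted addresses:", exception_size(), EXCEPTION_SET)
```

The range entered in the computer set is a full /16, so 65,536 addresses are held to the 6000 limit rather than 600.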