The server-based authentication setup can be completed by following the steps from the URL below.
Reference URL: https://technet.microsoft.com/en-us/library/mt171421.aspx
Pre-step 1: Verify the prerequisites before starting the process.
Pre-step 2: Two pieces of software must be installed before starting the configuration:
- Online services Sign-in
- Azure Active Directory Module PowerShell
The whole process, including the software installation, has to be done on the server where CRM is installed, logged in as a user who holds Deployment Administrator rights.
Remember to run the PowerShell console as administrator and navigate to the folder below:
"Drive:\Program Files\Microsoft Dynamics CRM\tools"
Step-1: Exporting the certificate
Export the trusted certificate to a local folder twice: once with the private key (.pfx) and once without it (X.509, Base64 format). Make a note of the password you give for the private-key export.
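As an added example (not part of the original post or of the Microsoft procedure it follows), the two exports can also be produced from PowerShell and then checked against each other before anything is uploaded. It assumes the certificate lives in the local machine personal store and is identified by its thumbprint; the thumbprint, output folder and file names are placeholders. The password is prompted for rather than written into the script, and the folder holding the .pfx should be restricted to administrators and the .pfx copy removed once Step-2 and Step-5 are done.

```powershell
# Added example: export the S2S certificate with and without its private key and
# verify that the two files describe the same certificate.
# Placeholders: $Thumbprint and $OutDir are assumptions, replace with your values.

$Thumbprint = '<Your-CertificateThumbprint>'   # placeholder: thumbprint of the trusted certificate
$OutDir     = 'C:\S2S'                          # placeholder folder; restrict its ACL to administrators

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key and cannot act as S2S token issuer" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Export 1: .pfx containing the private key. Prompt for the password instead of
# hard-coding it; this is the value later passed as -password / <Certificate-PrivateKey>.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx export' -AsSecureString
$pfxPath = Join-Path $OutDir 'S2SCertificate.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Export 2: public certificate only, Base64 (PEM) encoded.
$cerPath = Join-Path $OutDir 'S2SCertificate.cer'
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# Sanity check: same thumbprint in both files, private key only in the .pfx.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPassword
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($pfx.Thumbprint -ne $cer.Thumbprint)           { throw 'The .pfx and .cer files do not match' }
if (-not $pfx.HasPrivateKey -or $cer.HasPrivateKey) { throw 'Private key present in the wrong file' }

# The subject DN is what -storeFindType FindBySubjectDistinguishedName (Step-2) looks up.
"Subject DN : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"PFX        : $pfxPath"
"CER        : $cerPath"
```

The subject DN and thumbprint printed at the end are the values worth recording alongside the password, because Step-2 finds the certificate by subject and the later verification of the Azure AD registration is easiest by thumbprint.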
Step-2: Adding certificate to service account
.\CertificateReconfiguration.ps1 -certificateFile <Your-CertificatePath> -password <Certificate-PrivateKey> -updateCrm -certificateType S2STokenIssuer -serviceAccount <Service-AccountName> -storeFindType FindBySubjectDistinguishedName
Replace the placeholders in the above command with the values described below before running it:
- <Your-CertificatePath>: path of the certificate exported with the private key (.pfx).
- <Certificate-PrivateKey>: the password given to the .pfx export above.
- <Service-AccountName>: the CRM service account name.
In our case, the domain part of the service account name was set to domain.com for some accounts and was empty for a few others, and this caused an issue.
Check the user name of the service account and update the command with the exact value.
Step-3: Set PowerShell to accept Office 365 cmdlets
Enable-PSRemoting -force
New-PSSession
Import-Module MSOnline -force
Import-Module MSOnlineExtended -force
Now PowerShell is ready to accept the cmdlets, but a connection has to be established for them to take effect on Azure and SharePoint.
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
When the prompt appears, provide the credentials of a user who has Global Administrator privileges in Office 365.
Step-5: Set the certificate for server-based authentication
$STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "<Your-CertificatePathWithPrivateKey>", "<Certificate-PrivateKey>"
$PFXCertificateBin = $STSCertificate.GetRawCertData()
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Certificate.Import("<Your-CertificatePath-WithOutPrivateKey>")
$CERCertificateBin = $Certificate.GetRawCertData()
$CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)
Replace the placeholders in the above commands with the values described below before running them:
- <Your-CertificatePathWithPrivateKey>: certificate path (with private key, .pfx).
- <Certificate-PrivateKey>: the password of the .pfx export.
- <Your-CertificatePath-WithOutPrivateKey>: certificate path (without private key, .cer).
Step-6: Linking Azure to SharePoint
$RootDomain = "*.contoso.com"
$CRMAppId = "00000007-0000-0000-c000-000000000000"
New-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -Type asymmetric -Usage Verify -Value $CredentialValue
$CRM = Get-MsolServicePrincipal -AppPrincipalId $CRMAppId
$ServicePrincipalName = $CRM.ServicePrincipalNames
$ServicePrincipalName.Remove("$CRMAppId/$RootDomain")
$ServicePrincipalName.Add("$CRMAppId/$RootDomain")
Set-MsolServicePrincipal -AppPrincipalId $CRMAppId -ServicePrincipalNames $ServicePrincipalName
While linking, when we updated CRMAppId with the CRM Id from Solutions > Customizations > Developer Resources in CRM, it resulted in a "service account not found" error.
To remedy the above error, do not change CRMAppId; leave it as it is. Only update RootDomain to your server's domain name.
Step-7: Configure CRM with SharePoint for server-based authentication.
Add-PSSnapin Microsoft.Crm.PowerShell
$setting = New-Object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"
$setting.LogicalName = "ServerSettings"
$setting.Attributes = New-Object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"
$attribute1 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerPrincipalId", "00000001-0000-0000-c000-000000000000")
$setting.Attributes.Add($attribute1)
$attribute2 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerMetadataUrl", "https://accounts.accesscontrol.windows.net/metadata/json/1")
$setting.Attributes.Add($attribute2)
Set-CrmAdvancedSetting -Entity $setting
Once CRM is configured, everything on the server side is complete. The rest has to be done in CRM.
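Before moving to the CRM side, it is worth confirming that Steps 5 to 7 actually landed. The following is an added verification script, not part of the original post or the Microsoft procedure. It assumes the same PowerShell session (Connect-MsolService already done and the Microsoft.Crm.PowerShell snap-in available), reuses the $CRMAppId and $RootDomain values from Step-6, and takes the .cer path as a placeholder. The Get-CrmAdvancedSetting parameter names used at the end are an assumption drawn from the snap-in's documented usage.

```powershell
# Added example: verify the Azure AD registration (Steps 5-6) and the CRM server
# settings (Step-7). $cerPath is a placeholder; $RootDomain must be your server domain.

$CRMAppId   = "00000007-0000-0000-c000-000000000000"
$RootDomain = "*.contoso.com"                              # placeholder, as in Step-6
$cerPath    = "<Your-CertificatePath-WithOutPrivateKey>"   # placeholder, the .cer from Step-1

$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

# 1. The public certificate must be registered on the CRM service principal as an
#    asymmetric Verify key. Compare by thumbprint rather than trusting the upload alone.
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -ReturnKeyValues $true
$match = $creds | Where-Object {
    $_.Type -eq 'Asymmetric' -and $_.Usage -eq 'Verify' -and $_.Value -and
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (,[Convert]::FromBase64String($_.Value))).Thumbprint -eq $local.Thumbprint
}
if (-not $match) { throw "Certificate $($local.Thumbprint) is not registered on $CRMAppId" }
"Registered key $($match.KeyId), valid from $($match.StartDate) to $($match.EndDate)"

# Keys for certificates that were rotated out stay valid until removed; flag expired
# ones so they can be cleaned up with Remove-MsolServicePrincipalCredential.
$creds | Where-Object { $_.EndDate -lt (Get-Date) } |
    ForEach-Object { Write-Warning "Expired credential still registered: KeyId $($_.KeyId)" }

# 2. The SPN added in Step-6 must be present on the service principal.
$spns = (Get-MsolServicePrincipal -AppPrincipalId $CRMAppId).ServicePrincipalNames
if ($spns -notcontains "$CRMAppId/$RootDomain") { throw "SPN $CRMAppId/$RootDomain is missing" }
"SPNs: $($spns -join ', ')"

# 3. The two server settings written in Step-7 (parameter names assumed from the
#    snap-in documentation; the output is shown rather than parsed).
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue
Get-CrmAdvancedSetting -ConfigurationEntityName ServerSettings -Setting S2SDefaultAuthorizationServerPrincipalId | Format-List
Get-CrmAdvancedSetting -ConfigurationEntityName ServerSettings -Setting S2SDefaultAuthorizationServerMetadataUrl | Format-List
```

The thumbprint comparison in part 1 is the check that matters: New-MsolServicePrincipalCredential accepts any Base64 blob, so a wrong file (for example the Base64 of the .pfx instead of the .cer) is only caught here, and the expired-key warning keeps old issuer certificates from lingering as valid verification keys after a rotation.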
Step-8: This is the last step in the process and it has to be done in CRM.
- Navigate to Document Management.
- Click on Enable server-based SharePoint Integration.
- Next > Select Online and proceed.
- In the screen that comes up, enter the full SharePoint site URL and the SharePoint tenant ID.
  – To get the tenant ID, run the following commands in PowerShell on the server. They return a GUID; copy that.
$CRMContextId = (Get-MsolCompanyInformation).ObjectID
$CRMContextId
- Click Next to validate the site.
Issue 1: The site is shown as invalid, with a 401 Unauthorized exception.
To fix this, the users have to be mapped. The user record has a field named "SharePoint Email Address", and its value must match one of the SharePoint logins. If it does not, update it with the login of any of the existing SharePoint users.
Now repeat Step-8 and the configuration will complete successfully.
For another user to sync, just update that user's SharePoint Email Address field with their SharePoint login email.
Posted By: Jugal Kishore, Osmosee