This blog article will walk you through the required steps on how to install GroupCalendar and ActivityTools in a claims-based environment.
This article is valid for GroupCalendar for CRM 2011, 2013, 2015 and 2016 but only for CRM 2013 and older versions of ActivityTools. From CRM 2015 onwards ActivityTools does not have to be configured for IFD anymore!
The steps are the same for both products, so instead of an explicit product name, we will use the term "the addon" in this guide.
The IFD configuration for the GroupCalendar is as follows:
- IFD-Tool -> Download Link (you must have a login on our web site)
- For installing GroupCalendar you need at least version 5.12 from our Download Section
- For installing ActivityTools you need at least version 5.13 from our Download Section
Before you start the installation, make sure that MS CRM is working correctly in IFD/Claims-Mode, including your ADFS, which should be installed correctly and configured to work with MS CRM.
More details on how to configure MSCRM for IFD/Claims can be found in the Microsoft guide "Configuring Claims-based Authentication for Microsoft Dynamics CRM 2011" (Download).
The following system configuration is the base for our guide.
Your setup will differ in these URLs, so make sure you replace them with your own URLs when following the guide.
Internal URL used to access Microsoft Dynamics CRM:
https://internalcrm.rc1ifd.ptm-edv.at
External URL used to access Microsoft Dynamics CRM:
https://[orgname].rc1ifd.ptm-edv.at
AD FS Server:
https://win2008domain.ptm-edv.at
The addon itself also requires a DNS name:
https://activitytoolsserver.rc1ifd.ptm-edv.at (for ActivityTools)
or
https://groupcalendarserver.rc1ifd.ptm-edv.at (for GroupCalendar)
Basic installation/configuration of the addon:
- Install the addon on the CRM Server.
- You will be asked for the Logon Information. Fill in the internal IFD name of your CRM. In our case it is internalcrm.rc1ifd.ptm-edv.at.
Now select the organization on which you want to install the addon and click on the [OK]-button.
Figure 1: Connection dialog
- After the installation has finished, you have to open IIS Manager (inetmgr.exe) and go to Sites > the addon WebSite. Right-click the ActivityToolsserver or GroupCalendarserver WebSite and select Edit Bindings…
Figure 2: Select Edit Bindings…
On the Bindings, click on the [Add…]-button and select in the Add Site Binding the type https.
You also have to specify the port. In our example we use 4446.
Figure 3: Add Bindings
With that we have made the website available for https. Now click on the [OK]-button.
- Reselect the addon website and double click on the Authentication-item in the right side details pane.
Verify that the Anonymous and ASP.NET Impersonation settings are enabled. (Anonymous must be disabled on non-IFD systems.)
- The addon URL must be added to your DNS Server.
Your DNS servers have to resolve the activitytoolsserver.[your-domain] or groupcalendarserver.[your-domain] names correctly. That means they should resolve them to the same IP address your CRM Server has.
Please note: If you have an external DNS, make sure that both external and internal DNS are able to resolve the URL.
- Extract the IFD-Tool (.zip-File), that you have downloaded before and execute the IFDSetupWizard.exe.
Follow the steps in the IFD Setup carefully.
- Open your CRM in Internet Explorer and go to Settings > MSCRM-ADDONS.com Products > Open the addon. In the MSCRM-ADDONS.com Products form, select the MSCRM-ADDONS.com Settingskeys and search for the WebApplicationPort entry.
Figure 4: mscrm-addons.com Settingskeys
- Open the WebApplicationPort and replace the existing KeyValue with the following:
[httpsPort]|[httpPort]|[claimsbased]|[addonname]|[debugging]
e.g.:
4446|5557|true|activitytoolsserver|false
We have finished the configuration of the CRM part and now need to configure the AD FS.
- Please log on to your AD FS Server and start AD FS 2.0 Management.
- On the Actions menu located in the right column, click Add Relying Party Trust.
- In the Add Relying Party Trust Wizard, click on the [Start]-button.
- On the Select Data Source page, click on Import data about the relying party published online or on a local network, and then type in the URL to locate the federationmetadata.xml file. This federation metadata is created with the IFD-Tool on the CRM Server. For example:
https://activitytoolsserver.rc1ifd.ptm-edv.at:4446/FederationMetadata/2007-06/FederationMetadata.xml
Type this URL in your browser and verify that no certificate-related warnings appear.
- Click on the [Next]-button.
- On the Specify Display Name page, type a display name, such as ActivityTools IFD, and click on the [Next]-button.
- On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click on the [Next]-button.
- On the Ready to Add Trust page, click on the [Next]-button, and then click on the [Close]-button.
- If the Rules Editor appears, click on Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click on Add Rule.
Please note: Make sure the Issuance Transform Rules tab is selected.
- In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click on the [Next]-button.
- Create the following rule:
• Claim rule name: Pass Through UPN (or something descriptive)
• Add the following mapping:
i. Incoming claim type: UPN
ii. Pass through all claim values
- Click on the [Finish]-button.
- In the Rules Editor, click on Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template. Then click on the [Next]-button.
- Create the following rule:
• Claim rule name: Pass Through Primary SID (or something descriptive)
• Add the following mapping:
i. Incoming claim type: Primary SID
ii. Pass through all claim values
- Click on the [Finish]-button.
- In the Rules Editor, click on Add Rule.
- In the Claim rule template list, select the Transform an Incoming Claim template, and then click on the [Next]-button.
- Create the following rule:
• Claim rule name: Transform Windows Account Name to Name (or something descriptive)
• Add the following mapping:
i. Incoming claim type: Windows account name
ii. Outgoing claim type: Name
iii. Pass through all claim values
- Click on the [Finish]-button and when you have created all three rules, click the [OK]-button to close the Rules Editor.
You have finished the configuration and you should be able to use the addon in your IFD/Claims Environment now.
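The three issuance transform rules from the steps above, written in AD FS claim rule language and applied with the AD FS PowerShell cmdlets, so the configuration can be reviewed and repeated. This is an added example, not part of the vendor's procedure; it assumes the relying party trust carries the display name ActivityTools IFD used in the guide's example.

```powershell
# Added example, not vendor code. Run on the AD FS server.
# AD FS 2.0 ships a snap-in; later versions use "Import-Module ADFS" instead.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName = 'ActivityTools IFD'   # display name from the guide's example

$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

# Replaces the trust's existing issuance transform rules with the three above
Set-ADFSRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Read the trust back and list any of the three incoming claim types that are missing
$trust    = Get-ADFSRelyingPartyTrust -Name $trustName
$expected = 'claims/upn"', 'claims/primarysid"', 'claims/windowsaccountname"'
$missing  = @($expected | Where-Object { $trust.IssuanceTransformRules -notlike "*$_*" })
"Missing claim types: $($missing.Count)"

# "Permit all users" from the wizard is stored here; review who may obtain a token
$trust.IssuanceAuthorizationRules
```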
Troubleshooting:
Error message:
Figure 5: Error Message
Reason:
This indicates you are using a wrong certificate for the ADFS signing.
Solution:
Make sure the thumbprint in the web.config matches the one of the token-signing certificate in ADFS.
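One way to run this comparison from PowerShell, as an added example that is not vendor code. The web.config path is a placeholder and the attribute name thumbprint is an assumption about the addon's file; the AD FS thumbprint is read on the AD FS server with Get-ADFSCertificate and passed in.

```powershell
# Added example, not vendor code.
# On the AD FS server, read the token-signing thumbprint(s) first:
#   Get-ADFSCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary

function Get-NormalizedThumbprint([string]$Text) {
    # Keep hex digits only: drops spaces and invisible characters that are
    # often pasted along when a thumbprint is copied from the certificate dialog.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-ConfigThumbprint {
    param(
        [Parameter(Mandatory=$true)][string]$ConfigPath,
        [Parameter(Mandatory=$true)][string[]]$AdfsThumbprint
    )
    $wanted = @($AdfsThumbprint | ForEach-Object { Get-NormalizedThumbprint $_ })
    $xml    = [xml](Get-Content -LiteralPath $ConfigPath)
    # Assumption: the thumbprint is stored in an attribute named "thumbprint"
    foreach ($node in $xml.SelectNodes('//*[@thumbprint]')) {
        $raw  = $node.GetAttribute('thumbprint')
        $norm = Get-NormalizedThumbprint $raw
        New-Object psobject -Property @{
            Element       = $node.Name
            Raw           = $raw
            HasStrayChars = ($raw -ne $norm)         # case-insensitive comparison
            LengthOk      = ($norm.Length -eq 40)    # SHA-1 thumbprint = 40 hex digits
            MatchesAdfs   = ($wanted -contains $norm)
        }
    }
}

# Placeholders: replace with the addon's web.config and the value read on the AD FS server
Test-ConfigThumbprint -ConfigPath 'C:\path\to\addon\web.config' `
                      -AdfsThumbprint '<token-signing thumbprint from AD FS>'
```

A row with HasStrayChars set to True and MatchesAdfs set to True means the right certificate is referenced but the stored string contains extra characters, which is enough to make the comparison in the application fail.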
Error message:
Figure 6: Error Message
Reason:
This error could (also) indicate access rights problems with the certificate's private key (mainly an issue for self-signed certificates).
Solution:
Open your certificate store on the server (MMC, add the Certificates snap-in for the local computer) and find your HTTPS certificate. In the context menu, under All Tasks, select the Manage Private Keys option and grant access to everyone.
Checklist for general troubleshooting:
- Is the Setting WebApplicationPort still intact?
- Are there any non-http/https bindings in CRM?
- Are there any non-http/https bindings in the product website?
- Is the DNS correctly resolving the product's link?
- Has the ConnectionProfile been created with IFD as connection type?
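Several of these checklist items, together with the WebApplicationPort KeyValue format from the configuration step, can be checked in one pass on the CRM server. This is an added example, not vendor code; the KeyValue, domain and host names are the guide's sample values, and the IIS site name in $siteName is an assumption.

```powershell
# Added example, not vendor code. Replace the sample values with your own.
Import-Module WebAdministration
$keyValue = '4446|5557|true|activitytoolsserver|false'   # WebApplicationPort KeyValue
$domain   = 'rc1ifd.ptm-edv.at'
$crmHost  = "internalcrm.$domain"
$siteName = 'activitytoolsserver'                        # assumed IIS site name

function ConvertFrom-WebApplicationPort {
    param([Parameter(Mandatory=$true)][string]$Value)
    # Format: [httpsPort]|[httpPort]|[claimsbased]|[addonname]|[debugging]
    $f = $Value.Trim().Split('|')
    if ($f.Count -ne 5) { throw "Expected 5 '|'-separated fields, found $($f.Count)." }
    $ports = foreach ($p in $f[0], $f[1]) {
        $n = 0
        if (-not [int]::TryParse($p, [ref]$n) -or $n -lt 1 -or $n -gt 65535) {
            throw "'$p' is not a valid TCP port."
        }
        $n
    }
    foreach ($b in $f[2], $f[4]) {
        if ($b -notmatch '^(true|false)$') { throw "'$b' must be true or false." }
    }
    if (-not $f[3]) { throw 'The addon name field is empty.' }
    New-Object psobject -Property @{
        HttpsPort = $ports[0]; HttpPort = $ports[1]; AddonName = $f[3]
        ClaimsBased = ($f[2] -eq 'true'); Debugging = ($f[4] -eq 'true')
    }
}

$cfg       = ConvertFrom-WebApplicationPort $keyValue
$addonHost = "$($cfg.AddonName).$domain"
$bindings  = @(Get-WebBinding -Name $siteName)
# Ports of all https bindings on the addon site ("*:4446:" -> 4446)
$httpsPorts = $bindings | Where-Object { $_.protocol -eq 'https' } | ForEach-Object {
    if ($_.bindingInformation -match ':(\d+):[^:]*$') { [int]$Matches[1] }
}
# Addresses both names resolve to; the guide expects the CRM server's address
$addonIp = [Net.Dns]::GetHostAddresses($addonHost) | ForEach-Object { $_.IPAddressToString }
$crmIp   = [Net.Dns]::GetHostAddresses($crmHost)   | ForEach-Object { $_.IPAddressToString }

New-Object psobject -Property @{
    ClaimsBasedEnabled  = $cfg.ClaimsBased
    HttpsBindingMatches = ($httpsPorts -contains $cfg.HttpsPort)
    NonHttpBindings     = @($bindings | Where-Object { $_.protocol -notmatch '^https?$' } | ForEach-Object { $_.protocol })
    DnsMatchesCrm       = (@($addonIp | Where-Object { $crmIp -contains $_ }).Count -gt 0)
    MetadataUrl         = "https://${addonHost}:$($cfg.HttpsPort)/FederationMetadata/2007-06/FederationMetadata.xml"
}
```

MetadataUrl is the address to enter in the Add Relying Party Trust Wizard; it should open in a browser without certificate warnings.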
That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.