Thursday, June 26, 2008

MSCRM4 Configuration: Configure MSCRM Services to run under Domain User Account

The MSCRM services can be configured to run under a Domain User Account during installation, but the identity can also be changed after the installation has completed. The steps below cover the CRMAppPool identity: the local group memberships, the CRM security groups in Active Directory, the SQL Server login and the Kerberos service principal names (SPNs) that the new account needs.

1. Create a dedicated Domain User Account (e.g. MSCRM4Service) using Active Directory Users and Computers (dsa.msc). Use it for nothing else, give it a strong password, and do not add it to any administrative group; the steps below grant exactly the memberships it needs.

2. On the MSCRM Web Server, launch Internet Information Services (IIS) Manager, expand Application Pools, right-click CRMAppPool and select Properties. On the Identity tab, select Configurable and enter the Domain User Account and its password.



3. Add the Domain User Account to the local group (on the MSCRM Web Server): CRM_WPG (CRM Worker Process Group).



4. Add the Domain User Account to the local group (on the MSCRM Web Server): IIS_WPG (IIS Worker Process Group).



5. Add the Domain User Account as a member of the SQLAccessGroup in Active Directory. The group is named SQLAccessGroup {GUID}; if several CRM deployments share the forest, pick the group whose GUID belongs to this deployment.



6. Add the Domain User Account as a member of the PrivUserGroup in Active Directory. As with step 5, the group is named PrivUserGroup {GUID}; use the one with this deployment's GUID.



7. Create a Windows login for the Domain User Account in SQL Server.



8. Under User Mapping, map the login to the MSCRM_Config and Organization_MSCRM databases and assign the db_owner role in both.



9. Launch ADSI Edit (adsiedit.msc).
10. Expand the node Domain [Domain Name].
11. Under it, expand the node that starts with DC=.
12. Expand the node CN=Users.

13. Locate the Domain User Account created in step 1 (e.g. CN=MSCRM4Service), right-click it and select Properties.



14. Locate the attribute servicePrincipalName and click Edit. Register the HTTP service class for the CRM web server on this account, which is the SPN a browser requests a Kerberos ticket for when it talks to IIS:
• HTTP/HostName
• HTTP/HostName.FQDN (Fully Qualified Domain Name)
Do not register HOST/HostName entries on the user account: the HOST/ SPNs already belong to the server's computer account, and a duplicate SPN breaks Kerberos for the server. setspn -L DOMAIN\MSCRM4Service lists what is registered on the account.



15. Restart the MSCRM Server (at minimum, run iisreset so the CRMAppPool picks up the new identity).
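The same procedure as a script, added here as an example and not part of the original post or of the Microsoft Dynamics CRM product. It automates steps 2 to 8 and 14 from an elevated PowerShell prompt on the CRM web server, using the IIS 6 metabase ADSI provider, the WinNT/LDAP ADSI providers, sqlcmd and setspn. The domain name CONTOSO, the SQL server name SQL01, the organization database name and the account name are assumptions; running it needs rights to edit the CRM groups in Active Directory and sysadmin on the SQL instance.

```powershell
# Added example, not from the original post. Assumed names: adjust to the deployment.
$Domain    = "CONTOSO"
$Account   = "MSCRM4Service"
$CrmServer = $env:COMPUTERNAME
$SqlServer = "SQL01"
$OrgDb     = "Organization_MSCRM"

$Secure = Read-Host "Password for $Domain\$Account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Step 2: CRMAppPool identity. AppPoolIdentityType 3 = "Configurable" (specific user).
$pool = [ADSI]"IIS://localhost/W3SVC/AppPools/CRMAppPool"
$pool.Put("AppPoolIdentityType", 3)
$pool.Put("WAMUserName", "$Domain\$Account")
$pool.Put("WAMUserPass", $Plain)
$pool.SetInfo()
$Plain = $null

# Steps 3-4: local worker-process groups on the web server.
foreach ($g in "CRM_WPG", "IIS_WPG") {
    ([ADSI]"WinNT://$CrmServer/$g,group").Add("WinNT://$Domain/$Account,user")
}

# Steps 5-6: the CRM groups carry the deployment GUID in their name, so search by
# prefix and stop if more than one deployment's group matches.
$user = (New-Object System.DirectoryServices.DirectorySearcher(
            "(&(objectClass=user)(sAMAccountName=$Account))")).FindOne()
if ($user -eq $null) { throw "Account $Account not found in the domain." }
foreach ($prefix in "SQLAccessGroup", "PrivUserGroup") {
    $hits = (New-Object System.DirectoryServices.DirectorySearcher(
                "(&(objectClass=group)(cn=$prefix {*}))")).FindAll()
    if ($hits.Count -ne 1) {
        throw "Expected one $prefix group, found $($hits.Count): pick the GUID for this deployment."
    }
    ([ADSI]($hits[0].Path)).Add($user.Path)
}

# Steps 7-8: Windows login plus db_owner in both CRM databases, as the post prescribes.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = '$Domain\$Account')
    CREATE LOGIN [$Domain\$Account] FROM WINDOWS;
"@
foreach ($db in "MSCRM_Config", $OrgDb) {
    $sql += @"

USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = '$Domain\$Account')
    CREATE USER [$Domain\$Account] FOR LOGIN [$Domain\$Account];
EXEC sp_addrolemember 'db_owner', '$Domain\$Account';
"@
}
$tmp = [IO.Path]::GetTempFileName()
$sql | Set-Content $tmp
sqlcmd -S $SqlServer -E -i $tmp
Remove-Item $tmp

# Step 14: HTTP SPNs on the account. setspn -S (Server 2008 and later) refuses to
# create a duplicate SPN, the usual reason Kerberos fails after this change.
$fqdn = [System.Net.Dns]::GetHostEntry($CrmServer).HostName
setspn -S "HTTP/$CrmServer" "$Domain\$Account"
setspn -S "HTTP/$fqdn"      "$Domain\$Account"
setspn -L "$Domain\$Account"

# Step 15, the lighter form: recycle IIS so the pool runs as the new account.
iisreset
```

The DirectorySearcher filter uses the cn prefix plus a brace wildcard precisely because the group name embeds the deployment GUID; a forest with two CRM deployments has two SQLAccessGroup objects, and the script refuses to guess between them rather than granting SQL access for the wrong one.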

Friday, June 13, 2008

MSCRM4 Configuration: Configure IIS to support both Kerberos and NTLM protocols

To ensure that IIS supports both Kerberos and NTLM, the NTAuthenticationProviders metabase property must be set to "Negotiate,NTLM". Negotiate is the scheme that carries Kerberos; a client that cannot obtain a ticket falls back to NTLM inside Negotiate, and the trailing NTLM entry serves clients that do not support Negotiate at all. The order matters: IIS offers the schemes in the listed order, so "NTLM,Negotiate" makes browsers pick NTLM even when Kerberos would have worked.

By default the NTAuthenticationProviders property is not defined when IIS is installed, and an undefined property behaves as "Negotiate,NTLM". It therefore only needs to be configured when the default has been overridden, for example with "NTLM" alone, which silently disables Kerberos for that site.

To check the current value of the NTAuthenticationProviders metabase property:

1. Launch Internet Information Services (IIS) Manager and note the Web Site ID (the Identifier column) of the CRM web site:



2. Start a command prompt.
3. Go to the directory C:\Inetpub\Adminscripts.
4. Enter the following command, replacing <WebSiteID> with the ID noted in step 1:
cscript adsutil.vbs get w3svc/<WebSiteID>/root/NTAuthenticationProviders

If the NTAuthenticationProviders metabase property has not been configured, the result is:
The parameter "NTAuthenticationProviders" is not set at this node.
Otherwise the configured value is shown, for example:
NTAuthenticationProviders : (STRING) "Negotiate,NTLM"

To configure the NTAuthenticationProviders metabase property to support both Kerberos and NTLM (Negotiate):
• At the command prompt, go to the directory C:\Inetpub\Adminscripts and enter the command cscript adsutil.vbs set w3svc/<WebSiteID>/root/NTAuthenticationProviders "Negotiate,NTLM"

To remove the value of the NTAuthenticationProviders metabase property (IIS then reverts to the default):
• At the command prompt, go to the directory C:\Inetpub\Adminscripts and enter the command cscript adsutil.vbs delete w3svc/<WebSiteID>/root/NTAuthenticationProviders
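Checking one site by hand is fine for a single CRM server; the script below, added here as an example and not part of the original post, audits every web site on the server with the same adsutil.vbs call and flags the two overrides that matter: an NTLM-only value (Kerberos disabled) and NTLM listed before Negotiate (NTLM preferred). It assumes the default C:\Inetpub\Adminscripts path and the IIS 6 ADSI provider for enumerating site IDs.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the web server.
$adsutil = "C:\Inetpub\Adminscripts\adsutil.vbs"

# Returns $null when the property is not set at the site root (IIS default applies),
# otherwise the configured string, using the same adsutil.vbs output the post shows.
function Get-NtAuthProviders([string]$SiteId) {
    $out = cscript //nologo $adsutil get "w3svc/$SiteId/root/NTAuthenticationProviders" 2>&1 | Out-String
    if ($out -match 'is not set at this node') { return $null }
    if ($out -match '"([^"]*)"')               { return $Matches[1] }
    throw "Unexpected adsutil output for site ${SiteId}: $out"
}

$sites = ([ADSI]"IIS://localhost/W3SVC").Children |
    Where-Object { $_.SchemaClassName -eq "IIsWebServer" }

foreach ($site in $sites) {
    $id    = $site.Name
    $value = Get-NtAuthProviders $id
    $shown = if ($value -eq $null) { "(not set; default Negotiate,NTLM)" } else { $value }
    $state = "OK"
    if ($value -ne $null) {
        if ($value -notmatch '\bNegotiate\b') {
            # Kerberos is only ever carried by Negotiate; without it the site is NTLM-only.
            $state = "WARN: Kerberos disabled (NTLM only)"
        } elseif ($value -notmatch '^\s*Negotiate') {
            # IIS challenges with the schemes in listed order, so NTLM first means NTLM wins.
            $state = "WARN: NTLM offered before Negotiate"
        }
    }
    "{0,-4} {1,-30} {2,-40} {3}" -f $id, $site.ServerComment, $shown, $state
}
```

A clean server prints every site as "(not set; default Negotiate,NTLM)"; any WARN line is a site where the default has been overridden and Kerberos authentication to CRM will not happen, whatever the SPNs and app pool identity look like.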
Authentication Test Page

A page such as the one below can be used to test which authentication mode is being used for the connection. Note that AUTH_TYPE reads "Negotiate" whether Kerberos or NTLM was negotiated under it; the Authorization header tells them apart, since a Kerberos (SPNEGO) token base64-encodes to "YII..." and an NTLM token to "TlRMTVNT..." (base64 of "NTLMSSP"). The page echoes the client's raw authentication token, so remove it from the server once testing is done:


<%@ Page Language="C#" %>
<html>
<head>
<title>Authentication test</title>
</head>
<body>
<%= "LOGON_USER: " + Request.ServerVariables["LOGON_USER"] + "<br>" %>
<%= "AUTH_USER: " + Request.ServerVariables["AUTH_USER"] + "<br>" %>
<%= "AUTH_TYPE: " + Request.ServerVariables["AUTH_TYPE"] + "<br>" %>
<%= "HTTP_Authorization: " + Request.ServerVariables["HTTP_AUTHORIZATION"] + "<br>" %>
<%
    // AUTH_TYPE is "Negotiate" for both Kerberos and NTLM-under-Negotiate, so classify
    // the token itself: a Kerberos/SPNEGO blob base64-encodes to "YII...", a raw
    // NTLMSSP message to "TlRMTVNT..." (base64 of "NTLMSSP").
    string auth = Request.ServerVariables["HTTP_AUTHORIZATION"] ?? "";
    string mech = "none";
    if (auth.StartsWith("Negotiate YII")) mech = "Kerberos";
    else if (auth.StartsWith("Negotiate TlRMTVNT") || auth.StartsWith("NTLM ")) mech = "NTLM";
%>
<%= "Mechanism: " + mech + "<br>" %>
</body>
</html>