CRM IFD/ADFS and BizTalk: the underlying story

I have recently been working on a large CRM installation, configuration and deployment for emergency management applications. Apart from following the best practices and the knowledge others have shared, we still had many hiccups, and I am sure people working on large implementations have faced similar stories. As the linking pin between the development teams and the infrastructure teams I really enjoyed the situation, with plenty of stress from both sides 🙂

The initial implementation was done using this guide:

Step by Step Guide

After the initial configuration we realised that in a multiple-server deployment you have to be very careful about a few key things.

  • Ensure that the server name is different from the organisation name.
  • Do not use any kind of host header if you are behind a load balancer.
  • Make sure the servers are configured as a web farm, sharing the same machineKey.
  • The ADFS federation metadata must be refreshed every time you add a new organisation to the picture.
  • Wildcard certificates must be used by CRM, by the load balancer and by any web API component used with the CRM interface. For example, if you have a custom component that uses a non-CRM OData service, that OData service must also be on HTTPS, otherwise the calls from the HTTPS-served CRM pages fail.
  • Make sure you do not have multiple host headers on the CRM website, because CRM does not support them.
  • Once configured, and if you are using a load balancer, make sure communication between the servers (BizTalk and CRM) is done via claims, otherwise ….

A few activities that had to be done:

  • Configuration of CRM to handle claims tokens rather than Windows security tokens.
  • Modification of the integration endpoints, in this case the BizTalk proxy services and web services.
  • Enabling SSL on the servers to encrypt data in transit and avoid web reference errors.
  • Configuration of the CRM front-end websites and developer services.
  • Fixes to support BizTalk integration with CRM when CRM is on ADFS.
  • Optimisation of the web servers to support stateless web requests rather than relying on an NTLM token.
  • Modification of the JavaScript that refers to the web API, because it now needs to communicate over a secure channel rather than plain HTTP.
  • Renaming of CRM organisations to support the new DNS changes.

BizTalk's handling of ADFS is different from its handling of Windows-based authentication. The long list of configuration steps and the manual tweaking of the configuration take a lot of time because of the complexity of authentication at the integration level.

Stack Overflow link for the config

The F5 was not initially configured to work without host headers, so on the client team's suggestion we added multiple host headers. Microsoft Dynamics CRM does not support multiple host headers because of the way the developer tools register against the site. A natural alternative is to add multiple sites to CRM to work around the problem; however, during smoke testing we realised that Microsoft Dynamics CRM does not support multiple host headers and logical websites for security reasons, so we had to remove the host headers. That caused issues propagating requests to the target server: since a single load balancer is used for multiple applications, DNS has to do the routing and must be set up correctly.

After resolving the initial load balancer issues we performed a second smoke test and realised that reports were not working. A detailed investigation showed that the web servers were missing the configuration needed for a web farm environment. To run multiple CRM front-end servers you need a network load balancer in front of them, and the servers must be configured so that every node can validate and decrypt the same web request no matter which node issued the original response. In practice that means every node must share the same machineKey.
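The following is an added example of how to set up that shared machineKey; it is not from the original post or from Microsoft. It generates one validation key and one decryption key with a cryptographically strong random source and writes the same pair into the CRM web.config on every front-end node. The server names, the web.config path and WinRM connectivity are assumptions; the key sizes match HMACSHA256 (64 bytes) and AES-256 (32 bytes).

```powershell
# Added example: generate one <machineKey> and apply it to every CRM front-end
# node's web.config so that any node can validate and decrypt ViewState,
# authentication cookies and similar payloads issued by another node.
# Assumptions: server names, web.config path and WinRM access are placeholders.

function New-MachineKeyHex {
    param([int]$Bytes)
    # Cryptographically strong random bytes; never hand-type or reuse keys
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

# 64-byte validation key for HMACSHA256, 32-byte decryption key for AES-256
$validationKey = New-MachineKeyHex -Bytes 64
$decryptionKey = New-MachineKeyHex -Bytes 32

$servers   = @('crmfe01', 'crmfe02')                                      # assumed node names
$webConfig = 'C:\Program Files\Microsoft Dynamics CRM\CRMWeb\web.config'  # assumed path

foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ArgumentList $webConfig, $validationKey, $decryptionKey -ScriptBlock {
        param($path, $vk, $dk)
        # Keep a timestamped backup before touching the config
        Copy-Item $path "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        [xml]$cfg = Get-Content $path
        $sysWeb = $cfg.configuration.'system.web'
        if (-not $sysWeb) { $sysWeb = $cfg.configuration.AppendChild($cfg.CreateElement('system.web')) }
        $mk = $sysWeb.machineKey
        if (-not $mk) { $mk = $sysWeb.AppendChild($cfg.CreateElement('machineKey')) }
        # Identical values on every node are what make the farm work
        $mk.SetAttribute('validationKey', $vk)
        $mk.SetAttribute('decryptionKey', $dk)
        $mk.SetAttribute('validation', 'HMACSHA256')
        $mk.SetAttribute('decryption', 'AES')
        $cfg.Save($path)
    }
}
```

Treat the generated keys as secrets: anyone holding them can forge the tokens they protect, so do not commit the script output or the web.config to source control, and rotate the pair on every node at once if it leaks.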

A CRM server and a CRM organisation cannot have the same name because of a limitation in the metadata configuration. The problem is not observed with a single server because all DNS entries point to that server. In a load balanced environment, however, a request can be routed to any of the physical servers, resulting in a failed response. The problem is not documented in the Microsoft knowledge base; we discovered it when external applications such as BizTalk and web services were calling for data. The server returns an internal server error (500) without any details. After trying different workarounds, we finally suggested that the client team change the organisation name. Every change of an organisation name requires at least the following activities:

  • Removing and importing the SQL organisation with the new name, which can take time depending on the database size.
  • Configuration changes to SPNs and DNS, a dependency on the client side.
  • Refreshing the organisation metadata in ADFS, a dependency on the client side.
  • Configuration of the load balancer to support the new DNS names, a dependency on the client side.
  • Changes to the JavaScript, web API and BizTalk, with smoke testing.


Measures for future steps:

Configuring IFD and ADFS is itself a complex process that requires a lot of communication between all stakeholders and a list of configuration steps on multiple servers. A change in the underlying security layer always has a major impact. As of today, things seem to be working as configured, and we have an internal checklist that can be used to reduce the time and effort in future.


The trust relationship between this workstation and the primary domain failed

Much time has been wasted by many people on this in the past; now it can be resolved quickly.
Typically this happens when you clone a VM, or when two VMs with the same name are joined to a single AD domain.
Steps: rename the new server and restart, then:

  1. Log on as the local administrator using .\administrator and its password.
  2. Open PowerShell in "Run as administrator" mode.
  3. $credential = Get-Credential (enter a domain admin account when prompted)
  4. In another command prompt, find the domain controller's name using nbtstat -a <target IP> or ping -a <target IP>.
  5. Reset-ComputerMachinePassword -Server [ClosestDomainControllerNameHere] -Credential $credential
  6. Enjoy.
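The steps above put together, as an added example that is not part of the original post: it first tests the secure channel, only resets the machine account password when the test fails, and falls back to a channel repair. The domain controller name is a placeholder, and the cmdlet parameters used require Windows PowerShell 3.0 or later.

```powershell
# Added example: verify and repair this server's machine-account secure channel
# to the domain, from an elevated PowerShell session on the affected server.
# Assumptions: logged on as the local administrator; 'DC01.corp.example' is a
# placeholder for the nearest domain controller (nbtstat -a <ip> or
# nltest /dsgetdc:<domain> will tell you the real one).

$domainCred = Get-Credential -Message 'Domain account allowed to reset the computer password'
$dc = 'DC01.corp.example'   # assumed domain controller name

# Returns $true when the channel is healthy, $false when the trust has failed
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host 'Secure channel is healthy; nothing to do.'
} else {
    # Rewrites the machine account password both in AD and in the local LSA secret
    Reset-ComputerMachinePassword -Server $dc -Credential $domainCred

    # Re-test; -Repair additionally rebuilds the channel if the reset alone is not enough
    if (-not (Test-ComputerSecureChannel -Server $dc)) {
        Test-ComputerSecureChannel -Repair -Server $dc -Credential $domainCred
    }
    Restart-Computer -Confirm
}
```

The credential matters: the reset is done over the network with the domain account you supply, not with the broken machine account, which is why the local-administrator logon in step 1 is only there to get you a session on the box.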

History of Automation

Today I came across this article, thanks to Ruan for sharing such a nice piece of information. It has a correlation with release automation.

Noon Gun
The Noon Gun has been a historic time signal in Cape Town, South Africa since 1806. The gun is situated on Signal Hill, close to the center of the city.
Source: Wikipedia

And the first ever bug in the process was not a bug, it was a spider:

After the advent of the galvanic telegraph, it became possible to trigger a gun remotely, and since 1864 the Noon Gun has been fired from the master clock of the oldest timekeeper in the country, the South African Astronomical Observatory. One day in June 1895 the gun fired at 10:30 rather than 12:00 when a spider interfered with the relay used to remotely fire the gun.

Things to Remember during SQL Server HA Configuration

I recently configured a SQL Server high availability cluster in AWS. The process was smooth and I followed the documentation provided; however, these are the things to remember when configuring HA in AWS:

  1. Make sure your cluster quorum witness is on a separate host in a different security zone, to ensure failover still works when a node fails.
  2. Each HA cluster needs entries in the primary DNS server so that parallel requests are processed; however, the normal TTL is 300 seconds, which means the secondary server will not be reachable by name until 5 minutes after the last failover. This can cause real confusion during testing and configuration, so keep the TTL to a minimum.
  3. Make sure your nodes are joined to the domain; this lets you use a single user and permission level across all machines.
  4. The thing I forgot during deployment was binding multiple IP addresses to the private network subnet. Without that setting the listener is unable to communicate from the other network locations.
  5. Make sure port 1433 is open from all security zones, and ports 137 and 139 (plus 445, which SMB uses on current Windows versions) are open between the nodes and the quorum witness.
  6. Open TCP ports 1433, 1434, 4022, 5022 and 135 in the Windows Firewall.
  7. For the cluster IP resources make sure the static IP option is selected; by default it is dynamic, and with dynamic IPs your cluster will stay offline.
  8. Ensure the required databases use the Full recovery model:
    1. SELECT name, recovery_model_desc FROM sys.databases
  9. Check DNS to ensure all availability group listener (e.g. AG1-Listener) IP addresses are listed.
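An added example, not part of the original post, that turns the checklist above into a pre-failover check you can run from a cluster node: ports to the other nodes and the witness, listener DNS records and their TTL, static versus DHCP cluster IPs, and the recovery model query. The node names, listener name and witness address are placeholders; it assumes the FailoverClusters and SqlServer (or SQLPS) modules and Test-NetConnection (PowerShell 4.0 or later) are available.

```powershell
# Added example: pre-failover checks for a SQL Server availability group.
# Assumptions: node names, listener name and witness address are placeholders.

Import-Module FailoverClusters
$nodes    = @('sqlnode01', 'sqlnode02')   # assumed cluster nodes
$listener = 'AG1-Listener'               # assumed AG listener name
$witness  = '10.0.3.10'                  # assumed file-share witness host

# 1. SQL/cluster ports reachable from this node to every other node
$sqlPorts = 135, 1433, 1434, 4022, 5022
foreach ($n in $nodes) {
    foreach ($p in $sqlPorts) {
        $ok = (Test-NetConnection -ComputerName $n -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0}:{1} {2}" -f $n, $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
# SMB to the witness share: NetBIOS session (139) and direct SMB (445)
foreach ($p in 139, 445) {
    $ok = (Test-NetConnection -ComputerName $witness -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "witness:{0} {1}" -f $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 2. The listener must resolve to every IP it was given (one per subnet); note the TTL
Resolve-DnsName -Name $listener -Type A | Select-Object Name, IPAddress, TTL

# 3. Cluster IP resources must be static or the cluster stays offline
Get-ClusterResource | Where-Object { $_.ResourceType.Name -eq 'IP Address' } | ForEach-Object {
    $dhcp = (Get-ClusterParameter -InputObject $_ -Name EnableDhcp).Value
    "{0}: EnableDhcp={1}" -f $_.Name, $dhcp
}

# 4. Any user database not in FULL recovery cannot join the availability group
Invoke-Sqlcmd -ServerInstance $listener -Query @"
SELECT name, recovery_model_desc
FROM sys.databases
WHERE database_id > 4 AND recovery_model_desc <> 'FULL';
"@
```

For the TTL in item 2, the knob on the SQL side is the HostRecordTTL cluster parameter on the listener's network-name resource (default 1200 seconds), which Set-ClusterParameter can lower; the Resolve-DnsName output above shows what clients actually see after the change propagates.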

CRM 2013 legacy CRM web services: An unexpected error occurred.

Today I was trying to run a legacy application our team used to create new leads in CRM from a website. However, every request I sent came back with a lot of errors. I tried every possibility without success and kept getting the following message:


0x80040216   An unexpected error occurred.   Platform

On further investigation I reached the point where I got the following error:

System.Web.Services.Protocols.SoapException: The Microsoft Dynamics CRM 4.0 (2007) Web service endpoint is not supported in this release

This error led me to the resolution of my problem. Actually:

The 2007 service endpoint was deprecated in the Microsoft Dynamics CRM 2011 release. Extensions that use the 2007 endpoint will not be supported and will not work in the next major release of Microsoft Dynamics CRM. Note the following more detailed information:

  • Microsoft Dynamics CRM Online customers using the Microsoft account identity provider can continue to use extensions that require the 2007 endpoint after upgrade. However, prior to the transition of your organization to Microsoft online services (MOS), you will need to upgrade or remove those extensions that require the 2007 endpoint. For more information about this transition, refer to the Microsoft Dynamics CRM Transition Center.
  • Microsoft Dynamics CRM Online customers using the Microsoft online services (MOS) identity provider will see no change in service. The 2007 endpoint has not been supported in organizations using the MOS identity provider.
  • When Microsoft Dynamics CRM 2011 on-premises and IFD customers try to upgrade their server to the next major release of Microsoft Dynamics CRM, the upgrade process will detect extensions that are using the 2007 endpoint or legacy Microsoft Dynamics CRM 4.0 features. If any of these extensions are found, the Environmental Diagnostic Wizard will report an error and you will not be able to continue the upgrade until those extensions are removed or upgraded to use the 2011 endpoint.

This simply means we have to upgrade our application to the 2011 endpoint to meet Microsoft's new standards.

IIS 7.0 and 7.5 not rendering CSS files or other static content

During a deployment of a custom ASP.NET application for a client today, IIS 7 refused to serve external CSS files correctly, just spitting out Error 500 or blank content. This happens because IIS 7 and 7.5 do NOT serve static content by default, which is a little surprising but not completely unexpected.
To fix this on Windows Server 2008:

1. Open Start – Administrative Tools – Server Manager on the front-end web server in question.
2. Select Web Server (IIS) under Roles.
3. Click on "Add Role Services".

4. Enable the "Static Content" checkbox.
5. In IIS 7, click on the website and double-click Handler Mappings.

6. Right-click on "StaticFile" and click "Edit".

7. In the Module field add "StaticFileModule,DefaultDocumentModule" and click OK.
8. DONE – FIXED!

The official support document for this on the MS site can be found here:
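The same fix scripted, as an added example that is not part of the original post: it installs the Static Content role service, checks the StaticFile handler mapping on the site and binds it to the IIS default module list, then requests a stylesheet to confirm a 200 with a text/css content type. The site name and the CSS path are assumptions; Add-WindowsFeature needs Server 2008 R2 (use Install-WindowsFeature on 2012 and later) and Invoke-WebRequest needs PowerShell 3.0 or later.

```powershell
# Added example: enable static content in IIS 7.x and verify the StaticFile handler.
# Run from an elevated prompt. Assumptions: site name and CSS path are placeholders.

Import-Module ServerManager
Add-WindowsFeature Web-Static-Content      # Install-WindowsFeature on Server 2012+

Import-Module WebAdministration
$site   = 'Default Web Site'               # assumed site name
$psPath = "IIS:\Sites\$site"
$filter = "system.webServer/handlers/add[@name='StaticFile']"

$handler = Get-WebConfiguration -Filter $filter -PSPath $psPath
if (-not $handler) { throw 'StaticFile handler mapping is missing on this site' }

# Step 7 of the manual fix: make sure StaticFileModule is in the handler's module list
if ($handler.modules -notmatch 'StaticFileModule') {
    Set-WebConfigurationProperty -Filter $filter -PSPath $psPath -Name modules `
        -Value 'StaticFileModule,DefaultDocumentModule,DirectoryListingModule'   # IIS default list
}

# Verify: a stylesheet should come back as 200 text/css rather than 500 or empty
$r = Invoke-WebRequest -Uri 'http://localhost/Content/site.css' -UseBasicParsing   # assumed path
"{0} {1} ({2} bytes)" -f $r.StatusCode, $r.Headers['Content-Type'], $r.RawContentLength
```

Enabling the StaticFile handler means IIS will hand out any file under the site root that is not claimed by another handler, so keep secrets, backups and config files outside the content directory or covered by request filtering.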


CRM 2011 Virtualization, Replica and IFD Guide

Recently I have been working on an activity to virtualise a live CRM server and then create a replica of it to start the internet-facing deployment. Things are still in progress, but I am trying to share as much as I can along the way. First of all, I would recommend not changing the name of the CRM server machine: if you change the name you have to change the SQL Server instance name (using the sp_dropserver and sp_addserver commands I shared in a previous post) and then reinstall CRM Server 2011, and if your machine has traces of a previous CRM Server version it just goofs up: it does not register any of the assemblies the installer is supposed to register. The following are the steps I have done so far, and by this point I have been able to see the CRM Server interface.

1. Make a copy of the production VM and do the IFD work on it; that is the only scenario in which you can reduce the downtime.
2. Change the machine name, because if both machines come up live at the same time it will just mess up your production environment. If you have already made that mistake, delete the machine account from AD and rejoin the production machine, making sure you have already changed the name of the new machine.
3. From this point onwards all discussion is focused on the new machine, so don't get confused.
4. Uninstall CRM Server, because CRM will not work once its machine name has changed.
5. Check whether the SQL Server instance name reflects the new machine name using PRINT @@SERVERNAME.
6. If it is not the new name, run sp_dropserver with the old name and then sp_addserver with the new name and 'local' on your SQL Server instance. The new name will not show up until you restart the machine.
7. Once restarted, go to SQL Server Reporting Services Configuration and check whether the Report Server and Report Manager URLs are updated; if not you have to change these names, otherwise the CRM installation will not proceed.
8. Once the report server URL is changed it is better to restart your machine again. Once it is back, proceed with the installation.
9. Install CRM Server 2011 and import the organisation. Make sure you install the Update Rollups that were installed previously; if not, your organisation will not import.
10. Since you are now going live it is better to roll up to the latest version, which is now Rollup 8. I am planning to do that shortly.
11. However, when I tried to access the CRM website I realised I might have made a big mistake, because I had no clue what was happening: it was not working.
12. Finally I concluded that I had to re-register all the assemblies in the GAC, because each time I was getting a method not found exception, which simply means the calling DLL/assembly is not registered. I wrote a simple batch file for the purpose, shown below.
   FOR %%a IN ("D:\Program Files\Microsoft Dynamics CRM\CRMWeb\bin\*.dll") DO GACUTIL /i "%%a"
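Steps 5, 6 and 12 in one script, as an added example that is not part of the original post: it compares @@SERVERNAME with the machine's current name, runs sp_dropserver/sp_addserver only when they differ (handling the NULL you get after a drop without a restart), and then re-registers the CRM web assemblies with gacutil. It assumes a default SQL instance with Windows authentication, the CRM bin path from the batch file above, and a placeholder gacutil.exe path.

```powershell
# Added example: fix the SQL Server name after renaming the cloned CRM machine,
# then re-register the CRM web assemblies in the GAC.
# Assumptions: default local instance, Windows auth, placeholder gacutil path.

$expected = $env:COMPUTERNAME
$row      = Invoke-Sqlcmd -ServerInstance '.' -Query 'SELECT @@SERVERNAME AS n'
$current  = "$($row.n)"   # DBNull (server already dropped) becomes an empty string

if ($current -ne $expected) {
    if ($current) {
        # Drop the stale name first; sp_addserver refuses to add a second 'local' server
        Invoke-Sqlcmd -ServerInstance '.' -Query "EXEC sp_dropserver '$current';"
    }
    Invoke-Sqlcmd -ServerInstance '.' -Query "EXEC sp_addserver '$expected', 'local';"
    Write-Warning "Restart the SQL Server service (or the machine) before @@SERVERNAME reports $expected"
}

# Re-register the CRM web assemblies; gacutil only accepts strong-named assemblies,
# so any failure here points at a DLL that was never meant to be in the GAC
$gacutil = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\gacutil.exe'   # assumed SDK path
Get-ChildItem 'D:\Program Files\Microsoft Dynamics CRM\CRMWeb\bin\*.dll' | ForEach-Object {
    & $gacutil /nologo /i $_.FullName
}
```

Run the SQL part before the Reporting Services step, because the report server URLs that the CRM installer checks are derived from the name SQL Server reports after the restart.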

Now I am going to install the rollups. At the same time I have created a new machine for the ADFS deployment, on which I have configured IIS and installed SQL Server 2008 R2. I will try to keep everyone updated.