Monday, 26 May 2014

Configure Claim Based authentication in Ms Dynamics CRM 2013 using ADFS 3.0 ( Windows Server 2012 R2) part 2

On part 1, I described how to install and configure ADFS on a Windows 2012 R2 server and in this post I will describe how to configure Ms Dynamics CRM 2013 to use claim based authentication.

  • A wildcard certificate with private key installed.
The first step is to ensure that the Ms Dynamics CRM 2013 website is configured to use HTTPS, so from the IIS Manager (Windows Key + R -> inetmgr):

Add New Binding
Note that IIS will display the certificate friendly name here, you can always click view to ensure that you have the correct certificate here.

Click Ok and then Click Close.
Ms Dynamics CRM 2013 should now be available on HTTPS :)

Now we need to ensure that the service account for the CRM website, i.e. the account that run CRMAppPool, has access to the private key of the wildcard certificate, so from a certificate console  (Windows Key + R -> mmc -> ctrl + M -> Certificates -> Computer Account):

Note how because I'm using Network Service to run the CRMAppPool, that is the account that needs to be able to read the private key.

The next step is to configure Ms Dynamics CRM 2013 for Claim based authentication.
First we need to ensure that the binding type is set to HTTPS.

From the Deployment Manager.

Set Binding Type to HTTPS (There is no need to have the port number)

Make sure you that you click Apply.

Click on Configure Claim Based Authentication and follow the wizard.

It is possible to copy the URL for the relying party by opening the log file and scrolling down to the bottom of the file.
From the ADFS server, start the ADFS Management Console (Server Manager -> Tools -> AD FS Management). We need to ensure that Forms Authentication will be allowed from the internal network. Click on Authentication Policies, then on Edit.

Tick Forms Authentication and click Ok.

 A claim rule is needed to obtain the UPN from the Active Directory domain, so from Claim Provider Trust, select Active Directory and click on Edit Claim Rules..

Click Add Rule

We are now ready to add a relying party trust, so on the Relying Party Trust menu, click on Add Relying Party Trust.

Note how this is the URL the Claims Based authentication wizard tells us to use for configuring a relying trust, it's https://<FQDN>/FederationMetadata/2007-06/FederationMetadata.xml.

Once the wizard completes (just click Next until you get to the end), it is necessary to add three Issuance Transform Rules.

A Pass Through Rule for UPN:

A Pass Through Rule for Primary SID:

A Transform  Rule for Windows Account Name:

At this point I hit another snag. I tried to add a new user with UPN format, e.g. sts@taleb.local and I had this error:

The solution was to turn Auto Group Management Off, which is done via a registry key:


Default value is 0, i.e. Auto Group Management is On

It can be turned off by setting it to 1.
Having done this, I was able to add a new user in UPN format and successfully sign in:

Configure Claim Based authentication in Ms Dynamics CRM 2013 using ADFS 3.0 ( Windows Server 2012 R2) part 1

I decided to set up a dev environment on my shiny new laptop for those rare occasions when I'm on the road without access to the office servers.

I thought it would be a breeze but there are a few gotchas, so I thought I would document the process here. On part 1 I describe how to install and test ADFS on Windows 2012 R2 and in part 2, I describe how to configure Ms Dynamics CRM 2013 to use claim based authentication.

  • A working installation of MS Dynamics CRM 2013.
  • A wildcard certificate with private key.
  • A separate server for ADFS.
  • A domain account with domain administrator privileges.
  • Host (A) Record on DNS Server for Federation Server Name.
If you don't have a wildcard certificate, the simplest way to generate one is by using IIS Manager, see this for details.

It is possible to host ADFS on the same server as Dynamics and since ADFS doesn't use IIS anymore (I think, I'm not 100% sure on this), there are no requirements for ADFS to be on the default site, however, you will need to have different host headers for ADFS and MS Dynamics CRM 2013.

Installing ADFS is really simple, just run a PowerShell console with elevated permissions (i.e. Run as Administrator) then run the following commands:
Import-Module ServerManager

Add-WindowsFeature -Name ADFS-Federation

You should see something like this:

I will configure it through the GUI rather than with the PowerShell command as it should make a few things clearer.

On the Server Manager Dashboard click on Notifications and then on configure the federation service on this server.
This will bring up the ADFS Configuration Wizard.

Accept the default and click Next.

If the account you are logged in to the server with has the correct privileges then click Next, otherwise change the account and press Next.

If the wildcard certificate is already installed then there is no need to import it, just selected from the drop down menu.

It's worth stressing here that the Federation Service Name MUST be different from the FQDN of the server. The reason for this is that the following SPN will be set against the service account:
host/Federation Service Name 
In my example it will be:
If this is the same as the FQDN of the server, this SPN will not be set as it's already set against the server account and ADFS will not work correctly.

As I said on the pre-reqs, an A Record is needed for this name in your DNS Server.

Select the Service Account and Click Next.

Accept the default and click Next.

I've skipped the Confirm Overwrite step as I've had to do it agains to take the screenshots. Anyway, at this point you can see the script that can be use to reproduce the GUI installation.

Click Configure and after a short while, you should then see this screen:

Time to ensure that ADFS is working correctly.

 On clicking Sign In, you'll get a prompt like this:

And now you've signed in to ADFS :)

This part has mostly concentrated on ADFS, in part 2 I discuss how to configure Ms Dynamics CRM 2013 for claims based authentication.

Monday, 19 May 2014

Do NOT change signing key for workflow library in MS Dynamics CRM

In my last post I discussed how to build in Jenkins a library signed by a password protected key, I noted that it would be unnecessary to do the whole procedure if password less signing was used, which is what I did last week.

Unfortunately, I did not have the foresight of testing it (hangs head in shame) so today I had to scramble to get back the old key and re-sign the assembly as with the new key I could not update the assembly.

So DO NOT change the signing key of your custom workflow assemblies, same thing applies to plug-ins by the way.

Monday, 12 May 2014

Cannot import the keyfile myfile.pfx - error 'The keyfile may be password protected'

I've been doing some work to use Jenkins for CI and last week when we added our first plug-in (MS Dynamics CRM) to the project, the build broke.

Plug-ins are libraries that need to be strongly signed so I had added a password protected signing key, which is just a PKCS#12 certificate, myfile.pfx.

This is the error I got:
Cannot import the following key file: myfile.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_A422D1337C0DEFF95
The solution was quite simple, I installed the key in the Jenkins server:
sn -i myfile.pfx VS_KEY_A422D1337C0DEFF95
sn is the .NET Framework Strong Name Utility and can be found here:

C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\sn.exe

Since I try to keep the build server as clean as possible, I just copied the tool to the server, be sure to copy the 1033 folder too.

Note that if you don't use password protected signing keys this problem will not occur.

Monday, 5 May 2014

Generating Federation Metadata for ADFS WCF Services with FedUtil

Fedutil is probably one of the worst tools ever produced by Microsoft, it is used to generate Federation Metadata for claim authenticated Web services.

I say it's one of the worst tools because it fails rather a lot, which is fine, but sometimes it's tricky to work out why it's failing.

At any rate, Fedutil comes with the WIF SDK and MUST be run with elevated permissions.

The first thing to note is that the certificate in the behaviours section of your web.config, see below, must be installed, with private key in the machine you are running Fedutil from.

Another interesting tidbit is that the Endpoint address needs to be populated and finally, if you are encrypting your appSettings section decrypt it first.

If you have done all the above then it's just a simple case of running:
 fedutil /u <pathtoconfigfile>
This will generate your federation metadata file.

Sample configuration file below
<?xml version="1.0"?>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net, Version=, Culture=neutral, PublicKeyToken=1b44e1d426115821"/>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    <appender name="RollingLogFileAppender" type="log4net.Appender.RollingFileAppender">
      <param name="File" value="WorkingHours.log"/>
      <param name="AppendToFile" value="true"/>
      <param name="MaxSizeRollBackups" value="5"/>
      <param name="MaximumFileSize" value="5MB"/>
      <param name="ImmediateFlush" value="true"/>
      <param name="RollingStyle" value="Size"/>
      <param name="StaticLogFileName" value="true"/>
      <layout type="log4net.Layout.PatternLayout">
        <param name="ConversionPattern" value="%d{dd/MM HH:mm:ss:fff}|%-5p|%m%n"/>
    <appender name="TraceAppender" type="log4net.Appender.TraceAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline"/>
        <conversionPattern value="%date %-5level - %message%newline"/>
      <!-- The "priority" element specifies the level of information reported that will be logged -->
      <priority value="ALL"/>
      <appender-ref ref="RollingLogFileAppender"/>
      <appender-ref ref="TraceAppender"/>
    <add key="ProvisionCacheTimeMilliseconds" value="86400000"/>
    <add key="FederationMetadataLocation" value=""/>
    <add key="Organisation" value="c4wsandpit"/>
  <location path="FederationMetadata">
        <allow users="*"/>
    <compilation debug="true" targetFramework="4.0">
        <add assembly="Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>
        <binding name="customBinding0">
          <security authenticationMode="IssuedTokenOverTransport" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
            <issuedTokenParameters keyType="SymmetricKey"/>
      <service behaviorConfiguration="Service.Service1Behavior" name="Service.WorkingHours">
        <endpoint address="" binding="customBinding" contract="Service.IWorkingHours" bindingConfiguration="customBinding0"/>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        <behavior name="Service.Service1Behavior">
          <federatedServiceHostConfiguration name="Service.WorkingHours"/>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
            <serviceCertificate findValue="AC123A8A913584818F789E3BB3B09D40E12A50BA" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/>
        <behavior name="">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    <service name="Service.WorkingHours">
        <add value=""/>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <add thumbprint="AC123A84E5A209F3FEE5190B44B1797414F68A77B" name=""/>
      <certificateValidation certificateValidationMode="None"/>