Publishing Microsoft CRM 3.0 through ISA Server 2006

1. Introduction

One of our recent cross-team collaboration experiences was with the CRM Team (Microsoft Dynamics). We worked with them to make the CRM Web interface securely available to Internet users.

We narrowed it down to two main scenarios in which ISA Server 2006 can be used to allow external access and delegate authentication to the CRM server. The scenarios are:

  • Single CRM Server – CRM, SQL and SRS on one server.
    • For this scenario, use ISA Server 2006 with NTLM delegation.
  • Multiple-server deployment, for example one CRM server and one SQL/SRS server.
    • For this scenario, use ISA Server 2006 with Kerberos Constrained Delegation.

This article walks through the steps required on the ISA Server side to accomplish both implementations.

2. Adjusting the CRM Server for External Publishing

One of the first steps we recommend for this deployment is to change the AppMode parameter to Off in the Web.config file. By default this file is located in “C:\Program Files\Microsoft CRM\CRMWeb”. Web.config is the file that controls the behavior of a specific Microsoft .NET-based application. The entry in the file should look like this:

<add key="AppMode" value="Off"/>

Note: with AppMode set to Off, the CRM client is displayed in a normal IE window, with the Address bar and toolbar visible.

By default the CRM Web site in IIS is already configured for Integrated Windows authentication, and the default HTTP port for the site is 5555. You can review these settings in the IIS console; they should look like this:


Figure 1 – Default Configuration on CRM 3.0 Web site.
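The two CRM-side settings described above (AppMode in Web.config, and the port and authentication mode of the IIS site) can be verified with a script before the publishing rule is built. The following PowerShell script is an added example and is not part of the original article or of the CRM product. It assumes the default Web.config path named in the article, an IIS 6 metabase reachable through the ADSI provider on the CRM server, and that the CRM Web site has metabase identifier 1 (confirm the identifier in the IIS console). The AuthFlags bit values (1 = Anonymous, 2 = Basic, 4 = Integrated Windows) are the IIS 6 metabase values.

```powershell
# Added example, not from the original article: verify the CRM server settings
# from section 2 before building the ISA Server publishing rule. Run on the CRM server.
$WebConfigPath = 'C:\Program Files\Microsoft CRM\CRMWeb\Web.config' # default location named in the article
$SiteId        = '1'    # assumed IIS 6 metabase identifier of the CRM Web site; confirm it in the IIS console
$ExpectedPort  = 5555   # default CRM HTTP port named in the article

$problems = @()

# 1. AppMode must be Off in <appSettings>, so the CRM client runs in a normal IE window.
[xml]$cfg = Get-Content -Path $WebConfigPath
$appMode  = @($cfg.configuration.appSettings.add) | Where-Object { $_.key -eq 'AppMode' }
if (-not $appMode) {
    $problems += "No AppMode entry found in $WebConfigPath"
} elseif ($appMode.value -ne 'Off') {
    $problems += "AppMode is '$($appMode.value)'; the article expects 'Off'"
}

# 2. The Web site must listen on port 5555. IIS 6 stores bindings in the metabase as
#    "IP:port:hostheader" strings, readable through the ADSI provider.
$site     = [ADSI]"IIS://localhost/W3SVC/$SiteId"
$bindings = @($site.ServerBindings)
if (-not ($bindings -match ":$ExpectedPort:")) {
    $problems += "Site $SiteId listens on [$($bindings -join ', ')]; expected a binding on port $ExpectedPort"
}

# 3. Integrated Windows authentication must be on and anonymous access off; otherwise the
#    credentials that ISA Server delegates are never used by the site.
#    IIS 6 AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows (NTLM/Kerberos).
$root      = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT"
$authFlags = [int]$root.AuthFlags.Value
if (($authFlags -band 4) -eq 0) {
    $problems += "Integrated Windows authentication is not enabled on site $SiteId"
}
if (($authFlags -band 1) -ne 0) {
    $problems += "Anonymous access is enabled on site $SiteId; disable it so that delegated credentials are required"
}

if ($problems.Count -eq 0) {
    "CRM Web site $SiteId is ready to be published through ISA Server"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Each check reports a warning rather than stopping at the first failure, so one run lists everything that still has to be changed on the CRM server.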

3. Configuring the ISA Server 2006 Web publishing rule

Now we need to create the Web publishing rule on the ISA Server. Before we can do that, a certificate must be installed on the ISA Server 2006 computer for the external access. The certificate FQDN needs to match the public name that the Web listener will use. In this scenario, the name will be crm.contoso.com. Follow the steps below to create the Web publishing rule:

1. Right-click on the Firewall Policy, select the option New, and then click Web Site Publishing Rule.

2. Type the name of the rule, and then click Next.

3. On the Select Rule Action window, select the option Allow, and then click Next.

4. On the Publishing Type window, select the option Publish a single Web site or load balancer, and then click Next.

5. On the Server Connection Security window, select the option Use SSL to connect to the published web server or server farm, and then click Next.

6. On the Internal Publishing Details window, in the Internal site name box, type the name of the internal site. Select the Use a computer name or IP address to connect to the published server check box, and then, in the Computer name or IP address box, type the server name. If you do not know the name of the server, click Browse to navigate to its location.

7. On the Internal Publishing Details window, in the Path (optional) box, type /* , and then click Next.

8. On the Public Name Details window, from the Accept requests for dropdown list, select This domain name (type below), and then, in the Public name box, type the public name that matches the certificate that was issued for this URL. Click Next.

9. On the Select Web Listener window, click New, type the name for this Web listener, and then click Next.

10. On the Client Connection Security window, select the option Require SSL secured connection with clients, and then click Next.

11. Click to highlight the External interface, and then click Select IP Address.

12. In the External Network Listener IP Selection dialog box, select the option Specified IP addresses on the ISA Server computer in the selected network. In the Available IP address field, select the IP address, click Add, and then click OK. In the Web Listener IP Addresses window, click Next.

13. On the Listener SSL Certificates window, select Use a single certificate for this Web Listener, and then click Select Certificate. Select the certificate that was installed on this ISA Server 2006 computer, and then click Select.

Note: If you are running ISA Server 2006 Enterprise Edition with multiple nodes in the array, the certificate must be installed on both ISA Servers to be considered valid. For more information about SSL certificates on ISA Server, see “Troubleshooting SSL Certificates” in ISA Server Publishing on Microsoft TechNet.

14. In the Authentication Settings window, select HTML Form Authentication. Under Select how ISA Server will validate the credentials, select Windows (Active Directory), and then click Next.

15. On the Single Sign On Settings window, clear the check box, click Next, and then click Finish.

16. In the Web Publishing Rule wizard, click Next.

17. In the Authentication Delegation window, select the option NTLM Authentication and then click Next.

Note 1: If you want to use Kerberos, you can select the option Kerberos Constrained Delegation in this window. However, be aware of the requirements that must be met before this option can be used. For a complete list of the requirements, see the article Kerberos Constrained Delegation in ISA Server 2006 on Microsoft TechNet.

Note 2: In the CRM Team's experience, almost all implementations use multiple servers, so they strongly recommend that in those cases the publishing rule use Kerberos Constrained Delegation.

18. On the User Set window, verify that the default option (All Authenticated Users) is selected, click Next, and then click Finish.

19. Right-click the rule, and then click Properties. In the Form on CWA Properties dialog box, on the Bridging tab, change the SSL port to 5555, click OK, and then click Apply.
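If you choose Kerberos Constrained Delegation in step 17 (see Note 1), the Active Directory side of the requirements can be checked with a script before the rule is tested; the same script is the first thing to run when the rule works with NTLM but fails with Kerberos. The following PowerShell script is an added example, not part of the original article, and it assumes the standard ISA Server 2006 KCD prerequisites: the HTTP SPN for the internal CRM site name is registered on exactly one account, the ISA Server computer account lists that SPN in msDS-AllowedToDelegateTo (Delegation tab, Trust this computer for delegation to specified services only), and, because users authenticate to ISA Server with a form rather than with Kerberos, the account is also set to Use any authentication protocol (the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl). The ISA computer name and the CRM host name are constructed for this example; adjust them to your deployment.

```powershell
# Added example, not from the original article: check the Active Directory prerequisites
# for Kerberos Constrained Delegation from ISA Server 2006 to the CRM Web site.
# Run from any domain-joined machine as a domain user.
$IsaComputer = 'ISA01'               # assumed NetBIOS name of the ISA Server computer account
$CrmHost     = 'crm01.contoso.local' # assumed internal site name used as the rule's "To" server
$ExpectedSpn = "http/$CrmHost"       # the service ISA Server requests a ticket for on the user's behalf

$problems = @()

# 1. The HTTP SPN must be registered, and on exactly one account. A duplicate SPN makes
#    ticket requests fail or go to the wrong account, which looks exactly like
#    "works with NTLM, fails with Kerberos".
$spnResults = ([ADSISearcher]"(servicePrincipalName=$ExpectedSpn)").FindAll()
switch ($spnResults.Count) {
    0       { $problems += "No account holds SPN $ExpectedSpn; register it on the account that runs the CRM application pool" }
    1       { "SPN $ExpectedSpn is held by $($spnResults[0].Properties['samaccountname'][0])" }
    default { $problems += "SPN $ExpectedSpn is registered on $($spnResults.Count) accounts; it must be unique" }
}

# 2. The ISA Server computer account must be allowed to delegate to that service
#    (Delegation tab: "Trust this computer for delegation to specified services only").
$isa = ([ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$IsaComputer`$))").FindOne()
if (-not $isa) {
    $problems += "Computer account $IsaComputer`$ was not found in the domain"
} else {
    $allowedTo = @($isa.Properties['msds-allowedtodelegateto'])
    if ($allowedTo -notcontains $ExpectedSpn) {
        $problems += "$IsaComputer is not allowed to delegate to $ExpectedSpn (current list: $($allowedTo -join ', '))"
    }

    # 3. Users log on to ISA Server through a form, not with Kerberos, so ISA Server needs
    #    protocol transition: "Use any authentication protocol", which sets the
    #    TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in userAccountControl.
    $uac = [int]$isa.Properties['useraccountcontrol'][0]
    if (($uac -band 0x1000000) -eq 0) {
        $problems += "$IsaComputer is not set to 'Use any authentication protocol' (protocol transition)"
    }
}

if ($problems.Count -eq 0) {
    "Kerberos Constrained Delegation prerequisites look correct for $IsaComputer -> $ExpectedSpn"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The SPN lookup is deliberately done with an LDAP search rather than against a single account, so that a duplicate registration on another account is caught as well as a missing one.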

Now that everything is set up, we can access the site from outside. After logging on through the standard ISA Server 2006 forms-based logon page, you will see the screen below:

Figure 2 – CRM 3.0 Web site published by ISA Server.

If you log on with a user who does not have privileges in the CRM application, the following warning appears:

Figure 3 – CRM warning that the user does not have access to the Web site.

4. Troubleshooting Tips

Here are some general troubleshooting tips for this scenario:

· For general CRM troubleshooting, use the guideline Troubleshooting general issues in Microsoft Dynamics CRM 3.0 on Microsoft TechNet.

· If you are using Kerberos Constrained Delegation on ISA Server, apply hotfix 942637 before implementing it.

· If the publishing rule works with NTLM but fails with Kerberos, see the article Troubleshooting Kerberos on Microsoft TechNet.

· For CRM 3.0, see KB article 909588 for more details on Kerberos delegation.

Yuri Diogenes

Security Support Engineer – Microsoft ISA Server Team (Texas)

Microsoft CRM 3.0 reviewed by:

Henning Petersen

Support Engineer – Microsoft CRM Team (Fargo)