Recently for a proof of concept I needed to supply a CRM installation built to Microsoft’s best practices, i.e. a two-server environment, SSL (HTTPS) and each service running under a separate service account. Here are some notes on what was required to make this work.
If you miss some of these steps the common symptoms are:
- Can only access CRM directly on the CRM server
- CRM Reports don’t work
- Outlook Client does not Configure
- Authentication prompts appear as you try and access CRM
Environment: VirtualBox
- Machine 1 = Domain Controller and SQL Server,
- Machine 2 = CRM Server
Steps:
- Install Windows Server 2008 R2 64-bit on both Machines, create C and D drive partitions (install all application software on the D drive)
- Promote Machine 1 to be a Domain Controller
- Create service accounts for SQL Server and SSRS
- Install SQL and SSRS on Machine 1
- Add Machine 2 to the domain
- Create an installer account: crmadmin
- Create service accounts: crmservice, crmdeploy, crmemail, crmasync, crmsandbox
- Grant minimum permissions per the CRM Implementation Guide’s instructions
- Logon as the installer account and install CRM Server on Machine 2
- Test CRM access over HTTP via Internet Explorer on Machine 2
- Install CRM SSRS Data Connector on Machine 1
- Install latest rollup packs for CRM Server and SSRS Data Connector
- Create a self-signed certificate on Machine 2 (in IIS)
- Go into CRM Deployment Manager, go to Servers, disable the CRM Server
- Go to IIS and edit the Bindings for the CRM Web Site, enable HTTPS, disable HTTP
- Back in CRM Deployment Manager, right-click on “Microsoft Dynamics CRM” and select Properties, then on the Web Address tab select HTTPS and enter the URLs
- Re-enable the CRM server in Deployment Manager
- Test CRM access over HTTPS via Internet Explorer on Machine 2
- Create an SPN for the CRM service account (the identity running the CRM app pool), e.g. setspn -A HTTP/VBOXCRM gtdomain\crmservice (the service class in the SPN is always HTTP, even when HTTPS is enabled)
- In Active Directory Users and Computers, grant the Trust for Delegation permission to the CRM service account and to the CRM server's computer account (you need to do a Run As Administrator in order for the Delegation tab to appear when editing the properties of the computer account)
- Shut down Machine 2, reboot Machine 1, restart Machine 2
- Test CRM access over HTTPS via Internet Explorer on Machines 1 and 2
- Test CRM Reports on Machines 1 and 2
- Test the CRM Async Service by creating and triggering a simple workflow
- Test the Deployment Service by creating a second CRM Organisation
- Install the CRM Email Router and its Rollup Pack, configure and test
- Machine 1, install Outlook, configure an email profile (perhaps connect to a Hotmail account) and then install the CRM Outlook Client and its Rollup Pack, configure and test
Done
UPDATE 1: The configuration of the Outlook Client in the above HTTPS environment failed for us (“Could not establish trust relationship for the SSL/TLS secure channel”), we think due to the use of the self-signed certificate. Installing an Enterprise Certificate Authority and creating both a Root Certificate and a Certificate for the CRM Web site, along with an additional SPN (setspn -A HOST/VBOXCRM gtdomain\crmservice), solved that problem for us.
UPDATE 2: If you are not able to run Fetch XML reports or Report Wizard reports (which are Fetch XML reports) then you are likely suffering a firewall issue as described here. Thanks to my colleague Farooq for finding this post and thanks Jim for writing it!
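A way to check the SPN, delegation and certificate steps above before moving on to client testing. This is an added example, not part of the original notes. It uses the post's example names (VBOXCRM, crmservice) and assumes the CRM site answers at https://VBOXCRM/ and that the ActiveDirectory PowerShell module is available on the machine where it runs.

```powershell
# Added example. Run in an elevated PowerShell session on a domain-joined
# machine with the ActiveDirectory module (e.g. the domain controller).
Import-Module ActiveDirectory

$account = 'crmservice'                  # app pool identity, from the post
$server  = 'VBOXCRM'                     # CRM server name, from the post
$spns    = "HTTP/$server", "HOST/$server"   # HOST only applies after UPDATE 1
$url     = "https://$server/"            # assumed CRM web address

# 1. Which account(s) hold each SPN. setspn -Q searches the directory for it.
foreach ($spn in $spns) {
    "--- setspn -Q $spn"
    setspn -Q $spn
}

# 2. SPNs registered on more than one account. Kerberos ticket requests for
#    a duplicated SPN fail, which shows up as repeated authentication prompts.
"--- setspn -X (duplicate SPN check)"
setspn -X

# 3. Delegation settings on the service account and the computer account.
#    TrustedForDelegation = True means delegation to any service;
#    ConstrainedTo lists the services when constrained delegation is used.
$props = 'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'
$user  = Get-ADUser     $account -Properties $props
$comp  = Get-ADComputer $server  -Properties $props
$user, $comp |
    Select-Object SamAccountName, TrustedForDelegation,
        @{ n = 'ConstrainedTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } },
        @{ n = 'SPNs';          e = { $_.ServicePrincipalNames -join '; ' } } |
    Format-List

# 4. HTTPS with the current certificate. A certificate the machine does not
#    trust produces the "Could not establish trust relationship" error
#    quoted in UPDATE 1.
try {
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true   # authenticate as the logged-on user
    $resp = $req.GetResponse()
    "HTTPS OK: status $([int]$resp.StatusCode) from $url"
    $resp.Close()
} catch {
    "HTTPS check failed: $($_.Exception.Message)"
}
```

Running step 4 from Machine 1 as well as Machine 2 tests the certificate trust from a client that did not create the certificate.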