Lync 2013 – Users cannot join meetings – Meeting URL 404 Error

We have a Lync 2013 installation that was recently upgraded from Lync 2010.  In the last couple of days  it was noticed that the meeting URLs were not working and users could not join meetings.  We were pretty sure it was working prior and had no ‘change’ we could point out as being responsible.

In trying to figure out what was going wrong I read a few manuals and blogs but nothing really pointed me to the exact cause.

Going back to basics, I read the “Planning for Simple URLs” article on Technet.  Near the bottom of the page I saw this:

Whenever you change a simple URL name, however, you must run Enable-CsComputer on each Director and Front End Server to register the change.

While I hadn’t actually changed the Simple URLs, I thought it might be worth running the Enable-CSComputer command anyway – perhaps it would reinstall any URL rewrite rules which, I was sure, were causing the Meeting URLs to fail.  Perhaps a Lync server patch caused an issue, or some other configuration or topology change did.

The good news is that running this command on the front end solved the problem and users were once again able to join meetings! 🙂

 

Microsoft Dynamics CRM 2013 – aka ORION – on its way!

Its official!  The next version of CRM, aka Orion, will be know as Microsoft Dynamics CRM 2013.

The anticipated release date will “Fall of 2013” .  For those of us not in the USA, that means September/October.  Other material seen in the wild recently has suggested October.

If you head on over to http://www.microsoft.com/en-us/dynamics/crm-vision.aspx you’ll see some great information on some of the key changes that are coming with this new release.  As you will see, a major focus of this newly reimagined Dynamics CRM 2013 product is the delivery of compelling user experiences.

For all the official updates on the Dynamics CRM 2013 product, keep your eye on the following resources:

• Twitter: MSDynamicsCRM or MSFTDynamics
• Facebook: msftdynamics
• Linked In: Microsoft

Dynamics 2013 Web User Experience

Process guidance in Dynamics CRM 2013

Tablet experience coming to Dynamics CRM 2013 (Windows 8/iPad)

Please Note: The Dynamics CRM 2013 program is in still in beta and i am a signatory to NDA. I’m not going to be able to ‘leak’ any details here, sorry (and please don’t ask!).  All I can do is point you to the official sources of information.

Accessing CRM 2011 in Internet Explorer 11 (Windows 8.1)

so if you’ve downloaded and installed the latest Windows 8.1 release you might have run into issues accessing CRM 2011.  Instead of the regular home page, you get directed to the “Mobile Express” page instead:

CRM 2011 Mobile Express

So how do you fix this?  Three options spring to mind….  (these assume you’re using CRM Online or On-premises Update Rollup 12+)

1. Use the IE Developer Tools to set the browser mode to IE10.
   1. Browse to your CRM URL
   2. Hit F12 key
   3. Select the “Emulation” settings
   4. Set the “User agent string” to “Internet Explorer 10”
   5. Browse back to the CRM URL

IE 11 Developer Toolbar – Emulation Settings

2. Go directly to “main.aspx”  (this is what I normally do)
   1. Instead of navigating to https://myorg.crm.example.com use an explicit path to https://myorg.crm.example.com/main.aspx

3. Install Chrome or Firefox

CRM in IE11 (IE10 Browser Mode)

CRM IFD/Claims, or Office 365 with Federated Identity – Cannot Log In using Chrome

I’m trying combine a solution for accessing both Federated Office 365, and the Internal side of a CRM IFD Claims deployment, from within the Chrome (and maybe also Firefox) browsers here.

Problem Description #1 – CRM IFD Claims Internal URL

Situation:  you have an on-premises CRM Server and you have enabled IFD with both an internal access URL (https://internalcrm.company.com/OrgName) and external access URL (https://orgname.crm.company.com).  You can access the CRM using the External URL OK from within Chrome, but if you try and access the internal URL then you just get an endless loop of credential requests.

Problem Description #2: Office 365 with Federated Login via ADFS and DirSync

Situation: you have an Office 365 deployment.  You attempt to log on to https://login.microsoftonline.com or https://outlook.office365.com from the Chrome browser and you get an endless loop of credential requests.

Chrome: Authention Required Login Box

Solution:

Note: This solution comes via a post on the Office 365 community, so thanks to Lester Zhang for replying to Christian Andersson’s thread with an answer!

There is also a MS KB Article I have since found which goes into why you should look to the change this blog post suggests as a short-term solution, and outlines some other solutions that could be applied.

So the answer was as simple as:

1. Log on to the box where ADFS is installed
2. Start Internet Information Services (IIS) Management (or inetmgr.exe for cmd line junkies)
3. Navigate the Web Site where IIS is installed (Typically “Default Web Site”)
4. Expand out the Default Web Site/adfs/ls and select “ls” node
5. in the “Features View” pane, find and double-click the “Authentication” icon
6. select “Windows Authentication” and click the “Advanced Settings…” link in the actions pane
7. Change the value of the “Extended Protection” drop-down from “Accept” to “Off”
8. Hit OK and go and re-try access via Chrome – should be pretty much instant success 🙂

Updating IIS on ADFS box to disable Extended Protection

Dynamics CRM 2011 SDK Version 5.0.14 – What’s New?

The new 5.0.14 version of the Dynamics CRM SDK was released today and is available here: http://bit.ly/Xp8xfa

There are some new tools and features delivered with this update, some of the main highlights are as follows:

• New Xrm.PageScriptTemplate that is compatible with Visual Studio 2012.  If you’re not familiar with this template, it can used to generate a project in VS2012 that includes Java Script Intellisense for the Xrm.Page functions.
• New topic about Connecting to Yammer.  Note that the Yammer integration is only available in the December 2012 Service Update on CRM Online (Polaris), and hasn’t yet come to on-premises CRM.
• New Solution Down-level Utility: a command line tool that can be used to generate a managed or unmanaged solution file compatible with CRM Systems that are still running on Hotfix Rollup 6 to Hotfix Rollup 11.  This tool is to be used against a system running UR12 or December 2012 Service Update (or later)
• Updates to samples and documentation

Refer to the “SDK Release History for V5.0.14” page for more information.  It is in the SDK you download, or can be found in the online version of the SDK here: http://msdn.microsoft.com/en-us/library/jj916625.aspx

CRM 2011 – Copying a workflow

Have you ever written a complex workflow, and then wanted to copy it?

The Bad News

There is no “Save As” or “Copy To” option in the workflow designer.

The Good News

There is a way!

Step 1: Deactivate the workflow – “Workflow A” – you wish to copy

Step 2: Change the “Activate As” drop-down to “Process Template”

Step 3: Activate the workflow – “Workflow A”

Step 4: Create a new workflow and choose “Workflow A” as the template

Step 5: Open “Workflow A”, deactivate, switch back to activate as “Process” and activate again.

 

CRM 2011 Login Failures in IFD/Claims with ADFS Auto Certificate Rollover

We had a client with CRM 2011 On premises IFD environment that no-one could log in to today – approximately 1 year after deployment.  It turned out that the ADFS Token-decrypting and ADFS token-signing certificates rolled over as the default validity for them is 365 days.  While the new certs were rolled over OK, we were getting authentication errors and no-one could log on to CRM.

The errors we were finding were a bit misleading:

• We had some CAPI errors in the Application Event Log indicating invalid 3^rd party trusts which I assume were related to the recent Microsoft certificate revocation of certificates in reaction to the Flame malware saga.
• We also had token request errors in the ADFS 2.0 Admin Event Log  “the federation service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of ‘urn:oasis:names:tc:SAML:1:0:am:password’ for the relying party https://crmorg.crmserver.example.com”.

Location of the ADFS 2.0 Admin Event Log:

I had suspected that the CRM Claims/IFD Configuration had cached some of the token details, including perhaps the certificate thumbprints, and now they were not being accepted.

The resolution is as follows:

• Disable Claims/IFD in CRM Deployment Manager
• Perform an IIS Reset con the CRM Server(s)
• Re-configure Claims & IFD in CRM Deployment Manager (same settings)
• Perform an IIS Reset on the CRM Server(s)
• Manually update the Federation Metadata for each of your CRM Relying Party Trusts for your CRM server in ADFS/Trust Relationships, and clicking the “Update from Federation Metadata …” action.

Hopefully a future CRM Service Release might fix (or have already fixed) this.  If not, then be prepared to either mark this date in your calendar and repeat the process every year, or reconfigure your ADFS to use certificates for signing and decrypting that last a bit longer than the default 365 days.

To see how your ADFS Server is configured in respect to Certificate Auto Rollover, try the following powershell commands:

Add-PSSnapin Microsoft.ADFS.PowerShell
Get-ADFSProperties

and check the following settings:

AutoCertificateRollover        : True
CertificateCriticalThreshold   : 2
CertificateDuration            : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold  : 5
CertificateRolloverInterval    : 720
CertificateSharingContainer    : 
CertificateThresholdMultiplier : 1440

 From these settings you can read that ADFS will generate a new certificate for decrypting/signing that will be:

• Automatically rolled over
• valid for 365 days
• be re-geneated 20 days before expiry
• be promoted to be the primary cert 5 days before expiry (this is when CRM will start failing)

Outlook Client for CRM 2011 on Windows 8 Consumer Preview

So I was running the Windows 8 Consumer Preview and rather than rebooting to my Windows 7 instance (dual vhd boot), I thought i’d install the CRM Outlook Client and give it a go.

First, I downloaded the latest client installer from here: http://www.microsoft.com/download/en/details.aspx?id=27821

Second, I installed the latest Client Rollup (HFRU7) from here: http://www.microsoft.com/download/en/details.aspx?id=29221

I then went about my normal method to configure CRM when presented with the dialog after restarting outlook.  Instead of the normal “configuring” dialog I expected, I got the generic:
 "Cannot connect to Microsoft Dynamics CRM server because we cannot authenticate your credentials.  Check your connection or contact your administrator for more help."

OK, so I tried supplying my credentials in other ways:  user.name@domain.com, domain\user.name, user.name on its own.  No luck.

Next I tried the internal claims URL of the server https://internalcrm.companyname.com/orgname.  Still no luck.  I again tried the IFD (internet facing deployment URL) of https://orgname.crm.companyname.com.  Yup, still no luck.

At this point, I switched on tracing via the “Diagnostics” tool that is installed with the CRM client.  I again attempted to log on and then navigated to the CRM trace directory that is located ion a different place for Windows 8 CP:

%userprofile%\AppData\Local\Microsoft\MSCRM\Traces

looking through the trace, I see the following snippet in the error message:

Exception during Signin System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

Aha!  Now I see the problem.  Windows Identity Framework  was not installed along with CRM as is the case on Windows 7.

So, how do you add it to Windows 8 Consumer Preview?  Its ‘built in’ now, so you just go to “select programs and features”to add it.

Step 1: Hit the windows key to access your metro start menu, and start typing “programs and” and then click the “Settings” that appears:

Step 2: Select “Programs and Features” from the main pane

Step 3: Select “Turn Windows Features on or off”

Step 4: Select “Windows Identity Foundation 3.5” from the list and hit OK

Step 5: Restart Outlook and try configuring CRM again!

CRM 2011: Invalid Trace Directory Error 17203 in Application Event Log

It seems i’m getting this error on a lot of CRM servers that are being deployed.  Clients hate any sort of error appearing in their event logs, even if they dont represent a real issue, so i like to eliminate them where possible.

To get rid of this error, set the trace directory.

To set the trace directory, the easiest way is to run this powershell script (changing the Trace directory path, if necessary) from the powershell command on the CRM Application server:

Add-PSSnapin Microsoft.Crm.PowerShell
$setting = Get-CrmSetting TraceSettings
$setting.Directory="C:\Program Files\Microsoft Dynamics CRM\Trace"
Set-CrmSetting $setting
Get-CrmSetting TraceSettings

When you run this, you should see the output as shown here, and the event should stop appearing in your event log:

CRM 2011 Enabling Claims Based Authentication – An error occurred… browsing FederationMetadata

So you’ve just gone and configured your CRM 2011 Server for Claims Based Authentication, you go to test the Federation Metadata URL – https://mycrmserver.example.com/FederationMetadata/2007-06/FederationMetadata.xml – on the CRM box, and you receive:

Digging a little deeper you find the following event in the Application Event Log:

Exception information:    
Exception type: CryptographicException    
Exception message: Keyset does not exist

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)    ….

What is probably going on here is that the CRM App Pool user does not have access to read the private key on your SSL Certificate.  To verify, load up your Certificates MMC, browse to the SSL certificate, right-click and select “Manage Private Keys…”

Then add permissions for your CRM App Pool user (e.g. Network Service) to READ the certificate private key:

Now when you browse that Federation Metadata, hopefully you will see an XML file returned instead of an error: