Replacing an expired certificate in Dynamics 365 CE environment with AD FS - part 1
Part 1: Requesting, creating and importing a new certificate
Part 2: Configuring the new certificate in Dynamics and AD FS
CONTEXTUALIZATION AND SCENARIO:
In this article we will cover the standard procedure for replacing an expired certificate in a Dynamics 365 CE environment that is federated through Active Directory Federation Services.
It is common (and expected) that in a scenario like this the environment stops responding once the certificate has expired: certificate validity is a fundamental security requirement of the federation, and neither IIS nor AD FS will serve a trust relationship on an expired certificate.
For the purposes of this scenario, I used a single pre-existing virtual machine in Hyper-V running Windows Server 2012 R2 Datacenter Edition with SQL Server 2014 SP2 Enterprise Edition and Dynamics 365 v8.2 installed as FULL SERVER. As it is a laboratory for educational purposes with only one virtual machine, it obviously performs all roles, including domain controller, DNS, certificate authority and federation.
The Dynamics and AD FS-specific services run under the context of a service account, here called SVC_DYN. We assume that the environment was completely configured and functional until the certificate's expiration date. We will not address building the infrastructure from scratch, only the procedures for replacing the certificate in order to restore the services in a pre-existing environment. The reader is therefore expected to already have prior knowledge of configuring AD FS, certificates and Dynamics itself.
As both Dynamics and AD FS run on the same server, we bind the Dynamics HTTPS site to port 444 instead and leave AD FS on the default port 443.
In our lab's federation, the internal relying party is "internalcrm", and the external relying parties are the name of the CRM organization itself and "dev". The expected access URLs are therefore (remember, they won't resolve outside this lab):
Internal:
https://internalcrm.crmadmin.com.br:444
External:
https://microsoft-dynamics.crmadmin.com.br:444/
https://dev.crmadmin.com.br:444
Our organization is called Microsoft-Dynamics. Internal access will support SSO, while external access will prompt for credentials. We will issue the new certificate from the lab's own Active Directory Certificate Services CA; in a real environment you would obtain one from a trusted (public or enterprise) Certificate Authority.
That said, let's start the lab.
CHECKING THE ISSUES
Figure 1: user unable to access Dynamics from internal or external URLs
In our scenario this happens (fig 1) because the certificate has expired. The same occurs on both the internal and the external URLs. We can see that Dynamics itself is working if we use the localhost:5555 URL (fig 2). That URL is the non-claims website over plain HTTP, so the platform responds, but only locally on the server and without the transport security the federation requires:
Figure 2: Dynamics working well using localhost:[port]
Let's take a look at the certificate in a few places. First, opening IIS, selecting the CRM website and clicking Bindings, we can see that the bound certificate really is expired (fig 3):
Figure 3: IIS Dynamics Website with expired certificate bound
As we're using a wildcard certificate, the same certificate is also used by AD FS, so we can check there as well (fig 4 and 5):
Figures 4 and 5: AD FS with expired certificate bound
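Instead of clicking through IIS and the AD FS console, the same diagnosis can be made from PowerShell. The block below is an added example, not code from the original post: it lists the certificates in the machine Personal store, shows which certificate each IIS HTTPS binding and each AD FS certificate role actually uses, and then opens a TLS connection to read the certificate that clients really receive. It assumes the WebAdministration and ADFS modules of the lab's Windows Server 2012 R2 server, uses the lab's Dynamics host internalcrm.crmadmin.com.br:444 from above, and reads the AD FS host name from Get-AdfsProperties; the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example: inventory the certificates Dynamics and AD FS depend on and
# flag any that are expired or about to expire. Run in an elevated prompt on
# the lab server. Host names and ports are the lab's; adjust for your environment.

Import-Module WebAdministration   # IIS cmdlets (Get-WebBinding)
Import-Module ADFS                # Get-AdfsCertificate, Get-AdfsProperties

$warnDays = 30                    # assumption: warn this many days before expiry
$now = Get-Date

# 1. Every certificate in the machine Personal store, with days left to expiry.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - $now).TotalDays } } |
    Sort-Object NotAfter | Format-Table -AutoSize

# 2. Which certificate each HTTPS binding in IIS actually points at.
Get-WebBinding -Protocol https | ForEach-Object {
    $cert = Get-Item "Cert:\LocalMachine\My\$($_.certificateHash)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Site       = $_.ItemXPath -replace ".*@name='([^']+)'.*", '$1'
        Binding    = $_.bindingInformation
        Thumbprint = $_.certificateHash
        NotAfter   = if ($cert) { $cert.NotAfter } else { '(not in store)' }
        Expired    = if ($cert) { $cert.NotAfter -lt $now } else { $true }
    }
} | Format-Table -AutoSize

# 3. The AD FS service-communications, token-signing and token-decrypting certificates.
Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
    @{ n = 'Expired';  e = { $_.Certificate.NotAfter -lt $now } } |
    Format-Table -AutoSize

# 4. What a client actually receives on the wire. On Windows Server 2012 R2 the
#    AD FS SSL binding lives in HTTP.SYS (netsh http show sslcert), so the most
#    reliable check is to open a TLS connection and read the served certificate.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to inspect the certificate, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, as a browser would
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $client.Close() }
}

$targets = @(
    @{ HostName = 'internalcrm.crmadmin.com.br';   Port = 444 },   # Dynamics (lab URL)
    @{ HostName = (Get-AdfsProperties).HostName;   Port = 443 }    # AD FS, default port
)
foreach ($target in $targets) {
    try {
        $c = Get-ServedCertificate @target
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' }
                 elseif ($c.NotAfter -lt $now.AddDays($warnDays)) { 'EXPIRING SOON' }
                 else { 'OK' }
        '{0}:{1} -> {2} (valid until {3}) {4}' -f $target.HostName, $target.Port, $c.Subject, $c.NotAfter, $state
    } catch {
        '{0}:{1} -> connection failed: {2}' -f $target.HostName, $target.Port, $_.Exception.Message
    }
}
```

Step 4 is the one that matters to users: a certificate can look fine in the store and still not be the one bound in IIS or HTTP.SYS, and the on-the-wire check is also the only one you can repeat from a client machine after the replacement in part 2.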
CREATING A NEW CERTIFICATE
As the first step, open Manage Computer Certificates (or press Win+R and run certlm.msc). Right-click Certificates (Local Computer) -> Personal -> Certificates and choose All Tasks -> Advanced Operations -> Create Custom Request… (fig 6):
Figure 6: Certificates
In the Certificate Enrollment screen -> Before You Begin, click Next. In the next screen, in Select Certificate Enrollment Policy, select Proceed without enrollment policy under Custom Request (fig 7):
Figure 7: Custom Request -> Proceed without enrollment policy
In the next screen, under Template, select (No template) Legacy key and leave Request format as PKCS #10 (fig 8). CAUTION: a CNG key is incompatible with Dynamics CRM when creating custom certificate requests and must not be used; the key has to live in a legacy CSP (cryptographic service provider).
Figure 8: Custom Request -> legacy key and request format
In Certificate Information, expand Details then click Properties (fig 9):
Figure 9: Custom Request -> Details -> Properties
In Certificate Properties -> General tab -> provide values for Friendly name and Description (fig 10):
Figure 10: Certificate Properties -> General tab
In the Subject tab, select the attributes to customize in the certificate, enter the value of each attribute and click Add (fig 11). In this example we are generating a wildcard certificate, so make sure that under Subject name you have a CN (Common Name) entry in the form *.domain.com: this is the wildcard value. Note that Chrome and other modern browsers ignore the CN and match the host name only against Subject Alternative Names, so on a real deployment also add the same wildcard name as a DNS entry under Alternative name in this tab:
Figure 11: Certificate Properties -> Subject tab -> custom attributes
In the Extensions tab, expand Key usage, add Digital signature and Key encipherment and then click Apply (fig 12):
Figure 12: Certificate Properties -> Extensions tab
In the Private Key tab, expand Key options, select 2048 as the Key size and check Make private key exportable. Expand Key type and select Exchange (fig 13):
Figure 13: Certificate Properties -> Private Key tab
Click Apply and OK. In the next screen of Certificate Information click Next (fig 14):
Figure 14: Certificate Enrollment -> Certificate Information
Provide a location and name to save the certificate request file. In File Format, select Base 64 and then click Finish (fig 15):
Figure 15: Certificate Enrollment -> Save certificate request
Once the certificate request file is saved, open it in Notepad, press CTRL+A to select all and copy the content to the clipboard (fig 16):
Figure 16: Copying certificate request file content
As mentioned at the beginning, our environment has everything we need to submit the request and issue the certificate. Open the Active Directory Certificate Services web enrollment page by typing http://localhost/certsrv in the browser's address bar, then click Request a certificate (fig 17). The request contains only the public key and the subject, so submitting it over plain HTTP on the CA server itself is acceptable in the lab; the private key never leaves the machine's certificate store:
Figure 17: Requesting a certificate
In the next screen, click advanced certificate request (fig 18):
Figure 18: Advanced certificate request
In the next screen, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file (fig 19):
Figure 19: Submitting a certificate request...
Under Saved Request, paste the request content you copied from Notepad in figure 16. Under Certificate Template, select Web Server and then click Submit (fig 20):
Figure 20: Submit a certificate request
Once the certificate has been issued, select Base 64 encoded and click Download certificate (fig 21):
Figure 21: Downloading the certificate file
Provide a name and location to save the certificate file (fig 22):
Figure 22: Saving the certificate file
Good! You now have the new certificate file, issued by the lab's internal CA and valid for two years.
IMPORTING THE NEW CERTIFICATE
Open Manage Computer Certificates (or press Win+R and run certlm.msc) like you did before. Before importing the new certificate you will still see the old one in place. To avoid confusion, delete it: it is expired and can no longer be used (fig 23). If you want to keep a copy for reference, export it with its private key to a .pfx file first, as deleting it also removes the private key.
Figure 23: Deleting the expired certificate from the Personal store
Go to Certificate Manager -> Certificates (Local Computer) -> Personal -> Certificates -> All Tasks -> Import... (fig 24):
Figure 24: Importing new certificate
You will see a Welcome screen with Store Location fixed to Local Machine (it cannot be changed from certlm.msc). Click Next. In the next screen, browse to the certificate file you downloaded, select it and click Next (fig 25):
Figure 25: Selecting the certificate file
In the Certificate Store screen, select Place all certificates in the following store and select Personal, then click Next (fig 26). In the next screen, click Finish:
Figure 26: Selecting the store
Now you'll be able to see the new certificate in the store (fig 27). Open it and confirm that the General tab says "You have a private key that corresponds to this certificate": Windows matches the issued certificate with the key pair created by the custom request, and without that private key the bindings in IIS and AD FS in part 2 will fail:
Figure 27: Certificate imported successfully
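The whole of part 1 (custom request, submission to the CA with the Web Server template, and import) can also be scripted with certreq.exe, which is the approach to use when the same wildcard has to be renewed on several servers. The block below is an added example, not code from the original post. The INF settings mirror the wizard choices above: legacy CSP key rather than CNG, RSA 2048, exportable, Exchange key type (KeySpec 1), Digital Signature plus Key Encipherment, PKCS #10 format and the wildcard CN. The file names under C:\certs, the O and C attributes, the SAN entries and the 30-day sanity threshold are assumptions for this example; the CA's config string is read from certutil on the lab server.

```powershell
# Added example: request, issue and install the wildcard certificate with certreq
# instead of the MMC wizard and the certsrv web page. Run elevated on the lab server.

$subject = 'CN=*.crmadmin.com.br, O=CRM Admin Lab, C=BR'   # assumption: adjust O and C
$workDir = 'C:\certs'                                      # assumption: working folder
$infPath = Join-Path $workDir 'wildcard.inf'
$reqPath = Join-Path $workDir 'wildcard.req'
$cerPath = Join-Path $workDir 'wildcard.cer'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# The INF is the scripted form of the Certificate Properties dialog in the wizard.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "$subject"
FriendlyName  = "Dynamics/AD FS wildcard (issued $(Get-Date -Format yyyy-MM-dd))"
KeyLength     = 2048
Exportable    = TRUE
MachineKeySet = TRUE
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type in the wizard
KeySpec       = 1
; 0x80 Digital Signature + 0x20 Key Encipherment
KeyUsage      = 0xA0
; Legacy CSP, not a CNG key store provider: Dynamics needs a legacy key
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType  = 12
RequestType   = PKCS10
HashAlgorithm = sha256

[Extensions]
; Browsers no longer honour the CN alone, so repeat the names as Subject Alternative Names
2.5.29.17 = "{text}"
_continue_ = "dns=*.crmadmin.com.br&"
_continue_ = "dns=crmadmin.com.br"
"@ | Set-Content -Path $infPath -Encoding ASCII

# 1. Generate the key pair in the machine store and write the Base-64 PKCS #10 request
#    (the equivalent of figures 6 to 16).
certreq.exe -new $infPath $reqPath

# 2. Submit to the enterprise CA with the Web Server template (what the certsrv page did).
#    certutil -dump prints the CA's "Config" string, e.g. "server\CA-Name".
$caConfig = (certutil.exe -dump | Select-String '^\s*Config:\s*"(.+)"').Matches[0].Groups[1].Value
certreq.exe -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqPath $cerPath

# 3. Accept the issued certificate: this places it in LocalMachine\My and binds it to the
#    private key created in step 1, which is what the MMC import in figures 24 to 27 does.
certreq.exe -accept $cerPath

# 4. Verify what we have before touching IIS or AD FS in part 2.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.crmadmin.com.br*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw 'No wildcard certificate found in LocalMachine\My.' }
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key: certreq -accept did not match a pending request on this machine.'
}
# A legacy CSP key surfaces as RSACryptoServiceProvider; a CNG key would not.
if ($cert.PrivateKey -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw 'Private key is not in a legacy CSP (looks like CNG); Dynamics CRM will not accept it.'
}
$provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Issued certificate expires too soon: $($cert.NotAfter)" }

"Thumbprint : $($cert.Thumbprint)"
"Subject    : $($cert.Subject)"
"Valid until: $($cert.NotAfter)"
"Provider   : $provider"
```

The thumbprint printed at the end is the value you will need in part 2 when re-binding the certificate in IIS and AD FS, and the RSACryptoServiceProvider check catches the CNG mistake the wizard's CAUTION warns about before it surfaces as an obscure error in the Dynamics claims-based configuration.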
In Part 2 we will cover the procedures to configure the new certificate so that Dynamics and AD FS work properly again.
Walter Carlin
Senior Customer Engineer - Dynamics 365 Customer Engagement - Microsoft Corp.