Part 1: Requesting, creating and importing a new certificate

Part 2: Configuring the new certificate in Dynamics and AD FS

CONTEXTUALIZATION AND SCENARIO:

In this article we will cover the standard procedures for replacing an expired certificate in a Dynamics 365 CE environment with federation through Active Directory Federation Services.
It is common (and expected) that in a scenario like this the environment stops responding because the certificate has expired: a valid certificate is a fundamental security requirement of the federation.

For the purposes of this scenario, I used a single pre-existing virtual machine in Hyper-V running Windows Server 2012 R2 Datacenter Edition with SQL Server 2014 SP2 Enterprise Edition and Dynamics 365 v8.2 installed as FULL SERVER. As it is a laboratory for educational purposes with only one virtual machine, it obviously hosts all services, including domain controller, DNS, certificate authority and federation.

The Dynamics and AD FS services run under the context of a service user, here called SVC_DYN. We assume that the environment was completely configured and functional until the certificate expiration date. We will not address the creation of the infrastructure from scratch, only the procedures for replacing the certificate in order to restore the services in a pre-existing environment. This article therefore assumes the reader already has prior knowledge of configuring AD FS, certificates and Dynamics itself.

As both Dynamics and AD FS are running on the same server, we set the Dynamics HTTPS port to 444 instead and leave AD FS on the default port 443.

In our lab's federation, the internal relying party is "internalcrm" and the external ones are the name of the CRM organization itself and "dev". Therefore, the expected access URLs are (remember, they won't work outside this lab):

Internal:

https://internalcrm.crmadmin.com.br:444


External:

https://microsoft-dynamics.crmadmin.com.br:444/

https://dev.crmadmin.com.br:444

Our organization is called Microsoft-Dynamics. Internal access will support SSO, while external access will ask for credentials. We will issue a new certificate from our own certificate authority, but in real scenarios you may acquire a valid one from a trusted public Certificate Authority.

OK, that said, let's start the lab.

CHECKING THE ISSUES

Figure 1: user unable to access Dynamics from internal or external URLs

In our scenario this happens (fig 1) because the certificate has expired. The same occurs on both the internal and external URLs. We can see that Dynamics itself is working if we use the localhost:5555 URL (fig 2): when we use localhost:[port] we bypass HTTPS, so the platform responds, but only locally and without the proper security:

Figure 2: Dynamics working well using localhost:[port]

Let's take a look at the certificate in a few places. First, opening IIS, selecting the CRM website and clicking Bindings, we can see that the certificate has indeed expired (fig 3):

Figure 3: IIS Dynamics Website with expired certificate bound

As we're using a wildcard certificate, the same certificate is applied to AD FS, so we can also check there (fig 4 and 5):

Figures 4 and 5: AD FS with expired certificate bound
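The same check done from PowerShell, as an added example that is not part of the original article: it lists the certificates bound to IIS HTTPS sites and to AD FS on this server and flags the expired ones. It assumes the lab layout (IIS and AD FS on the same box) and the WebAdministration and ADFS modules that ship with Windows Server 2012 R2.

```powershell
# Added example, not the article's own code: inventory the certificates bound to IIS
# HTTPS bindings and to AD FS and mark any that are already expired.
Import-Module WebAdministration
Import-Module ADFS

$now = Get-Date

function Test-BoundCertificate {
    param([string]$Thumbprint, [string]$Source)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$Source : thumbprint $Thumbprint not found in LocalMachine\My"
        return
    }
    $state = if ($cert.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
    [pscustomobject]@{
        Source     = $Source
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        State      = $state
        Thumbprint = $cert.Thumbprint
    }
}

$results = @(
    # IIS: every HTTPS binding of every site (the lab CRM site listens on port 444).
    Get-WebBinding -Protocol https | Where-Object { $_.certificateHash } | ForEach-Object {
        Test-BoundCertificate -Thumbprint $_.certificateHash -Source "IIS $($_.bindingInformation)"
    }
    # AD FS: the SSL certificate (port 443 in the lab) and the service communications certificate.
    Get-AdfsSslCertificate | ForEach-Object {
        Test-BoundCertificate -Thumbprint $_.CertificateHash -Source "ADFS SSL $($_.HostName):$($_.PortNumber)"
    }
    Get-AdfsCertificate -CertificateType Service-Communications | ForEach-Object {
        Test-BoundCertificate -Thumbprint $_.Thumbprint -Source 'ADFS Service-Communications'
    }
)

# With a single wildcard certificate, every row should show the same thumbprint; after the
# expiry date every row shows EXPIRED, which is exactly the state figures 3 to 5 illustrate.
$results | Sort-Object NotAfter | Format-Table Source, Subject, NotAfter, State -AutoSize
```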

CREATING A NEW CERTIFICATE

As the first step, open Manage Computer Certificates, or just press CTRL+R and run certlm.msc, then go to Certificates -> Local Computer -> Personal -> Certificates -> All Tasks -> Advanced Operations -> Create Custom Request… (fig 6):

Figure 6: Certificates

In the Certificate Enrollment screen -> Before You Begin, click Next. In the next screen, in Select Certificate Enrollment Policy, select Proceed without enrollment policy under Custom Request (fig 7):

Figure 7: Custom Request -> Proceed without enrollment policy

In the next screen, in Template, select (no template) Legacy key and leave Request format as PKCS #10 (fig 8). CAUTION: the CNG key is incompatible with Dynamics CRM when creating custom certificate requests and should not be used.

Figure 8: Custom Request -> legacy key and request format

In Certificate Information, expand Details then click Properties (fig 9):

Figure 9: Custom Request -> Details -> Properties

In Certificate Properties -> General tab -> provide values for Friendly name and Description (fig 10):

Figure 10: Certificate Properties -> General tab

In the Subject tab, select the attributes to customize in the certificate, enter the value of each attribute and click Add (fig 11). In this example we are generating a wildcard certificate, so make sure that under Subject name you have a CN (Common Name) line with the proper value in the form *.domain.com: this is the wildcard value:

Figure 11: Certificate Properties -> Subject tab -> custom attributes

In Extensions tab, expand Key usage and add Digital signature and Key encipherment and then click Apply (fig 12):

Figure 12: Certificate Properties -> Extensions tab

In Private Key tab, expand Key Options and select the value 2048 in Key size and check Mark private key exportable. Expand Key type and select Exchange (fig 13):

Figure 13: Certificate Properties -> Private Key tab

Click Apply and OK. In the next screen of Certificate Information click Next (fig 14):

Figure 14: Certificate Enrollment -> Certificate Information


Provide a location and name to save the certificate request file. In File Format, select Base 64 and then click Finish (fig 15):

Figure 15: Certificate Enrollment -> Save certificate request

Once the certificate request file is saved, open it in Notepad, press CTRL+A to select all and copy the content to the clipboard (fig 16):

Figure 16: Copying certificate request file content

As mentioned at the beginning, our environment has everything we need to proceed with the certificate request and issuance. So let's access Active Directory Certificate Services in a web browser by typing http://localhost/certsrv in the address bar and then clicking Request a certificate (fig 17):

Figure 17: Requesting a certificate

In the next screen, click advanced certificate request (fig 18):

Figure 18: Advanced certificate request

In the next screen, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file (fig 19):

Figure 19: Submitting a certificate request...

In Saved Request, paste the content you copied from Notepad in figure 16. In Certificate Template, select Web Server, then click Submit (fig 20):

Figure 20: Submit a certificate request

After submitting, select Base 64 encoded and click Download certificate (fig 21):

Figure 21: Downloading the certificate file

Provide a name and location to save the certificate file (fig 22):

Figure 22: Saving the certificate file

Good! You've created the new certificate file, issued by our own CA and valid for 2 years.

IMPORTING THE NEW CERTIFICATE

Open Manage Computer Certificates, or just press CTRL+R and type certlm.msc as you did before. Before importing the new certificate you may still see the old certificate in place. To avoid confusion, delete it, as it is expired and can no longer be used (fig 23):

Figure 23: Deleting the expired certificate

Go to Certificate Manager -> Certificates (Local Computer) -> Personal -> Certificates -> All Tasks -> Import... (fig 24):

Figure 24: Importing new certificate

You will see a Welcome screen with the store location set to Local Machine, which cannot be changed. Click Next. In the next screen, browse to and select the certificate file you downloaded and click Next (fig 25):

Figure 25: Selecting the certificate file

In the Certificate Store screen, select Place all certificates in the following store and select Personal, then click Next (fig 26). In the next screen, click Finish:

Figure 26: Selecting the store

Now you'll be able to see the new certificate imported (fig 27):

Figure 27: Certificate imported successfully
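The whole request, issuance and import procedure above (figures 6 to 27) can also be done without the GUI. The following is an added example, not the article's own code: a certreq INF file that encodes the same choices the wizard makes (PKCS #10, legacy CSP key instead of CNG, 2048-bit exportable Exchange key, wildcard CN, Digital Signature + Key Encipherment), submitted to the enterprise CA with the Web Server template, and a check of the resulting certificate. The CA config string, the work folder, the friendly name and the CSP name are assumptions; certreq -accept installs the certificate into Local Computer -> Personal, so the manual import step is not needed in this variant.

```powershell
# Added example, not from the original article. Placeholders: $caConfig (run "certutil -dump"
# on the CA to see the real "host\CA name"), $workDir, the friendly name and the CSP name.
$workDir  = 'C:\CertRequest'
$caConfig = 'CAHOST\CA-NAME'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

@'
[NewRequest]
Subject        = "CN=*.crmadmin.com.br"
FriendlyName   = "Dynamics and AD FS wildcard"
RequestType    = PKCS10
KeyLength      = 2048
KeySpec        = 1          ; AT_KEYEXCHANGE, the "Exchange" key type in the wizard
Exportable     = TRUE       ; "Mark private key exportable"
MachineKeySet  = TRUE       ; key belongs to the Local Computer store, not the user
KeyUsage       = 0xA0       ; Digital Signature (0x80) + Key Encipherment (0x20)
ProviderName   = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType   = 12         ; legacy CSP, i.e. a "Legacy key", not a CNG key
HashAlgorithm  = sha256
'@ | Set-Content -Path "$workDir\wildcard.inf" -Encoding Ascii

certreq -new    "$workDir\wildcard.inf" "$workDir\wildcard.req"      # Base-64 PKCS #10 request
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' `
        "$workDir\wildcard.req" "$workDir\wildcard.cer"                # issued by the Web Server template
certreq -accept "$workDir\wildcard.cer"                                # pairs the cert with the pending key

# Verify the installed certificate before touching the IIS or AD FS bindings.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=*.crmadmin.com.br' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$ku = ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Key Usage' }).KeyUsages
# A legacy CSP key exposes CspKeyContainerInfo; a CNG key does not (null or an exception).
$csp = $(try { $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { $null })
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter          # should be about 2 years out with the default template
    HasPrivateKey = $cert.HasPrivateKey     # must be True, otherwise the key pairing failed
    KeySize       = $cert.PublicKey.Key.KeySize
    KeyUsage      = "$ku"                   # expected: DigitalSignature, KeyEncipherment
    KeyProvider   = if ($csp) { $csp } else { 'not a legacy CSP key (CNG?) - unsupported by Dynamics' }
} | Format-List
```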

In Part 2 we will cover the procedures to configure the new certificate to work properly in Dynamics and AD FS.

Walter Carlin

Senior Customer Engineer - Dynamics 365 Customer Engagement - Microsoft Corp.