Best practices for server-side synchronization

 

Updated: November 28, 2016

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Consider the following when planning and deploying server-side synchronization.

By default, the Microsoft Exchange Online email server profile is created for Dynamics 365 (online) organizations and should be your first choice. If you want to use your own profile, and you use Dynamics 365 (online) and Exchange Online on the same tenant, use the following settings in your email server profile (Settings > Email Configuration > Email Server Profiles).

| Settings | Recommendation |
|---|---|
| Auto Discover Server Location | Yes |
| Incoming Connection | |
| Authenticate Using | Server to Server Authentication |
| Use Impersonation | No |
| Use same settings for Outgoing | Yes |

Using one account to process email to all mailboxes is easier to maintain but requires using an account that has access to all mailboxes in Outlook or Exchange. The account must have impersonation rights on Exchange. If that single account is compromised, all mailboxes using that account are compromised. To use a single account for email processing, use the following settings in your email server profile (Settings > Email Configuration > Email Server Profiles).

| Settings | Recommendation |
|---|---|
| Incoming Connection | |
| Authenticate Using | Credentials Specified in Email Server Profile |
| User Name | The administrator’s user name |
| Password | The administrator’s password |
| Use Impersonation | Yes |
| Use same settings for Outgoing | Yes |

Delegation (Use Impersonation = No) is not supported for syncing Appointments, Contacts, and Tasks.
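
Because a single impersonating account exposes every mailbox it can reach, one way to reduce that exposure is to audit who holds the Exchange ApplicationImpersonation role and to limit the synchronization account to only the mailboxes that Dynamics 365 processes. The following is an added example, not part of the original page or Microsoft's documented procedure for this feature; the account name, scope name, assignment name, marker value and sample mailbox are hypothetical, and it assumes an Exchange Management Shell session.

```powershell
# Hypothetical names used for illustration only (not from the page).
$SyncAccount = 'svc-d365sync@contoso.example'  # account entered in the email server profile
$ScopeName   = 'D365-Synced-Mailboxes'         # management scope to create
$Marker      = 'D365Sync'                      # value stamped on mailboxes that Dynamics 365 syncs

# 1. Audit: list every principal that currently holds impersonation rights,
#    and whether the assignment is limited by a custom recipient scope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Tag each mailbox that server-side synchronization must process.
#    (Constructed sample mailbox; repeat or pipe a list for real users.)
Set-Mailbox -Identity 'user1@contoso.example' -CustomAttribute1 $Marker

# 3. Create a management scope that matches only the tagged mailboxes.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "CustomAttribute1 -eq '$Marker'"
}

# 4. Grant impersonation to the sync account within that scope only.
New-ManagementRoleAssignment -Name 'D365-Scoped-Impersonation' `
    -Role ApplicationImpersonation `
    -User $SyncAccount `
    -CustomRecipientWriteScope $ScopeName

# 5. Report any remaining unscoped impersonation assignments for the account,
#    so they can be reviewed and removed once the scoped assignment is tested.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $SyncAccount |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    Select-Object Name, RoleAssigneeName, RecipientWriteScope
```

With the scoped assignment in place, a compromise of the synchronization account is limited to the tagged mailboxes rather than every mailbox in the organization.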

An alternative to a single account to process emails is using individual accounts. This method requires more maintenance effort but does not focus security on a single account. If you want each user account to synchronize with Outlook or Exchange and you’re not using the Microsoft Exchange Online email server profile, use the following settings (Settings > Email Configuration > Email Server Profiles).

| Settings | Recommendation |
|---|---|
| Incoming Connection | |
| Authenticate Using | Credentials Specified by a User or Queue |
| Use Impersonation | No |
| Use same settings for Outgoing | Yes |

Set the following in each user mailbox.

| Settings | Recommendation |
|---|---|
| Credentials | |
| Allow to Use Credentials for Email Processing | Yes |
| User Name | The user name for the mailbox |
| Password | The password for the mailbox |

By default, Microsoft Dynamics 365 doesn’t allow users to enter their email address or password when it detects that the credentials may be transmitted over a non-secure channel, such as HTTP. Dynamics 365 enforces this by disabling the ability to select “Yes” next to “Allow to Use Credentials for Email Processing” on the user mailbox form.


However, if your deployment is using SSL offloading where Dynamics 365 can’t detect the offloading, you can configure Dynamics 365 on-premises versions to allow the transmission of email credentials. This workaround is only available with Microsoft Dynamics CRM 2013 and later on-premises versions.

Warning

Before you execute the following SQL statement, back up your configuration and organization database. More information: Back up the Microsoft Dynamics 365 System

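USE MSCRM_CONFIG
GO
-- Enable credential entry over channels Dynamics 365 sees as non-secure,
-- but only if the deployment property exists and is currently disabled (0).
IF EXISTS (SELECT ColumnName, BitColumn FROM DeploymentProperties WHERE ColumnName = 'AllowCredentialsEntryViaInsecureChannels' AND BitColumn = 0)
BEGIN
    UPDATE DeploymentProperties SET BitColumn = 1 WHERE ColumnName = 'AllowCredentialsEntryViaInsecureChannels'
END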

© 2016 Microsoft. All rights reserved.