Configure server-based authentication with Microsoft Dynamics 365 (on-premises) and SharePoint Online

Dynamics CRM 2016

Updated: November 28, 2016

Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016

This topic describes how to configure server-based authentication between Dynamics 365 (on-premises) and Microsoft SharePoint Online. The following diagram illustrates the communication between Dynamics 365 (on-premises), Azure AD Domain Services, and SharePoint Online.

[Diagram: CRM (on-premises) and SharePoint Online]

Permissions required

Microsoft Dynamics 365

  • System Administrator security role. This is required to run the Enable Server-Based SharePoint Integration wizard in Microsoft Dynamics 365.

  • If you are using a self-signed certificate for evaluation purposes, you must have local Administrators group membership on the computer where Microsoft Dynamics 365 Server is running.

SharePoint Online

  • Office 365 Global Administrators membership. This is required for administrative-level access to the Office 365 subscription and to run the Microsoft Azure PowerShell cmdlets.

Follow the steps in the order provided to set up Dynamics 365 (on-premises) with SharePoint Online.

Important
  • The steps described here must be completed in the order provided. If a task is not completed, such as a Windows PowerShell command that returns an error message, the issue must be resolved before you continue to the next command, task, or step.

  • After you enable server-based SharePoint integration, you can’t revert to the previous client-based authentication method. This means you can’t use the Microsoft Dynamics CRM List Component after you have configured your Dynamics 365 organization for server-based SharePoint integration.

  • To connect multiple Dynamics 365 (on-premises) organizations in the same Dynamics 365 deployment to more than one SharePoint Online site, the SharePoint Online sites must be in the same Microsoft Office 365 tenant.

Verify prerequisites

Before you configure Dynamics 365 (on-premises) and SharePoint Online for server-based authentication, the following prerequisites must be met:

  • The Dynamics 365 (on-premises) deployment must already be configured and available through the Internet. More information: Configure IFD for Microsoft Dynamics 365

  • Microsoft Dynamics 365 Hybrid Connector. The Microsoft Dynamics 365 Hybrid Connector is a free connector that lets you use server-based authentication with Dynamics 365 (on-premises) and SharePoint Online. More information: Microsoft Dynamics CRM Hybrid Connector

  • An x509 digital certificate issued by a trusted certificate authority that will be used to authenticate between Dynamics 365 (on-premises) and SharePoint Online. If you are evaluating server-based authentication, you can use a self-signed certificate.

The following software features are required to run the Windows PowerShell cmdlets described in this topic.

Important

At the time of this writing, there is an issue with the RTW version of Microsoft Online Services Sign-In Assistant for IT Professionals. Until the issue is resolved, we recommend that you use the Beta version. More information: Microsoft Azure Forums: Cannot install Azure Active Directory Module for Windows PowerShell. MOSSIA is not installed.

Set up server-based authentication

  1. On the Microsoft Dynamics 365 Server where the deployment tools server role is running, start the Azure Active Directory Module for Windows PowerShell.

    Important

    The computer where you run the following PowerShell commands must have the prerequisite software features described earlier in Verify prerequisites.

  2. Prepare the certificate.

    # Registers the S2S token-issuer certificate with Dynamics 365 and grants the
    # asynchronous service account access to its private key. Replace the path,
    # password and service account with your own values.
    $CertificateScriptWithCommand = ".\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password personal_certfile_password -updateCrm -certificateType S2STokenIssuer -serviceAccount contoso\CRMAsyncService -storeFindType FindBySubjectDistinguishedName"

    Invoke-Expression -command $CertificateScriptWithCommand
    
  3. Prepare the PowerShell session.

    The following cmdlets enable the computer to receive remote commands and add Office 365 modules to the PowerShell session. For more information about these cmdlets, see Windows PowerShell Core Cmdlets.

    Enable-PSRemoting -force
    New-PSSession
    Import-Module MSOnline -force
    Import-Module MSOnlineExtended -force
    
    
  4. Connect to Office 365.

    When you run the Connect-MsolService command, you must provide a valid Microsoft account that has Office 365 Global Administrator membership for the SharePoint Online license that is required.

    For detailed information about each of the Azure Active Directory PowerShell commands listed here, see MSDN: Manage Azure AD using Windows PowerShell.

    $msolcred = get-credential
    connect-msolservice -credential $msolcred
    
    
  5. Set the certificate.

    # Load the .pfx (certificate plus private key) that Dynamics 365 uses to sign tokens.
    $STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "c:\Personalcertfile.pfx", "personal_certfile_password"
    $PFXCertificateBin = $STSCertificate.GetRawCertData()
    # Load the matching .cer (public certificate only); this is what Azure AD receives.
    $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $Certificate.Import("c:\Personalcertfile.cer")
    $CERCertificateBin = $Certificate.GetRawCertData()
    # Base64-encoded DER is the format New-MsolServicePrincipalCredential expects in -Value.
    $CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)
    
  6. Set the Azure Active Directory Service Principal Name (SPN) in SharePoint.

    Replace *.contoso.com with the domain name where Microsoft Dynamics 365 Server is located.

    
    $RootDomain = "*.contoso.com"
    # Well-known application ID of the Dynamics 365 service principal in Azure AD.
    $CRMAppId = "00000007-0000-0000-c000-000000000000"
    # Register the public certificate as a Verify credential so SharePoint Online can validate tokens signed by Dynamics 365.
    New-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -Type asymmetric -Usage Verify -Value $CredentialValue
    $CRM = Get-MsolServicePrincipal -AppPrincipalId $CRMAppId
    $ServicePrincipalName = $CRM.ServicePrincipalNames
    # Remove then add so the SPN appears exactly once even if this step is re-run.
    $ServicePrincipalName.Remove("$CRMAppId/$RootDomain")
    $ServicePrincipalName.Add("$CRMAppId/$RootDomain")
    Set-MsolServicePrincipal -AppPrincipalId $CRMAppId -ServicePrincipalNames $ServicePrincipalName
    
    
  7. Configure the Microsoft Dynamics 365 Server for server-based authentication with SharePoint.

    Add-PSSnapin Microsoft.Crm.PowerShell
    $setting = New-Object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"
    $setting.LogicalName = "ServerSettings"
    $setting.Attributes = New-Object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"
    # Principal ID of the Azure AD authorization server that issues the S2S tokens.
    $attribute1 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerPrincipalId", "00000001-0000-0000-c000-000000000000")
    $setting.Attributes.Add($attribute1)
    # Metadata endpoint from which Dynamics 365 fetches the authorization server's signing keys.
    $attribute2 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerMetadataUrl", "https://accounts.accesscontrol.windows.net/metadata/json/1")
    $setting.Attributes.Add($attribute2)
    Set-CrmAdvancedSetting -Entity $setting
    
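The following PowerShell is an added verification step, not part of the original topic or of the product's own scripts. After step 7 it confirms that the .cer registered in Azure AD is the public half of the .pfx given to Dynamics 365, that the certificate is within its validity period, and that the credential, SPN and server settings were actually written; a mismatch in any of these surfaces later as the Failed Authentication error. It assumes the placeholder paths, password, $CRMAppId and $RootDomain used in the steps above, an open Connect-MsolService session, and the Microsoft.Crm.PowerShell snap-in already loaded.

```powershell
# Added check (not from the original topic); placeholder values are the ones used in steps 2 to 7.
$pfxPath    = "c:\Personalcertfile.pfx"
$cerPath    = "c:\Personalcertfile.cer"
$CRMAppId   = "00000007-0000-0000-c000-000000000000"
$RootDomain = "*.contoso.com"
$now        = Get-Date

$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, "personal_certfile_password"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

# 1. The .cer uploaded to Azure AD must be the same certificate whose private key Dynamics 365 signs with.
if ($pfx.Thumbprint -ne $cer.Thumbprint) {
    Write-Warning "PFX and CER are different certificates: $($pfx.Thumbprint) vs $($cer.Thumbprint)"
}
if (-not $pfx.HasPrivateKey) {
    Write-Warning "PFX has no private key; Dynamics 365 cannot sign S2S tokens with it"
}
if ($cer.NotBefore -gt $now -or $cer.NotAfter -lt $now) {
    Write-Warning "Certificate is outside its validity period ($($cer.NotBefore) to $($cer.NotAfter))"
}

# 2. The Dynamics 365 app principal should hold an asymmetric Verify credential that is valid today.
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -ReturnKeyValues $false
$valid = $creds | Where-Object {
    $_.Type -eq "Asymmetric" -and $_.Usage -eq "Verify" -and $_.StartDate -le $now -and $_.EndDate -ge $now
}
if (-not $valid) {
    Write-Warning "No currently valid asymmetric Verify credential is registered for $CRMAppId"
}

# 3. The SPN for the Dynamics 365 domain must be present exactly once.
$spns     = (Get-MsolServicePrincipal -AppPrincipalId $CRMAppId).ServicePrincipalNames
$expected = "$CRMAppId/$RootDomain"
if (@($spns | Where-Object { $_ -eq $expected }).Count -ne 1) {
    Write-Warning "SPN '$expected' not found exactly once; current SPNs: $($spns -join ', ')"
}

# 4. Read back the two server settings written with Set-CrmAdvancedSetting.
foreach ($name in "S2SDefaultAuthorizationServerPrincipalId", "S2SDefaultAuthorizationServerMetadataUrl") {
    $s = Get-CrmAdvancedSetting -ConfigurationEntityName ServerSettings -Setting $name
    $s.Attributes | ForEach-Object { "{0} = {1}" -f $_.Key, $_.Value }
}
```

Any warning printed means the corresponding earlier step must be repeated before running the Enable Server-Based SharePoint Integration wizard.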

Run the Enable Server-Based SharePoint Integration wizard

  1. In the Microsoft Dynamics 365 app, go to Document Management.

  2. In the Document Management area, choose Enable server-based SharePoint integration.

  3. Review the information and then click Next.

  4. For the SharePoint sites, click Online, and then click Next.

  5. On the Prepare Sites stage, enter the following information.

    • Enter the SharePoint Online site collection URL, such as https://contoso.sharepoint.com/sites/salesteam.

    • Enter the tenant ID. More information: Get the SharePoint online tenant ID

  6. Click Next.

  7. The Validate Sites section appears. If all sites are determined to be valid, click Enable. If one or more sites are determined to be invalid, see Troubleshooting Dynamics 365 Server (on-premises) to SharePoint Server On-Premises server-based integration.

Get the SharePoint online tenant ID

Use PowerShell

  1. In the Azure Active Directory module for Windows PowerShell shell, run the following commands.

    $CRMContextId = (Get-MsolCompanyInformation).ObjectID
    $CRMContextId
    
    
  2. Copy the GUID that is displayed to the clipboard.

Use site settings

  1. Sign in to the SharePoint site collection that you will use for document management with Microsoft Dynamics 365.

  2. Go to Site settings > Site app permissions.

    The tenant ID is displayed under App Identifier, to the right of the @ sign. Copy and paste in only the GUID. Do not paste in any part of the identifier to the left of @.

Troubleshooting

  • Failed Authentication. This error can be returned when the certificate used for server-to-server authentication is missing or invalid.

© 2016 Microsoft. All rights reserved.