If you are using an Internet Facing Deployment (IFD) for your CRM, there is always that time every 1, 3, or X years when you receive the message to renew your SSL certificate. With ADFS 3.0 no longer dependent on IIS, as its previous versions were, the process changes a little. It is not very difficult to do, but it took me a little research to piece together all the steps in the right order. I wanted to share this information so that the process goes as smoothly as possible and you aren't stuck with your environment down while you scramble to figure out how to get the CRM and ADFS applications working together again.
You will first want to remove the old certificate from the ADFS and CRM servers. If the old certificate is left in place, it will cause problems later down the line.
Install Certificate on the ADFS server
Add the new certificate to the ADFS server and import it into the computer's Personal store. Make sure you have the private key that goes with the certificate. To access the console, open MMC, open the File menu, and select Add/Remove Snap-in. Select Certificates and click Add. In the pop-up window select Computer account, on the next screen select Local computer, and click Finish. Click OK to access the Certificates console.
To add the certificate expand the Certificates (Local Computer) and Personal folders. Right click on the Certificates folder and select All Tasks then Import.
You will also need to add permissions on the private key. The ADFS service account needs "Full" permissions and the CRM App Pool account requires at least "Read" permissions. To add permissions, right click on the certificate you just imported and select All Tasks, then Manage Private Keys. From here you can add the two accounts and their permissions.
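The same import and private-key permission steps can be scripted. The following is an added example, not code from the original post; the PFX path and the two account names are placeholders you must replace, and it assumes the certificate was issued with a CAPI (CSP) key, which is where the MachineKeys path below applies.

```powershell
# Added example: import the renewed PFX into the computer's Personal store and
# grant the ADFS service account Full Control and the CRM App Pool account Read
# on the private key. All three values below are placeholders (assumptions).
$PfxPath         = 'C:\Certs\sts.contoso.com.pfx'   # placeholder path to the renewed PFX
$AdfsServiceAcct = 'CONTOSO\svc-adfs'               # placeholder: ADFS service account
$CrmAppPoolAcct  = 'CONTOSO\svc-crmapppool'         # placeholder: CRM App Pool account

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation Cert:\LocalMachine\My `
                              -Password $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw 'The imported certificate has no private key; re-export the PFX with the key.'
}

# CAPI/CSP private keys are stored as files under MachineKeys; the ACL on that
# file is what "Manage Private Keys" in the MMC edits. CNG keys live elsewhere
# and $cert.PrivateKey is null for them, so stop rather than guess.
if (-not $cert.PrivateKey) {
    throw 'Key is not a CAPI key (CNG); set permissions via the MMC "Manage Private Keys" dialog.'
}
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AdfsServiceAcct, 'FullControl', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $CrmAppPoolAcct, 'Read', 'Allow')))
Set-Acl -Path $keyPath -AclObject $acl

# Verify: show who can read the key file and confirm both accounts are listed
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -in @($AdfsServiceAcct, $CrmAppPoolAcct) } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Run it in an elevated Windows PowerShell session on the ADFS server. On the CRM server the same script applies with only the CRM App Pool rule kept, since the ADFS service account does not need the key there.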
Install Certificate on the CRM server
On the CRM server add the new certificate and import it into the Computer’s Personal Store just as you did on the ADFS server. When adding permissions to the Certificate only the CRM App Pool account will be needed.
Next, bind the new certificate to HTTPS in IIS. When you open IIS Manager, right click the Microsoft Dynamics CRM website and select Edit Bindings. In the pop-up select HTTPS and click Edit. Here you can select the new SSL certificate and click OK to complete it. Finally, run iisreset from an elevated command prompt.
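As an added example (not from the original post), the same binding change done with the WebAdministration module, which lets you confirm which certificate IIS is actually serving after the reset. The site name comes from the post; the certificate subject is a placeholder.

```powershell
# Added example: rebind the CRM website's HTTPS binding to the renewed certificate.
Import-Module WebAdministration

$SiteName    = 'Microsoft Dynamics CRM'     # site name as shown in IIS Manager
$SubjectName = 'CN=crm.contoso.com'         # placeholder: subject of the renewed certificate

# Pick the newest unexpired certificate with a private key for that subject
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate found for $SubjectName" }

$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) { throw "Site '$SiteName' has no HTTPS binding" }

# Replace the certificate on the existing binding (store name 'My' = Personal)
$binding.AddSslCertificate($cert.Thumbprint, 'My')

iisreset

# Verify: the SSL binding in HTTP.SYS should now carry the new thumbprint
Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-Table IPAddress, Port, Host, Thumbprint
```

If the verification table comes back empty, the old certificate is still bound and clients will keep receiving it until the binding is corrected.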
Configure ADFS service
Going back to the ADFS server, you will need to update the Service Communications certificate in ADFS Management. Open ADFS Management and expand the Service and Certificates folders. In the right-hand Actions panel select Set Service Communications Certificate. A pop-up appears; select the new certificate and click OK.
You will also need to set the ADFS SSL certificate in PowerShell using the certificate's thumbprint. To obtain the thumbprint, right click the certificate in ADFS Management and select View Certificate. On the Certificate window open the Details tab and scroll down to locate the Thumbprint. Copy the thumbprint to Notepad and remove all of the spaces in it. Next, open Windows PowerShell as an Administrator and run the following command, inserting the thumbprint in place of the X's:
Set-AdfsSslCertificate -Thumbprint XXXXXXXXXXXXX
Open Services from the computer’s Administrative Tools and restart the Active Directory Federation Services service.
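The three ADFS steps above (service communications certificate, SSL certificate, service restart) can be run together from PowerShell, which also avoids the classic copy-and-paste problem: the Details tab prepends an invisible left-to-right mark to the thumbprint that survives removing the spaces and makes the cmdlet fail. This is an added example rather than the post's own commands; the federation service subject name is a placeholder, and it assumes ADFS 3.0 on Windows Server 2012 R2 with the certificate already imported.

```powershell
# Added example: set the service communications and SSL certificates from the
# certificate object itself instead of a pasted thumbprint, then restart ADFS.
$SubjectName = 'CN=sts.contoso.com'   # placeholder: your federation service name

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate found for $SubjectName" }

# Defensive cleanup: strip whitespace and the U+200E left-to-right mark that the
# certificate dialog copies along, and normalise to upper-case hex.
$thumbprint = ($cert.Thumbprint -replace '[\s\u200e]', '').ToUpperInvariant()
if ($thumbprint -notmatch '^[0-9A-F]{40}$') { throw "Thumbprint '$thumbprint' is not 40 hex characters" }

# Equivalent of "Set Service Communications Certificate" in ADFS Management
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumbprint

# Update the HTTP.SYS binding ADFS 3.0 uses instead of IIS
Set-AdfsSslCertificate -Thumbprint $thumbprint

# Same as restarting "Active Directory Federation Services" in Services
Restart-Service adfssrv

# Verify both settings point at the renewed certificate
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash
Get-AdfsCertificate -CertificateType Service-Communications |
    Format-Table Thumbprint, Subject, NotAfter
```

Every host name listed by Get-AdfsSslCertificate should show the new hash; an entry still carrying the old hash means a binding was missed and that endpoint will keep presenting the expired certificate.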
Reconfigure Claims-Based Authentication
Open the CRM Deployment Manager and select Configure Claims-Based Authentication which will bring up the wizard. Advance through the wizard to the Certificate page. Select the new certificate in the lookup and continue through the configuration to complete it.
Update Relying Party Metadata in ADFS Management
The final step is to update the relying party metadata that was just regenerated by the claims-based authentication wizard. In ADFS Management expand Trust Relationships and select Relying Party Trusts. Right click on each CRM relying party, select Update from Federation Metadata, and click Update.
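An added example (not from the original post) that performs the metadata refresh for every relying party that has a metadata URL and then checks that each trust's encryption certificate now matches the renewed certificate. The subject name is a placeholder.

```powershell
# Added example: refresh every relying party trust from its federation metadata
# and confirm the encryption certificate ADFS recorded is the renewed one.
$SubjectName = 'CN=sts.contoso.com'   # placeholder: renewed certificate subject

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate found for $SubjectName" }

$trusts = Get-AdfsRelyingPartyTrust | Where-Object { $_.MetadataUrl }
foreach ($rp in $trusts) {
    # Same action as "Update from Federation Metadata" in ADFS Management
    Update-AdfsRelyingPartyTrust -TargetName $rp.Name

    $updated = Get-AdfsRelyingPartyTrust -Name $rp.Name
    $encThumb = if ($updated.EncryptionCertificate) { $updated.EncryptionCertificate.Thumbprint } else { '(none)' }
    $status = if ($encThumb -eq $cert.Thumbprint) { 'OK' } else { 'MISMATCH' }
    '{0,-40} {1,-10} {2}' -f $rp.Name, $status, $encThumb
}
```

A MISMATCH row means ADFS is still holding the old certificate for that trust, so tokens issued to it will be encrypted for a key CRM no longer trusts; rerun the Configure Claims-Based Authentication wizard on the CRM side and update that trust again.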
As always, be sure to test your connection to CRM to make sure the certificate renewal was successful.
SCOTT FLORANCE | CRM Business Software Consultant
Scott Florance is one of the CRM Consultants at KTL and has proven his value as a member of the team since September 2013. Whether implementing a new CRM organization or adding to existing configurations, Scott has engaged clients with a positive and enthusiastic demeanor to help them meet their organizational needs. With four plus years of experience, Scott is familiar with CRM as both a power user and administrator. Scott received his bachelor’s degree in business administration from the University of Central Florida. He is a Microsoft Certified Technology Specialist for Dynamics CRM as well as a Certified Scribe Technician.