Before Renewal
1. Disable CRM Organization in Deployment Manager:
- Log in to the CRM APP server with CRM Admin (Local admin) rights.
- Launch Deployment Manager (found in the Start menu or by searching).
- In Deployment Manager, expand "Deployment Management" on the left.
- Click "Organizations" to view the list of CRM organizations.
- Locate "crmaws" in the list, right-click, and select "Disable."
2. Stop Default Website and MS CRM Website in IIS:
- Open IIS Manager:
  - Press Win + R, type "inetmgr", and press Enter.
- Stop Default Website:
  - In the left pane, expand your server to see websites.
  - Find "Default Web Site," right-click, and choose "Stop."
- Stop Microsoft Dynamics Website:
  - In the Connections pane, find your Dynamics website, right-click, and select "Stop."
3. Stop CRM/ADFS Services in Windows Services:
- Open Windows Services (services.msc).
- Identify CRM-related services (e.g., "Microsoft Dynamics CRM Asynchronous Processing Service") and stop each one.
- Also, stop the "Active Directory Federation Services" service.
After Renewal
4. Install Renewed Certificate to Local Certificate Store:
- Log in to the server with local admin privileges.
- Copy the renewed certificate (PFX or CER format) to the server.
- Open MMC (Run > mmc), add the Certificates snap-in for the local computer, and import the certificate.
5. Grant Access to the Certificate:
- In MMC, locate the certificate, right-click, and manage private keys.
- Add the identities used by the Microsoft Dynamics 365 Asynchronous Processing Service (e.g., NETWORK SERVICE and CRM Admin) with "Full" permissions.
6. Restart/Enable the Services Mentioned in the "Before Renewal" Steps One by One.
7. Update Dynamics 365 Server to Use the New Certificate:
- Open Dynamics 365 Deployment Manager.
- Select "Microsoft Dynamics 365" on the left.
- Under the Action menu, choose "Update or Repair Dynamics 365."
- Follow the wizard, selecting the renewed certificate.
- Complete the update, ensuring Dynamics 365 Server restarts if needed.
8. Refresh OWA-CRM Integration & CRM-Exchange (Hybrid) Integration:
- Place a copy of the .pfx file (directory and file name: "C:\certs\certificate.pfx") and the .cer file (directory and file name: "C:\certs\wildcard_cert.cer") on the CRM App server.
- Run the provided PowerShell script, adjusting paths ($PFXCertificatePath and $CERCertificatePath), passwords, and org names as needed.
###Reference: https://learn.microsoft.com/en-us/previous-versions/dynamicscrm-2016/administering-dynamics-365/mt703269(v=crm.8)?redirectedfrom=MSDN
###SOLUTION: OWA-CRM Integration & CRM-EXCHANGE (Hybrid) Integration | ERROR: [MailApp] Client loader timed out
###NOTE: Use CRM ADMIN user with global admin, exchange admin, and Office 365 rights. You must have a valid certificate available in .pfx (with password) and .cer OR .crt (binary encoded) format. Use MMC to export the certificate files. In the below script, change the certificate file path, password, and CRM org name wherever applicable. Run the below script on the CRM App server using PowerShell.
# (0) Pre-requisites: Update variables and paths below
$CRMToolsDir = "C:\Program Files\Microsoft Dynamics CRM\tools"
$CertificateScriptPath = ".\CertificateReconfiguration.ps1"
$PFXCertificatePath = "c:\certs\certificate.pfx"
$CERCertificatePath = "c:\certs\certificate.crt"
$CertificatePassword = "1234" # Placeholder value: replace with the password of the .pfx file
$CertificateType = "S2STokenIssuer"
$ServiceAccount = "domain\crmadmin"
$StoreName = 'My'
$StoreLocation = 'LocalMachine'
$StoreFindType = 'FindBySubjectDistinguishedName'
$RootDomain = "*.domain.com"
$CRMAppId = "00000007-0000-0000-c000-000000000000"
$OrganizationName = "crmaws"
cd $CRMToolsDir
Add-PSSnapin Microsoft.Crm.PowerShell
# (1) Certificate Script Execution
# Call the script with the call operator so that paths or passwords containing spaces or special characters are passed intact
& $CertificateScriptPath -certificateFile $PFXCertificatePath -password $CertificatePassword -updateCrm -certificateType $CertificateType -serviceAccount $ServiceAccount -storeFindType $StoreFindType
# (2) Set Wildcard Certificate
Set-CrmCertificate -DataFile $CERCertificatePath -StoreName $StoreName -CertificateType $CertificateType -StoreLocation $StoreLocation -StoreFindType $StoreFindType
# (3) Configure MSOnline
Enable-PSRemoting -force # If this command gives an error, skip it and move on to the next command
New-PSSession
Import-Module MSOnline -force
Import-Module MSOnlineExt -force
Connect-MsolService
$STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PFXCertificatePath, $CertificatePassword
$PFXCertificateBin = $STSCertificate.GetRawCertData()
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Certificate.Import($CERCertificatePath)
$CERCertificateBin = $Certificate.GetRawCertData()
$CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)
$ServicePrincipalName = Get-MsolServicePrincipal -AppPrincipalId $CRMAppId | Select-Object -ExpandProperty ServicePrincipalNames
$ServicePrincipalName.Remove("$CRMAppId/$RootDomain")
$ServicePrincipalName.Add("$CRMAppId/$RootDomain")
Set-MsolServicePrincipal -AppPrincipalId $CRMAppId -ServicePrincipalNames $ServicePrincipalName
# (4) Set CRM Advanced Settings
$setting = New-Object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"
$setting.LogicalName = "ServerSettings"
$setting.Attributes = New-Object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"
$attribute1 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerPrincipalId", "00000001-0000-0000-c000-000000000000")
$setting.Attributes.Add($attribute1)
$attribute2 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerMetadataUrl", "https://accounts.accesscontrol.windows.net/metadata/json/1")
$setting.Attributes.Add($attribute2)
Set-CrmAdvancedSetting -Entity $setting
$CRMContextId = (Get-MsolCompanyInformation).ObjectID
$CRMContextId
# (5) Set S2STenantId
$orgInfo = Get-CrmOrganization -Name $OrganizationName
if ($orgInfo) {
    Set-CrmAdvancedSetting -ID $orgInfo.ID -configurationEntityName "Organization" -setting "S2STenantId" -value $CRMContextId
}
# (6) Refresh ClaimsSettings
Add-PSSnapin Microsoft.Crm.PowerShell
$ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings
$ClaimsSettings.Enabled = $true
Set-CrmSetting -Setting $ClaimsSettings
# (7) Restart Services
Stop-Service adfssrv
Start-Service adfssrv
iisreset
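
A pre-flight check for steps 4 and 5, as an added example that is not part of the original script or of Microsoft's tooling: it confirms that the .pfx and .cer hold the same certificate, that the certificate is in LocalMachine\My with its private key, and that the service identity has a direct read entry on the key file. The function name, the 30-day margin, the RSA-key assumption and the assumption that both files were exported from the same certificate are choices made for this example.

```powershell
# Added example (not part of the original script). Assumes an RSA key and that
# the .pfx and .cer were exported from the same certificate.
function Test-RenewedCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$ServiceAccount,  # e.g. 'NT AUTHORITY\NETWORK SERVICE'
        [int]$MinDaysValid = 30                         # assumed safety margin
    )
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $pfx = New-Object $type -ArgumentList $PfxPath, $PfxPassword
    $cer = New-Object $type -ArgumentList $CerPath
    $problems = @()
    if ($pfx.Thumbprint -ne $cer.Thumbprint) { $problems += 'PFX and CER hold different certificates' }
    if (-not $pfx.HasPrivateKey) { $problems += 'PFX contains no private key' }
    if ($pfx.NotBefore -gt (Get-Date)) { $problems += "Not valid before $($pfx.NotBefore)" }
    if ($pfx.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) { $problems += "Expires $($pfx.NotAfter)" }

    # Step 4: the certificate must be in LocalMachine\My together with its private key.
    $stored = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $pfx.Thumbprint } | Select-Object -First 1
    if (-not $stored -or -not $stored.HasPrivateKey) {
        return $problems + 'Certificate with private key not found in LocalMachine\My'
    }

    # Step 5: locate the key file (CNG or legacy CSP directory) and inspect its ACL.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($stored)
    if (-not $rsa) { return $problems + 'No RSA private key could be opened' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
    else { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $keyFile = "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
        ForEach-Object { Join-Path $_ $name } | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyFile) { return $problems + "Key file '$name' not found" }

    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $ace = (Get-Acl -Path $keyFile).Access | Where-Object {
        ($_.IdentityReference.Value -eq $ServiceAccount) -and ($_.AccessControlType -eq 'Allow') -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    # Only direct ACEs are checked; access granted through group membership is not resolved.
    if (-not $ace) { $problems += "$ServiceAccount has no direct Allow/Read entry on the private key" }
    return $problems   # empty result means every check passed
}

# Usage with the page's sample paths; the password is prompted for instead of stored:
# Test-RenewedCertificate -PfxPath 'C:\certs\certificate.pfx' -CerPath 'C:\certs\certificate.crt' `
#     -PfxPassword (Read-Host 'PFX password' -AsSecureString) -ServiceAccount 'NT AUTHORITY\NETWORK SERVICE'
```

Run it from an elevated Windows PowerShell session on the CRM App server after step 5 and before re-enabling the services in step 6.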
Ensure you follow these steps carefully to successfully renew your certificates for Dynamics CRM (v8.2) On-Premise. Always maintain proper backups and consider the impact on your CRM environment before making any changes.