章配置微软文稿h

4DynamicsCRM(Configure4DynamicsCRM(ConfigureDynamics4-1CRM向互联网的部署（IFD）（ConfiguringCRMfacingdeploymentDynamicsCRM（on-premises）使用基于声明的身份验证来验证内部用户和使上网不使用外部用户的VPN。配置面向Internet的部署（IFD）可以让用户从网上微软DynamicsCRM，公司防火墙之外，不使用虚拟专用网络（VPN）。(MicrosoftDynamicsCRM(on-premises)usesclaims-basedauthenticationtoauthenticateinternalusersandtoenableInternetaccessforexternalusersnotusingVPN.ConfiguringanInternet-facingdeployment(IFD)letsusersgettoMicrosoftDynamicsCRMfromtheInternet,outsidethecompanyfirewall,withoutusingavirtualprivatenetwork(VPN)).CRMOn-premise的面向互联网的部署（IFD）（ThischaptercoversallthestepsyouhavetofollowtoconfigureInternetdeployment(IFD)foraCRMOn-在我们进行这之前，我们将讨论几个环境的细节。DynamicsCRM服务器安装在视窗服2012ADFS2.1ADFS2012中的一个单独的地方.（BeforeweproceedhereareafewdetailsoftheenvironmentDynamicsCRMServerinstalledonWindowsServer2012ADFS2.1onaseparateboxonWindowsServer2012）ADFS2.1WindowsServer2012作为操作系统的一部分，因此可以安装为从服务器管理器的作用。（ADFS2.1wasreleasedtoWindowsServer2012aspartoftheoperatingsystemandthereforecanbeinstalledasaRolefromServerManager.）DynamicsCRMInstallandconfigureDynamicsCRM2013/2015InstallandconfigureIISontheADFSServerPurchasetheappropriatecertificatesfortheIFDconfigurationorInstallself-signedcertificate）在我的例子中，这将是*。URL。如果你得到一个三证书你需要知道您所有的URL的现在和未来（如果你要添加更多的组织）（Youwillneedtochoosethetypeofcertificatethatwillworkbestinyourenvironment.Mostpeoplehavechosentouseawildcardfortheirexternaldomainsoinmyexampleitwouldbe*.soIcanuseitforalltheURLs.IfyouweretogetaSANcertificateyouwouldneed证书你需要知道您所有的URL的现在和未来（如果你要添加更多的组织）（Youwillneedtochoosethetypeofcertificatethatwillworkbestinyourenvironment.Mostpeoplehavechosentouseawildcardfortheirexternaldomainsoinmyexampleitwouldbe*.soIcanuseitforalltheURLs.IfyouweretogetaSANcertificateyouwouldneedtoknowallofyourURLsnowandfuture(ifyouweregoingtoaddmoreorgs)）ADFSCRM一样，ADFS将需要使用默认的端口，将需要使用别的默认网站。（IfADFSwillbeonthesameserverasCRM,ADFSwillneedtobeonthedefaultwebsiteusingthedefaultportsoCRMwillneedtousesomethingelse.）6个主要部分。(Theentireprocesswillbebreakdowninto5majorWindows2012R2创建自签署证书(Createself-signedcertificatefromWindows2012R2):具有约束力的证书（BindingCertificates）4-1-3:安装ADFS（SetupADFS）:DNS配置（DNS:DynamicsCRM服务器，用于基于要求的认证（ConfiguringCRMserverforclaimsbasedauthentication）:IFDCRM服务器配置（ConfiguringCRMserverfor你要准备两台电脑：第一个是ADFS服务器和第二个是CRM服务器。（Youwillpreparetwocomputers:thefirstoneisADFSserverandthissecondoneisforCRM以下我们开始这些练习。（Thefollowinglabexerciseswillgothroughthesesixmajor[Lab]4-1-1Windows2012R2创建自签署(Createself-signedcertificatefromWindows2012R2)ADFSCRM服务器。（Forthepurposeofthelabexercises,wewillusetheself-signedcertificatesifyoudonothavethe3rdpartycertificate.Youhavecreatedself-signedcertificatesinbothADFSandCRMservers.）1InWindows2012R2AdministrativeToolInternetInformationServices(IIS)2.DoubleclickontheServer3.在这个新窗口中，您可以看到右侧，在该部分中，单击“3.在这个新窗口中，您可以看到右侧，在该部分中，单击“创建自签名证书”(InthisnewwindowyoucouldseeActionsinrightside.InthatsectionsclickonCreateSelf-Signed你会看到下面类似的屏幕YouwillseethefollowingsimilarADFSADFSADFSADFSCRM服务器，您可以使用“CRM(Enterafriendlynameforthecertificate.Forexample,inADFSserver,youcanuse‘ADFSCertificate’.IntheCRMServer,Youcanuse“CRMWildcardCertificate.Youwillseethefollowingsimilar4-1-2绑定具有约束力的证书（BindingADFS（Afteryouhaveobtainedandinstalledacertificate,thecertificatemustbeboundtothedefaultWebsitebeforeyoucanuseADFS）ADFS服务器（OntheADFSServer,WeareassumedthattheOSisWindows2012InWindows2012R2AdministrativeToolInternetInformationServices(IIS)（OpenIISManagerandintheConnectionspane,expandtheSitesnodeinthetree,andthenclicktheDefaultWebSite）（IntheActionspane(ontherighthandsideofyourscreen),click（IntheSiteBindingsdialogbox,clickAdd.）（UnderType,select（UnderSSLcertificate,selectyourSSLcertificateandthenclickOKandthenDynamicsCRM服务器（OntheCRM当启用基于声明的身份验证，DynamicsCRM当启用基于声明的身份验证，DynamicsCRMHTTPS。你必须把你的SSL证书的DynamicsCRM网站服务器。（Whenenablingclaims-basedauthentication,theDynamicsCRMServerWebsitemustbeaccessibleviaHTTPS.YoumustbindyourSSLcertificatetotheDynamicsCRMServerWebsite.）IIS管理器，在连接窗格中，展开树中的站点，然后单击“DynamicsCRM网站(OpenIISManagerandintheConnectionspane,expandtheSitesnodeinthetree,andthenclicktheMicrosoftDynamicsCRMWebsite)在“操作”窗格中，单击“绑定”。(IntheActionspane,click(IntheSiteBindingsdialogbox,clickAdd.(UnderType,select（UnderSSLcertificate,selectyourSSLcertificateandthenclickOKandthenCRMAppPoolDynamicsCRM(TheCRMAppPoolaccountandtheMicrosoftDynamicsCRMencryptionCRMAppPoolCRM网站的权利。如果应用程序池正在运行作为网(TheCRMAppPoolaccountwillneedtohaverightstothecertificatebeingusedfortheCRMwebsite.IftheapplicationpoolisrunningasNetworkServiceasintheexamplethenyouwillneedtogiveNetworkServicereadrightstothatcertificate.)IISCRMAppPool帐户。在连接窗格中，单击“应用程序池，然后检查CRMAppPool价值认同。(YoucanuseIISManagertodeterminewhataccountwasusedduringsetupfortheCRMAppPoolaccount.IntheConnectionspane,clickApplicationPools,andthenchecktheIdentityvalueforCRMAppPool.)MMC控制台，到文件菜单并选择“(LaunchtheMMCconsoleandgotoFilemenuandselectAdd-RemoveSnap(SelectCertificatesfromtheavailablesnap-insandclick(SelectComputerAccountandclickNextintheCertificatesSnap-Inwindow.(ClickFinishonthenextwindowandthenclick扩展证书个人>证书-(ExpandCertificates->Personal->Certificates->RightclickonManagePrivateDynamicsCRMDynamicsCRM应用程序池的标识，然后给它读权限，然后确定(AddtheidentitywhichisrunningtheCRMapplicationpoolandgiveitreadpermissionsandthenOkInmycaseitsNetworkService.(Youarenowdoneconfiguringthecertificates.4-1-3ADFS(Setup(LaunchServermanagerandclickonAddrolesand(ClickNextonthefirstpageinthe(SelectRole-basedorfeaturebasedinstallationandclick(SelectaserverfromtheserverpoolandclickNext)(SelectActiveDirectoryFederation(ClickonAddFeaturesandthenclick(ContinuetoclickonNextuntilyoureachtheConfirmationpageandthenclickInstallADFS(NowADFS(NowthatwehaveinstalledADFS,letsgoaheadandconfigureit.)(LaunchAdministrativetoolsandthenselectADFSmanagement.(Click(ClickonADFSFederationServerConfigurationWizardandonthewelcomepageselectCreateanewFederationService)10（Step10）：(SelectStandAloneorFarmDeployment.务器。(Dependinguponyourrequirementyoucanchoosetheappropriateoption.Thewizardexplainseachoftheoptions.IwillchooseStand-alonefederationserver.)(SpecifytheFederationService(Showsyouthesummaryofwhatisabouttobeinstalled.ClickNextto(WaitfortheconfigurationprocesstocompleteandclicktheClose4-1-4DNS配置4-1-4DNS配置(DNSDNSDynamicsCRM服务器端点的正确的解决。(YoushouldconfigureyourdomainrecordsinDNSsothevariousDynamicsCRMServerendpointsresolvecorrectly.)(OpenDNSManagerbyclickingStart,pointingtoAdministrativeTools,andthenclickingDNS.)展开正向查找区域，然后选择<域名>。comCNAME(ExpandForwardlookupZonesandthenselectthe<Domainname>.comandcreatethebelowCNAMErecords.)DNS记录创建屏幕截图(HereisascreenshotofalltheDNSrecordDNS记录创建屏幕截图(HereisascreenshotofalltheDNSrecordDynamicsDynamicsCRM2013AD服务的端口上使用的入站流量(YoumustalsosetyourfirewalltoallowinboundtrafficontheportsusedforDynamicsCRMServer2013andADFS2.1)4-1-5配置DynamicsCRM服务器，用于基于要求的认证(ConfiguringCRMserverforclaimsbasedauthentication)ADFSCRMDynamicsCRM(OnceADFSissetupandthecertificate/sareboundtothewebsites,youwillneedtoprepareCRMforClaimsAuthentication.)OnTheCRM(SetMicrosoftDynamicsCRMServer2013bindingtoHTTPSandconfiguretherootdomainWebaddresses)启动部署管理器操作窗格属性>网络地址标签HTTPSIPPointittothemachinethatasCRM2013ThisrecordwillbeusedbytheADFSserverwhenretrievingtheMicrosoftDynamicsCRMIFDfederationmetadata.xmlfilePointittothemachinethatcontainsthediscoverywebserviceMicrosoftDynamicsCRMDiscoveryWebServicedomainPointittothemachinethatasCRM2013InternalURLusedtoaccessMicrosoftDynamics(forexample,PointittothemachinethatasCRM2013ExternalURLusedtoaccessMicrosoftDynamics–WebApplicationServerdomain(forexample,).PointittothemachinethathasADFSinstalledADFS2.1(StarttheDeployment(StarttheDeploymentManager=>Actionspane=>Properties=>WebAddresstab=>BindingTypeselectHTTPS.)DynamicsCRM。这将是该网址，用户可以使用，如果他们想访问DynamicsCRM系统在网络中不被提示凭据。点击“申请”(YoucannowenteryourinternalURLforCRM.ThiswillbetheURLthatuserscanuseiftheywanttoaccessCRMwithinthenetworkwithoutbeingpromptedforcredentials.Clickon‘Apply’)Dynamics关系管理，然后单击“配置要求”为基础的验(IntheDeploymentManagerconsoletree,right-clickMicrosoftDynamicsCRM,andthenclickConfigureClaims-BasedAuthentication.ClickNextontheWelcomepage)在“URL，如(OntheSpecifythesecuritytokenservicepage,entertheFederationmetadataURL,suchas/federationmetadata/2007-06/federationmetadata.xml.)此数据通常位于活动目录服务（AD）2.1正在运行的网站上。要验证正确的网址，打开一(ThisdataistypicallylocatedontheWebsitewheretheActiveDirectoryFederationServices(ADFS)2.1isrunning.ToverifythecorrectURL,openanInternetbrowserbyusingtheURLtoviewthefederationmetadata.Verifythatnocertificate-relatedwarningsappear.)(OnSpecifytheencryptioncertificatepage,specifytheencryptioncertificate(OntheSystemCheckspage,reviewtheresults,performanystepsrequiredtofixproblems,andthenclickNext.)(OntheReviewyourselectionsandthenclickApplypage,verifyyourselections,andthenclickApply.)URL(ClickViewlogfileandscrolltothebottomandcopytheFederationmetadataURLtoavoidtyposURLCRMADFS2.1宣(YouwillneedtousethefederationmetadataURLthatwascreatedduringClaims-BasedAuthenticationconfigurationinCRMtosetuptheRelyingPartyTrustinADFS2.1(OnTheADFSAD(Afterenablingclaims-basedauthentication,thenextstepisaddandconfigureclaimsprovidertrustsandrelyingpartytrustsinADFS2.1)AD2.1管理。在“导航窗格”中，展开“信任关系”，然后单击“宣称提供程序”。在要求(StartADFS2.1Management.IntheNavigationPane,expandTrustRelationships,andthenclickClaimsProviderTrusts.UnderClaimsProviderTrusts,right-clickActiveDirectory,andthenclickEditClaimsRules.)在规则编辑器中，单击“LDAP属性要求的(IntheRulesEditor,clickAddRule,IntheClaimruletemplatelist,selecttheSendLDAPAttributesasClaimstemplate,andthenclickNext)(Createthe(Createthefollowing宣称规则名称：UPN宣称规则（或者描述(Claimrulename:UPNClaimRule(orsomething（Attributestore:Active（LDAPAttribute:UserPrincipal（OutgoingClaimType:（ClickFinish,andthenclickOKtoclosetheRules2013AD2.1(Afteryouenableclaims-basedauthentication,youmustconfigureDynamicsCRMServer2013asarelyingpartytoconsumeclaimsfromADFS2.1forauthenticatinginternalclaimsaccess.)AD管理。在“行动”菜单上的“右栏”中，单击“添加依赖方信任”。在“添加依赖方信任(StartADFSManagement.OntheActionsmenulocatedintherightcolumn,clickAddRelyingPartyTrust.IntheAddRelyingPartyTrustWizard,clickStart.)（OntheSelectDataSourcepage,clickImportdataabouttherelyingpartypublishedonlineoronalocalnetwork,andthentypetheURLyoucopiedearlierfromthelogfile.Sothatwillbe/FederationMetadata/2007-（Verifythatnocertificate-relatedwarningsappearbyopeningitinthebrowser.在指定的显示名页上，键入显示名称，如DynamicsCRM请求，然后单击“下一步”。(OntheSpecifyDisplayNamepagetypeadisplaynamesuchasCRMClaimsRelyingParty,andthenclickNext.)(OntheChooseIssuanceAuthorizationRulespage,leavethePermitalluserstoaccessthisrelyingpartyoptionselected,andthenclickNext.)(OntheReadytoAddTrustpage,clickNext,andthenclick(IftheRulesEditorappears,clickAddRule.Otherwise,intheRelyingPartyTrustslist,right-clicktherelyingpartyobjectthatyoucreated,clickEditClaimsRules,andthenclickAddRule.)(IntheClaimruletemplatelistselectthePassThroughorFilteranIncomingClaimtemplate,andthenclickNext.)创建以下规则#(CreatethefollowingRule(Claimrulename:PassThroughUPN(orsomething(Incomingclaimtype:UPN)(Passthroughallclaim(Click(IntheRulesEditor,clickAddRule,intheClaimruletemplatelist,selectthePassThroughorFilteranIncomingClaimtemplate,andthenclickNext)创建以下规则创建以下规则#(CreatethefollowingRulePrimarySID（或者描述(Claimrulename:PassthroughPrimarySID(orsomething输入类型：Primary(Incomingclaimtype:Primary(Passthroughallclaim(IntheRulesEditor,clickAddRule.IntheClaimruletemplatelist,selecttheTransformanIncomingClaimtemplate,andthenclickNext.)创建以下规则#(Createthefollowingrule(Claimrulename:TransformWindowsAccountNametoName(orsomethingIncomingclaimingtype:WindowsaccountnameOutgoingclaimtype:NamePassthroughallclaimClickFinish,andwhenyouhavecreatedallthreerules,clickOKtoclosetheRulesDynamicsCRM(SonowwehaveclaimssetupforCRM.)在服务器（ADFSCRM）IE浏览器->工具->选项->安全->IEIntranet网站->添加内部URL和URL（ADFS和）ADFSCRM可Kerberos没有提示的凭据做票。(InbothServers(ADFSandCRM)gotoIE->tools->->tools->IEoptions->security->localintranet->sites->addinternalURLandADFSURL(and)ThiswouldhavetodoneonanymachinesthatareaccessingtheinternalaccesspointssothatADFSandCRMcanpassthoseKerberosticketswithoutbeingpromptedforcredentials.)CRMURL：ADFS然后DynamicsCRM页面。(TypetheinternalurlinCRMserver:seehowithitstheADFSandthenlaunchestheCRMpage.)4-1-6IFDCRM服务(ConfiguringCRMServerforDynamicsCRM2013部署经理。在DynamicsCRM服务器(NowyouarereadytoconfigureInternet-FacingDeploymentwithintheMicrosoftDynamicsCRM2013DeploymentManager.)OnTheCRM1：启动部署管理器。在部署管理器树中，右键单击“Dynamics关系管理”，然后单击“配置”互联网部署。单击“下一步”。(Step1:StarttheDeploymentManager.IntheDeploymentManagerconsoletree,right-clickMicrosoftDynamicsCRM,andthenclickConfigureInternet-FacingDeployment.ClickNext.)一步”(Step2:EntertheURLsfortheWebApplicationServerDomain,OrganizationOrganizationWebServiceDomainandtheDiscoveryWebServiceDomainandclickontheNextbutton.)Web服务的域名必须解析的主机名和不是一个根域。例如：Web服务领域不应该是：DynamicsCRMDNSDynamicsCRM(Importantthingsto.Specifydomains,notIfyourdeploymentisonasingleserveroronserversthatareinthesamedomain,theWebApplicationServerDomainandOrganizationWebServiceDomainwillbeTheDiscoveryWebServiceDomainmustbearesolvablehostnameandnotarootdomain.Forexample:.TheDiscoveryWebServicedomainmustnotmatchanorganization’sfullyqualifieddomainname(FQDN).Forexample,theDiscoveryWebServiceDomainshouldnotbe:ThedomainsmustbevalidfortheSSLcertificate’scommonnameorThedomainsmustbesettoresolvecorrectlyinDNStoyourMicrosoftDynamicsCRMserversholdingtheserverroles.ThedomainscanbeinadifferentdomainthanthedomainwhichtheMicrosoftDynamicsCRMserversreside.)步骤3步骤3：在进入你的互联网面向服务器的外部域中，输入你的互联网所面临的微软DynamicsDynamicsCRM2013(Step3:IntheEntertheexternaldomainwhereyourInternet-facingserversarelocatedbox,typetheexternaldomaininformationwhereyourInternet-facingMicrosoftDynamicsCRMServer2013serversarelocated,andthenclickNext.)您指定的域必须是在前一步骤中指定的网络应用程序服务器域的子域。默认情况下，“授”是预挂起Web应用服务器的域。emnouytea-minofebApicaionrnspiidntest.yfl,."dtotebltionr重要的事情要考虑(ImportantthingstoADFSDynamicsCRMIFDfederationmetadata.xml文件DNSDynamicsCRMWeb应用服务器的(·TheexternaldomainisusedbytheADFSserverwhenretrievingtheMicrosoftDynamicsCRMIFDfederationmetadata.xmlfile.TheexternaldomainmustnotcontainanorganizationTheexternaldomainmustnotcontainanunderscorecharacterTheexternaldomainmustbevalidfortheSSLcertificate’scommonnameor·The·TheexternaldomainmustbesettoresolvecorrectlyinDNStoyourMicrosoftDynamicsCRMserverholdingtheWebApplicationServerrole.)4：在系统检查页面，检查结果，解决问题，然后单击“下一步”(Step4:OntheSystemCheckspage,reviewtheresults,fixanyproblems,andthenclickNext.)5：回顾你的选择，然后点击应用页面，验证你的选择，然后点击应用和完成(Step5:5：回顾你的选择，然后点击应用页面，验证你的选择，然后点击应用和完成(Step5:OntheReviewyourselectionsandthenclickApplypageverifyyourselections,andthenclickApplyandFinish)ADFSDynamicsCRMIFD能够运转，您将需要创建一个依赖方为了IFDendpoint。ADFS管理。在“行动”菜单上的“右栏”中，单击“添加依赖方信任”。在“添(Step6:Runthefollowingcommandatacommandprompt:iisresetOntheADFSServerAfteryouhaveenabledIFDontheMicrosoftDynamicsCRMServer2013youwillneedtocreatearelyingpartyfortheIFDendpointontheADFSserver.StartADFSManagement.OntheActionsmenulocatedintherightcolumn,clickAddRelyingPartyTrust.IntheAddRelyingPartyTrustWizard,clickStart.）federationmetadata.xmlIFD创建同时创建。（Step7:OntheSelectDataSourcepage,clickImportdataabouttherelyingpartypublishedonlineoronalocalnetwork,andthentypetheURLtolocatethefederationmetadata.xmlfile.ThisfederationmetadataiscreatedduringIFDSetup.Forexample,/FederationMetadata/2007-TypethisURLinyourbrowserandverifythatnocertificate-relatedwarnings8CRMIFD依赖方，然后单击“下一步”（Step8:OntheSpecifyDisplayNamepage,typeadisplayname,suchasCRMIFDRelyingParty,andthenclickNext）“下一步”（Step9:OntheChooseIssuanceAuthorizationRulespage,leavethePermitalluserstoaccessthisrelyingpartyoptionselected,andthenclickNext.）10：在“准备添加信任页”上，单击“下一步”，然后单击“关闭”（Step10OntheReadytoAddTrustpage,clickNext,andthenclickClose.）步骤11步骤11：如果规则编辑器出现，请单击“添加规则”。否则，在“依赖方信任列表”（Step11:IftheRulesEditorappears,clickAddRule.Otherwise,intheRelyingPartyTrustslist,right-clicktherelyingpartyobjectthatyoucreated,clickEditClaimsRules,andthenclickAddRule）步骤1