Thursday, August 30, 2012

Field Level Security in MS CRM 2011

Hi,

As we all know, one of the bingos we got from MS CRM 2011 is field level security.
This is quite good and interesting, and also something we need to look into.
First I will go through the details, then I will list the things that need to be considered.

We need to be familiar with the screens below.
1. This is the Settings area and the item we need in order to create the Field Security Profile.
2. The creation screen then contains:

    a. General: the basic details
    b. Teams: which teams belong to this role (this is new in 2011)
    c. Users: which users own this role
    d. Field Permissions: this lists the fields where Field Security is enabled. To enable field level security, follow the figure below (note: field security cannot be changed for system attributes).
3. Now you can edit the Field Security as in the screen below.
The above details are as follows:
a. Allow Read: if it is YES, the user can read the field on the form and in all grids where you add it as a column. Otherwise the user cannot read it on the form (only dotted lines appear); in a grid, even though you can add the column, the values will not be displayed.
In Advanced Find, you will still be able to find the field in the list of columns.
b. Allow Update: if it is YES, the user can update the field in update mode.
So you might be thinking: if Allow Update is YES, should Allow Read automatically be YES? No, it does not behave like this. If Allow Read is NO and Allow Update is YES, the user can edit that field but cannot read it before or after the update. (Is it weird?) O_o
c. Allow Create: if it is YES, the user can enter data only in create mode. So it simply follows the same pattern as the rest of the options.
 
Below is how the screen looks if we add the field to the form; this is in Design View.
As you may notice, a key symbol gets added; this shows that the field is enabled for Field Security.

How it looks on the form if the user does not have read access:
It shows only dotted marks. NOTE: you will get the dotted lines even if there is no value.
So the user cannot even know whether a value is there or not.

OK, here are a few points:

1. If we apply field level security to an attribute and put it on a form, it will be on the form but with dotted data; that is, we cannot completely remove the field from the form by configuration. It will also be visible in the Advanced Find column list and in the Advanced Find view, even though the value can be controlled in the view.

2. System attributes cannot be configured for Field Level Security, so we need to keep this in mind for the uncommon attributes and create custom attributes.

3. Any security role we have assigned applies not only at form level; it also has an impact programmatically. For example, if we registered a plugin to run as the calling user, it will throw an exception if the user belongs to a Field Level Security group which does not have update or read permission, etc.

4. Also, it's not so simple (but not impossible) to manage for a lot of fields.

Maybe I have put things here and there... but I just tried to put them down...

Hope this can help...

Regards,
Sudhanshu
 
 
 


Monday, August 27, 2012

The account specified to run the Microsoft Dynamics CRM application does not have Performance Counter permission, MS CRM 2011

While installing MS CRM 2011 with different accounts for different services,
I created 4 domain accounts for the 4 services as in the screen.
Then I started with Next -> Next...
Then I got the error message on the environment validation page.

This means the domain accounts should be added to the "Performance Log Users" group.
Just go to Server Manager -> Configuration -> Local Users and Groups -> Groups.
Add the two domain accounts used for "Application Service" and "Async Service".

Then it will not give any error.

Regards,
Sudhanshu

CRM 2011 splash screen has stopped working

While installing on a server, I thought to start from the "Splash". When I double-clicked it, I got the screen below.

After clicking "Install Microsoft Dynamics CRM Server", I got the error screen below, with the following details:


"[Window Title]
Microsoft CRM Splash Screen
[Main Instruction]
Microsoft CRM Splash Screen has stopped working
[Content]
Windows can check online for a solution to the problem.
[^] Hide problem details  [Check online for a solution and close the program] [Close the program]"

Cause
If you have IE9 on the server, this will come up.
So uninstall the component and then run it; it will not crash.
To uninstall, go to Control Panel and find "View installed updates"; there you will find IE 9. Then uninstall that component.
Then run the splash... it should work.
After installing MS CRM and the rest of the components, you can install IE 9.
Without the splash you can install the server component, but it is difficult to find the rest of the components and install them, so it's good to install using the splash. It also tells you the sequence in which the components should be installed.

Regards,
Sudhanshu

Friday, August 24, 2012

Error "The sandboxed code execution request was refused because the Sandboxed Code Host Service was too busy to handle the request" while Activating "crmlistcomponent.wsp" SharePoint component MS CRM 2011

In my previous post, MS CRM 2011 and Sharepoint 2010 dadely Integration, I mentioned how to integrate MS CRM 2011 with SharePoint for the document library.

While doing this for a different server, I got a strange error while activating the solution in SharePoint.
The error is as follows.
I faced the same issue a few months ago in a VPC.
I tried many things, but gave up... :(
This time, luckily, I found a link, tried it, and it worked... :)

For me the crl.microsoft.com workaround works. I did as follows:
A. There is a registry key that is used by the sandboxed solution infrastructure and sometimes gets the wrong value. To ensure that it is set to the correct value, take these steps on all servers that are running the sandboxed host service:
  1. On the server, click Start -> Administrative Tools -> Services.
  2. On the Services dialog, scroll to SharePoint 2010 User Code Host.
  3. Note the full user name in the Log On As column. You will need this information later.
  4. See the image.
  5. Open SharePoint Management Shell.
  6. Enter the following at the command prompt, including all punctuation.
     (Get-SPManagedAccount -Identity "username").Sid.Value
     Replace username with the name you obtained in step 3, e.g. MSCRM\SPFarm.
     This will return the user's SID (security ID, something like S-1-5-21-2482537914-923999840-652071091-1197), which you will use in a later step.
  7. Open the registry editor and navigate to:
     HKEY_USERS\SID you obtained earlier\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  8. Be sure the State key value is set to 0x00023e00. In my case it was 0x00023c00.
  9. Restart the sandboxed host service on all servers on which it is to run. I even restarted IIS (iisreset /noforce).

B. You can redirect these attempts by adding the following line to the end of the hosts file located at C:\Windows\System32\drivers\etc:
127.0.0.1 crl.microsoft.com
This must be done on all servers running the sandboxed host service. Then restart the SharePoint 2010 User Code Host service on all these servers. I even restarted IIS (iisreset /noforce).

There can be any reason for this in any environment.
There are other workarounds in the link:
http://blogs.msdn.com/b/sharepointdev/archive/2011/02/08/error-the-sandboxed-code-execution-request-was-refused-because-the-sandboxed-code-host-service-was-too-busy-to-handle-the-request.aspx

Regards,
Sudhanshu
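
The State value and the hosts entry from workarounds A and B in the post above can be inspected without changing anything. The script below is an added example, not part of the original post or the linked MSDN article. It decodes State with the WTPF_* policy flags from wintrust.h: 0x00023c00 and 0x00023e00 differ only in bit 0x200 (WTPF_IGNOREREVOKATION), so the 0x00023e00 value means publisher certificate revocation checking is off for that account, and the hosts entry keeps crl.microsoft.com unreachable for the whole server. The default account name is the post's sample and the helper function name is illustrative.

```powershell
# Added example, read-only. Run in the SharePoint 2010 Management Shell on each
# server that runs the sandboxed host service.
# Assumption: $Account is the "Log On As" identity of the SharePoint 2010 User
# Code Host service (MSCRM\SPFarm is the sample name from the post).
param([string]$Account = 'MSCRM\SPFarm')

# WinTrust policy flags (WTPF_* in wintrust.h) that make up the State value.
$WtpfFlags = @{
    0x00000020 = 'WTPF_TRUSTTEST'
    0x00000080 = 'WTPF_TESTCANBEVALID'
    0x00000100 = 'WTPF_IGNOREEXPIRATION'
    0x00000200 = 'WTPF_IGNOREREVOKATION'      # revocation checking off
    0x00000400 = 'WTPF_OFFLINEOK_IND'
    0x00000800 = 'WTPF_OFFLINEOK_COM'
    0x00001000 = 'WTPF_OFFLINEOKNBU_IND'
    0x00002000 = 'WTPF_OFFLINEOKNBU_COM'
    0x00010000 = 'WTPF_VERIFY_V1_OFF'
    0x00020000 = 'WTPF_IGNOREREVOCATIONONTS'
    0x00040000 = 'WTPF_ALLOWONLYPERTRUST'
}

# Illustrative helper: names of the flags set in a State value, lowest bit first.
function Get-WinTrustFlagName([int]$Value) {
    $WtpfFlags.Keys | Sort-Object |
        Where-Object { $Value -band $_ } |
        ForEach-Object { $WtpfFlags[$_] }
}

# SID of the service account, obtained the same way as in the post.
$sid = (Get-SPManagedAccount -Identity $Account).Sid.Value
# The key name as it exists in the registry is "Software Publishing" (with a space).
$key = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion" +
       "\WinTrust\Trust Providers\Software Publishing"

if (-not (Test-Path $key)) {
    # The hive is mounted under HKEY_USERS only while the account's profile is loaded.
    Write-Warning "Key not found for $Account ($sid); is the service running?"
    return
}
$state = [int](Get-ItemProperty -Path $key -Name State).State

# Workaround B: active (uncommented) hosts entries for crl.microsoft.com.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$crlEntries = @(Select-String -Path $hostsFile -Pattern '^\s*[^#\s]+\s+.*crl\.microsoft\.com' |
    ForEach-Object { $_.Line.Trim() })

# One summary object per server; collect these to compare the farm's servers.
New-Object PSObject -Property @{
    Account               = $Account
    State                 = '0x{0:x8}' -f $state
    Flags                 = @(Get-WinTrustFlagName $state) -join ', '
    RevocationCheckingOff = [bool]($state -band 0x200)
    CrlHostsEntries       = $crlEntries -join '; '
}
```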

Wednesday, August 22, 2012

the import organisation wizard cannot connect to the SQL Server or cannot find an organisation on "DB instance" MS CRM 2011 Deployment Manager

While importing organisations using Deployment Manager, I faced the error message below after clicking the Import link in the Actions section of Deployment Manager.
This message makes it clear that either it could not connect to the DB, or there is no instance in the DB to be imported.
So in the 2nd scenario, maybe the Deployment Manager tool did not find any DB whose name ends with "_MSCRM". This is a new feature in the DM tool in MS CRM 2011.
So make sure that while restoring the DB you name it "XXXX_MSCRM", i.e. ending with _MSCRM. Only then will the DM tool fetch it automatically, provided it is not already an organisation in CRM.

Regards,
Sudhanshu
 

Tuesday, August 21, 2012

Install exception.System.Exception: Action Microsoft.Crm.Setup.Server.InstallConfigDatabaseAction failed. MS CRM 2011

While installing MS CRM 2011, I got the error below during installation, although it had passed the environment checks.
On opening the log file, I found the error part as below:

16:10:20|   Info| Installing Sql Jobs ...
16:10:20|   Info| Name = .HardDelete, Description = Add hard delete job, Target = All
16:10:21|   Info| Name = .SiteWideCleanup, Description = Add site-wide cleanup job, Target = All
16:10:23|   Info| CrmAction execution time; InstallConfigDatabaseAction; 00:00:13.7592882
16:10:23|  Error| Installer Complete: ConfigDBInstaller - Error encountered
16:10:23|Warning| Error reported while configuring _Deployment. Attempting rollback
16:10:23|   Info| ConfigDBInstaller: Beginning uninstall operation
16:10:23|   Info| Executing Uninstall action: Microsoft.Crm.Setup.Server.UnregisterRoleAction
16:10:23|   Info| UnregisterRoleAction does not apply since _Deployment is not a explicit server role.
16:10:23|   Info| CrmAction execution time; UnregisterRoleAction; 00:00:00
16:10:23|   Info| ConfigDBInstaller:  Uninstall completed
16:10:23|  Error| Install exception.System.Exception: Action Microsoft.Crm.Setup.Server.InstallConfigDatabaseAction failed. ---> System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException: The server is not operational.
Name: "xxxxxxx" (here xxxxxx is the domain name)
 ---> System.Runtime.InteropServices.COMException: The server is not operational.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at Microsoft.Crm.Admin.AdminService.ConfigDBSecurity.SystemUserService.GetCaseSafeName(String domain, String accountName)
   at Microsoft.Crm.Admin.AdminService.ConfigDBSecurity.SystemUserService.GetCaseSafeName(String name)
   at Microsoft.Crm.Admin.AdminService.ConfigDBSecurity.SystemUserService.Create(String name, Guid defaultOrganizationId)
   at Microsoft.Crm.Setup.Database.StandardConfigSqlStrategy.AddInitialUser()
   at Microsoft.Crm.Setup.Database.DatabaseInstallerBase.Install()
   at Microsoft.Crm.Setup.Server.InstallConfigDatabaseAction.Do(IDictionary parameters)
   at Microsoft.Crm.Setup.Common.CrmAction.ExecuteAction(CrmAction action, IDictionary parameters, Boolean undo)
   --- End of inner exception stack trace ---
   at Microsoft.Crm.Setup.Common.CrmAction.ExecuteAction(CrmAction action, IDictionary parameters, Boolean undo)
   at Microsoft.Crm.Setup.Common.Installer.Install(IDictionary stateSaver)
   at Microsoft.Crm.Setup.Server.ServerRoleInstaller.Install(IDictionary stateSaver)
   at Microsoft.Crm.Setup.Common.ComposedInstaller.InvokeInstall(Installer installer, IDictionary stateSaver)
   at Microsoft.Crm.Setup.Common.ComposedInstaller.InternalInstall(IDictionary stateSaver)
   at Microsoft.Crm.Setup.Common.ComposedInstaller.Install(IDictionary stateSaver)
   at Microsoft.Crm.Setup.Server.ServerSetup.Install(IDictionary data)
   at Microsoft.Crm.Setup.Common.SetupBase.ExecuteOperation()
16:10:23|Verbose| Method exit: Microsoft.Crm.Setup.Server.ServerSetup.ExecuteOperation
16:10:23|   Info| ActivatePage(ServerSetupFinishPage)

It seems it's related to AD,
but I could not find anything.
In AD I saw there were a few security groups already created for other installations.
BTW, in the above I was installing without creating the security groups; I thought the installer would create them, as the account I was using has AD admin privilege.

Then I thought of installing with minimum credentials (install MS CRM with minimum credentials).
So I just created the groups and then started installing by creating the config XML file.
Then it just installed smoothly.

Over the internet I found a few errors related to this, but some occur while accessing CRM and some while installing a rollup.

Hope this can help someone, somewhere, sometime :p

Regards,
Sudhanshu

Wednesday, August 15, 2012

Security considerations for Microsoft Dynamics CRM account services

Minimum permissions required for Microsoft Dynamics CRM Setup, services, and components

Microsoft Dynamics CRM is designed so that its components can run under separate identities. By specifying a domain user account that is granted only the permissions necessary to enable a particular component to function, you help secure the system and reduce the likelihood of exploitation.
This topic describes the minimum permissions that are required by the user account for Microsoft Dynamics CRM services and components.

Microsoft Dynamics CRM Server Setup

The user account used to run Microsoft Dynamics CRM Server Setup that includes the creation of databases requires the following minimum permissions:
  • Be a member of the Active Directory Domain Users group. By default, Active Directory Users and Computers adds new users to the Domain Users group.
  • Be a member of the Administrators group on the local computer where Setup is running.
  • Have Local Program Files folder read and write permission.
  • Be a member of the Administrators group on the local computer where the instance of SQL Server is located that will be used to store the Microsoft Dynamics CRM databases.
  • Have sysadmin membership on the instance of SQL Server that will be used to store the Microsoft Dynamics CRM databases.
  • Have organization and security group creation permission in Active Directory. Alternatively, you can use a Setup XML configuration file to install Microsoft Dynamics CRM Server 2011 when security groups have already been created. For more information, see Use the Command Prompt to Install Microsoft Dynamics CRM in the Installing Guide.
  • If Microsoft SQL Server Reporting Services is installed on a different server, you must add the Content Manager role at the root level for the installing user account. You must also add the System Administrator Role at the site-wide level for the installing user account.

Services and CRMAppPool IIS application pool identity permissions

The user account that is used for the Microsoft Dynamics CRM services and IIS application pools requires the following permissions:
Important
Microsoft Dynamics CRM services and application pool (CRMAppPool) identity accounts must not be configured as a Microsoft Dynamics CRM user. Doing so can cause authentication issues and unexpected behavior in the application for all Microsoft Dynamics CRM users. For more information, see Problems in CRM when the CRMAppPool user account is a CRM user.
Managed service accounts, introduced in Windows Server 2008 R2, are not supported for running Microsoft Dynamics CRM services.

Microsoft Dynamics CRM Sandbox Processing Service

  • Domain Users membership.
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Folder read and write permission on the Trace, by default located under \Program Files\Microsoft Dynamics CRM\Trace, and user account %AppData% folders on the local computer.
  • Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in the Windows registry.
  • The service account may need an SPN for the URL used to access the website that is associated with it. To set the SPN for the Sandbox Processing Service account, run the following command at a command prompt on the computer where the service is running.

    SETSPN -a MSCRMSandboxService/<ComputerName> <service account>

Microsoft Dynamics CRM Asynchronous Processing Service and Microsoft Dynamics CRM Asynchronous Processing Service (maintenance) services

  • Domain Users membership.
  • Performance Log Users membership.
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Folder read and write permission on the Trace folder, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows registry.
  • The service account may need an SPN for the URL used to access the website that is associated with it.

Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)

  • Domain Users membership.
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Local administrator group membership is required to perform organization database operations (such as create new or import organization) only if the following conditions are true:

    • The Microsoft SQL Server specified for the organization database is on the same computer as the Deployment Web Service server role.
    • The Web Application Server server role is running on the same computer as the Deployment Web Service server role.
  • Local administrator group membership on the computer where the Deployment Web Service is running.
  • Local administrator group membership on the computer where SQL Server is running.
  • Sysadmin permission on the instance of SQL Server to be used for the configuration and organization databases.
  • Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows registry.
  • CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.
  • The service account may need an SPN for the URL used to access the website that is associated with it.

Application Service (CRMAppPool IIS Application Pool identity)

  • Member of the Active Directory Domain Users group.
  • Member of the Active Directory Performance Log Users group.
  • Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
  • CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.
  • The service account may need an SPN for the URL used to access the website that is associated with it.

regards,
yes.sudhanshu
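
One way to check the Performance Log Users requirement listed above (the same requirement behind the Setup validation error in the August 27 post) is to read the local group membership on each CRM server. This is an added example, not Microsoft's or the author's code: the account names are placeholders, the function name is illustrative, and only direct group members are resolved, not members nested through domain groups.

```powershell
# Added example, read-only. Account names are placeholders (NetBIOS DOMAIN\name);
# replace them with the identities used in your deployment.
param(
    [string]$AppPoolAccount = 'CONTOSO\crm-app',      # CRMAppPool identity
    [string]$AsyncAccount   = 'CONTOSO\crm-async',    # Asynchronous Processing Service
    [string]$SandboxAccount = 'CONTOSO\crm-sandbox'   # Sandbox Processing Service
)

# Illustrative helper: direct members of a local group as DOMAIN\name, read through
# the WinNT ADSI provider so that it also works on PowerShell 2.0.
function Get-LocalGroupMemberName([string]$Group) {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$perfLog = @(Get-LocalGroupMemberName 'Performance Log Users')
$admins  = @(Get-LocalGroupMemberName 'Administrators')

# Per the lists above: the Application Service and Asynchronous Processing Service
# accounts need Performance Log Users; the Sandbox Processing Service account does not.
$checks = @(
    @{ Role = 'Application Service (CRMAppPool)'; Account = $AppPoolAccount; NeedsPerfLog = $true },
    @{ Role = 'Asynchronous Processing Service';  Account = $AsyncAccount;   NeedsPerfLog = $true },
    @{ Role = 'Sandbox Processing Service';       Account = $SandboxAccount; NeedsPerfLog = $false }
)

foreach ($c in $checks) {
    $inPerfLog = $perfLog -contains $c.Account
    New-Object PSObject -Property @{
        Role                 = $c.Role
        Account              = $c.Account
        PerformanceLogUsers  = $inPerfLog
        MissingRequiredGroup = ($c.NeedsPerfLog -and -not $inPerfLog)
        # Local Administrators is not in the minimum list for these three accounts,
        # so a direct membership here is more privilege than the page calls for.
        LocalAdministrator   = ($admins -contains $c.Account)
    }
}
```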

Sunday, August 5, 2012

Difference between Attachment and Document library in MS CRM 2011

As we all know, Document Library (SharePoint) integration is a very big hit in MS CRM 2011.
That means we can very easily use the advantages of SharePoint by using the component.
Also, the OTB attachment facility is still available in MS CRM 2011.

So what are the basic differences between these two?
The table below will make it a bit clearer.
So it's up to the users and the implementers how to use it as per the requirements.
Mainly, if we need a versioning system for the docs, then it is better to go for SharePoint, even if it will cost extra.

| MS CRM 2011 | File Attachments | SharePoint Integration |
|---|---|---|
| Need user account & licenses | Only needed for MS CRM | Needed for MS CRM as well as for SharePoint |
| Stores documents in Microsoft Dynamics CRM database | Yes | No |
| Can take documents offline with Microsoft Dynamics CRM for Outlook with Offline Access | Yes | No |
| Uses Microsoft Dynamics CRM security roles and settings | Yes | No, SharePoint security settings must be configured separately for the corresponding site, so users need to be added. |
| Single backup process with other Microsoft Dynamics CRM data for documents | Yes | No, SharePoint must be backed up in addition to MS CRM, and restored and configured. |
| Additional software required | No | Yes, Microsoft Office SharePoint Server |
| Check-in and check-out facility | No | Yes |
| Version control and revision tracking | No | Yes |
| Can search for content within documents | No | Yes |
| Can configure alerts for modifications | No | Yes |

Regards,
Sudhanshu