Hybrid NTLM Server Side Sync and Exchange 2013 Cert secrets


Server-side sync is a technology for connecting Dynamics 365 CE to an Exchange server. When connecting an online Dynamics 365 to an on-prem Exchange, there are some requirements that need to be met. These can be found here: https://technet.microsoft.com/sv-se/library/mt622059.aspx

Piping data to and from Exchange and Dynamics
By Quartl [CC BY-SA 3.0], from Wikimedia Commons

However, I just had a meeting with Microsoft and based on the version shown 2018-09-05, they have now added some new features that they haven’t had time to get into the documentation yet.

One of the most interesting parts of the integration is that it requires Basic Authentication for EWS (Exchange Web Services). Of the three types of authentication available (Kerberos, NTLM and Basic), Basic Authentication is, as the name might hint, the least secure. Hence it is also not very well liked by many Exchange admins and may be a blocker for enabling Server Side Sync in Dynamics 365.

In the meeting I just had with Microsoft, they mentioned that they now support NTLM as well! That is great news as that will enable more organizations to enable Server Side Sync.

There is still a requirement on using a user with Application Impersonation rights which might be an issue as that can be viewed as having too high rights within the Exchange server. For this there is currently no good alternative solution. I guess making sure that the Dynamics Admins are trustworthy and knowing that the password is encrypted in Dynamics might ease some of that. But if the impersonation user is compromised, then a haxxor with the right tool or dev skills could compromise the entire Exchange server.

Microsoft also mentioned another common issue that can arise with the Outlook App when using SSS and a hybrid connection to an Exchange 2013 on-prem. It will show a quick alert saying “Can’t connect to Exchange”, but it will still be able to load all of the Dynamics parts.

According to Microsoft, this might be caused by the fact that Exchange 2013 doesn’t automatically create a self-signed certificate that it can use for communication. Hence this has to be done manually.

This can be fixed by first creating a self-signed certificate and then modifying the authorization configuration using the instructions found here. Lastly, publish the certificate. It can also be a good idea to check that the certificate is still valid and hasn’t expired.
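The three steps and the expiry check described above, written out for the Exchange Management Shell. This is an added example, not from the original post or the instructions it links to; the cmdlets are Exchange's own, while `$DomainName` and `$WarnDays` are placeholder values chosen here.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 server.
$DomainName = 'contoso.com'   # placeholder: replace with your primary SMTP domain
$WarnDays   = 30              # assumed warning threshold, not from the post

function Get-AuthCertStatus {
    # Thumbprint the authorization configuration currently points at.
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($thumb)) { return 'Missing' }

    # The thumbprint can be set while the certificate is gone from the store.
    $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
    if (-not $cert) { return 'Missing' }

    $now = Get-Date
    if ($cert.NotAfter -le $now)  { return 'Expired' }
    if ($cert.NotBefore -gt $now) { return 'NotYetValid' }
    if ($cert.NotAfter -le $now.AddDays($WarnDays)) { return 'ExpiringSoon' }
    return 'Valid'
}

$status = Get-AuthCertStatus
Write-Host "Auth certificate status: $status"

if ($status -in 'Missing', 'Expired') {
    # Step 1: create the self-signed certificate.
    # If prompted to overwrite the default SMTP certificate, answer No.
    $new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
        -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
        -DomainName $DomainName

    # Step 2: point the authorization configuration at the new certificate.
    Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint `
        -NewCertificateEffectiveDate (Get-Date)

    # Step 3: publish the certificate.
    Set-AuthConfig -PublishCertificate

    Write-Host "Now using $($new.Thumbprint), valid until $($new.NotAfter)"
}
```

Running it again afterwards should report `Valid`; an `ExpiringSoon` result is the cue to plan the same three steps before the certificate lapses.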

I will see if I can create a more detailed instruction on this later.

Gustaf Westerlund
MVP, Founder and Principal Consultant at CRM-konsulterna AB
www.crmkonsulterna.se

IFD on Windows Server 2008 R2 problem with plugin registration

A customer’s system I was working on today has just been reconfigured to an IFD setup. The server is a Windows Server 2008 R2 and I had made sure that it worked on port 80 with NTLM/AD internally. However, when I tried to connect the plugin registration wizard in the normal manner, it just gave me an error:

“Request IP Address has different address family from network address.”

I found an interesting thread on Egghead café where some guys had run into the same problem.
http://www.eggheadcafe.com/software/aspnet/31655329/-crm-4-on-2008-server–ipv6-related-problem.aspx

So I did as they suggested and added the servername to the hosts file with the IP 127.0.0.1. If you don’t know what this means, it works as a local DNS. The IP 127.0.0.1 is assigned to always be the local computer and “localhost” is usually directed to this address. You can try browsing to it if you haven’t already.

The hosts file can be found in C:\Windows\System32\Drivers\etc\hosts. There is usually an entry or two in there so you can usually figure it out; the syntax is simple:

127.0.0.1 servername

If you tried pinging the servername before doing this, you would get the IPv6 address. After doing this, you will get an answer from 127.0.0.1, and after confirming this, you should have no problems getting it up and running.

Gustaf Westerlund
CEO, Chief Architect and co-Founder at CRM-konsulterna AB

www.crmkonsulterna.se