Tip #419: How to sign out from ADFS in one click

A single CRM installation is capable of hosting multiple organizations. As an administrator, you probably have some test accounts handy to log in as normal users. Many + many sometimes does not end up well:

Incorrect login

This is what you see when you do have an Active Directory login but it’s not mapped into this organization. “That’s cool”, I hear, “I’ll just sign out and come back as another mighty user”. Ahm, do you see a sign out button? You can try restarting the browser, deleting cookies, etc. Some things work in some browsers, some – in others. There is an easier way, just enter a sign out URL:

<your ADFS login server>/adfs/ls/?wa=wsignout1.0

And you’ll see the soothing

You have signed out.
For improved security, we recommend that you close all browser windows at the end of your online session.

So the next time you sign out from CRM, make sure to bookmark the URL. Even if you do remember all the logins, this shortcut will be just one click away, not the two it takes when you use the sign out link in CRM.

Tip #418: 3 ways to find the blocking attribute

Dynamics CRM Tipper Shan “Smoke ’em” McArthur wonders during another mini truck stop if there is any way to find a blocking attribute using nothing but its id.

The error message usually looks like this:

A managed solution cannot overwrite the Attribute component with Id=e7840116-dead-beef-a5e5-8b5cb27e9509 for the CRM org noneofyourbusiness.crm.dynamics.com

That said, I have no way of looking up this field. That Guid is not referenced in the managed solution file that I am trying to import that is throwing that error, and the field ID is not displayed in any UI in CRM. With on-premise, I have to break out SQL tools, but at least I can look it up. It is different with every deployment so I can’t just look it up in a reference CRM implementation either.

Good

Joel couldn’t resist dropping in his $0.02:

If you go to customization and open a field customization, you can find it by replacing the attribute id in the URL.

You might have to try different entity id’s, but I’ve been able to find one that way

<crmurl>/tools/systemcustomization/attributes/manageAttribute.aspx?
appSolutionId=%7bFD140AAF-BEEF-DEAD-BD17-0019B9312238%7d
&attributeId=%7bE388A767-F00D-BEEF-BF28-D3E7E7AD1EB8%7d
&entityId=%7ba359f963-DEED-4a32-b607-bada5522b678%7d

Better

Adam “Escalate This” Fish suggested a supported and, I must say, much shorter path:

Would the Metadata Browser help?

https://msdn.microsoft.com/en-us/library/hh547411.aspx

Best

Not convinced, Jim “Mr SDK” Daly pointed out the futility of the exercise and directed us all to learn C#:

You should be able to use metadata query for this.

Metadata browser wouldn’t be helpful unless you already know the entity it belongs to.

With metadata query you need to return all entities and all attributes, but then include the filter criteria for the specific attribute metadataid.
Then loop through all the entities looking for the one where the attributes collection length is 1.
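
The metadata query described in the reply above, written out as an added example (it is not part of the original post and is not Jim Daly's code). It assumes an already authenticated IOrganizationService named service; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Messages;
using Microsoft.Xrm.Sdk.Metadata;
using Microsoft.Xrm.Sdk.Metadata.Query;
using Microsoft.Xrm.Sdk.Query;

public static class BlockingAttributeFinder
{
    // Returns "entity.attribute" for the attribute whose MetadataId matches
    // the Guid quoted in the solution import error.
    // Assumption: 'service' is connected and authenticated elsewhere.
    public static List<string> Find(IOrganizationService service, Guid attributeId)
    {
        // The filter applies to attributes, not entities: every entity still
        // comes back, but only with the attributes that match the id.
        var attributeFilter = new MetadataFilterExpression(LogicalOperator.And);
        attributeFilter.Conditions.Add(new MetadataConditionExpression(
            "MetadataId", MetadataConditionOperator.Equals, attributeId));

        var query = new EntityQueryExpression
        {
            // Keep the payload small: entity name plus its (filtered) attributes.
            Properties = new MetadataPropertiesExpression("LogicalName", "Attributes"),
            AttributeQuery = new AttributeQueryExpression
            {
                Criteria = attributeFilter,
                Properties = new MetadataPropertiesExpression("LogicalName", "SchemaName")
            }
        };

        var response = (RetrieveMetadataChangesResponse)service.Execute(
            new RetrieveMetadataChangesRequest { Query = query });

        var matches = new List<string>();
        foreach (EntityMetadata entity in response.EntityMetadata)
        {
            // Entities that do not own the attribute have no matching entries;
            // the owning entity has exactly one.
            if (entity.Attributes == null || entity.Attributes.Length != 1) continue;
            matches.Add(entity.LogicalName + "." + entity.Attributes[0].LogicalName);
        }
        return matches;
    }
}
```

Pass the Guid from the import error message as attributeId; an empty result means no attribute with that id exists in the target organization.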

Disclaimer

No GUIDs were harmed or reused during this stop.

Bonus Double Dip

Episode 3 of the CRM Audio podcast is out now. We stage an exciting prize fight between CRM Online and On Premises, and Mitch Milam explains what’s the big deal with the new CRM Online web API. Listen here: http://crm.audio/episode-3-the-dynamics-crm-death-match/

Tip #417: Cancel waiting instances in style

We have posted multiple times about waiting workflows, and one of the big challenges surrounding them is that when you update a workflow definition, there is no way to cancel the waiting instances of the workflow in bulk. Also, jobs may go into waiting state if there is a condition that prevents the step from completing. For example, if you have a step to send email to a contact, and the contact doesn’t have an email address, the workflow will go into an indefinite wait status.

Gap Consulting from the UK has filled this gap with the latest update to their excellent Workflow Essentials solution. Their Workflow Executor tool in the solution now has the ability to select a workflow and in bulk cancel or retry all waiting instances of that workflow.

This will be helpful to clear out the waiting instances when you change a workflow definition, but also when you have a data condition that makes a bunch of workflows go into indefinite wait status, you can use the tool to retry the workflows after you have fixed the data issue.

Read more on the Gap Consulting blog.

Tip #416: You have OAuth token, now what?

You went through all the motions of authorization endpoints, return URIs, codes and whatnot and finally got the magic mushroom authorization token. Now what?

Option 1

Use HttpClient to send requests to the CRM endpoints, adding the authorization token to the header of every request:

using System.Net.Http;
using System.Net.Http.Headers;
// Every request sent through this client carries the OAuth bearer token.
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = 
   new AuthenticationHeaderValue("Bearer", accessToken);

Once the reply is received, go through the pain of manually parsing the return values.

Option 2

Download the CSDL file for OrganizationService, manually add a service reference to your project, generate a custom organization context, then add some fairy dust:

using System.Linq;

// CrmOrgContext is the context class generated from the CSDL service reference.
var service = new CrmOrgContext(new Uri(ODataUrl));
// Attach the OAuth bearer token to every outgoing request.
service.SendingRequest2 += (sender, args) => 
   args.RequestMessage.SetHeader("Authorization", 
        "Bearer " + token);

// active accounts
var accounts = service.AccountSet.Where(
   a => a.StateCode.Value == 0);

Better, but manual processing will still be required in some cases and we’ll have to refactor all our existing data access code.

Option 3

Spend 10 minutes reading What’s new for developers in CRM 2015, find the new namespace Microsoft.Xrm.Sdk.WebServiceClient containing OrganizationWebProxyClient and change your code to:

using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk.WebServiceClient;

// Second constructor argument: false = do not use strong (early-bound) types.
var orgService = new OrganizationWebProxyClient(
   new Uri(serviceUrl), false)
   {
      // OAuth access token, sent with every request made through the proxy.
      HeaderToken = token,
      SdkClientVersion = "7.0"
   };
var userId = ((WhoAmIResponse)orgService.Execute(
   new WhoAmIRequest())).UserId;

These classes support executing message requests through the /web endpoint of the Discovery.svc or Organization.svc when authenticated with OAuth.

Now old code works without any changes and authorization is transparent. Which is exactly what we’ve been trying to do all these years.

Tip #415: When deleting email enabled entities

If you remove a custom entity that is email enabled (allowing it to be selected as an email recipient), you may run into the following issue after the entity is removed.

When going to an account and selecting the “Activity” tab of the activity/social pane, the following error appears:

error

The trace log will reveal an error referencing the OTC (object type code) of the entity that was deleted. The problem is that when the entity is removed, activities remain in the system that have activity parties associated with records from the now deleted entity. When the activity pane renders for an account, if there are any activities regarding that account that have activity parties from the deleted entity, the activity pane will throw an error. The solution is to delete all activity party records where the OTC of the partyid equals the OTC of the deleted entity.

Thanks to Scott Jung for this tip.


Tip #414: If Bing does not show up

Sometimes we all can suffer from a bit of scotoma — inability to see things right in front of your eyes. Today’s tip from Matt Johnson is a timely reminder. Looks like some default settings in CRM may be subject to change without notice (and without us noticing).

Bing settings

Recently we provisioned a CRM Online (2015 Update 1) site. After adding Bing maps onto the form they just wouldn’t show up. In fact, if you added them to the form in another section that was already there it made the whole section invisible.

After asking Microsoft what was wrong, they pointed out a (possibly new) setting in Settings | Administration | General tab, which is called Enable Bing maps on forms. This was set to No by default. Maybe this tip will help someone else if they come across the same thing?

Tip #412: CRM by proxy

tl;dr

For CRM application proxying, load balancing and other magic like IP filtering, use Application Request Routing. To securely publish ADFS and CRM servers to the internet, use Web Application Proxy.

Eye-watering details

If you’ve been following our posts on inventive use of ARR, you know that this technique is specific to IIS. If you have strict rules that prohibit placing any domain members in the DMZ, this technology does not help you publish the ADFS server that would be a part of any IFD deployment. The good news is that the IFD bible has just been updated to include official confirmation that Web Application Proxy, available in Windows Server 2012 R2, can be used to securely expose your CRM deployment to the world.

WAP can do things that are out of reach of ARR, like preauthentication, which is exactly what allows it to act as an ADFS proxy. On the other hand, ARR is smart when it comes to understanding HTTP requests, which allows it to do things like load balancing.

Tip #411: The New Dynamics CRM LinkedIn Integration

LinkedIn recently released a new Dynamics CRM integration for LinkedIn Sales Navigator. This solution allows users to send InMail directly from Dynamics CRM and access company and profile data from CRM accounts, leads, and contacts.

What you need to know

The LinkedIn Sales Navigator integration for Dynamics CRM requires users to have a Sales Navigator Team membership. This is $1,200/user per year. If your salespeople are Sales Navigator users, you may want to check out the solution. If not all CRM users are Sales Navigator users, I recommend creating a form for Sales Navigator users that contains the LinkedIn tab and hiding or removing it from the form used by everyone else.

MVP Neil Benson wrote a post on LinkedIn recently about some of the changes to LinkedIn’s free service.

LinkedIn has made an important change to their service. Your searches in LinkedIn are now limited and when you’ve hit the monthly limit, you will no longer be able to search for 2nd or 3rd degree contacts. LinkedIn isn’t specifying what the monthly “commercial use” limit is. I hit 70% of the limit yesterday (15th of the month) and hit the hard limit today (16th of the month) with a couple more searches so I’m guessing the limit is one or two searches per day.

Read the rest of Neil’s post here: https://www.linkedin.com/pulse/linkedin-cripples-its-free-service-neil-benson

Tip #410: How to create non-interactive user while saving foot from injury

Non-interactive users (available in CRM Online only) are defined as the users that “… can access the system but only through the Web service”. That makes them perfect for use as integration accounts. That and the small fact that they do not consume a CRM license (in quantities five or less).

To create a non-interactive user in CRM Online:

  1. Create a new integration security role by copying one of the existing system roles and removing all privileges, leaving only the bare minimum.
  2. Create a new user in the O365 administration portal.
  3. Switch to CRM, wait (if you are unlucky) for this user to be created in CRM, and then assign the integration role to that user.
  4. Change the user’s access mode to Non-interactive.
  5. Switch to O365 and remove the CRM license from that user.

The typical Spießrutenlaufen-worthy administrative action is assigning the system administrator role to non-interactive accounts, which begs the question: “Why?” If your integration is only limited to displaying and updating contact data (say, for a self-service portal) then grant exactly that, no less, no more.

If you (as a developer) receive a security error, look carefully at which privilege is required and add it to the integration role, no less, no more.

If you are not receiving security errors during development, it means your security role is too broad.

Make this iterative process part of your development lifecycle and in the end (i.e. prior to a release) you will have a very sharp and finely tuned security role, guaranteed.
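
One way to support that iteration, as an added example that is not code from the original post: collect the security errors from a test run, pull out the privilege each one names, and separate those inside the integration's agreed scope from those that call for a code review before anything is granted. The error wording matched by the pattern, the sample messages and the intended scope are all assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class IntegrationRoleAudit
{
    // Assumed wording of the privilege error; adjust the pattern to match
    // the messages your own deployment returns.
    static readonly Regex MissingPrivilege =
        new Regex(@"is missing (prv\w+) privilege", RegexOptions.IgnoreCase);

    // Hypothetical intended scope: a portal that only shows and updates contacts.
    static readonly HashSet<string> IntendedScope =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "prvReadContact", "prvWriteContact" };

    // Splits the privileges named in the errors into those inside the agreed
    // scope (add to the role) and those outside it (review the code first).
    public static void Classify(IEnumerable<string> errors,
        out List<string> toGrant, out List<string> toReview)
    {
        var seen = new SortedSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var error in errors)
        {
            var match = MissingPrivilege.Match(error ?? string.Empty);
            if (match.Success) seen.Add(match.Groups[1].Value);
        }
        toGrant = seen.Where(p => IntendedScope.Contains(p)).ToList();
        toReview = seen.Where(p => !IntendedScope.Contains(p)).ToList();
    }

    public static void Main()
    {
        // Constructed sample messages, not taken from a real trace.
        var errors = new[]
        {
            "Principal user (Id=<guid>, type=8) is missing prvReadContact privilege (Id=<guid>)",
            "Principal user (Id=<guid>, type=8) is missing prvWriteContact privilege (Id=<guid>)",
            "Principal user (Id=<guid>, type=8) is missing prvDeleteAccount privilege (Id=<guid>)",
            "Principal user (Id=<guid>, type=8) is missing prvReadContact privilege (Id=<guid>)"
        };
        Classify(errors, out var toGrant, out var toReview);
        Console.WriteLine("Add to integration role: " + string.Join(", ", toGrant));
        Console.WriteLine("Outside intended scope, review first: " + string.Join(", ", toReview));
    }
}
```

A privilege that lands in the review list usually points at code doing more than the integration was meant to do, so it is worth fixing the call before widening the role.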