Microsoft SharePoint Server is a collaboration and content management application that simplifies how people store, find, and share information. It helps people to collaborate effectively by having secure access to documents and information that they require to make business decisions.
The SharePoint integration feature enables you to store and manage documents on SharePoint in the context of a Microsoft Dynamics 365 record, and use the SharePoint document management abilities in Microsoft Dynamics 365, such as checking the document in and out, viewing version history, and changing document properties.
Microsoft Dynamics 365 supports two types of integration with SharePoint: client-to-server and server-to-server (server-based).
After the integration, users can use the SharePointSite and SharePointDocumentLocation entities to store and manage the SharePoint Server location records in Dynamics 2016 or Dynamics 365.
This document explains Dynamics 2016 and SharePoint 2016 on-premises server-based integration.
The following configurations should be completed as prerequisites before enabling the server-side integration.
Microsoft Dynamics CRM
- System Administrator security role – this is required to run the Enable Server-Based SharePoint Integration wizard in Microsoft Dynamics 365.
- If using a self-signed certificate for evaluation purposes, the user must have local Administrators group membership on the computer where Microsoft Dynamics 365 Server is running.
- Join the Windows Server 2012 to the same Active Directory domain as Dynamics CRM.
- Install and complete the SharePoint 2016 server with a single-server farm installation.
- Create a site collection to store Dynamics CRM documents.
- Configure the SharePoint site with HTTPS (SSL).
A certificate from a public certificate provider is recommended, but for practice we can use a self-signed certificate.
Steps to follow
- Create a self-signed certificate from Internet Information Services Manager
- Open MMC from Run
- From File Menu select Add/Remove Snap-in
- Select Certificates and Add
- Certificate Snap-in wizard will open and select Computer Account and Local Computer
- Open the Personal folder, then Certificates, and export the created certificate in .PFX format (Personal Information Exchange); also assign a password to the exported file.
- Install the certificate to Trusted Root Certification Authorities by double-clicking the exported file.
- Copy the certificate to the CRM server and install it to Trusted Root Certification Authorities.
- Edit the binding of the SharePoint site and enable HTTPS
- Open SharePoint 2016 Central Administration and Configure alternate access mappings
- Edit public URLs and Select the SharePoint site from “Alternate Access Mapping Collection”
- Enter the new HTTPS URL as the default URL
- Add an internal mapping and enter the HTTP URL with the port number
- Assign the System Admin DB role to the CRM domain administrator, or DB Owner for the SharePoint content database
- Add the Dynamics CRM site administrator to the SharePoint Site Owner group.
- Farm Administrators group membership – this is required to run most of the Windows PowerShell commands on the SharePoint server
- Open SharePoint Central Administration
- Under Security, open “Manage the Farm Administrators group”
- Add the CRM domain admin to the group
- Get the SharePoint authentication realm
Open the SharePoint Management Shell, run “Get-SPAuthenticationRealm” and note the GUID. This is required to complete the integration configuration.
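The certificate steps above (create, export, trust) can also be scripted. The following is an added example, not part of the original walkthrough; the host name sharepoint.contoso.com and the file paths are assumptions. It differs from the GUI steps in one respect: only the public .cer file is copied to the CRM server, which is all the Trusted Root store needs.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the SharePoint server. Host name and paths are assumptions.
$dnsName = 'sharepoint.contoso.com'   # assumed host name of the SharePoint site
$outDir  = 'C:\Temp\certs'            # assumed working folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Create the self-signed certificate in the computer's Personal store.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Export it with the private key (.pfx). Prompting for a SecureString keeps
#    the password out of the script file and the command history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx file'
$pfxPath     = Join-Path $outDir 'sharepoint.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Export the public part only (.cer). This file contains no private key.
$cerPath = Join-Path $outDir 'sharepoint.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 4. Trust the certificate on this server.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Copy sharepoint.cer to the CRM server and run the Import-Certificate
#    line from step 4 there as well.

# Verify that the certificate is present in both stores on this server.
[pscustomobject]@{
    Subject        = $cert.Subject
    Thumbprint     = $cert.Thumbprint
    NotAfter       = $cert.NotAfter
    InPersonal     = Test-Path ('Cert:\LocalMachine\My\'   + $cert.Thumbprint)
    InTrustedRoot  = Test-Path ('Cert:\LocalMachine\Root\' + $cert.Thumbprint)
}
```

The thumbprint printed at the end identifies the certificate to select when editing the HTTPS binding of the SharePoint site.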
- SharePoint must be configured for a single farm deployment only.
- SharePoint and CRM should be part of the same Active Directory domain
- The SharePoint website must be configured to use TLS/SSL (HTTPS)
- The App Management Service Application Proxy must be created and started. More information: Configure an environment for apps for SharePoint
- Configure a DNS forward lookup zone for the new domain name. For example, ContosoApps.com
- When an app is provisioned, it provisions a unique DNS domain name (for example, Apps-12345678ABCDEF.ContosoApps.com, where 12345678ABCDEF is a unique identifier for the app). You need a wildcard Canonical Name (CNAME) entry for your DNS domain to support these unique names.
- Create a wildcard Alias (CNAME) record for the new domain name, for example *.ContosoApps.com. For the fully qualified domain name (FQDN) for target host box, type the FQDN of the server that hosts the SharePoint Server sites, for example SharePoint.Contoso.com.
- Create a new wildcard SSL certificate
If you are using Secure Sockets Layer (SSL) for the SharePoint Server sites in your environment, or if you use any apps that use data external to the SharePoint Server sites, you should use SSL for your apps. To use SSL, you create an SSL certificate for your app domain (for example, ContosoApps.com).
The domain should be added in the form of a wildcard (for example, *.ContosoApps.com). You need a wildcard certificate instead of individual certificates because each installed app has its own subdomain.
Note that in order to allow support for SSL offloading with SharePoint Server App Domains you must enable support for multiple app domains by using the following Microsoft PowerShell commands:
Open the SharePoint Management Shell and run:
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.SupportMultipleAppDomains = $true
$contentService.Update()   # persist the setting; without Update() the change is lost
- Configure the Subscription Settings and App Management service applications
Apps rely on the App Management and Microsoft SharePoint Foundation Subscription Settings service applications. Use the following procedures to configure them.
- In Central Administration, under System Settings, click Manage services in this farm.
- For the Microsoft SharePoint Foundation Subscription Settings Service, click Enable Auto Provision.
Next, create a Subscription Settings service application and proxy. These must be created by using Microsoft PowerShell. Use the example script provided at New-SPSubscriptionSettingsServiceApplication.
Use the New-SPSubscriptionSettingsServiceApplication cmdlet to create a subscription settings service application that can be used to store settings that are shared across all site collections in a single site subscription. This cmdlet is used only in an environment where site subscriptions are used to delegate administration or partition services.
$sa = New-SPSubscriptionSettingsServiceApplication -ApplicationPool 'SharePoint Web Services Default' -Name 'Subscriptions Settings Service Application' -DatabaseName 'Subscription'
New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $sa   # create the proxy for the service application
You also need an App Management service application. The following procedures provide the steps to configure it.
To create an App Management service application
- In Central Administration, under Application Management, click Manage service applications.
- Click New, and then click App Management Service.
- Type a name for the service application in the Service Application Name box.
- Under Application Pool, choose SharePoint Web Services Default from the Use existing application pool list.
- Click OK.
- Specify the app domain and app prefix
In this section, you specify the app domain and app prefix to use for apps in your environment. The app URL points to your app domain and a prefix that determines how each app is named.
Use the following procedure to configure app URLs.
To configure app URLs
- In Central Administration, click Apps.
- On the Apps page, click Configure App URLs.
- In the App domain box, type the isolated domain that you created for hosting apps (for example, ContosoApps.com).
- In the App prefix box, type a name to use for the URL prefix for apps.
- (For example, you could use “apps” as the prefix, and you would see a URL for each app such as “apps-12345678ABCDEF.ContosoApps.com”.)
- Click OK.
- If you will install apps and you have changed the App prefix (also known as the site subscription name), you must perform additional steps that involve restarting the World Wide Web Publishing Service (WWW Service) that hosts the apps.
- A User Profile Service Application must be configured and started
- For document sharing, the SharePoint search service must be enabled
- For document management functionality when using Microsoft Dynamics 365 mobile apps, the on-premises SharePoint server must be available through the Internet.
- To allow users the ability to create SharePoint document libraries from Dynamics 365, the following permissions and configurations are required:
- The Dynamics 365 user Active Directory account must be a member of the Site Members group on the SharePoint site collection where the documents are stored.
- By default, the claims-based authentication mapping will use the user’s Dynamics 365 primary email address and the user’s SharePoint On-Premises work email address for mapping. When this mapping is used, the user’s email addresses must match between the two systems.
The CertificateReconfiguration.ps1 is a Windows PowerShell script that installs a certificate to the local certificate store, grants the specified Microsoft Dynamics 365 Asynchronous Processing Service identity access to the certificate, and updates Microsoft Dynamics 365 Server to use the certificate.
- Open PowerShell on the Dynamics CRM server
- Change your location to the <drive>:\Program Files\Microsoft Dynamics CRM\Tools folder.
- Run the CertificateReconfiguration.ps1 Windows PowerShell script as explained here:
- certificateFile path\Personalcertfile.pfx . Required parameter that specifies the full path to the personal information exchange file (.pfx). More information: Working with digital certificates
- password personal_certfile_password. Required parameter that specifies the private certificate password.
- certificateType S2STokenIssuer. Required parameter that specifies the type of certificate. For Microsoft Dynamics 365 and SharePoint server-based integration, only S2STokenIssuer is supported.
- serviceAccount ‘DomainName\UserName’ or ‘Network Service’.
- For December 2016 Service Pack for Microsoft Dynamics 365 (on-premises) and later versions:
- serviceAccount ‘contoso\CRMWebAppServer’ or ‘Network Service’. Required parameter that specifies the identity for the Web Application Server role. The identity is either a domain user account, such as contoso\CRMWebAppServer, or Network Service. The identity will be granted permission to the certificate.
- For Microsoft Dynamics CRM 2016 Service Pack 1 versions and earlier:
- serviceAccount ‘contoso\CRMAsyncService’ or ‘Network Service’. Required parameter that specifies the identity for the Asynchronous Service. The identity is either a domain user account, such as contoso\CRMAsyncService, or Network Service. The identity will be granted permission to the certificate.
- updateCrm. Adds the certificate information to the Microsoft Dynamics 365 configuration database.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
.\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password personal_certfile_password -updateCrm -certificateType S2STokenIssuer -serviceAccount Domain\UserName -storeFindType FindBySubjectDistinguishedName
Set-ExecutionPolicy Undefined -scope currentuser
- Get the Dynamics 365 Realm ID
- Start the Enable Server-Based SharePoint Integration wizard. Go to Settings > Document Management.
- Click Next, click On-Premises, and then Next.
- The ID is displayed next to Dynamics 365 Realm Id on the page.
Save the Dynamics 365 Realm ID in a text file on a secure network share or cloud-based storage. Then you can easily retrieve it from the location where you run the Enable Server-Based SharePoint Integration wizard.
- Prepare the SharePoint server for Dynamics 365 Server authentication
If you are using a PowerShell management shell that is not the SharePoint Management Shell, you must register the SharePoint module using the following command
Enable the PowerShell session to make changes to the security token service for the SharePoint farm.
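$c = Get-SPSecurityTokenServiceConfig
# Allow the security token service to read metadata documents over HTTP
$c.AllowMetadataOverHttp = $true
$c.Update()   # persist the change to the farm configuration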
- Create the trusted security token service object, where OrganizationName is the unique name of the Microsoft Dynamics 365 organization and CrmServer is the name of the IIS web server where the Microsoft Dynamics 365 web application server role is installed, and -Name “crm” is used to name the security token server (STS).
- Connecting more than one Microsoft Dynamics 365 organization to a single Microsoft SharePoint 2013 server farm is not supported. However, you can connect more than one Microsoft Dynamics 365 organization to a SharePoint 2016 server farm.
- When you run the New-SPTrustedSecurityTokenIssuer PowerShell command you must specify HTTPS for the Microsoft Dynamics 365 metadata endpoint when the Microsoft Dynamics 365 application web site has only HTTPS or both HTTPS and HTTP bindings, like the following example.
New-SPTrustedSecurityTokenIssuer -Name "crm" -IsTrustBroker:$false -MetadataEndpoint "https://CrmServer/XrmServices/2015/metadataendpoint.svc/json?orgName=OrganizationName"
- Register Microsoft Dynamics 365 with the SharePoint site collection.
To run the following commands, you must specify two parameters:
- The SharePoint On-Premises site collection URL. In the example here, https://sharepoint.contoso.com/sites/crm/ is used for the site collection URL.
- The CrmRealmId is the ID of the Microsoft Dynamics 365 organization you want to use for document management with SharePoint. More information: Get the Dynamics 365 Realm ID
- To complete these commands, the SharePoint App Management Service Application Proxy must exist and be running
$CrmRealmId = "CRMRealmId"
$Identifier = "00000007-0000-0000-c000-000000000000@" + $CrmRealmId
$site = Get-SPSite "https://sharepoint.contoso.com/sites/crm/"
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $Identifier -DisplayName "crm"
- Grant the Microsoft Dynamics 365 application access to the SharePoint site.
In the example below, the Microsoft Dynamics 365 application is granted permission to the specified SharePoint site collection by using the –Scope sitecollection parameter. The Scope parameter accepts the following options. Use the scope that is most appropriate for your SharePoint configuration:
site. Grants the Dynamics 365 application permission to the specified SharePoint website only. It doesn’t grant permission to any subsites under the named site.
sitecollection. Grants the Dynamics 365 application permission to all websites and subsites within the specified SharePoint site collection.
sitesubscription. Grants the Dynamics 365 application permission to all websites in the SharePoint farm, including all site collections, websites, and subsites.
$app = Get-SPAppPrincipal -NameIdentifier $Identifier -Site $site.RootWeb
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope "sitecollection" -Right "FullControl" -EnableAppOnlyPolicy
# Set up claims-based authentication mapping
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
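Before starting the wizard, the SharePoint-side configuration from the previous steps can be checked in one pass. This is an added example, not part of the original procedure; it assumes the issuer name "crm", the example site collection URL and the CRMRealmId placeholder used above, and it only reads configuration.

```powershell
# Added example: read-only check of the SharePoint-side trust configuration.
# Run in the SharePoint Management Shell as a farm administrator.
$siteUrl    = 'https://sharepoint.contoso.com/sites/crm/'  # example URL from this article
$CrmRealmId = 'CRMRealmId'                                  # placeholder, replace with the real ID
$Identifier = '00000007-0000-0000-c000-000000000000@' + $CrmRealmId

$site   = Get-SPSite $siteUrl
$sts    = Get-SPSecurityTokenServiceConfig
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq 'crm' }
$proxy  = Get-SPServiceApplicationProxy |
          Where-Object { $_.TypeName -like '*App Management*' -and $_.Status -eq 'Online' }

# Get-SPAppPrincipal may raise an error when the principal is missing;
# treat that as "not registered".
try   { $app = Get-SPAppPrincipal -NameIdentifier $Identifier -Site $site.RootWeb -ErrorAction Stop }
catch { $app = $null }

$checks = [ordered]@{
    'Site collection URL uses HTTPS'            = ([uri]$siteUrl).Scheme -eq 'https'
    'App Management proxy exists and is online' = [bool]$proxy
    "Trusted token issuer 'crm' exists"         = [bool]$issuer
    'Issuer metadata endpoint uses HTTPS'       = [bool]$issuer -and "$($issuer.MetadataEndPoint)" -like 'https://*'
    'Issuer signing certificate is not expired' = [bool]$issuer -and $issuer.SigningCertificate.NotAfter -gt (Get-Date)
    'App principal is registered on the site'   = [bool]$app
    # The next two are settings reported as-is for review, not pass/fail checks.
    'STS AllowMetadataOverHttp is enabled'      = [bool]$sts.AllowMetadataOverHttp
    'STS AllowOAuthOverHttp is enabled'         = [bool]$sts.AllowOAuthOverHttp
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Result = $_.Value } } |
    Format-Table -AutoSize
```

A False on any of the first six rows points at the step to revisit before the wizard's site validation.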
- In the Microsoft Dynamics 365 app, go to Settings > Document Management.
- In the Document Management area, click Enable Server-Based SharePoint Integration.
- Review the information and then click Next.
- For the SharePoint sites, click On-Premises, and then click Next.
- On the Prepare Sites stage, enter the following
- SharePoint On-Premises site collection URL, such as https://sharepoint.contoso.com/sites/crm. The site must be configured for TLS/SSL.
- SharePoint Realm ID. Get the SharePoint realm ID
- Click Next.
- The validate sites section appears. If all sites are valid, click Enable.
- Select the entities that you want to include in document management
By default, Account, Article, Lead, Product, Quote, and Sales Literature entities are included. You can add or remove the entities that will be used for document management with SharePoint in Document Management Settings in Microsoft Dynamics 365. Go to Settings > Document Management.
Open an account record, select the Documents submenu from the navigation, set a document location, and upload a document.