Server-Based Integration Setup – SharePoint Online and CRM OnPremise


The server-based authentication process can be completed by following the steps from the URL below.

Reference URL

Pre-step – 1: Verify the prerequisites before starting the process.
Pre-step – 2: Two pieces of software have to be installed before starting the configuration.

  1. Online Services Sign-in
  2. Azure Active Directory Module for PowerShell

The whole process, including the software installation, has to be done on the server where CRM is installed, logged in as a user who has Deployment Administrator rights.

Remember to run the command shell in administrator mode and navigate to the folder below:
Drive:\Program Files\Microsoft Dynamics CRM\tools

Step-1: Certificate exporting

Export the trusted certificate to a local folder twice: once with the private key (.pfx) and once without it (X.509, Base64 format, .cer). Make a note of the password that you give to the .pfx export.

Step-2: Adding certificate to service account

# -storeFindType takes the value given in Microsoft's documentation for this script;
# the original post left it blank.
.\CertificateReconfiguration.ps1 -certificateFile <Your-CertificatePath> `
    -password <Certificate-PrivateKey> -updateCrm -certificateType S2STokenIssuer `
    -serviceAccount <Service-AccountName> -storeFindType FindBySubjectDistinguishedName

Update the tags in the above command with the below-specified content before running it.

  1. Path of the certificate exported with the private key (.pfx).
  2. Password set when exporting the above certificate (the <Certificate-PrivateKey> tag).
  3. Name of the service account.

In our case, the domain configuration for the service account name was set to  for some accounts and was empty for a few others – this caused the issue.

Check the username for the service account and update with the exact value.

Step-3: Set PowerShell to accept Office 365 cmdlets

Enable-PSRemoting -force
Import-Module MSOnline -force
Import-Module MSOnlineExtended -force

Now PowerShell is ready to accept cmdlets, but the connection has to be established for the cmdlets to take effect on Azure and SharePoint.

$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

Provide the credentials of the user who has global admin privileges in Office 365 once the pop-up appears.

Step-5: Now set the certificate for server-based authentication

# Load the export that carries the private key (.pfx); only CRM itself uses this one.
$STSCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList <Your-CertificatePathWithPrivateKey>, <Certificate-PrivateKey>
$PFXCertificateBin = $STSCertificate.GetRawCertData()
# Load the public-only export (.cer); the original post omitted the Import call, so
# $Certificate was empty and GetRawCertData() failed.
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Certificate.Import(<Your-CertificatePathWithoutPrivateKey>)
$CERCertificateBin = $Certificate.GetRawCertData()
# Base64 of the public certificate is what gets registered in Azure in the next step.
$CredentialValue = [System.Convert]::ToBase64String($CERCertificateBin)

Update the tags in the above commands with the below-specified content before running them.

  1. Certificate path (with private key, .pfx)
  2. Password of the .pfx export
  3. Certificate path (without private key, .cer)
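As an added check that is not part of the original post, the following PowerShell validates the two exported files before steps 2, 5 and 6 use them: both must be the same certificate, only the .pfx may carry the private key, the certificate must be within its validity period, and the value pushed to Azure is built from the .cer alone so the private key never leaves the CRM server. The function name Test-S2SCertificatePair and the sample paths are assumptions; the password is read as a SecureString rather than typed into the script.

```powershell
# Added example, not from the original post. Names and paths below are assumptions.
function Test-S2SCertificatePair {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,      # export WITH private key (.pfx)
        [Parameter(Mandatory)] [securestring] $PfxPassword,  # password chosen during export
        [Parameter(Mandatory)] [string]       $CerPath       # export WITHOUT private key (.cer)
    )

    # X509Certificate2 has a (path, SecureString) constructor, so the password is never a plain string here.
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $PfxPassword
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

    # Both files must describe the same certificate, otherwise Azure will verify tokens
    # against a key CRM does not sign with.
    if ($pfx.Thumbprint -ne $cer.Thumbprint) {
        throw "Thumbprint mismatch: .pfx $($pfx.Thumbprint) vs .cer $($cer.Thumbprint)"
    }
    # CRM needs the private key to issue S2S tokens; Azure must only ever receive the public part.
    if (-not $pfx.HasPrivateKey) {
        throw "The .pfx has no private key; CertificateReconfiguration.ps1 needs one for S2STokenIssuer."
    }
    if ($cer.HasPrivateKey) {
        throw "The .cer contains a private key; only the public certificate may be uploaded to Azure."
    }

    # A certificate outside its validity window registers fine but every token will be rejected.
    $now = Get-Date
    if ($now -lt $pfx.NotBefore -or $now -gt $pfx.NotAfter) {
        throw "Certificate is not currently valid ($($pfx.NotBefore) to $($pfx.NotAfter))."
    }
    if ($pfx.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "Certificate expires on $($pfx.NotAfter); plan the rotation now."
    }

    # Same value step 5 stores in $CredentialValue, derived from the public certificate only.
    return [System.Convert]::ToBase64String($cer.GetRawCertData())
}

# Sample invocation (assumed paths); the returned string feeds New-MsolServicePrincipalCredential in step 6.
$pfxPassword     = Read-Host -Prompt 'Password of the .pfx export' -AsSecureString
$CredentialValue = Test-S2SCertificatePair -PfxPath 'C:\certs\crm-s2s.pfx' `
                                           -PfxPassword $pfxPassword `
                                           -CerPath 'C:\certs\crm-s2s.cer'
```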

Step-6: Linking Azure to SharePoint

$RootDomain = "*"    # replace with your server domain name, see the note below
$CRMAppId = "00000007-0000-0000-c000-000000000000"    # well-known Dynamics CRM application ID; leave as is
# Register the public certificate as a verification key for the CRM application.
New-MsolServicePrincipalCredential -AppPrincipalId $CRMAppId -Type asymmetric -Usage Verify -Value $CredentialValue
# Add "<CRMAppId>/<RootDomain>" to the service principal names; the original post omitted
# the Add call and the argument to -ServicePrincipalNames.
$CRM = Get-MsolServicePrincipal -AppPrincipalId $CRMAppId
$ServicePrincipalName = $CRM.ServicePrincipalNames
$ServicePrincipalName.Add("$CRMAppId/$RootDomain")
Set-MsolServicePrincipal -AppPrincipalId $CRMAppId -ServicePrincipalNames $ServicePrincipalName

While linking, when we updated CRMAppId with the CRM Id from Solutions > Customizations > Developer Resources in CRM, it resulted in the error "service account not found".

To remedy the above error, do not update CRMAppId; leave it as it is. Only update RootDomain to your server domain name.

Step-7: Configure CRM with SharePoint for server-based authentication.

Add-PSSnapin Microsoft.Crm.PowerShell
$setting = New-Object "Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity"
$setting.LogicalName = "ServerSettings"
$setting.Attributes = New-Object "Microsoft.Xrm.Sdk.Deployment.AttributeCollection"
# Each attribute must be added to the collection; the original post built them but never added them.
$attribute1 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerPrincipalId", "00000001-0000-0000-c000-000000000000")
$setting.Attributes.Add($attribute1)
# The original post left the metadata URL empty; replace the placeholder with the value from the reference URL.
$attribute2 = New-Object "System.Collections.Generic.KeyValuePair[String, Object]" ("S2SDefaultAuthorizationServerMetadataUrl", "<Authorization-Server-MetadataUrl>")
$setting.Attributes.Add($attribute2)
Set-CrmAdvancedSetting -Entity $setting

Once CRM is configured, everything on the server side is complete. The rest has to be done in the CRM web application.

Step – 8: This is the last step in the process and it has to be done in CRM.

  1. Navigate to Document Management.
  2. Click on Enable Server-Based SharePoint Integration.
  3. Next > Select Online and proceed.
  4. In the screen that comes up, enter the full SharePoint site URL and the SharePoint tenant ID.
     – To get the tenant ID, run the following command in PowerShell on the server. It returns a GUID; copy it.

     $CRMContextId = (Get-MsolCompanyInformation).ObjectID

  5. Click Next to validate the site.

Possible Issues

Issue 1: Site is shown as invalid, with 401 unauthorized exception.

To fix the above issue, the users have to be mapped. The CRM user record has a field named "SharePoint Email Address", and its value must match one of the SharePoint logins. If it does not, update it with any of the existing SharePoint users.

Now repeat step 8 and you will see the configuration complete successfully.
For another user to sync, just update that user's SharePoint Email Address field with their SharePoint login email.

Posted By: Jugal Kishore, Osmosee
