Using the BDS Snap-in in a distributed environment
As mentioned in the release notes of Business Data Search (BDS) Snap-in - Phase 2 pre-release 4, the snap-in was tested on a single-box configuration, wherein all the prerequisites and all the back-office application servers that need to be searched, such as Microsoft Dynamics CRM 3.0, Microsoft Dynamics AX 4.0 and Microsoft Office SharePoint Services 2007, were installed on the same machine as the BDS server.
When we tested in a distributed environment (i.e. one where Microsoft CRM 3.0, Microsoft Dynamics AX 4.0 and Microsoft Office SharePoint Services 2007 were on different machines) under Windows integrated authentication mode, the snap-in did not work as expected because of a security limitation popularly known as the “double hop issue”. In this issue, the user’s credentials are passed from the client system to the server running IIS, but that server cannot forward them to another machine. In the case of the BDS snap-in, when a user launches the snap-in from Outlook, the user’s credentials are passed to the BDS ASP.NET application residing on the SharePoint server, and from there they need to be passed on to the other services (Microsoft Dynamics CRM 3.0, Microsoft Dynamics AX 4.0 and Microsoft Office SharePoint Services 2007), which did not happen. This worked perfectly fine when these services were accessed on the same machine, because there is no second hop in that environment.
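The quickest way to confirm that a deployment is hitting the double hop is to look at the Windows token the BDS ASP.NET application is actually running under. The following is an added diagnostic page, not part of the BDS snap-in or any Microsoft sample; the file name DelegationCheck.aspx.cs is hypothetical, and it assumes the application uses Windows integrated authentication with <identity impersonate="true"/>. A token at the Impersonation level is valid on the IIS machine only, so any call to a CRM, AX or SharePoint server on another machine is made without the user's credentials; only a Delegation-level token (which requires Kerberos, never NTLM) can make the second hop.

```csharp
// Added diagnostic example (not part of the BDS snap-in). Drop this code behind a
// test page (hypothetical name: DelegationCheck.aspx) in the BDS ASP.NET
// application on the SharePoint server and browse to it from a client.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class DelegationCheck : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // The identity ASP.NET authenticated for this request (Windows integrated auth).
        WindowsIdentity requestIdentity = User.Identity as WindowsIdentity;
        if (requestIdentity == null)
        {
            Response.Write("Request identity is not a WindowsIdentity; integrated authentication is not in effect.\r\n");
            return;
        }

        // The identity the worker thread is executing under. With
        // <identity impersonate="true"/> this is the caller; otherwise it is the
        // application pool account and the user's credentials never leave IIS.
        WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent();

        Response.Write(string.Format("Authenticated user : {0} ({1})\r\n",
            requestIdentity.Name, requestIdentity.AuthenticationType));
        Response.Write(string.Format("Thread identity    : {0}\r\n", threadIdentity.Name));
        Response.Write(string.Format("Token level        : {0}\r\n", threadIdentity.ImpersonationLevel));
        Response.Write(Explain(threadIdentity.ImpersonationLevel, requestIdentity.AuthenticationType));
    }

    // Maps the token level to what it means for the call from BDS to CRM/AX/SharePoint.
    internal static string Explain(TokenImpersonationLevel level, string authType)
    {
        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                return "Credentials can be forwarded to a second machine (Kerberos delegation is in effect).";
            case TokenImpersonationLevel.Impersonation:
                return "Credentials are valid on this server only; the hop to CRM/AX/SharePoint will fail. "
                     + (authType == "NTLM"
                        ? "NTLM never produces a delegatable token."
                        : "Check the delegation settings for this account and the service principal names.");
            default:
                // A primary (non-impersonation) token reports None here.
                return "Token level " + level + " cannot be used to call remote services as the user.";
        }
    }
}
```

On a single-box installation the reported level is irrelevant because every service is local; on a distributed installation with NTLM you will see "Impersonation", which is exactly the condition described above and the reason the HTTPS-based solution below is needed.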
Solution
To make the environment distributed (i.e. to install the BDS snap-in and SharePoint services on a machine other than the ones hosting the Microsoft Dynamics CRM 3.0 or Microsoft Dynamics AX 4.0 servers) in a secure fashion, you need to use a secure HTTP (HTTPS/SSL) configuration. The following needs to be configured on the machine where BDS is being set up:
I. Ensure Microsoft IIS 6.0 is installed, as it is not installed by default with Windows Server 2003. Instructions on how to do this can be found at the following link:
II. Install and configure the Certificate Authentication (CA) service on Windows Server 2003. This provides extended security by issuing digital certificates. Instructions on how to do this can be found at the following link:
Note: once the CA service has been activated, ensure that the users of this application enroll for a digital certificate.
III. Request a new server certificate from an online CA. Instructions on how to do this can be found at: http://technet2.microsoft.com/WindowsServer/en/library/87e27bae-a060-4bf9-a4ff-98fbf227cea71033.mspx?mfr=true
IV. Install and configure the obtained SSL certificate on Microsoft IIS 6.0. See the following link:
http://msdn.microsoft.com/library/en-us/dnmaploc/html/MLSSecur.asp?frame=true#mlssecur_topic3
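Once steps I to IV are done, it is worth checking from a client workstation that the BDS site really answers over HTTPS and that the certificate issued by the CA from step II is trusted there; an untrusted issuing CA or a name mismatch is what Outlook and Internet Explorer will otherwise complain about. The following is an added console program, not part of the BDS snap-in or of any Microsoft sample; the URL https://bds.example.local/BDS/ is a placeholder for your own BDS site, and the program assumes the site uses Windows integrated authentication.

```csharp
// Added verification example (not part of the BDS snap-in). Run it on a client
// workstation after the server-side steps; pass the BDS site URL as the argument.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

class BdsSslCheck
{
    // Outcome of one HTTPS probe, kept in an object so it can be inspected, not only printed.
    internal class Result
    {
        public string Subject;
        public string Issuer;
        public DateTime NotAfter;
        public SslPolicyErrors PolicyErrors;
        public HttpStatusCode Status;
    }

    internal static Result Probe(string url)
    {
        Result result = new Result();

        // Record what the server presented and what Windows thinks of it. Returning true
        // lets the request continue so the HTTP status can be captured too; this callback
        // is for the diagnostic process only and must not be copied into production code.
        ServicePointManager.ServerCertificateValidationCallback =
            delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
            {
                X509Certificate2 cert2 = new X509Certificate2(cert);
                result.Subject = cert2.Subject;
                result.Issuer = cert2.Issuer;
                result.NotAfter = cert2.NotAfter;
                result.PolicyErrors = errors;
                return true;
            };

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.UseDefaultCredentials = true; // integrated authentication, as the snap-in uses
        request.Method = "HEAD";
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        {
            result.Status = response.StatusCode;
        }
        return result;
    }

    static void Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "https://bds.example.local/BDS/"; // placeholder URL
        Result r = Probe(url);
        Console.WriteLine("HTTP status   : {0}", r.Status);
        Console.WriteLine("Subject       : {0}", r.Subject);
        Console.WriteLine("Issuer        : {0}", r.Issuer);
        Console.WriteLine("Expires       : {0:u}", r.NotAfter);
        Console.WriteLine("Policy errors : {0}", r.PolicyErrors);
        if ((r.PolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            Console.WriteLine("  -> the issuing CA (step II) is not trusted on this workstation; install its root certificate.");
        if ((r.PolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("  -> the certificate name does not match the host in the BDS URL entered in Outlook.");
    }
}
```

A clean run prints "Policy errors : None" and a 2xx status; a non-2xx status makes GetResponse throw a WebException, so an authentication problem shows up as an exception rather than a certificate error.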
Finally, a few minor steps need to be followed on the user’s local machine for the solution to work:
- After entering the URL of the BDS website in the Home page tab of the Business Data Lookup folder properties in Outlook, make sure you click the Browse button at least once.
- If the user has the IE 7.0 browser, SSL 2.0 should be enabled in the Security section under the Advanced tab of Internet Options.
The steps above should help you run the BDS snap-in in a real scenario where the back-office application server (Microsoft Dynamics CRM 3.0 / Microsoft Dynamics AX 4.0 / Microsoft Dynamics SharePoint 2007 Server) runs on a machine other than the one hosting the BDS server. If you have any further doubts or queries, please post them on the message board on our Sandbox.