Configure server-based authentication with Dynamics 365 Online and SharePoint on-premises.

1. Follow the documentation: https://technet.microsoft.com/en-us/library/dn894709.aspx

1.1. Configure SharePoint 2016 (Single-Server Farm)
1.2. Service applications after the configuration of the server:
[Screenshot: Dynamics365_01]

1.3. The SharePoint website must be accessible from the Internet. A reverse proxy may also be required for SharePoint authentication. More information: Configure a reverse proxy device for SharePoint Server 2016 hybrid.

2. Azure
2.1. Get your tenant ID (example: 12345678-0000-0000-0000-000000000000)

2.2. Run the script (replace TenantID with the tenant ID from 2.1):

Enable-PSRemoting -Force
New-PSSession
Import-Module MSOnline -Force
Import-Module MSOnlineExtended -Force

$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

$HostName = "crmdocs.domain.com"   # the site created in SharePoint that hosts the documents
$SPOAppId = "00000003-0000-0ff1-ce00-000000000000"
$SPOContextId = (Get-MsolCompanyInformation).ObjectID
# If the line above does not return the ID, set the tenant ID directly:
# $SPOContextId = "TenantID"
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $SPOAppId
$ServicePrincipalName = $SharePoint.ServicePrincipalNames
# Add the on-premises host name to the SharePoint service principal names (the step from the linked
# documentation that uses $HostName; without it the Set-MsolServicePrincipal call below writes back an unchanged list)
$ServicePrincipalName.Add("$SPOAppId/$HostName")

Set-MsolServicePrincipal -AppPrincipalId $SPOAppId -ServicePrincipalNames $ServicePrincipalName

$metadataEndpoint = "https://accounts.accesscontrol.windows.net/TenantID/metadata/json/1"
$acsissuer = "00000001-0000-0000-c000-000000000000@TenantID"   # ACS issuer
$issuer = "00000007-0000-0000-c000-000000000000@TenantID"      # Dynamics 365 issuer

New-SPAzureAccessControlServiceApplicationProxy -Name "Internal" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup

3. SharePoint 2016

3.1. Run the scripts in the SharePoint 2016 Management Shell (replace TenantID with the tenant ID from 2.1):

Get-SPAuthenticationRealm # back up the current realm GUID before changing it

Set-SPAuthenticationRealm -Realm "TenantID"

$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + "TenantID" + "/metadata/json/1"

$acsissuer = "00000001-0000-0000-c000-000000000000@" + "TenantID"   # ACS issuer
$issuer = "00000007-0000-0000-c000-000000000000@" + "TenantID"      # Dynamics 365 issuer

New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup

New-SPTrustedSecurityTokenIssuer -Name "ACS" -IsTrustBroker:$true -MetadataEndpoint $metadataEndpoint -RegisteredIssuerName $acsissuer

Get-SPTrustedSecurityTokenIssuer | Select RegisteredIssuerName # verify that the issuer was registered

$site = Get-SPSite "https://crmdocs.domain.com/sites/crmdocuments"

# Register Dynamics 365 as an app principal on the site collection and grant it full control
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $issuer -DisplayName "Dynamics365"

$app = Get-SPAppPrincipal -NameIdentifier $issuer -Site "https://crmdocs.domain.com/sites/crmdocuments"

Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope "sitecollection" -Right "FullControl"

# Map the incoming e-mail address claim so that the Dynamics 365 user can be matched to the SharePoint user
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

3.2. Service applications after running the scripts:
[Screenshot: Dynamics365_02]

3.3. In my case a change was necessary in the user property mapping of the User Profile Service Application, followed by a full sync.
(By default, the claims-based authentication mapping uses the user's Microsoft account email address and the user's SharePoint on-premises work email address for mapping. When you use this, the user's email addresses must match between the two systems.)
[Screenshot: Dynamics365_03]

4. Dynamics 365
4.1. Uninstall the CRM List Component.
4.2. Deactivate all SharePoint site records and remove absolute URLs, if any exist.
4.3. Make sure the "List component is installed" option is checked on the site record (otherwise the wizard complains about absolute URLs).
4.4. Enable Server-Based SharePoint Integration.

Troubleshooting:
Check the app principals registered on the site collection: https://portal/sites/crmdocuments/_layouts/15/appprincipals.aspx

For the "401 Unauthorized" failed-authentication error, see:
https://community.dynamics.com/enterprise/b/dynamics365apps/archive/2017/01/29/integration-troubleshooting-dynamics-365-online-sharepoint-on-premises-failed-authentication-401-unauthorized-error
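A post-configuration check, added here as an example and not part of the original post, that verifies from the SharePoint Management Shell that the realm, trusted token issuer, ACS proxy and app principal created above line up before testing from Dynamics 365. It assumes the same placeholder tenant ID, the proxy name "ACS" and the site URL used in the scripts above.

```powershell
# Added verification script (not from the original post). Replace the placeholders with your values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$tenantId   = "TenantID"                                    # placeholder, as in the scripts above
$siteUrl    = "https://crmdocs.domain.com/sites/crmdocuments"
$acsIssuer  = "00000001-0000-0000-c000-000000000000@$tenantId"
$d365Issuer = "00000007-0000-0000-c000-000000000000@$tenantId"
$problems   = @()

# 1. The farm realm must equal the tenant ID, otherwise tokens issued for the tenant are rejected.
$realm = Get-SPAuthenticationRealm
if ($realm -ne $tenantId) { $problems += "Realm is '$realm', expected '$tenantId'" }

# 2. A trusted security token issuer registered under the ACS issuer name must exist and be a trust broker.
$tokenIssuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.RegisteredIssuerName -eq $acsIssuer }
if (-not $tokenIssuer) { $problems += "No trusted security token issuer with RegisteredIssuerName '$acsIssuer'" }
elseif (-not $tokenIssuer.IsTrustBroker) { $problems += "Issuer '$($tokenIssuer.Name)' is not a trust broker" }

# 3. The ACS service application proxy created in 3.1 (named "ACS" above) must be present.
$proxy = Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq "ACS" }
if (-not $proxy) { $problems += "No service application proxy named 'ACS' found" }

# 4. The Dynamics 365 app principal must be registered on the site collection and hold a permission there.
$site = Get-SPSite $siteUrl
$app  = Get-SPAppPrincipal -NameIdentifier $d365Issuer -Site $siteUrl -ErrorAction SilentlyContinue
if (-not $app) { $problems += "App principal '$d365Issuer' is not registered on $siteUrl" }
else {
    $perm = Get-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope SiteCollection
    if (-not $perm) { $problems += "App principal '$($app.DisplayName)' has no site-collection permission" }
}
$site.Dispose()

if ($problems.Count -eq 0) { Write-Host "All server-based integration checks passed." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Any warning printed points at the step above that has to be repeated; a passing run does not replace the user-property mapping check in 3.3, which this script cannot see.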

This entry was posted in Dynamics 365, SharePoint 2016.