Heartbleed OpenSSL bug – What you need to know

I thought I would give a plug for Troy Hunt’s blog post as he has taken some time to write it all up. If you want to read about the security ‘Heartbleed OpenSSL bug’ then take a look at the link below. Worth a read!

http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html 

I also did a blog post about creating OpenSSL certificates for development, but I emphased in that post the following statement:

you should purchase a secure SSL certificate for production environments

Greg Olsen
YellowDuckGuy

Microsoft Dynamics CRM – Create an OpenSSL Self-signed SSL Certificate for your CRM 2013 Dev Environment

The first step in configuring a CRM 2013 environment to be enabled for claims-based authentication and Internet Facing Deployment (IFD) is to have a SSL Certificate available for setup. This blog post will simply outline how to quickly generate and use an OpenSSL certificate to be used with your setup of CRM for claims-based authentication and Internet Facing Deployment.

Before I move on, I do want to emphasize that you should purchase a secure SSL certificate for production environments. I would recommend purchasing them from sites such as godaddy.com, entrust.net, verisign.com, thawte.com etc

 

What is a SSL Certificate?

 

Firstly, the Secure Socket Layer (SSL) protocol ensures secure transactions between web servers and browsers i.e. traffic between you sitting at your PC and the server your interacting with.

Secondly, the protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transactions. SSL certificates are files that connect the security key to an organisation’s details. When the SSL certificate is installed on a web server, it activates the little padlock symbol and the https protocol (which is over port 443) and allows secure connections from a web server to your browser.

 

Creating a OpenSSL Self-Signed SSL Certificate?

 

When you start out with SSL certificates you probably quietly say to yourself “how the hell do I create a local one and not buy one?”. Keep reading as I have an answer for you. But remember, you need to buy one for production environments!

Let’s head to Open SSL website first and get the file(s) you need. To read about OpenSSL, go to http://slproweb.com/products/Win32OpenSSL.html

 

Install the software to create the OpenSSL Certificates:

 

• For all downloads, see: http://slproweb.com/products/Win32OpenSSL.html
• For x86 or 32bit machines, download: Win32 OpenSSL v1.0.1e Light
• For x64 or 64bit machines, download: Win64 OpenSSL v1.0.1e Light

Note:

make sure you install the dll’s in the bin directory when it asks you to in the installer. I found this to be easier.

 

Create the OpenSSL Certificate

 

You will create the OpenSSL Cerificate by using the Command Prompt – yea sorry, no UI in these instructions.

Open a Run Command Prompt with administrator priviledges and then execute the following commands one at a time. Note: change C:\OpenSSL-Win32\bin\ below to match your location of your installation and remember to change Win32 to Win64 if your using the 64bit installation. Also, change itsgrego to a name for your SSL Certificate.

During the process, you will be asked to input a certificate password and a few other organisation details. Don’t worry if you get it wrong on the first occasion as you can do the process again.

set RANDFILE=C:\OpenSSL-Win32\bin\.rnd 
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
openssl pkcs12 -export -out itsgrego.pfx -inkey privatekey.pem -in publickey.cer

During the process, you will be asked to input a certificate password and a few other organisation details. Don’t worry if you get it wrong on the first occasion as you can do the process again. I recommend creating a wildcard certificate with a Common Name (CA) of *.yourdomain , example: *.itsgrego.

Once you are successful creating the OpenSSL Certificate, navigate to your installation directly and obtain OpenSSL Certificate, which will have an extension of .pfx. It will be located in a directly similar to C:\OpenSSL-Win32\bin\ or C:\OpenSSL-Win64\bin\ or depending on where you chose to install the OpenSSL software.

Now that you have your OpenSSL Certificate, you can add it to the Personal and Trusted Root Certificate locations to start using it.

Greg Olsen
YellowDuckGuy

Microsoft Dynamics CRM – Creating SSL Certificates for CRM Test Environment

I thought I would give a plug for Jeremy Morlock’s MSDN blog post regarding creating SSL certificates. There is some useful information in this post which is a good read.

Find the posting here: http://blogs.msdn.com/b/crminthefield/archive/2013/11/27/creating-ssl-certificates-for-crm-test-environment.aspx

Greg Olsen
YellowDuckGuy

Microsoft Dynamics CRM 2011 – Error When Browsing Discovery.svc Service

Today I had to resolve a customer issue where the Dynamics CRM 2011 for Outlook Configuration Wizard could not find the CRM 2011 server and the CRM server did exist on the domain.

I was connecting Microsoft Outlook 2007 to CRM 2011 via the installed add-in Microsoft Dynamics CRM 2011 for Outlook.

My list of areas to troubleshoot this issue was as follows:

• Check CRM 2011 server is running ok. Can I browse it from the CRM Server?
• Check I can ping the CRM server from the Outlook client PC
• Check I can browse to CRM from the web browser on the Outlook client PC
• Check I can resolve the Discovery.svc service. CRM for Outlook Configuration tool uses this.
• Check the registry settings for the Configuration settings of CRM for Outlook

The Issue

Going through this list I found I could not resolve the Discovery.svc service from the Outlook client PC. You should be able to resolve the Discovery.svc service using the following URL. http://%5Byourcrmserver%5D/XRMServices/2011/Discovery.svc

You should see a page similar to below when you can successfully render the Discovery Service.

So I thought I had a possible IIS issue as I couldn’t render the service on the CRM server as well. I decided to check the Event Viewer first for any clues. Below is the error message I received.

WebHost failed to process a request.
Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/63835064
Exception: System.ServiceModel.ServiceActivationException: The service ‘/XRMServices/2011/Discovery.svc’ cannot be activated due to an exception during compilation.  The exception message is: This collection already contains an address with scheme http.  There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting ‘system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled’ to true or specifying ‘system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters’.
Parameter name: item. —> System.ArgumentException: This collection already contains an address with scheme http.  There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting ‘system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled’ to true or specifying ‘system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters’.
Parameter name: item
at System.ServiceModel.UriSchemeKeyedCollection.InsertItem(Int32 index, Uri item)
at System.Collections.Generic.SynchronizedCollection`1.Add(T item)
at System.ServiceModel.UriSchemeKeyedCollection..ctor(Uri[] addresses)
at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
at Microsoft.Crm.Sdk.V5.DiscoveryServiceHostFactory.CreateServiceHost(String constructorString, Uri[] baseAddresses)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
— End of inner exception stack trace —
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
Process Name: w3wp
Process ID: 4116

From this error message it seems their is a http bindings issue within IIS. Then it came to me! One of our infrastructure guys had created another port binding for CRM to be on port 80 for some other unrelated testing.

Resolution

Therefore to resolve this I had to remove the extra http binding in the Microsoft Dynamics CRM website within IIS.

To change or investigate your site bindings, click on Bindings… under Edit Site in IIS as shown below.

You should only have one http binding in the list as shown below. Note: I have removed the binding which was causing the problem in the image below.

Its possible to have multiple http bindings, but you will need to change some web.config values which contain multipleSiteBindingsEnabled and set it to true. See the error message earlier for more information.

Hope that helps!

Greg Olsen
Yellow Duck Guy

Windows 2008 Server – IIS v7.0.6000.16386 UI Quick Look

Moving towards the new version of Internet Information Services (IIS) on Windows Server 2008 will show a new user interface look and feel. Most options you see are the same but just displayed slightly different.  I have got use to the new layout pretty quickly.

The new actions section on the right is quite helpful and removes the need for all those right-click options! 

I’m sure if you have worked with IIS before you will find the new layout easy to use.

Here is a quick image look at the new user interface:
(I have removed the machine name in the black areas for privacy)

Greg Olsen
Yellow Duck Guy

IIS – Configuration Error …

I got this error again today and thought "how do I fix this again?" after checking out IIS remembered that I need to enable the folder/location as an IIS application – error messages mentions this!

OK, so this is the error message:

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

Source Error:

Line 49:   ...
Line 50:   -->
Line 51:   <authentication mode="Windows" />
Line 52:   <!--   AUTHORIZATION

Cause:
The Web.Config is telling IIS to treat this as an application but it has not been set up as an application in IIS - hence the error message.

Solution:

1. Run/Open IIS (under Control Panel > Administrative Tools  for most Operating Systems)
2. Find the project in the list of projects. (Open up your computer in the list and look under "Default Web Site").
3. Bring up its properties (Right click > Properties).
4. If the "application name" (under "Application Settings" on the "Directory" tab) is greyed out then click '[Create]' and then '[OK]'.

Now if you refresh or reload your browser to the address of your website or webservice you should see it!

Greg Olsen
Yellow Duck Guy