Best practices for server-side synchronization

Статия
11/28/2016

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Consider the following when planning and deploying server-side synchronization.

Best practices for configuring server-side synchronization

If you use Microsoft Dynamics 365 (online) and Microsoft Exchange Online

By default, the Microsoft Exchange Online email server profile is created for Dynamics 365 (online) organizations and should be your first choice. If you want to use your own profile, you use Dynamics 365 (online), and Exchange Online, and both services are on the same tenant, use the following settings in your email server profile (Settings > Email Configuration > Email Server Profiles).

Settings	Recommendation
Auto Discover Server Location	Yes
Incoming Connection
Authenticate Using	Server to Server Authentication
Use Impersonation	No
Use same settings for Outgoing	Yes

If you want to use one set of credentials to process emails with Outlook or Exchange

Using one account to process email to all mailboxes is easier to maintain but requires using an account that has access to all mailboxes in Outlook or Exchange. The account must have impersonation rights on Exchange. If that single account is compromised, all mailboxes using that account are compromised. Use the following settings in your email server profile (Settings > Email Configuration > Email Server Profiles to use a single account for email processing.

Settings	Recommendation
Incoming Connection
Authenticate Using	Credentials Specified in Email Server Profile
User Name	The administrator’s user name
Password	The administrator’s password
Use Impersonation	Yes
Use same settings for Outgoing	Yes

Delegation (Use Impersonation = No) is not supported for syncing Appointments, Contacts, and Tasks.

If you want to use individual credentials to process emails with Outlook or Exchange

An alternative to a single account to process emails is using individual accounts. This method requires more maintenance effort but does not focus security on a single account. If you want each user account to synchronize with Outlook or Exchange and you’re not using the Microsoft Exchange Online email server profile, use the following settings (Settings > Email Configuration > Email Server Profiles).

Settings	Recommendation
Incoming Connection
Authenticate Using	Credentials Specified by a User or Queue
Use Impersonation	No
Use same settings for Outgoing	Yes

Set the following in each user mailbox.

Settings	Recommendation
Credentials
Allow to Use Credentials for Email Processing	Yes
User Name	The user name for the mailbox
Password	The password for the mailbox

How to allow email credentials over a non-secure channel (on-premises versions only)

By default, Microsoft Dynamics 365 doesn’t allow users to enter their email address or password when it detects that the credentials may be transmitted over a non-secure channel, such as HTTP. Dynamics 365 enforces this by disabling the ability to select “Yes” next to “Allow to Use Credentials for Email Processing” on the user mailbox form.

Allow to Use Credentials for Email Processing

However, if your deployment is using SSL offloading where Dynamics 365 can’t detect the offloading, you can configure Dynamics 365 on-premises versions to allow the transmission of email credentials. This work around is only available with Microsoft Dynamics CRM 2013 and later on-premises versions.

Warning

Before you execute the following SQL statement, back up your configuration and organization database. More information: Back up the Microsoft Dynamics 365 System

USE MSCRM_CONFIG 
GO
IF EXISTS (SELECT ColumnName, BitColumn FROM DeploymentProperties WHERE ColumnName = ‘AllowCredentialsEntryViaInsecureChannels’ AND BitColumn=0)
BEGIN
Update DeploymentProperties set BitColumn=1 where ColumnName=’AllowCredentialsEntryViaInsecureChannels’
END

Споделяне чрез