I then prepared the x509 certificate required for the server-side authentication. In particular:
- I logged on to the CRM Server as an administrator, run MMC and added the Certificates snap-in. When prompted I chose Computer Account and, then, Local Computer.
- Under the Personal certificate storage I located the wild card certificate and exported it twice. The first time I set not to export the private key to obtain a DER encoded binary X.509 (.cer) certificate that I saved to a .cer file under the C:\ folder as c:\Personalcertfile.cer. Then I exported the same certificate along with the private key (to obtain a .pfx file) keeping the default options and duly noting the password for a later import. The .pfx file was saved as c:\Personalcertfile.pfx
Installing Microsoft Online Services Sign-In Assistant for IT Professionals Beta was not required as it was already there while I had to set up the Azure Active Directory Module for Windows PowerShell (64-bit version).
According to the guide I located the CertificateReconfiguration.ps1 file and started the Azure Active Directory Module for Windows PowerShell moving to the file path. I launched exactly the commands on the guide:
$CertificateScriptWithCommand = “.\CertificateReconfiguration.ps1 -certificateFile c:\Personalcertfile.pfx -password THEPWDNOTEDABOVE -updateCrm -certificateType S2STokenIssuer -serviceAccount DOMAINNAME\USERNAME -storeFindType FindBySubjectDistinguishedName”
Invoke-Expression -command $CertificateScriptWithCommand
Please note that THEPWDNOTEDABOVE was the password I chose when I exported the .pfx certificate. DOMAINNAME\USERNAME is the credential of the administrative single user I used to carry out the configuration.
The actual configuration was pretty straightforward. I was all about locating and launching the ConfigureCrmServerSideSync.ps1 script with the right parameters.
|rootDomainName||The server url as configured in the IFD (without https://)|
|cerFilePath||c:\Personalcertfile.cer created above|
|pfxFilePath||c:\Personalcertfile.pfx created above|
|organizationName||The name our CRM organization.|
|O365AdminEmail||The Office 365 tenant email address ALIAS@DOMAIN.onmicrosoft.com|
I was prompted for the ALIAS@DOMAIN.onmicrosoft.com and the rest of the process was completed by the script.
Once performed the steps above, our CRM was ready for the server side (Hybrid) configuration.
In CRM, I created an email server profile going to Settings > Email Configuration > Email Server Profiles.
I then clicked New > Exchange Online (Hybrid). The tenant ID was already there and I only had to set a meaningful name for the profile.
With the server profile in place I configured the existing mailboxes to use the newly created profile. For each mailbox I selected test and enable.