Most CRM deployments require using both host headers and SSL certificates. As small a requirement as it may seem, making this happen can be a bit tricky and I’ve personally had my share of late nights here and there just to get this to work. As a result, I’ve decided to put together this short article to document the steps required to resolve this issue, and at the same time be of help to anyone ‘out there’ who might encounter the same problem.
A typical error that comes with using multiple host headers for the same port (or the attempt thereof) is as follows:
System.ServiceModel.ServiceActivationException: The service ‘/orgName/XRMServices/2011/Organization.svc’ cannot be activated due to an exception during compilation. The exception message is: This collection already contains an address with scheme http. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting ‘system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled’ to true or specifying ‘system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters’.
Most times when working at client sites, encountering errors like this requires some Microsoft guidance. The last time I worked with Microsoft Support, I received the following reply:
- CRM 2011s WCF service architecture has restricted multiple bindings by design and is a limitation with the .Net WCF
- CRM 2011 implementation guide warns you that the web site deployed should have one single binding. It is unsupported to use multiple bindings to either protocols (HTTPS or HTTP).
- There is no workaround available to allow this.
However, we have identified a 3 step process to use in our deployments that resolves the issue above, and at the same time ensures that:
- Discovery and Organization service will continue to work so custom apps and integrations work
- Outlook client will continue to work either by using the configured hostname or the CRM servers FQDN.
The 3 steps are:
- Install SSL Cert into IIS 7 on your application server
- Bind the host header names to your site
- Bind the SSL Cert to your site
Step 1 - Install SSL Cert into IIS 7 on Your Application Server
I will not go into details on how to install a cert here as this is fairly simple to anyone familiar with CRM.
Step 2 – Binding the Host Header Names to Your Site
Binding the hostname is accomplished by using the appcmd tool. By running the following command, the tool creates a binding to your web application and to the preferred hostname:
Your website binding configuration would have looked like this before running the command:
The goal is to be able to define a hostname and use port 443 for your CRM website.
After running the command above, the appcmd tool has created two bindings for the same port. One is using your chosen hostname and the other is just a copy of your old binding.
You actually don’t need the binding with no hostname listed, so go ahead and remove it.
Step 3 - Binding the SSL Certificate to Your Website
The first step in binding the SSL Cert is accomplished by running the following netsh command: netsh http show sslcert.
This command shows all certs currently in use on your web application server.
The example above shows a list of Certificate Hashes and Application IDs from my CRM Server. Note that for security reasons, I have removed the Hashes/ App IDs. When you run the command, you should be able to find them.
Once you get the Hash and Application IDs, you are ready to bind the certificate to your website, which by now should have the hostname bound as well.
Command:
netsh http add sslcert ipport=0.0.0.0:443 certhash=baf9999b999e9999999b5e6287c97973dcd54874 appid={zz9x99y7-9916-99z3-bc6e-991z4ce4b999}
Note: replace the certhash with the Certificate Hash from the cert list; and replace the appid with the Application ID from the cert list.
Running this command should get you to the screenshot below.
Now that your SSL Cert and hostnames have been bound you are good to go.
Happy CRMing…
Written by
Dexter Domingo, Senior Consultant
