Deployment Guide for Windows Authentication - Maximizer On-Premise 2020 R1

Updated 1 year ago by Niall Clifford

With Maximizer CRM 2020 R1, if you are planning on using Windows Authentication for security, this guide will help you with the new configuration required with Maximizer CRM.

  • The SQL Server and Application Server need to be on the domain.
  • The IIS Server needs to either be on your domain or be in at least a one-way trust with your domain.

First, there are 4 users that are required for Windows Authentication to work:

  1. A user with full administrative rights and sysadmin rights on the SQL Server, Application Server and IIS Server

You need a domain user that is a member of the local Administrators group on all servers involved in the application. This is for installation purposes and running the Windows Administrator module.

We suggest you do Windows Authentication Mapping in your databases as the MASTER user.

  2. A user that will be used for the two IIS application pools and will be a login on the SQL Server

A domain user that will be used for the two IIS application pools that has the same rights set on the IIS Server as those two pools have. The user needs to be a member of the local IIS_IUSRS group and have full rights to the “..\Maximizer\Portals” folder and sub-directories and the “..\Maximizer\Campaign Manager” folder and sub-directories.

This user should also be added as a login to the SQL Server. We suggest this user be called MaxIIS. You will be mapping this user as dbo on all the Maximizer databases including the MaConfig database. This domain user needs to be mapped to the WEBUSER in your databases in the Windows Authentication tab.

  3. A user to run the Maximizer Service Bus with full rights on the IIS Server and be a login on the SQL Server

This domain user must be added with full rights to the IIS machine and as a login on the SQL Server. The user also needs to be a member of IIS_IUSRS and have full rights to all Maximizer folders. We suggest this user be called MaxSvcBus.

You will be mapping this user as dbo on all the Maximizer databases including the MaConfig database. You will also be setting the Windows Authentication Mapping in your Maximizer databases as the user you have set up for Notifications in your databases (typically called NOTIFYSRV).

  4. A user that will be used for the Email Service that is part of the IIS_IUSRS Group on the IIS Server and is a login on the SQL Server

This domain user must have full rights on the Maximizer Application Server, be part of the IIS_IUSRS Group on the IIS Server and be a login on the SQL Server. Additionally, this user should be the same user that will be used for the Email Service to login to SMTP to allow relay to work properly and needs to be mapped to the EMAILUSER in your databases in the Windows Authentication tab.

We suggest you call this User MaxEmail. Of course, this may need to be something else if you already have an account you use for Maximizer email. This user will need to be mapped as dbo to all Maximizer databases including MaConfig.

 

All the Users should be created and have their rights set before starting any install.

 

 

SQL Server

 

All four of the users above need to be added as logins to the SQL Server. The Administrator user mentioned above needs to have sysadmin rights on the SQL Server, so the install runs correctly and can set up everything required on SQL Server.

 

After the Application Server install, you will need to add the other 3 logins as users to the MaConfig database and all your Maximizer databases as dbo so they can do their work. Remember to do this after creating new Maximizer databases as well.

 

Application Server Installation

 

  1. Make sure to connect to the SQL Server with Windows Authentication as the Administrative User mentioned above in 1.
  2. When asked, use the Email Service user that was created/chosen above.
  3. Use the same user from the Email Service for the SMTP Server login credentials if you want email relay to work properly.

 

IIS Server install

 

  • Make sure to connect to the SQL Server with Windows Authentication as the Administrative User mentioned above.
  • When asked, use the Maximizer Service Bus user created above.
  • Note whether you choose an SSL or non-SSL setup during the install, as you will have to configure some files differently later depending on which is chosen.

  1. When the installation is complete, open the IIS Manager and go to Application Pools.
  2. Click on the Maximizer 64bit Application Pool and on the right, under Edit Application Pool, select Advanced Settings.
  3. Under Process Model, find Identity and click on the ellipses beside the Application Pool Identity.
  4. Select Custom Account and set the username prefixed with domain name and password to the one created above for the IIS User.
  5. Click OK to save this change and OK to the Advanced Settings dialog to close it.
  6. Repeat steps 2 to 5 for the Maximizer 32bit Application Pool.
  7. Still in the IIS Manager, go to the Campaign web site.
  8. Under IIS on the right open Authentication.
  9. Right click on Anonymous and choose Enabled.
  10. Right Click on Anonymous again and choose Edit.
  11. Change Anonymous User Identity to Application Pool Identity and click OK.
  12. Right Click on ASP.NET Impersonation and choose Enabled.  If you get an error when doing this do the following:
    1. In File Explorer, browse to the “..\Maximizer\Campaign Manager\Statistics” folder
    2. Right-click the Web.config file and choose Properties
    3. Check the Attributes and uncheck Read-only then click OK. You should be able to enable ASP.NET Impersonation now.
  13. Right click on ASP.NET Impersonation and choose Edit…
  14. Make sure Specific User is selected and click Set…
  15. Set the username prefixed with domain name and password to the one created above for the Email Service User then press OK.
  16. Press OK to save these changes
  17. Right click on Windows Authentication and choose Disable.
  18. Still in the IIS Manager, go to the MaximizerWebAuthentication web site.
  19. Under IIS on the right, open Authentication.
  20. Right click on Anonymous and choose Edit…
  21. Set Anonymous User Identity to Application Pool Identity and click OK.
  22. Right click on ASP.NET Impersonation and choose Enable.
  23. Leave Windows Authentication enabled.
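
A read-only check of the end state that steps 1 to 23 describe, as an added example that is not part of the original guide or of Maximizer's tooling. The application pool names, the `IIS:\` paths and all parameter names are assumptions; replace them with what IIS Manager shows on your server.

```powershell
# Added example, not from the original guide. The pool names and IIS: paths
# below are assumptions; adjust them to what IIS Manager shows on your server.
param(
    [string[]] $Pools  = @('Maximizer 64bit Application Pool', 'Maximizer 32bit Application Pool'),
    [string] $Campaign = 'IIS:\Sites\Default Web Site\Campaign',
    [string] $WebAuth  = 'IIS:\Sites\Default Web Site\MaximizerWebAuthentication',
    [Parameter(Mandatory)] [string] $IisUser,    # domain user set on both pools
    [Parameter(Mandatory)] [string] $EmailUser   # domain user set for impersonation
)
Import-Module WebAdministration
$auth = 'system.webServer/security/authentication'

function Get-AuthState([string] $Path) {
    $anon = Get-WebConfiguration -PSPath $Path -Filter "$auth/anonymousAuthentication"
    $win  = Get-WebConfiguration -PSPath $Path -Filter "$auth/windowsAuthentication"
    $imp  = Get-WebConfiguration -PSPath $Path -Filter 'system.web/identity'
    [pscustomobject]@{
        AnonymousEnabled = [bool] $anon.enabled
        AnonymousAsPool  = [string]::IsNullOrEmpty($anon.userName)  # empty userName = pool identity
        WindowsEnabled   = [bool] $win.enabled
        Impersonate      = [bool] $imp.impersonate
        ImpersonateUser  = [string] $imp.userName
    }
}

$findings = @()
foreach ($pool in $Pools) {
    $pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
    if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $IisUser) {
        $findings += "$pool runs as '$($pm.identityType)/$($pm.userName)', expected $IisUser"
    }
}
$c = Get-AuthState $Campaign
if (-not $c.AnonymousEnabled) { $findings += 'Campaign: Anonymous Authentication is not enabled' }
if (-not $c.AnonymousAsPool)  { $findings += 'Campaign: anonymous identity is not the application pool identity' }
if (-not $c.Impersonate)      { $findings += 'Campaign: ASP.NET Impersonation is not enabled' }
if ($c.ImpersonateUser -ne $EmailUser) { $findings += "Campaign: impersonates '$($c.ImpersonateUser)', expected $EmailUser" }
if ($c.WindowsEnabled)        { $findings += 'Campaign: Windows Authentication should be disabled' }
$w = Get-AuthState $WebAuth
if (-not $w.AnonymousAsPool)  { $findings += 'WebAuthentication: anonymous identity is not the application pool identity' }
if (-not $w.Impersonate)      { $findings += 'WebAuthentication: ASP.NET Impersonation is not enabled' }
if (-not $w.WindowsEnabled)   { $findings += 'WebAuthentication: Windows Authentication should be enabled' }

if ($findings) { $findings | Write-Warning } else { 'All checked settings match the guide.' }
```

Run it from an elevated PowerShell session on the IIS Server; it only reads configuration and changes nothing.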

 

You will need to add all domain users that will be logging into Maximizer to the IIS Server's local IIS_IUSRS group. This can be done individually, or by adding an existing domain group containing the domain users you want to be able to login to Maximizer.

 

If you chose a non-SSL setup during the install, configure the files as follows:

  1. Go to the “..\Maximizer\Portals\Employee\Feeds\Services” folder.
    1. Delete the existing Web.config file.
    2. Rename the Web_win.config.bak to Web.config.
  2. Go to the “..\Maximizer\Portals\Employee\Services\OutlookSync” folder.
    1. Delete the existing Web.config file.
    2. Rename the Web_win.config.bak to Web.config.
  3. Go to the “..\Maximizer\Portals\MaximizerWebData” folder.
    1. Delete the existing Web.config file.
    2. Rename the Web_win.config.bak to Web.config.
  4. Recycle the Maximizer 64-bit Application Pool and the Maximizer 32-bit Application Pool.
  5. Go to the “..\Maximizer\Notification Service” folder
    1. Delete the Maximizer.ServiceBus.Controller.exe.config file
    2. Rename the Maximizer.ServiceBus.Controller.exe_win.config.bak file to Maximizer.ServiceBus.Controller.exe.config
    3. Re-start the Maximizer Service Bus.

 

If you chose an SSL setup during the install, configure the files as follows:

  1. Go to the “..\Maximizer\Portals\Employee\Feeds\Services” folder.
    1. Delete the existing Web.Config file.
    2. Rename the Web_win_ssl.config.bak to Web.config.
  2. Go to the “..\Maximizer\Portals\Employee\Services\OutlookSync” folder.
    1. Delete the Web.Config file.
    2. Rename the Web_win_ssl.config.bak file to Web.config.
  3. Go to the “..\Maximizer\Portals\Employee” folder.
    1. Delete the existing Web.config file
    2. Rename the Web_ssl.config.bak file to Web.config.
  4. Go to the “..\Maximizer\Portals\MaximizerAdmin” folder.
    1. Delete the existing Web.config file.
    2. Rename the Web_ssl.config.bak file to Web.config
  5. Go to the “..\Maximizer\Portals\MaximizerWebData” folder.
    1. Delete the existing Web.config file.
    2. Rename the Web_win_ssl.config.bak to Web.config.
  6. Go to the “..\Maximizer\Portals\Wireless” folder.
    1. Delete the existing Web.config file.
    2. Rename the Web_ssl.config.bak file to Web.config.
  7. Recycle the Maximizer 64-bit Application Pool and the Maximizer 32-bit Application Pool.
  8. Go to the “..\Maximizer\Notification Service” folder.
    1. Delete the Maximizer.ServiceBus.Controller.exe.config file.
    2. Rename the Maximizer.ServiceBus.Controller.exe_win_ssl.config.bak file to Maximizer.ServiceBus.Controller.exe.config.
  9. Re-start the Maximizer Service Bus.
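
The two file-swap procedures above can be scripted. This PowerShell is an added example, not part of the original guide or of Maximizer's tooling; `$MaximizerRoot` is an assumed parameter standing in for the `..\Maximizer` path the guide leaves elided. Unlike the manual steps, it keeps the old file under a new name instead of deleting it and copies the `.bak` template instead of renaming it, so the change can be rolled back.

```powershell
# Added example, not from the original guide. $MaximizerRoot is an assumed
# parameter standing in for the "..\Maximizer" path the guide leaves elided.
param(
    [Parameter(Mandatory)] [string] $MaximizerRoot,
    [switch] $Ssl   # pass -Ssl if the SSL setup was chosen during the install
)
$ErrorActionPreference = 'Stop'
$svc = 'Maximizer.ServiceBus.Controller.exe'

# Each entry: folder under the root, live file name, template to activate.
if ($Ssl) {
    $plan = @(
        @('Portals\Employee\Feeds\Services',       'Web.config', 'Web_win_ssl.config.bak'),
        @('Portals\Employee\Services\OutlookSync', 'Web.config', 'Web_win_ssl.config.bak'),
        @('Portals\Employee',                      'Web.config', 'Web_ssl.config.bak'),
        @('Portals\MaximizerAdmin',                'Web.config', 'Web_ssl.config.bak'),
        @('Portals\MaximizerWebData',              'Web.config', 'Web_win_ssl.config.bak'),
        @('Portals\Wireless',                      'Web.config', 'Web_ssl.config.bak'),
        @('Notification Service', "$svc.config", "${svc}_win_ssl.config.bak")
    )
} else {
    $plan = @(
        @('Portals\Employee\Feeds\Services',       'Web.config', 'Web_win.config.bak'),
        @('Portals\Employee\Services\OutlookSync', 'Web.config', 'Web_win.config.bak'),
        @('Portals\MaximizerWebData',              'Web.config', 'Web_win.config.bak'),
        @('Notification Service', "$svc.config", "${svc}_win.config.bak")
    )
}

# Pre-flight: change nothing unless every template exists, so a partial swap
# cannot leave some portals on the old authentication configuration.
$missing = foreach ($p in $plan) {
    $template = Join-Path (Join-Path $MaximizerRoot $p[0]) $p[2]
    if (-not (Test-Path -LiteralPath $template)) { $template }
}
if ($missing) { throw "Missing template(s): $($missing -join '; ')" }

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($p in $plan) {
    $dir  = Join-Path $MaximizerRoot $p[0]
    $live = Join-Path $dir $p[1]
    if (Test-Path -LiteralPath $live) {
        # Keep the old file rather than deleting it. The backup name still ends
        # in .config, which IIS request filtering refuses to serve by default.
        Move-Item -LiteralPath $live -Destination (Join-Path $dir "pre-winauth-${stamp}-$($p[1])")
    }
    Copy-Item -LiteralPath (Join-Path $dir $p[2]) -Destination $live
    Write-Output "Activated $($p[2]) in $dir"
}
```

The script does not recycle the two application pools or restart the Maximizer Service Bus; do both afterwards as the steps above describe.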

 

If you are new to Maximizer and have installed with Windows Authentication Settings and are ready to create a Maximizer database, you should do the following:

  1. While logged into the Application Server as the domain user you installed with, launch the Maximizer CRM Administrator for Windows module. (Found under the Maximizer CRM program group)
  2. When presented with the Open Database dialog click the Cancel button.
  3. Click File > New Address Book…
  4. If necessary, change the Database Server field to your SQL Server's name and click Next.
  5. Change Connect Using to Windows Authentication and click Next.
  6. Type in a name for your database in the Address Book Name field and click Next.
  7. Click the Start button to start the process of the database getting created.
  8. When the process completes, click Close.
  9. When you get control back, click File > Open Address Book…
  10. Select your new Address Book and click Open. The Address Book will now be open in the Administrator module.

 

If you are new to Maximizer, or if this was an upgrade from a previous version of Maximizer CRM, be sure of the following before proceeding:

  1. You have mapped the 4 system accounts to both the MaConfig and other Maximizer databases
  2. You have configured your IIS Server as mentioned above

 

If you are upgrading from a previous version of Maximizer CRM where SQL Authentication was enabled, and you have now installed Maximizer CRM with Windows Authentication, there are some additional steps you need to do:

 

  1. You need to run the following Query against the MaConfig database:

UPDATE MaConfig SET eValue = 'yes' WHERE eKey = 'USE_NT_AUTHENTICATION'

 

  2. For every database you intend to now use with Windows Authentication you need to do the following. This is required so you can login as MASTER with Windows Authentication:
    1. Open the Maximizer CRM Administrator module for Windows. (Found under the Maximizer CRM program group)
    2. Cancel any attempt to login to an Address Book if it comes up.
    3. Click File > Open Address Book…
    4. Select the Address Book you want to login to with Windows Authentication and click Remove.
    5. Click Yes to remove the Address Book from the list.
    This will not delete your database.
    6. Click Close to close the Open Address Book dialog.
    7. Click File > New Address Book…
    8. If necessary, change the Database Server field to your SQL Server's name and click Next.
    9. Change Connect Using to Windows Authentication and click Next.
    10. Change Target action to Employ an existing Maximizer database.
    11. In the Database name drop down, pick the database you just removed and click Next.
    12. Click the Start button to start the process of re-deploying the database with Windows Authentication.
    13. When the process completes, click Close.
    14. When you get control back, click File > Open Address Book…
    15. Select your re-deployed Address Book and click Open. The Address Book will now be open in the Administrator module.
    16. Repeat these steps for any additional Maximizer Address Books you want to open with Windows Authentication.

 

You should be able to login to Web Access at this time with the domain user you mapped to the MASTER Maximizer user.

 

At this time, you should ensure you have mapped your domain Service users to the correct Maximizer Users. Do the following:

  1. Login to the database you are working on in the Maximizer CRM Web Administrator.
  2. Click on the Users link in the navigation panel.
  3. Click on the EMAILUSER user.
  4. Click on the Windows Authentication tab.
  5. If the domain user you are using for the Maximizer Email Service is not here yet, do the following:
    a) Click Add.
    b) In the Corresponding Windows user name field, type in the domain user's name for the Email Service in the format <Domain Name>\Username
    c) Turn on the checkbox Enabled and click Save.
    d) Click Save to save this change.
    e) Repeat the steps a) through d) above for the WEBUSER to map the IIS domain user account and the NOTIFYSRV to map the Maximizer Service Bus domain user account.

 

If you are new to Maximizer or upgraded from a version on SQL Authentication, you should use steps a) through d) above to map domain users to their corresponding Maximizer users as well. This will be required before those users will be able to successfully login to the database.

 

