Single Server
On an existing domain
Running true IFD ready for customer access.
The last point is telling: all the Microsoft examples use a self-generated SSL cert, which really only suits a DEV environment. We want to test the “real deal”, and don’t mind spending a few $ on a real certificate to see this in a true working environment.
The Existing Setup
Because this is a test environment, we are running the server on a Hyper-V server: a single VM running a fully patched version of:
- Windows 2008 R2 SP1 64 Bit
- SQL 2008 R2 64 Bit
- Microsoft CRM 2011 64 Bit
Interestingly enough, something that always takes me 15 min is ensuring I download the correct version of the ISO files from MSDN. I get it that I am somewhat lame, but if you get a wrong version you can waste a load of time and energy later.

With a list looking like this it can be painful. Anyway, these are the files we used for install:

For those who care, the VM was set to run with 6000 MB ram, and fold out to use more.
 
Importantly
When we set up CRM, we selected the option to NOT use the default website, but to configure a new one with the default setting of port 5555. This is necessary, as you will see later.
Backup First
In all things Microsoft, it is vital that you establish a working point to avoid unnecessarily installing things all over again. To get things working we have started fresh over 4 times.
Hyper-V is great for this, as we just stopped the server and made a copy of the VHD file. Then when it is time to start all over, it is just a matter of restoring from copy/backup.
Test First
Test that your CRM setup is working. Go to the local computer name (ours is VSERVER08) on the correct port: 
http://vserver08:5555
We called our Deployment of CRM “CRM2011”, so the URL redirects to:
http://vserver08:5555/CRM2011/main.aspx
and after being prompted for login, we are in and testing.
 
Apply a Wildcard SSL Certificate
In CRM, access to deployments is handled by sub domains. So if we call a deployment “business1” we will access it as:
https://business1.domain.com
For testing, we purchased a standard wildcard SSL certificate and applied it to the IIS7 server.
We will let you work out that bundle of joy, but a few tips.
1. Godaddy was about as cheap as you find on the net.
2. Setup involves creating a certificate request from within IIS, then pasting that text into the online provider’s order system. They then generate the certificates that you then import back into IIS and the server.
Application for a certificate
Here we use a wildcard certificate as the example to describe how to create a certificate:
1) Open IIS Manager.
2) Click the server name, then in the main screen double-click Server Certificates.
3) In the right panel, click Create Certificate Request…

4) Fill in each field as shown in the following figure, then click Next.

5) On the Cryptographic Service Provider Properties page, keep the defaults and click Next.
6) On the File Name page, enter C:\req.txt, and then click Finish.
7) Open cmd and run:
certreq -submit -attrib "CertificateTemplate:WebServer" C:\req.txt
8) Select the CA and click OK.
9) Save the certificate as C:\Wildcard.cer. (Steps 7-9 can also be completed on the CA.)
10) Back in IIS Manager, in the panel from step 3, click Complete Certificate Request…
11) Select C:\Wildcard.cer and enter *.contoso.com as the Friendly name; of course, you can choose a different name.
12) Click OK.
13) The wildcard certificate request is now complete.
Additional SSL Certificate Imports
1) Run MMC from the Start menu search box.
2) Select File / Add/Remove Snap-in, select Certificates, and click Add. Choose Computer Account, then Next / Finish.
3) Expand the first two folders, right-click the Certificates folder and select All Tasks / Import.
4) Browse to your wildcard SSL certificate file, and import it into the Personal and Trusted Root Certification Authorities stores.
 
Ensure that you
Binding the SSL certificate to the default site
1) Open IIS Manager.
2) In the Connections panel, expand Sites , click Default Web Site.
3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.
5) For Type, select HTTPS.
6) For SSL Certificate, select the certificate you just created (*.contoso.com), and then click OK.

 Ours is interactivewebs.com
7) Click Close.
8) Repeat for the Personal certificate folder.
Binding the SSL certificate to the CRM 2011 site
1) Open IIS Manager.
2) In the Connections panel, expand Sites , click CRM Web Site.
3) In the Actions pane, click Bindings.
4) In the Site Bindings dialog box, click Add.
5) For Type, select HTTPS.
6) For SSL Certificate, select the certificate you just created (*.contoso.com).
7) For Port, select a port number other than 443 (e.g. 444), and then click OK.
8) Click Close.
DNS configuration
To configure claims-based authentication for MS CRM 2011, you need to add some DNS records so that each CRM 2011 endpoint can be resolved correctly.
There are two ways you can achieve the desired result. But first let’s understand the desired result.
- We make the assumption that your server is running at least one static IP address.
- Because this is Internet Facing, that IP needs to be accessible to the world.
- That same IP can be used for access to your server both internally on the machine we are playing with, and externally from anyone on the net.
Let’s Get Basic
Start a Command Prompt, and work out what the IP address of your server is.
Click START > RUN > CMD
Type IPCONFIG – Enter
Under the name: IPv4 Address is a number that looks like: 66.34.204.220

That is Your IP Address of the Server.
The DNS Goal
Make sure that when you PING xxx.domain.com, it points to that IP address, both for the world and for you when you do that on your server.
(xxx is the sub domain that we are about to configure.)
To configure CRM, we need some sub domains to point to the server IP.
- sts.domain.com
- auth.domain.com
- dev.domain.com
- Your ORG name.  org.domain.com (Where ORG is the CRM deployment name of your organization or organizations), e.g.

We have two setup here: CRM and CRM2011. So we need to configure crm.interactivewebs.com and crm2011.interactivewebs.com.
Hosting Your Own DNS
If you host your own Domain Name Server (DNS) and you host the domain name that you are using to set up IFD, then configuring an A record for the above-mentioned sub domains is easy.
START > Administrative Tools > DNS
Find your domain name.
Right-click and select NEW HOST A.

Add an A record that points to your server’s IP address.
Repeat this process for all of the above mentioned sub domains. auth, sts1, dev, and your own organization names.
Test DNS
You must be able to ping all of those names and get the correct server IP address, both from computers on the internet and from the server.
Note: If you have added the DNS records but still encounter name resolution problems, you can try running ipconfig /flushdns on the client to clean up the cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.
 Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.
Firewall configuration
You need to set the firewall to allow incoming traffic on the ports used by CRM 2011 and AD FS 2.0. The default port for HTTPS (SSL) is 443.
For initial setup, testing, etc., we recommend just turning the thing off. Better to start from a place where it does not muck you around, then turn it all back on after you are successful.
 
Configuration Claim-based authentication -internal access
Configuring claims-based authentication for internal access requires the following steps:
- Install and configure AD FS 2.0.
- Configure claims-based authentication on the CRM 2011 server.
- Configure claims-based authentication on the AD FS 2.0 server.
- Test claims-based authentication with internal access.
Install and configure AD FS 2.0
CRM 2011 works with a variety of STS providers. This article uses Active Directory Federation Services (AD FS) 2.0 to provide the security token service (STS).
Note: AD FS 2.0 installs to the default website, so before you install AD FS 2.0, CRM 2011 must already be installed on a new website. (Remember we said that earlier.)
IIS Looks like this if it is correctly installed: 

If you only see the default website with CRM installed in it, start AGAIN!
Download the AD FS 2.0
Download AD FS 2.0 from the following link:
Active Directory Federation Services 2.0 RTW (http://go.microsoft.com/fwlink/?LinkID=204237).
Install AD FS 2.0
In the installation wizard, select the federation server role. For more information, refer to Install the AD FS 2.0 Software (http://go.microsoft.com/fwlink/?LinkId=192792).
Configure AD FS 2.0
1 On the AD FS 2.0 server, click Start, then click AD FS 2.0 Management.
2 On the AD FS 2.0 Management page, click AD FS 2.0 Federation Server Configuration Wizard.

3 On the Welcome page, select Create a new Federation Service, and then click Next.

4 On the Select Deployment Type page, select Stand-alone Federation Server, and then click Next.

5 Choose your SSL certificate (the *.contoso.com certificate you created), add a Federation Service name (for example, sts1.contoso.com), and then click Next.
Note: You only need to add the Federation Service name when the AD FS 2.0 site uses a wildcard certificate.
6 On the Summary page, click Next.

7 Click Close to close the AD FS 2.0 Configuration Wizard.
Note: If you have not yet added the DNS record for sts1.contoso.com, do it now.
Verify the AD FS 2.0 is working
Follow the steps below to verify that AD FS 2.0 is working:
1 Open Internet Explorer.
2 Enter the URL of the federation metadata, for example:
https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. Make sure that no certificate-related warning appears.
 
Claims-based authentication configuration CRM 2011 server
After you install and configure AD FS 2.0, and before configuring claims-based authentication, we need to set the CRM 2011 binding type (Binding Type) and root domains (Root Domains).
Follow these steps to set the CRM 2011 binding to HTTPS and configure the root domain addresses:
1 Open the CRM Deployment Manager.
2 In the Actions pane, click Properties.

3 Click the Web Address page.
4 Under Binding Type, select HTTPS.
5. Make sure the web addresses match the SSL certificate and SSL port bound to the CRM 2011 site. Because you are configuring claims-based authentication for internal access, use the host name as the root domain web address. The port number must be the same as the port set for the CRM 2011 website in IIS.
6 For example, with a *.contoso.com wildcard certificate, you can use internalcrm.contoso.com:444 as the web address.

7 Click OK.
Note: If CRM Outlook clients are configured with the old binding values, they need to be updated to use the new values.
 + Make sure you have a DNS entry for: internalcrm.
The claims data sent from CRM 2011 to AD FS 2.0 is encrypted using the certificate that you specify in the Claims-Based Authentication Configuration Wizard (described below). Therefore, the CRMAppPool account of the CRM web application must have Read permission on the private key of the encryption certificate. Follow these steps to give this permission:
1 On the CRM 2011 server, run the Microsoft Management Console (Start => Run MMC).
2 Click File => Add/Remove Snap-in…
3 In the left panel, select Certificates, and click Add to add it to the right panel.
4 In the pop-up window, select Computer account.
5 On the next page, select Local Computer, and click Finish.
6 Click OK.
7 Expand Certificates (Local Computer) => Personal, and select Certificates.
8. In the middle panel, right-click the encryption certificate that you will specify in the Claims-Based Authentication Configuration Wizard (in this case *.contoso.com), and click All Tasks => Manage Private Keys.

9 Click Add, add the CRMAppPool account (if you are using Network Service, select that account directly), and then grant Read permission.
Note: You can use IIS Manager to see which account CRMAppPool uses. In the Connections panel, click Application Pools, and then look at Identity for CRMAppPool.

10 Click OK.
Configure Claims-Based Authentication
Below, we use the Claims-Based Authentication Configuration Wizard (Configure Claims-Based Authentication Wizard) to configure claims-based authentication. To learn how to configure claims-based authentication with PowerShell, refer to the English original.
1) Open the Deployment Manager.
2) In the left navigation panel, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

3) Click Next.

4) On the Specify the security token service page, enter the Federation metadata URL, such as
https://sts1.interactivewebs.com/federationmetadata/2007-06/federationmetadata.xml
Note: This data is usually on the AD FS 2.0 website. Copy this URL into IE to view the federation metadata and make sure that it is the correct URL. Accessing the URL with IE must not produce certificate-related warnings (Ignore that crap!)

5) Click Next.
6) On the Specify the encryption certificate page, click Select…
7) Select a certificate; here we choose *.interactivewebs.com.

8) This certificate is used to encrypt the authentication security tokens sent to the AD FS 2.0 security token service.
Note: The Microsoft Dynamics CRM service account must have Read permission on the private key of the encryption certificate.
10 Click Next. The Claims-Based Authentication Configuration Wizard validates the token and certificate you specified.

11 On the System Checks page, if the checks pass, click Next.
12 On the Review your selections and then click Apply page, confirm your input, and then click Apply.

13. On this page, note the URL, because you will use it later to add a relying party (Relying Party) to the security token service.
 

14 IMPORTANT – Click View Log File
15 Scroll to the end, and copy the URL from the bottom of the file.

- This will be used in the next configuration. Note that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this).
16 Click Finish.
17 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2011 server.
18. Once you can browse this URL, you are done here.
Claims-based authentication configuration AD FS 2.0 server
After completing the previous step, we next need to add and configure the claims provider trust (Claims Provider Trusts) and the relying party trust (Relying Party Trusts) in AD FS 2.0.
Configure claims provider trusts
You need to add a claims rule that retrieves the user’s UPN (user principal name) from Active Directory and sends it to MS CRM as a UPN claim. Follow these steps to configure AD FS 2.0 to send the UPN LDAP attribute as a claim to the relying party (Relying Party):
1 On the server where AD FS 2.0 is installed, open AD FS 2.0 Management.
2 In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.
3 Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

4 In the Rules Editor, click Add Rule.

5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

6 Create the following rule:
- Claim rule name: UPN Claim Rule (or other descriptive name)
· Add the following mapping:
- Attribute Store: Active Directory
- LDAP Attribute: User Principal Name
- Outgoing Claim Type: UPN
7 Click Finish, then click OK to close the Rules Editor.
Configuration relying party trusts
After you enable claims-based authentication, you must configure the CRM 2011 server as a relying party so that it can consume claims from AD FS 2.0 to authenticate internal claims access.
1 Open AD FS 2.0 Management.
2 In the Actions menu, click Add Relying Party Trust.

3 In the Add Relying Party Trust Wizard, click Start.

4 On the Select Data Source page, click Import data about the relying party published online or on a local network, and then enter the URL that locates the federationmetadata.xml file.

The federation metadata is created when claims are set up with the Claims-Based Authentication Configuration Wizard. The URL used here is IMPORTANT – read point 14 in the above section. It is the URL retrieved from the VIEW LOG FILE step that we did when configuring Claims Based Authentication. In this case:
https://internalcrm.interactivewebs.com:444/FederationMetadata/2007-06/FederationMetadata.xml
Note: Ensure that no certificate-related warnings appear when hitting the URL.
5 Click Next.
6 On the Specify Display Name page, enter a display name, such as CRM Claims Relying Party, and then click Next.

7 On the Choose Issuance Authorization Rules page, choose Permit all users to access this relying party, and then click Next.

8 On the Ready to Add Trust page, click Next, then click Close.
9. When the Rule Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object you created, click Edit Claims Rules, and then click Add Rule.

10. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

11 Create the following rule:
· Claim rule name: Pass Through UPN (or other descriptive name)
· Add the following mapping:
- Incoming claim type: UPN
- Pass through All claim values

12 Click Finish.
13 In the Rule Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:
· Claim rule name: Pass Through Primary SID (or other descriptive name)
· Add the following mapping:
- Incoming claim type: Primary SID
- Pass through All claim values

14 Click Finish.
15 In the Rule Editor, click Add Rule.
16. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

17 Create the following rule:
· Claim rule name: Transform Windows Account Name to Name (or other descriptive name)
- Incoming claim type: Windows account name
- Outgoing claim type: Name
- Pass through All claim values

18 Click Finish; after you have created the three rules, click OK to close the Rule Editor.
 
Test claims-based authentication within the access
You should now be able to access CRM 2011 internally using claims authentication.
1 Open the Deployment Manager.
2 Expand the Deployment Manager node, and then click Organizations.
3 Right-click your organization, and then click Browse, so you can open the CRM web page (for example: https://internalcrm.contoso.com:444).
 
Trouble Shooting
If the CRM web page cannot be displayed, run iisreset and then try again.

If the CRM web page still does not show, you may need to set up an SPN (Service Principal Name) for the AD FS 2.0 server. Re-run the Claims-Based Authentication Wizard, browse to the Specify the security token service page, and note the AD FS 2.0 server name in the Federation metadata URL (in this case sts1.interactivewebs.com).
http://blogs.msdn.com/b/crm/archive/2009/08/06/configuring-service-principal-names.aspx

1 Open a command line tool.
2 Enter the following commands (substituting the names from your own environment):
c:\> setspn -a http/sts1.interactivewebs.com fserver4\VSERVER08$
fserver4\VSERVER08 = the domain and machine name of the server.

c:\> iisreset
3 Then access the Microsoft Dynamics CRM Server 2011 site again; you should now be able to reach the CRM 2011 web page.
http://technet.microsoft.com/en-us/library/gg188614.aspx
If you receive ADFS – sts1 errors.
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: xxx
And/or if you look in your log files under ADFS 2.0, you will see errors like this.

In our case, this was because we used the external Metadata URL and not the Internal URL that we should have copied from the “View Log File” when configuring the Claims Based Authentication (step 14 in the section above).
 

Note the difference between this:
https://internalcrm.interactivewebs.com:444/FederationMetadata/2007-06/FederationMetadata.xml
and the original meta data check we did with:
https://sts1.interactivewebs.com/federationmetadata/2007-06/federationmetadata.xml
We incorrectly figured it would be pulling the same XML data. It does NOT!
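The mix-up described above can be caught before the wizard is run by looking at the role each metadata document declares. This is an added example, not code from the original post: it assumes WS-Federation metadata in which the token service declares SecurityTokenServiceType and a relying party declares ApplicationServiceType, and the sample documents, entity IDs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
WSA = "http://www.w3.org/2005/08/addressing"

# Constructed samples, trimmed to the elements inspected below (real documents
# also carry signatures, key descriptors and claim types).
_TEMPLATE = """<EntityDescriptor xmlns="{md}" xmlns:fed="{fed}" xmlns:xsi="{xsi}"
    entityID="{entity}">
  <RoleDescriptor xsi:type="fed:{role}" protocolSupportEnumeration="{fed}">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="{wsa}"><Address>{endpoint}</Address></EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

STS_SAMPLE = _TEMPLATE.format(
    md=MD, fed=FED, xsi=XSI, wsa=WSA, role="SecurityTokenServiceType",
    entity="http://sts1.contoso.com/adfs/services/trust",
    endpoint="https://sts1.contoso.com/adfs/ls/")
CRM_SAMPLE = _TEMPLATE.format(
    md=MD, fed=FED, xsi=XSI, wsa=WSA, role="ApplicationServiceType",
    entity="https://internalcrm.contoso.com:444/",
    endpoint="https://internalcrm.contoso.com:444/")


def describe_metadata(xml_text):
    """Summarise a federation metadata document: entity, role, passive endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a metadata EntityDescriptor")
    roles, endpoints = set(), set()
    for role in root.iter(f"{{{MD}}}RoleDescriptor"):
        # xsi:type is a QName such as "fed:ApplicationServiceType"; ElementTree
        # does not resolve the prefix, so only the local name is compared.
        roles.add(role.get(f"{{{XSI}}}type", "").rpartition(":")[2])
        for ep in role.iter(f"{{{FED}}}PassiveRequestorEndpoint"):
            endpoints.update(a.text.strip() for a in ep.iter(f"{{{WSA}}}Address")
                             if a.text)
    if "SecurityTokenServiceType" in roles:
        kind = "sts"  # a token service document may also list an application role
    elif "ApplicationServiceType" in roles:
        kind = "relying-party"
    else:
        kind = "unknown"
    return {"entity_id": root.get("entityID"), "kind": kind,
            "passive_endpoints": sorted(endpoints)}


def relying_party_url_problems(url, xml_text):
    """Reasons not to paste this URL into the Add Relying Party Trust wizard."""
    parts = urlsplit(url)
    info = describe_metadata(xml_text)
    problems = []
    if parts.scheme != "https":
        problems.append("metadata URL is not https")
    if info["kind"] == "sts":
        problems.append(f"{parts.hostname} serves the token service's own "
                        "metadata, not the CRM relying party metadata")
    elif info["kind"] != "relying-party":
        problems.append("no WS-Federation application role found")
    return problems


if __name__ == "__main__":
    for name, doc in (("sts1", STS_SAMPLE), ("internalcrm", CRM_SAMPLE)):
        print(name, describe_metadata(doc))
```

Save the XML returned by each URL and pass its text to relying_party_url_problems together with the URL; an empty list means the document describes a relying party.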
Configuration Claim-based authentication -external access
To enable claims-based authentication for external access to CRM 2011 data, you need to do the following steps:
1 Complete the previous section: Configuring Claim-based authentication- internal access.
2 Configure the CRM 2011 server for IFD.
3 Configure the AD FS 2.0 server for IFD.
4 Test claims-based authentication with external access.
The IFD configuration CRM 2011 server
Once claims authentication is enabled for internal access, you can enable external claims access through IFD. The following describes using the IFD Configuration Wizard; if you want to learn how to configure it with PowerShell, refer to the English original.
1 Open the Deployment Manager.
2 In the tree structure, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment.

3 Click Next.

4 Fill in the correct domain information for the Web Application, 
Org, and Discovery Web services. Remembering here that in our case: 
*.interactivewebs.com was the name of the wildcard certificate used, and
 that PORT 444 was the port we configured for the CRM Web Instance in 
the bindings for IIS.
Thus we use:
- Web Application Server Domain: interactivewebs.com:444
- Organization Web Service Domain: interactivewebs.com:444
- Web Service Discovery Domain: dev.interactivewebs.com:444  
Note – Enter the domain name, rather than the server name.
- If CRM is installed on a single server, or on servers in the same domain, then the Web Application Server Domain and Organization Web Service Domain should be the same.
- The Web Service Discovery Domain must be a subdomain of the Web Application Server Domain, like the “dev.” that we set up in DNS earlier.
- The domain name must be covered by the name on the SSL certificate.
Domain examples:
- Web Application Server Domain: contoso.com:444
- Organization Web Service Domain: contoso.com:444
- Web Service Discovery Domain: dev.contoso.com:444
For more information, please refer to Install Microsoft Dynamics CRM Server 2011 on multiple computers (http://go.microsoft.com/fwlink/?LinkID=199532).
5 In the Enter the external domain where your Internet-facing servers are located box, enter the external domain information for your Internet-facing CRM 2011 servers, and then click Next.

The domain you specify must be a sub-domain of the Web Application Server Domain specified in the previous step. By default, “auth.” is prepended to the Web Application Server Domain.
Domain examples:
- External Domain: auth.contoso.com:444
6 On the System Checks page, if there is no problem, click Next.

7 On the Review your selections and then click Apply page, confirm your input, and then click Apply.

8 Click Finish.

9. Open a command line tool, run: 
iisreset
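The naming rules in the steps above can be checked before the wizard is run. The code below is an added example, not part of the original post: it derives every host name this setup needs (each one needs a DNS A record) from the values typed into the wizard and checks them against the wildcard certificate name. It uses the page's contoso.com sample values, and the function names are made up for this example.

```python
def split_host_port(value, default_port=443):
    """Split 'contoso.com:444' (the form typed into the wizard) into host and port."""
    host, _, port = value.strip().partition(":")
    host = host.strip().lower().rstrip(".")
    return host, int(port) if port.strip() else default_port


def wildcard_covers(cert_name, host):
    """True if a certificate name covers host. A '*' stands for exactly one
    left-most label, so *.contoso.com covers auth.contoso.com but neither
    contoso.com nor a.b.contoso.com."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels) or "" in labels:
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    return pattern == labels


def check_ifd_names(cert_name, web_app, discovery, external, internal, sts, orgs):
    """Return (hosts, problems) for one IFD configuration.

    hosts maps every name that needs a DNS A record to its role; problems
    lists violations of the naming rules stated on this page. The port
    comparison follows the page's examples, where every CRM address uses
    the port bound to the CRM website in IIS.
    """
    base, port = split_host_port(web_app)
    hosts = {f"{org.lower()}.{base}": "organization" for org in orgs}
    problems = []
    for role, value in (("discovery", discovery), ("external", external),
                        ("internal", internal)):
        host, host_port = split_host_port(value)
        hosts[host] = role
        if host_port != port:
            problems.append(
                f"{role} port {host_port} differs from CRM site port {port}")
        if role != "internal" and not host.endswith("." + base):
            problems.append(f"{role} domain {host} is not a subdomain of {base}")
    hosts[split_host_port(sts)[0]] = "federation service"
    for host in sorted(hosts):
        if not wildcard_covers(cert_name, host):
            problems.append(
                f"{host} ({hosts[host]}) is not covered by {cert_name}")
    return hosts, problems


if __name__ == "__main__":
    # Constructed input: the contoso.com sample values used on this page,
    # with two organization names.
    names, issues = check_ifd_names(
        "*.contoso.com", "contoso.com:444", "dev.contoso.com:444",
        "auth.contoso.com:444", "internalcrm.contoso.com:444",
        "sts1.contoso.com", ["crm", "crm2011"])
    for name, role in sorted(names.items()):
        print(f"{name:28} {role}")
    print(issues or "no problems")
```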
The IFD configuration AD FS 2.0 server
To enable IFD for CRM 2011, you need to create a relying party trust for the IFD endpoint on the AD FS 2.0 server. Follow these steps:
1 Open AD FS 2.0 Management.
2 In the Actions menu, click Add Relying Party Trust.

3 In the Add Relying Party Trust Wizard, click Start.
4 On the Select Data Source page, click Import data about the relying party published online or on a local network, and then enter the URL that locates the federationmetadata.xml file.
Note – This is almost the same URL as we used previously, but has the auth. sub domain that we used in point 4 above. The federation metadata used here is created when IFD is configured. In this case https://auth.interactivewebs.com:444/FederationMetadata/2007-06/FederationMetadata.xml.
Check the URL in your browser to ensure that no certificate-related warnings appear.

5 Click Next.
6 On the Specify Display Name page, enter the display name, such as CRM IFD Relying Party, and then click Next.

7 On the Choose Issuance Authorization Rules page, select the Permit all users to access this relying party option, and then click Next.

8 On the Ready to Add Trust page, click Next, then click Close.
9. If the Rule Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object you created, click Edit Claims Rules, and then click Add Rule.

10. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

11 Create the following rule:
· Claim rule name: Pass Through UPN (or other descriptive name)
· Add the following mapping:
- Incoming claim type: UPN
- Pass through All claim values
12 Click Finish.
13 In the Rule Editor, click Add Rule, and in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:
· Claim rule name: Pass Through Primary SID (or other descriptive name)
· Add the following mapping:
- Incoming claim type: Primary SID
- Pass through All claim values
14 Click Finish.
15 In the Rules Editor, click Add Rule.
16. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.
17 Create the following rule:
· Claim rule name: Transform Windows Account Name to Name (or other descriptive name)
- Incoming claim type: Windows account name
- Outgoing claim type: Name
- Pass through All claim values
18 Click Finish; after you have created the three rules, click OK to close the Rule Editor.
Test claims-based authentication to access external
You should now be able to access CRM 2011 externally using claims authentication. In IE, browse to the CRM 2011 external address (for example: https://org.contoso.com:444); you will see the following page:

Enter the user name and password to log in to CRM 2011.
Final Notes
Like anything Microsoft, this was not easy. It took us over 10 attempts drawing on over a dozen resources to get this worked out. For us, the main tripping points related to the metadata URLs used in configuring the endpoints. Our fault, but it also appears to be a common error for other administrators on the net.
To Microsoft – your documentation sucks badly! If I never read another White Paper it will be too soon!