Configuring IFD in Dynamics CRM 2011 for the first time? It can be quite confusing, I completely agree. But with this article it no longer has to be!
STEPS TO BE COMPLETED BEFORE FOLLOWING THIS ARTICLE
Install ADFS 2.0 on the default website of any machine within the domain: http://www.microsoft.com/en-us/download/details.aspx?id=10909
If ADFS 2.0 is installed on the same machine as Dynamics CRM 2011, the CRM website must run on a different port.
Get a wildcard certificate. It is recommended to bind the wildcard certificate to the CRM website so that the same certificate can be used when the environment has multiple organizations in CRM.
WHAT WE AIM TO ACHIEVE
Browse CRM 2011 over the internet using the URL <orgname>.<domain>.com:<port number>
Let's begin.
STEP 1 : BIND A CERTIFICATE TO THE ADFS WEBSITE (DEFAULT WEBSITE)
Open IIS Manager ==> Default website ==> click 'Bindings' in the right-hand Actions pane ==> Add ==> Type: https; Port: 443 ==> SSL certificate: the wildcard certificate
STEP 2 : BIND A CERTIFICATE TO THE CRM WEBSITE
Open IIS Manager ==> Default website ==> click 'Bindings' in the right-hand Actions pane ==> Add ==> Type: https; Port: 444 ==> SSL certificate: the wildcard certificate
Please note: 444 is an arbitrary port number chosen for this demonstration.
STEP 3 : CREATION OF DNS ENTRIES
Start ==> Administrative Tools ==> DNS ==> <Name of your machine> ==> Forward Lookup Zones ==> <Domain Name>.com ==> right click ==> New Host (A or AAAA)
STEP 4 : LET'S CONFIGURE AD FS 2.0!
Open the AD FS 2.0 console and click 'Create a new Federation Service'.
Click 'Stand-Alone Federation Server' after reading the description given. Make sure the Federation Service name you enter is the same name you created in the DNS Forward Lookup Zone.
The next page of the wizard shows a summary of what is about to be installed. Click Next to continue.
Wait for the configuration process to complete and click the Close button.
STEP 4 : CONFIGURING CLAIMS-BASED AUTHENTICATION ON THE CRM DEPLOYMENT MANAGER
Open the CRM Deployment Manager ==> select "Microsoft Dynamics CRM" ==> right click ==> Properties ==> choose the "Web Address" section
Choose "HTTPS" as the binding type and enter the DNS entry created for accessing CRM internally within the domain. In our example it is internalcrm:<port number>. Click 'Apply'.
In the Deployment Manager on the CRM server, click "Configure Claims-Based Authentication" in the right-hand Actions pane. Type in the federation metadata URL of ADFS.
Choose the wildcard certificate associated with the ADFS URL.
This step validates the federation metadata URL. Click Next to continue.
Click the Apply button.
STEP 5 : ADDING THE ACCOUNT THAT IS RUNNING THE CRM APPLICATION POOL TO THE WILDCARD CERTIFICATE
You may have to grant the account running the CRM application pool the "Read" privilege on the private key of the certificate used for the security token service. To do this: launch the MMC console, open the File menu and select Add/Remove Snap-in.
Select Certificates from the available snap-ins.
Choose the Computer Account and click Next in the Certificates Snap-In window.
Click Finish on the next window.
Right click on the wildcard certificate and select All Tasks >> Manage Private Keys.
At this step, add the identity that is running the CRM application pool.
STEP 6 : ADDING A RELYING PARTY TO ADFS 2.0
Click on the Add Relying Party Trust link under the Actions menu.
Click on the Start button in the Add Relying Party Trust Wizard window.
Enter the federation metadata URL of the internal CRM site.
Enter the display name and any applicable notes.
Select the option "Permit all users to access this relying party" and click on the Next button.
Click on the Next button again.
Now let us go ahead and edit the claim rules for our internal CRM relying party.
There are 3 rules we must add:
Click on the Add Rule button to create the rule for the User Principal Name (UPN).
Select "Pass Through or Filter an Incoming Claim" as the claim rule template and click on the Next button.
Enter UPN as the Claim Rule Name, UPN as the Incoming claim type, choose the option "Pass through all claim values" and click on the Finish button to save the rule.
Click on the Add Rule button to create the rule for the Primary SID. Select "Pass Through or Filter an Incoming Claim" as the claim rule template and click on the Next button.
Enter Primary SID as the Claim Rule Name, Primary SID as the Incoming claim type, choose the option "Pass through all claim values" and click on the Finish button to save the rule.
Click on the Add Rule button to create the rule for Windows Account name to name. Select "Pass Through or Filter an Incoming Claim" as the claim rule template and click on the Next button.
Enter Windows Account name to name as the Claim Rule Name, Windows Account name to name as the Incoming claim type, choose the option "Pass through all claim values" and click on the Finish button to save the rule.
This page gives a summary of the rules added.
Once these rules are added let us go ahead and edit the claim rules for Active Directory.
Right click on Active Directory and select Edit Claim Rules.
The claim rule template in this case is: Send LDAP Attributes as Claims
Attribute store: Active Directory; Claim rule name: UPN; LDAP attribute: User-Principal-Name; Outgoing claim type: UPN
After an IISRESET on the CRM server, you should be able to access CRM using its internal URL:
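The four claim rules above, written out in AD FS claim rule language and applied with the AD FS 2.0 PowerShell snap-in instead of the wizards. This is an added example, not the article's own steps; it assumes the relying party trust's display name is "Internal CRM", and it writes the "Windows Account name to name" rule as a transform from the Windows account name claim to the Name claim, which is what its name (and the Name outgoing type mentioned in the comments below) describes.

```powershell
# Added example (not from the original article): the four claim rules the
# article adds through the AD FS 2.0 wizards, written in AD FS claim rule
# language and applied with the AD FS 2.0 PowerShell snap-in.
# Assumption: the relying party trust's display name is "Internal CRM".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$rpName = 'Internal CRM'   # display name entered in the Add Relying Party Trust wizard

# Claim type URIs that AD FS 2.0 uses for UPN, Primary SID, Windows account name and Name.
$upn  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$sid  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$wan  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$name = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Issuance rules for the relying party: UPN and Primary SID are passed through
# unchanged; "Windows Account name to name" turns the Windows account name claim
# into a Name claim with the same value (the wizard's "Pass through all claim values").
$rpRules = @"
@RuleName = "UPN"
c:[Type == "$upn"]
 => issue(claim = c);

@RuleName = "Primary SID"
c:[Type == "$sid"]
 => issue(claim = c);

@RuleName = "Windows Account name to name"
c:[Type == "$wan"]
 => issue(Type = "$name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rpRules

# Acceptance rule on the Active Directory claims provider: "Send LDAP Attributes
# as Claims", attribute store Active Directory, User-Principal-Name -> UPN.
$adRule = @"
@RuleName = "UPN"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@
# Append to the provider's existing rules rather than replacing them.
$existing = (Get-ADFSClaimsProviderTrust -Name 'Active Directory').AcceptanceTransformRules
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($existing + "`n" + $adRule)
```

Run it in an elevated PowerShell session on the AD FS 2.0 server; the same rules are what the AD FS console shows when you open Edit Claim Rules on the trust and choose View Rule Language.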
IFD CONFIGURATION
STEP 1 : CONFIGURE INTERNET FACING DEPLOYMENT IN THE DEPLOYMENT MANAGER
Click 'Configure Internet-Facing Deployment' in the right-hand Actions pane of the window.
Follow the screenshots given below. Click on the Next button.
Enter the URLs for the Web Application Server Domain, Organization Web Service Domain and the Discovery Web Service Domain and click on the Next button.
Enter the external domain where your Internet-facing servers are located and click on the Next button.
This step validates the federation metadata you entered.
STEP 2 : ADD RELYING PARTY TRUST IN AD FS 2.0
Click on the Add Relying Party Trust link from the Actions menu.
Click on the Start button.
Enter the federation metadata address and click on the Next button.
Enter the display name and click on the Next button.
Choose the option "Permit all users to access this relying party" and click on the Next button.
Review the trust details and click on the Next button.
Right click on the relying party trust which you have created and click on the Edit Claim Rules menu.
Perform an IIS reset. Browse to your CRM using <org name>.<domain>.com
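A quick verification of the pieces configured by hand in this article: the HTTPS bindings (Steps 1 and 2), the DNS entries (Step 3), the application pool account's Read access to the wildcard certificate's private key (Step 5) and both federation metadata URLs. This is an added example, not the article's own; the domain, host names, CRM port and pool identity are placeholders to adjust to your environment, and it is meant to run as administrator on the CRM server.

```powershell
# Added example (not from the original article): verifies the pieces the
# article configures by hand. Host names, the domain, the CRM port and the
# application pool identity are assumptions; change them to match your setup.
Import-Module WebAdministration
$domain   = 'contoso.com'                        # placeholder for <domain>.com
$crmPort  = 444                                  # CRM HTTPS port chosen in Step 2
$poolUser = 'CONTOSO\crmapppool'                 # account running the CRM application pool (assumed)
$hosts    = "adfs.$domain", "internalcrm.$domain", "auth.$domain", "orgname.$domain"  # orgname = your <org name>

# 1. HTTPS bindings: ADFS on 443 (default website) and CRM on its own port.
foreach ($port in 443, $crmPort) {
    $b = Get-WebBinding -Protocol https | Where-Object { $_.bindingInformation -like "*:${port}:*" }
    if ($b) { "OK    https binding on port $port" } else { "FAIL  no https binding on port $port" }
}

# 2. DNS: every host created in the Forward Lookup Zone must resolve.
foreach ($h in $hosts) {
    try   { [System.Net.Dns]::GetHostAddresses($h) | Out-Null; "OK    $h resolves" }
    catch { "FAIL  $h does not resolve" }
}

# 3. Wildcard certificate and the private key ACL granted in Step 5.
#    Assumes an RSA/CSP key (typical for AD FS 2.0); CNG keys expose no CspKeyContainerInfo.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=*.$domain*" } | Select-Object -First 1
if (-not $cert) { "FAIL  no wildcard certificate for *.$domain in LocalMachine\My" }
else {
    $keyFile = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyFile
    $read = (Get-Acl $keyPath).Access | Where-Object {
        "$($_.IdentityReference)" -eq $poolUser -and $_.AccessControlType -eq 'Allow' -and
        "$($_.FileSystemRights)" -match 'Read|FullControl'
    }
    if ($read) { "OK    $poolUser has Read on the private key" } else { "FAIL  $poolUser lacks Read on the private key" }
}

# 4. Federation metadata URLs typed into the Deployment Manager and AD FS wizards.
$urls = "https://adfs.$domain/FederationMetadata/2007-06/FederationMetadata.xml",
        "https://internalcrm.${domain}:${crmPort}/FederationMetadata/2007-06/FederationMetadata.xml"
foreach ($u in $urls) {
    try   { [xml](New-Object System.Net.WebClient).DownloadString($u) | Out-Null; "OK    $u" }
    catch { "FAIL  $u ($($_.Exception.Message))" }
}
```

A FAIL on check 3 is the usual cause of a token-signing error after enabling claims-based authentication, and a FAIL on check 4 for the CRM URL usually means the port-444 binding or the DNS entry is missing rather than anything in AD FS.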
Update 08/21/2012 - Updated the name of the server which the Auth URL should point to. Please refer to the table.
VOILA! You have your IFD in place! :)
Great article...very detailed!
Shouldn't Auth point to the machine that has CRM 2011 instead of the machine that has ADFS 2.0?
Thank you Paul for pointing that out. I have updated the table to reflect the right server. Appreciate it. :)
When configuring "Internal CRM" on the "Windows Account Name to Name" rule the Outgoing Claim Type drop down did not list "Name" as is shown in your example. Instead it had "* Name". What is the significance of this preceding asterisk?
Of the five DNS names noted, which need to be public? ADFS and Auth seem fairly obvious to me but I'm not sure about <CRM Organization name> or Dev. I also don't understand how these last two are used.
Now for what I suspect is just personal preference...
Wouldn't "Auth" be a better name for the ADFS server? This way another service (SharePoint perhaps) using claims based auth could also point to the adfs server at Auth.MyDomain.com. Having Auth go to CRM what would I use for the second claims based app, Auth2?
With Auth pointing to the ADFS server wouldn't CRM be the most logical DNS name for the CRM server?