A Straight-Forward Approach for IFD Configuration in MS Dynamics CRM 2011 (Part 2)

Once you have confirmed that the internal URL works and authenticates properly using Claims-Based Authentication (see Part 1 of this series), it is time to begin the actual IFD setup.

To ensure that the servers authenticate properly, the following SPNs need to be added. The values in {} need to be replaced with appropriate values for the particular environment.

  • setspn -a http/{servername} {domain}\{crmservername}$
  • setspn -a http/auth.contoso.com {domain}\{crmservername}$
  • setspn -a http/dev.contoso.com {domain}\{crmservername}$
  • setspn -a http/sts.contoso.com {domain}\{crmservername}$
  • setspn -a http/crm.contoso.com {domain}\{crmservername}$
  • setspn -a http/orgname1.contoso.com {domain}\{crmservername}$
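A check to run after the setspn commands above, added here as an example and not part of the original post: it confirms that each SPN exists exactly once and sits on the CRM server's machine account. It assumes the ActiveDirectory PowerShell module is available; `CRMSERVER01` is a placeholder for {crmservername}, and the host names are the post's contoso.com samples.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$CrmServer = 'CRMSERVER01'   # placeholder: replace with {crmservername}
$expected  = @(
    "http/$CrmServer",
    'http/auth.contoso.com',
    'http/dev.contoso.com',
    'http/sts.contoso.com',
    'http/crm.contoso.com',
    'http/orgname1.contoso.com'
)

# The setspn commands target the machine account, so that is the only
# directory object that should hold these SPNs.
$ownerDn = (Get-ADComputer -Identity $CrmServer).DistinguishedName

foreach ($spn in $expected) {
    # Find every object in the current domain that holds this SPN.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

    $status = if ($holders.Count -eq 0) {
        'MISSING'
    } elseif ($holders.Count -gt 1) {
        'DUPLICATE'        # a duplicated SPN breaks Kerberos for that name
    } elseif ($holders[0].DistinguishedName -ne $ownerDn) {
        'WRONG ACCOUNT'    # registered, but not on the CRM machine account
    } else {
        'OK'
    }

    New-Object PSObject -Property @{
        SPN     = $spn
        Status  = $status
        Holders = ($holders | ForEach-Object { $_.DistinguishedName }) -join '; '
    }
}
```

Any row that is not OK should be resolved before continuing. On Windows Server 2008 and later, `setspn -S` performs a duplicate check before adding an SPN, which `setspn -a` does not.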

With the SPNs set up, we move on to configure the CRM Server for Internet-Facing Deployment (IFD).

  • Open the CRM Deployment Manager and run “Configure Internet-Facing Deployment Wizard”
  • Click Next and then enter the following values into the Server Domain fields and click Next
    • Web App – contoso.com
    • Organization Web – contoso.com
    • Discovery Web – dev.contoso.com


  • Enter external domain for authentication – “auth.contoso.com”


  • Click Next and then the setup will verify the URLs that were entered.
  • Click Apply –> Finish to confirm the changes.
  • Open IE and navigate to the CRM Authentication Endpoint URL (https://auth.contoso.com/federationmetadata/2007-06/federationmetadata.xml). Verify that no certificate-related warnings appear; you should get an XML response in the browser.

Next Steps

The ADFS server now needs to be set up to appropriately handle and authenticate external claims from the CRM server. This is accomplished by setting up another Relying Party Trust between the CRM and ADFS servers.

  • Open Administrative tools –> ADFS 2.0 Management
  • Expand Trust Relationships
  • Select the Relying Party Trusts folder, click Add Relying Party Trust
  • Click Start
  • On the Select Data Source page, click “Import data about the relying party published online or on a local network” and type the URL to locate the federationmetadata.xml file
  • Click Next.
  • On the Specify Display Name page, type a display name, such as “CRM IFD Relying Party” and click Next.
  • On the Choose Issuance Authorization Rules page, click “Permit all users to access this relying party” and click Next.
  • On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has identifiers such as the following:
    • https://auth.contoso.com
    • https://dev.contoso.com
    • identifiers for each organization currently set up
      • https://orgname1.contoso.com
      • https://orgname2.contoso.com
  • If your identifiers differ from the above example, click Previous in the wizard and check the Federation metadata address.
  • Click Next then Close.
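The browser check of federationmetadata.xml and the identifier check in the wizard can both be done from a script before the trust is created. The following is an added example, not part of the original post; the URL and identifiers are the post's contoso.com samples, and it assumes the identifiers are published as the metadata's entityID and fed:TargetScopes addresses, the standard WS-Federation metadata layout.

```powershell
# Added example, not from the original post.
$metadataUrl = 'https://auth.contoso.com/federationmetadata/2007-06/federationmetadata.xml'
$expected = @(
    'https://auth.contoso.com',
    'https://dev.contoso.com',
    'https://orgname1.contoso.com',
    'https://orgname2.contoso.com'
)

# XmlDocument.Load fetches over HTTPS with normal certificate validation,
# so an untrusted, expired or name-mismatched certificate throws here
# instead of showing a browser warning that can be clicked through.
$metadata = New-Object System.Xml.XmlDocument
$metadata.Load($metadataUrl)

$ns = @{
    fed = 'http://docs.oasis-open.org/wsfed/federation/200706'
    wsa = 'http://www.w3.org/2005/08/addressing'
}

# Assumption: identifiers are the entityID plus the TargetScopes addresses.
$published  = @($metadata.DocumentElement.GetAttribute('entityID'))
$published += @(Select-Xml -Xml $metadata -Namespace $ns -XPath '//fed:TargetScopes/wsa:EndpointReference/wsa:Address' |
    ForEach-Object { $_.Node.InnerText })

# Compare without regard to case or a trailing slash.
function Normalize([string]$u) { $u.Trim().TrimEnd('/').ToLowerInvariant() }
$want = @($expected  | ForEach-Object { Normalize $_ } | Sort-Object -Unique)
$have = @($published | Where-Object { $_ } | ForEach-Object { Normalize $_ } | Sort-Object -Unique)
if ($have.Count -eq 0) { throw 'No identifiers found in the metadata document.' }

Compare-Object -ReferenceObject $want -DifferenceObject $have -IncludeEqual |
    ForEach-Object {
        $state = switch ($_.SideIndicator) {
            '==' { 'OK' }
            '<=' { 'MISSING FROM METADATA' }
            '=>' { 'UNEXPECTED IN METADATA' }
        }
        '{0,-24} {1}' -f $state, $_.InputObject
    }
```

Run it from the ADFS server so that the certificate is validated against the same trust store ADFS will use when it imports and later refreshes the metadata.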

With the Trust established, we need to add Claim Rules to tell ADFS what to do when an external authentication request is received from the CRM Server. There are 3 rules that need to be added.

  • If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claim Rules, and then click Add Rule.
  • Add “Pass through UPN” Rule
    • On the Issuance Transform Rules tab, Click Add Rule, select “Pass Through or Filter an Incoming Claim”
    • Enter name “Pass through UPN”
    • Set incoming claim type as UPN
    • Click Finish
  • Add “Pass through Primary SID” Rule
    • On the Issuance Transform Rules tab, Click Add Rule, select “Pass Through or Filter an Incoming Claim”
    • Enter name “Pass through Primary SID”
    • Set incoming claim type as Primary SID
    • Click Finish
  • Add “Transform Windows Account Name to Name” Rule
    • On the Issuance Transform Rules tab, Click Add Rule, select “Transform an Incoming Claim”
    • Enter name “Transform Windows Account Name to Name”
    • Set incoming claim type as Windows Account Name
    • Set outgoing claim type as *Name
    • Click Finish
  • Close the Rule Editor by clicking OK
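The three rules above can also be written in the ADFS claim rule language and applied from PowerShell, which leaves a text copy that can be reviewed and compared later. This is an added example, not part of the original post; it assumes the ADFS 2.0 PowerShell snap-in, the display name "CRM IFD Relying Party" used earlier, and that the "*Name" entry in the wizard corresponds to the standard name claim type URI.

```powershell
# Added example, not from the original post.
Add-PSSnapin Microsoft.Adfs.PowerShell   # ADFS 2.0 ships its cmdlets as a snap-in

$trustName = 'CRM IFD Relying Party'     # display name chosen in the wizard

# Claim rule language equivalents of the three wizard-built rules.
$rules = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

# -IssuanceTransformRules replaces the whole rule set on the trust,
# so any rules already added through the GUI are overwritten.
Set-ADFSRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Read both rule sets back for review. The authorization rules show what
# "Permit all users to access this relying party" stored on the trust.
$trust = Get-ADFSRelyingPartyTrust -Name $trustName
$trust.IssuanceTransformRules
$trust.IssuanceAuthorizationRules
```

Keeping the output of the last two lines under version control makes later changes to what the trust issues, and to whom, easy to spot.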

Final Steps

We are now ready to test external access to CRM via IFD.

  • Go to another machine outside of the CRM Server’s domain and launch IE.
  • Enter the external URL into the address bar (https://orgname1.contoso.com).
  • If everything is set up correctly, you should see a prompt from ADFS to enter your username & password.


  • After entering your credentials, CRM should appear in your browser.

VOILA!!  IFD should be up and running!

It can be a daunting task, but following these steps should get your CRM On-Prem instance up and running with IFD in relatively no time.

Have other questions about this or other Dynamics CRM processes? Reach out to us. We can share our experience, and even help you get the most out of your Dynamics CRM platform.

Phone: 312-602-4000
Email: marketing@westmonroepartners.com
222 W. Adams
Chicago, IL 60606