A Straight-Forward Approach for IFD Configuration in MS Dynamics CRM 2011

So, there is no easy solution to setting up IFD for CRM 2011.  However, if you have CRM and ADFS running on separate servers including an ADFS Proxy, then the steps outlined below should provide a straight-forward process toward setting up IFD on your CRM Instance.

To get started, the following items must be done:

  • ADFS 2.0 installed and configured on Windows Server 2008/2008R2.  (Windows Server 2012 & ADFS 2.1 won’t be supported for IFD until UR13 for Dynamics CRM)
  • Obtain a wildcard certificate for your domain to be used to secure both internal and external SSL access to CRM, as well as ADFS.  (Don’t use a self-signed certificate.)
  • Create DNS host (A) entries for the following URLs in the contoso.com forward lookup zone, using the IP address of the server.

      URL                  Direction            Description
      sts.contoso.com      Internal / External  ADFS 2.0 server URL
      auth.contoso.com     Internal / External  CRM Server IFD URL (IFD Federation Endpoint)
      dev.contoso.com      Internal / External  CRM Discovery Service Endpoint URL
      orgname.contoso.com  Internal / External  CRM Org URLs (one for each Org)
      crm.contoso.com      Internal / External  CRM Internal Claims Federation Endpoint

  • The loopback check on the ADFS server must be disabled.

Confirm that you are able to navigate to the ADFS URL (https://sts.contoso.com). If your certificates are setup properly, you shouldn’t get any certificate errors. Certificate errors must be fixed before starting, because they will cause issues later on.
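A check script for the prerequisites above, run from the ADFS server. This is an added example and not part of the original post; the host names come from the table above, and the loopback check is assumed to be the DisableLoopbackCheck registry value.

```powershell
# Added prerequisite check (not from the original post). Prints OK/FAIL per item.
# Assumption: "loopback check disabled" means DisableLoopbackCheck = 1 under the Lsa key.
$hosts = "sts","auth","dev","orgname","crm" | ForEach-Object { "$_.contoso.com" }

# 1. Every host (A) record from the table resolves
foreach ($h in $hosts) {
    try   { $ip = [System.Net.Dns]::GetHostAddresses($h)[0].IPAddressToString; "OK   $h -> $ip" }
    catch { "FAIL $h does not resolve" }
}

# 2. A wildcard certificate with a private key is in the computer's Personal store, and it is not self-signed
$wild = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match '^CN=\*\.contoso\.com' } | Select-Object -First 1
if (-not $wild)                         { "FAIL no *.contoso.com certificate in LocalMachine\My" }
elseif ($wild.Subject -eq $wild.Issuer) { "FAIL certificate is self-signed" }
elseif (-not $wild.HasPrivateKey)       { "FAIL certificate has no private key" }
else                                    { "OK   wildcard certificate $($wild.Thumbprint)" }

# 3. TLS to the ADFS URL succeeds with no certificate error.
#    A TrustFailure here is exactly the certificate error the text says must be fixed first;
#    any other WebException (e.g. an HTTP 403 on the root) still means the handshake worked.
try {
    [System.Net.WebRequest]::Create("https://sts.contoso.com").GetResponse().Close()
    "OK   https://sts.contoso.com answered with a trusted certificate"
} catch [System.Net.WebException] {
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        "FAIL certificate error on https://sts.contoso.com: $($_.Exception.Message)"
    } else {
        "OK   TLS handshake succeeded (HTTP-level response: $($_.Exception.Message))"
    }
}

# 4. Loopback check disabled on this server
$lsa = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -ErrorAction SilentlyContinue
if ($lsa.DisableLoopbackCheck -eq 1) { "OK   DisableLoopbackCheck = 1" }
else { "FAIL loopback check still enabled (DisableLoopbackCheck missing or 0)" }
```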

Moving Forward

First, you will need to configure the CRM website for SSL. 

  • Go into the IIS Manager and edit the bindings for the Microsoft Dynamics CRM site.
  • Add a new binding with HTTPS on port 443.
  • Select your wildcard certificate from the “SSL certificate” drop-down menu.

Then, you must grant permissions to the CRMAppPool account. 

  • In IIS, go to the Application Pools and locate the CRMAppPool row.  The Identity column contains the account that needs updated permissions.
  • Open Microsoft Management Console and add the Certificates snap-in, choosing computer account and local computer.
  • Under Personal Certificates, right-click on the wildcard certificate and select Manage Private Keys on the All Tasks menu.
  • Add the Identity Account with Read permissions.

Next, CRM must be configured to use HTTPS. 

  • Open the CRM Deployment Manager and open its Properties.
  • On the Web Address tab, select HTTPS and update all of the URLs to the new internal URL (crm.contoso.com).

The CRM Server now needs to be configured for Claims-Based Authentication. 

The ADFS server now needs to be setup to appropriately handle and authenticate internal claims from the CRM server.  This is accomplished by setting up a Relying Party Trust between the CRM and ADFS servers.

  • Open Administrative tools –> ADFS 2.0 Management.
  • Expand Trust Relationships.
  • Select the Relying Party Trusts folder and click Add Relying Party Trust.
  • Click Start.
  • Leave the topmost radio button selected, enter the internal CRM address (https://crm.contoso.com) and click Next.
  • Set name as “Internal Relying Party CRM”.
  • Leave selected “Permit all users to access this relying party” and click Next.
  • Click next and close out, leaving the “Open the Edit Claim Rules” box checked.

With the Trust established, we need to add Claim Rules to tell ADFS what to do when a claims request is received from the CRM Server. There are 4 rules that need to be added:

  • Add the “Pass through UPN” rule
      ◦ On the Issuance Transform Rules tab, click Add Rule and select “Pass Through or Filter an Incoming Claim”.
      ◦ Enter the name “Pass through UPN”.
      ◦ Set the incoming claim type to UPN.
      ◦ Click Finish.
  • Add the “Pass through Primary SID” rule
      ◦ On the Issuance Transform Rules tab, click Add Rule and select “Pass Through or Filter an Incoming Claim”.
      ◦ Enter the name “Pass through Primary SID”.
      ◦ Set the incoming claim type to Primary SID.
      ◦ Click Finish.
  • Add the “Transform Windows Account Name to Name” rule
      ◦ On the Issuance Transform Rules tab, click Add Rule and select “Transform an Incoming Claim”.
      ◦ Enter the name “Transform Windows Account Name to Name”.
      ◦ Set the incoming claim type to Windows Account Name.
      ◦ Set the outgoing claim type to *Name.
      ◦ Click Finish.
  • Add the “Send UPN from AD to Claims” rule (this one goes on the Active Directory claims provider trust, not the relying party trust)
      ◦ Expand Trust Relationships.
      ◦ Go to Claims Provider Trusts, right-click Active Directory and choose Edit Claim Rules.
      ◦ Click Add Rule and select “Send LDAP Attributes as Claims”.
      ◦ Enter the name “Send UPN from AD to Claims”.
      ◦ Set the Attribute store to “Active Directory”.
      ◦ Select “User-Principal-Name” in the LDAP Attribute column.
      ◦ Select “* UPN” in the Outgoing Claim Type column.
      ◦ Click Finish.
      ◦ Click OK.
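The same relying party trust and four claim rules, scripted with the ADFS 2.0 PowerShell snap-in and written in ADFS claim rule language (the text the console wizards generate behind the friendly names). This is an added example, not code from the original post; it assumes CRM publishes its federation metadata at the standard CRM 2011 path shown below.

```powershell
# Added example (not from the original post): relying party trust + claim rules via PowerShell.
# Assumption: the federation metadata address is the standard CRM 2011 path under the internal URL.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$trustName = "Internal Relying Party CRM"
$metadata  = "https://crm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"

# Claim type URIs behind the friendly names shown in the ADFS console
$upn  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$sid  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
$wan  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Rules 1-3: issuance transform rules on the relying party trust
$issuanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "$upn"] => issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Primary SID"
c:[Type == "$sid"] => issue(claim = c);
@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$wan"] => issue(Type = "$name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# The wizard's "Permit all users to access this relying party" choice
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Rule 4 lives on the Active Directory claims provider trust, not on the relying party
$adRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN from AD to Claims"
c:[Type == "$wan", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("$upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@

Add-ADFSRelyingPartyTrust -Name $trustName -MetadataUrl $metadata
Set-ADFSRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules

# Append to the AD trust's existing acceptance rules. Overwriting them would drop the
# pass-through rules ADFS installs there by default, which the claims above depend on.
$ad = Get-ADFSClaimsProviderTrust -Name "Active Directory"
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules ($ad.AcceptanceTransformRules + "`r`n" + $adRule)

# Confirm what ADFS stored for the new trust
Get-ADFSRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, IssuanceTransformRules
```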

You are now ready to test internal access to CRM via Claims-Based Authentication. 

  • Go to another machine within the same domain as the CRM Server and launch IE.
  • In IE's security settings, add “*.contoso.com” as a trusted site. (This will need to be done for all clients.)
  • Enter the internal URL into the address bar (https://crm.contoso.com).

If everything is configured properly, you should notice a momentary redirect to https://sts.contoso.com as your Windows credentials are authenticated against ADFS, then back to https://crm.contoso.com, and CRM should open.

Stay tuned for Part 2 of this article series, where we will go through the actual IFD setup to enable external access to CRM. In the meantime, if you have other questions about this process or Dynamics CRM, reach out to us. We can share our experience, and even help you get the most out of your Dynamics CRM platform.

Phone: 312-602-4000
Email: marketing@westmonroepartners.com
222 W. Adams
Chicago, IL 60606