Introductions
Christopher Cognetta
Practice Manager Client Field Engineering
Microsoft Dynamics CRM MVP
chris.cognetta@tribridge.com
CRMUG Chairperson Miami & Tampa Co Chair
250+ Dynamics CRM Implementations & Upgrades
- 80+ with ADFS & IFD
Infrastructure / Application Architecture Guru
BLOG: www.cognettacloud.com
TWITTER: @ccognetta

Agenda

What is ADFS?
Active Directory Federation Services (ADFS) is Microsoft's Security Token Service (STS), designed to provide single sign-on (SSO) with, or federate to, other security providers (AD, Windows Live, Office 365, and many others). Mobile and cloud-based ISV add-ons often require your CRM to be ADFS/IFD (Internet Facing Deployment) enabled.

So why is ADFS so challenging to implement?

ADFS interacts with most of the following technologies: Active Directory, PKI, Firewall, Domain Name Service, Proxy Servers, Certificate Authority, SSL, Internet Facing Deployment (IFD), IIS, Certificates, Server/Desktop, Outlook Clients, DMZ, Ports, Hosts, Claims Authentication, NTLM, Kerberos, SPNs, ACL Reservations, Cloud.
The number of technologies involved is what makes ADFS challenging for an organization to implement.
Pre-planning and teamwork are essential to a successful ADFS implementation.

ADFS Diagrams
(Slide diagrams, not recoverable as text: Standard Authentication; Other Identity Stores (AD, Windows Live, Oracle, etc.); Internal ADFS.)

Preparation

Internal and External DNS Entries


Deployment Options
CRM and ADFS Installation Tips
ADFS Screen Shots
Quick Check List
Tips and Tricks

Internal & External DNS
(DNS diagram, not recoverable as text: internal and external DNS entries, with an optional Dev.domain.com entry. External DNS entries are held at the ISP or host and point to the External IP.)

Firewall Overview
(Diagram: External IP to Firewall, which port forwards all URLs to the Internal IP. Web Server: CRM on port 443 and ADFS on port 444. Separate ADFS Server: ADFS on port 443.)

All URLs except ADFS are port forwarded to the CRM web server on port 443.
ADFS is configured as a separate website under port 444.
Recommended: a standalone ADFS server under port 443.
ADFS must be the default website (Site #1 in the IIS Sites list).
If implementing ADFS and CRM on the same server, CRM must be installed on its own port, not on the default site.

ADFS Deployment Options
(Diagram of Options 1 to 3, not recoverable as text. Drawn left to right: External IP, outer Firewall, DMZ holding an ADFS Server Proxy, inner Firewall, Internal IP. Components shown: a Web Server with CRM on port 443 and ADFS on port 444; an ADFS Server with ADFS on port 443; a Web Backend Server.)

Certificates Required

Some security teams do not want to use wildcard certificates like *.domainname.com.

(Screenshots: certificate warnings versus a clean HTTPS://crm.domain.com, captioned ALL SYSTEMS GO.)

Managing SSL Certificates

ADFS & CRM Installation Tips

http://www.Microsoft.com/download/en/details.aspx?id=10909

Configuring CRM URL for HTTPS

- Use CRM Deployment Manager to configure the CRM internal URLs.
- Set HTTPS, naming the web address to match your certificate setting.
- Manually set the HTTPS 443 binding and SSL certificate in IIS, then restart IIS.
- Changes in this section require an IIS restart to take effect.
- Once ADFS is deployed, internal users will use the https://internalcrm.domainname.com URL for SSO access.

ADFS Installation Tips

- Tip: pre-configure the ADFS server/website IIS binding and certificate prior to install.
- Once ADFS installs, the configuration wizard will appear.
- ADFS will prompt for the name of your federation service. It should match the ADFS URL: ADFS.domainname.com

ADFS Installation Testing

The following URL is provided to test that the ADFS Federation Service is working:
https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
Note: the port is required in the URL if ADFS is not running under 443.
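The same metadata test run from PowerShell, as an added check that is not part of the deck: it fetches the URL with certificate validation left on and reports the SSL certificate, the entityID and the token-signing certificate from the metadata. adfs.domainname.com is a placeholder; the port handling follows the note above.

```powershell
# Added example, not the deck's own script: checks the ADFS federation metadata endpoint the
# way the deck says to test it in a browser, but without clicking through certificate errors.
# FederationHost is a placeholder; replace it with your federation service name.
param(
    [string]$FederationHost = 'adfs.domainname.com',
    [int]$Port = 443    # the deck's note: the port must be in the URL when ADFS is not on 443
)
$hostPart = if ($Port -eq 443) { $FederationHost } else { "${FederationHost}:$Port" }
$url = "https://$hostPart/FederationMetadata/2007-06/FederationMetadata.xml"

try {
    # Certificate validation is deliberately left on: a name mismatch or untrusted chain here
    # is exactly the error the CRM Claims wizard, browsers and Outlook clients will report.
    $req  = [System.Net.HttpWebRequest]::Create($url)
    $resp = $req.GetResponse()
} catch [System.Net.WebException] {
    # An HTTP 503 is the deck's "Internal Service Error": the AD FS site is not up; IISReset.
    Write-Error "Request to $url failed: $($_.Exception.Message)"
    return
}
$reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
[xml]$md = $reader.ReadToEnd()
$resp.Close()

# The SSL certificate that answered and its expiry; confirm the subject matches the name typed.
$ssl = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $req.ServicePoint.Certificate
"SSL cert      : $($ssl.Subject) (expires $($ssl.NotAfter))"

# entityID is the federation service identifier the CRM Claims wizard binds to.
"entityID      : $($md.EntityDescriptor.entityID)"

# Token-signing certificate published in the metadata. CRM reads it from this same URL when
# the Claims wizard runs, so after an ADFS certificate rollover this is the value to compare.
$signing = $md.GetElementsByTagName('KeyDescriptor') |
    Where-Object { $_.use -eq 'signing' } | Select-Object -First 1
$raw = [Convert]::FromBase64String($signing.KeyInfo.X509Data.X509Certificate)
$tok = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
"Token-signing : $($tok.Subject) thumbprint $($tok.Thumbprint) (expires $($tok.NotAfter))"
```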

Configure Claims Wizard

From the CRM Deployment Manager we can start to configure claims-based authentication:
- Make sure to test the ADFS metadata URL in your browser for no certificate errors.
- Select the IIS SSL certificate used for CRM.
- The URL is provided at the end of the ADFS installation.
- Save it as a favorite, trusted or intranet site.
- If you receive the XML metadata from the URL, the ADFS service is working correctly.
- Common errors like 503 require an IISReset.

Configure Claims Wizard

Completion window after the Claims wizard in Deployment Manager has been configured:
- This configures and confirms that the CRM federation services are working.
- The URL shown on screen is at the bottom of the log file. Click "View the log file" to copy the URL.
- Restart IIS and test the URL before proceeding to ADFS setup.
- This URL will set up the first Relying Party Trust with ADFS for CRM (Internal).

Configure ADFS Relying Party

Configure the Claims Provider Trust for Active Directory:
- Select Claims Provider
- Select Active Directory
- Select Edit Claim Rules
- Add Rule
- UPN Claim Rule: matches the User Principal Name to the UPN field

Configure ADFS Relying Party Trust

Configure the Relying Party Trust for Internal:
- Add Relying Party Trust
- Add the URL from the Claims wizard
- Add 3 rules:
  - Pass Through UPN
  - Pass Through Primary SID
  - Transform Windows Account Name to Name
You can now test Kerberos-to-claims authentication via the https://internalcrm link.

Configure Internet Facing Deployment IFD

Inside Deployment Manager, you will click Configure IFD:
- Enter the ending of the domain name.
- Web Application and Org Service should both be the same domainname.com.
- Dev domain is used for the discovery web server and should match your DEV DNS entry. (Could be discovery too!)

Configure Internet Facing Deployment IFD

Next you will be prompted for the external domain:
- This is the AUTH.domainname.com address, not the ADFS address.
- The documentation uses the same URL as the STS server, which is not correct.
- The end of the configuration will provide a URL to configure the relying party trust in ADFS.

Configure Internet Facing Deployment IFD

Success window for the CRM IFD configuration:
- Perform an IIS reset on the CRM server.
- Now let's go back to ADFS and enter the external relying party trust.

Configure ADFS Relying Party Trust

Open the ADFS wizard on the ADFS server:
- Select Add Relying Party Trust
- Add the AUTH URL (same as the last page of the CRM IFD wizard)
- Add 3 rules:
  - Pass Through UPN
  - Pass Through Primary SID
  - Transform Windows Account Name to Name
- IIS reset one last time
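The internal and external relying party trusts from the two slides above, scripted for AD FS 2.0 as an added example (not the deck's own code): it uses the Microsoft.Adfs.PowerShell snap-in, writes the three rules the deck lists in claim rule language, and adds the permit-all authorization rule that the GUI wizard creates by default but a scripted trust lacks. Trust names and metadata URLs are placeholders.

```powershell
# Added example, not the deck's own script: creates the two CRM relying party trusts the deck
# walks through (internal claims, external IFD) on AD FS 2.0 and applies its three issuance
# rules from PowerShell. Trust names and host names are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Metadata URLs printed at the end of the CRM Claims wizard and the CRM IFD wizard.
$trusts = @{
    'CRM Claims (Internal)' = 'https://internalcrm.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml'
    'CRM IFD (External)'    = 'https://auth.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml'
}

# The deck's three rules in AD FS claim rule language: pass through UPN, pass through
# primary SID, transform Windows account name to Name.
$issuance = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# The GUI wizard adds a "permit all users" authorization rule by default; a trust created
# from PowerShell has none, so every user would be denied without this.
$authz = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

foreach ($name in $trusts.Keys) {
    if (-not (Get-ADFSRelyingPartyTrust -Name $name)) {
        Add-ADFSRelyingPartyTrust -Name $name -MetadataUrl $trusts[$name]
    }
    Set-ADFSRelyingPartyTrust -TargetName $name -IssuanceTransformRules $issuance `
        -IssuanceAuthorizationRules $authz
    # Same as the console's "Update from Federation Metadata": refresh the cached CRM metadata.
    Update-ADFSRelyingPartyTrust -TargetName $name
}
Get-ADFSRelyingPartyTrust | Select-Object Name, MetadataUrl | Format-Table -AutoSize
iisreset   # the deck's "IIS reset one last time"
```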

Configure ADFS Relying Party Trust

Test the CRM Deployment

Overview

Minimum Requirements

Behind the Scenes


3 hrs.

ADFS Pre Configuration

- Download and deploy the public SSL certificate in IIS 7.
- Deploy AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2 and configure it to use the deployed certificate.
- Download and install the Microsoft Online Services Sign-in Assistant and the Microsoft Online Services Module (for PowerShell).
- Change security on the default URL from Anonymous Authentication to Windows Authentication.
- Add the public domain URL to the Local Intranet zone.
- Run the MS Online Services Module for PowerShell and convert your public domain to federated:
$cred = Get-Credential
Connect-MsolService -Credential $cred
Convert-MsolDomainToFederated -DomainName <domain>

Microsoft Online Services Config

AD Sync Config

Troubleshooting

Checklist Summary

Tips and Tricks

Quick Checklist
BackConnectionHostNames Registry
Changing your ADFS login Name
Setting the IFD timeout
Multiple HTTPS Bindings
Internal Service Error 503 & 505
Updating ADFS Cache
401 Errors
Outlook Client V4 with CRM 2011
Caution on Cache

Quick Checklist

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621

BackConnectionHostNames

http://support.microsoft.com/kb/896861

Changing ADFS Login Name

Setting the ADFS/IFD Timeout

HTTPS Binding

Internal Service Error 503

- Republish CRM customizations
- Restart IIS and/or reboot
- Reconfigure via the CRM wizards
- See the www.cognettacloud.com blog for the URL Reservations issue

Updating the ADFS Cache

- Updating the ADFS cache is sometimes required when adding a new organization or IFD deployment, adding DNS entries, or troubleshooting issues.
- Updating is done from the ADFS configuration tool: with Relying Party Trusts selected, you will see an option on the left to Update from Federation Metadata.
- Remember to restart IIS.

IFD 404 Error & Workaround

A common error reported by external-access users after IFD is enabled:
- This is because ADFS took a copy of the CRM metadata during the install, and the cached copy is not an exact one.
- The fix is to publish all customizations.
- If this continues for a specific user, update the user record by removing their name, replacing it with a test name, saving, and then replacing the domain name again.
- Should be OK after UR 11.

CRM Outlook Client 4

http://go.microsoft.com/fwlink/?LinkID=210780

http://go.microsoft.com/fwlink/?LinkId=205316

Caution on Cache

Closing & Q&A

Use the Microsoft Forums: ask an MVP!
http://social.microsoft.com/Forums/en-US/category/dynamics
Please don't forget to accept the answer that helps you!
Collaborate on the CRMUG forums:
http://community.crmug.com/home
Check the www.cognettacloud.com blog for the latest issues & resolutions.
