Best Practices ADFS
Introductions
Christopher Cognetta
Practice Manager Client Field Engineering
Microsoft Dynamics CRM MVP
chris.cognetta@tribridge.com
CRMUG Chairperson Miami & Tampa Co Chair
250+ Dynamics CRM Implementations & Upgrades
- 80+ with ADFS & IFD
Infrastructure /Application Architecture Guru
BLOG: www.cognettacloud.com
TWITTER: @ccognetta
Agenda
What is ADFS?
Active Directory Federation Services (ADFS) is Microsoft's Security Token Service (STS), designed to provide or
federate single sign-on (SSO) with other security providers (AD, Windows Live, Office 365, and many
others). Mobile and cloud-based ISV add-ons often require your CRM to be ADFS/IFD (Internet Facing
Deployment) enabled.
ADFS Diagrams
[Diagram: standard authentication flow between CRM, ADFS and other identity stores (AD, Windows Live, Oracle, etc.)]
Internal ADFS
Preparation
Optional (Dev.domain.com)
Firewall Overview
[Diagram: the firewall on the internal IP port forwards all URLs to the web server; the web server hosts CRM on port 443 and ADFS on port 444; alternatively a separate ADFS server hosts ADFS on port 443.]
All URLs except ADFS will be port forwarded to the CRM web server on port 443.
ADFS will be configured as a separate website under port 444.
Recommended: a standalone ADFS server under port 443.
ADFS must be the default website (Site #1 as shown in the IIS Sites list).
CRM must be installed on its own port, and not on the default site, if
implementing ADFS and CRM on the same server.
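The site-ordering and port rules above are easy to get wrong on a server that hosts both roles. The following is an added example (not code from the deck or from Microsoft) that encodes those rules as a check over a list of IIS sites. The site list is constructed; the site names 'Default Web Site' and 'Microsoft Dynamics CRM' are assumptions and can be overridden. On a real server the same shape can be built from Get-Website in the WebAdministration module, using each site's Id, Name and the "protocol bindingInformation" strings from its bindings collection.

```powershell
# Added example, not from the original deck: audit the IIS site/binding layout
# against the IFD rules (ADFS is site #1 / the default website, CRM on its own
# site and port, ADFS and CRM never sharing an HTTPS port).

function Get-HttpsPorts {
    param([string[]]$Bindings)    # binding strings such as 'https *:444:adfs.domain.com'
    foreach ($b in $Bindings) {
        $parts = $b -split ' ', 2
        if ($parts[0] -eq 'https') { [int](($parts[1] -split ':')[1]) }
    }
}

function Test-IfdSiteLayout {
    param(
        [Parameter(Mandatory)][object[]]$Sites,
        [string]$AdfsSiteName = 'Default Web Site',        # assumed site names
        [string]$CrmSiteName  = 'Microsoft Dynamics CRM'
    )
    $findings = @()
    $adfs = $Sites | Where-Object { $_.Name -eq $AdfsSiteName }
    $crm  = $Sites | Where-Object { $_.Name -eq $CrmSiteName }

    if (-not $adfs) {
        $findings += "ADFS site '$AdfsSiteName' not found"
    } elseif ($adfs.Id -ne 1) {
        $findings += "ADFS must be site #1 (the default website); it is site $($adfs.Id)"
    }
    if ($crm -and $crm.Id -eq 1) {
        $findings += 'CRM must not be installed on the default website'
    }
    if ($adfs -and $crm) {
        $adfsPorts = @(Get-HttpsPorts $adfs.Bindings)
        $crmPorts  = @(Get-HttpsPorts $crm.Bindings)
        $shared = $adfsPorts | Where-Object { $crmPorts -contains $_ }
        if ($shared) {
            $findings += "ADFS and CRM share HTTPS port(s) $($shared -join ', '); put them on separate ports (443/444)"
        }
        if ($adfsPorts.Count -eq 0) { $findings += 'ADFS site has no HTTPS binding' }
    }
    return $findings
}

# Constructed sample: both roles on one server, ADFS on 444 and CRM on 443.
$sites = @(
    [pscustomobject]@{ Id = 1; Name = 'Default Web Site';       Bindings = @('http *:80:', 'https *:444:adfs.domain.com') }
    [pscustomobject]@{ Id = 2; Name = 'Microsoft Dynamics CRM'; Bindings = @('https *:443:crm.domain.com') }
)
$issues = Test-IfdSiteLayout -Sites $sites
if ($issues) { $issues } else { 'Site layout matches the IFD rules' }
```

Swapping the two Id values, or giving both sites a 443 binding, produces a finding for each broken rule, which is the point of running this before the IFD configuration wizard rather than after users report login loops.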
[Diagram, Option 1 and Option 2: an external firewall with the external IP in front of a DMZ that hosts an ADFS proxy server; behind a second firewall on the internal IP, either a single web server running CRM (port 443) and ADFS (port 444), or a dedicated ADFS server (port 443) with a separate web back-end server.]
Certificates Required
Certificate Warnings
HTTPS://crm.domain.com
ALL SYSTEMS GO
http://www.Microsoft.com/download/en/details.aspx?id=10909
The following URL is provided in order to test that the ADFS Federation Service is working:
https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
Note: the port is required in the URL if ADFS is not running under 443.
This is the AUTH.domainname.com address, not the ADFS address.
The documentation uses the same URL as the STS server, which is not correct.
The end of the configuration will provide a URL to configure the relying party trust in ADFS.
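Opening the metadata URL in a browser only proves that something answered. The following is an added example (not from the deck or from Microsoft) that builds the test URL with the port rule stated above and then sanity-checks a metadata document: that the entityID names the federation service host rather than the CRM or AUTH address, that the document is signed, that a token-signing certificate is published, and that every SAML endpoint is HTTPS on the expected host. The XML is a constructed, trimmed sample; a real ADFS server returns a much larger signed document, which can be fetched with Invoke-WebRequest and passed to the same function.

```powershell
# Added example, not from the original deck: build the FederationMetadata URL
# and validate a metadata document offline against a constructed sample.

function Get-FederationMetadataUrl {
    param([Parameter(Mandatory)][string]$AdfsHost, [int]$Port = 443)
    # The port is only required in the URL when ADFS is not on 443.
    $authority = if ($Port -eq 443) { $AdfsHost } else { "${AdfsHost}:$Port" }
    return "https://$authority/FederationMetadata/2007-06/FederationMetadata.xml"
}

function Test-FederationMetadata {
    param([Parameter(Mandatory)][string]$Xml, [Parameter(Mandatory)][string]$ExpectedHost)
    $doc = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $findings = @()
    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { return @('No EntityDescriptor root element') }
    # The identifier must name the federation service, not the CRM/AUTH address.
    if (([uri]$entity.entityID).Host -ne $ExpectedHost) {
        $findings += "entityID '$($entity.entityID)' does not reference $ExpectedHost"
    }
    if (-not $doc.SelectSingleNode('//ds:Signature', $ns)) { $findings += 'Document is not signed' }
    $signing = $doc.SelectNodes('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)
    if ($signing.Count -eq 0) { $findings += 'No token-signing certificate published' }
    foreach ($ep in $doc.SelectNodes('//md:*[@Location]', $ns)) {
        $loc = $ep.GetAttribute('Location')
        if ($loc -notlike 'https://*') { $findings += "Endpoint $loc is not HTTPS" }
        if (([uri]$loc).Host -ne $ExpectedHost) { $findings += "Endpoint $loc does not point at $ExpectedHost" }
    }
    return $findings
}

# Constructed sample document (values are placeholders, not a real certificate or signature).
$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.domain.com/adfs/services/trust">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/><SignatureValue>CONSTRUCTED</SignatureValue></Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIC-CONSTRUCTED</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.domain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

Get-FederationMetadataUrl -AdfsHost 'adfs.domain.com' -Port 444   # port present only because it is not 443
$issues = Test-FederationMetadata -Xml $sample -ExpectedHost 'adfs.domain.com'
if ($issues) { $issues } else { 'Federation metadata OK' }
```

Changing the entityID host in the sample to crm.domain.com reproduces the mistake the callout warns about (pointing the wizard at the wrong address) and is reported as a finding.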
Overview
Minimum Requirements
AD Sync Config
Troubleshooting
Checklist Summary
[Checklist diagram: steps 1 to 5, two of them marked Optional]
Quick Checklist
BackConnectionHostNames Registry
Changing your ADFS login Name
Setting the IFD timeout
Multiple HTTPS Bindings
Internal Service Error 503 & 505
Updating ADFS Cache
401 Errors
Outlook Client V4 with CRM 2011
Caution on Cache
Quick Checklist
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621
BackConnectionHostNames
http://support.microsoft.com/kb/896861
HTTPS Binding
http://go.microsoft.com/fwlink/?LinkID=210780
http://go.microsoft.com/fwlink/?LinkId=205316
Caution on Cache
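The BackConnectionHostNames item on the checklist (KB 896861) is the loopback-check fix: a server that must call its own IFD host names (CRM calling ADFS on the same box, or the Outlook client test from the server) gets 401 errors until those names are registered. The following is an added example (not from the deck or from the KB article) that merges the IFD host names into the existing REG_MULTI_SZ value instead of overwriting it, and reads it back for verification. The host names are constructed placeholders for a domain.com deployment; run it elevated on the CRM/ADFS server.

```powershell
# Added example, not from the original deck: register IFD host names in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames
# (the REG_MULTI_SZ value described in KB 896861).

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

function Get-BackConnectionHostNames {
    param([string]$Path = $lsaPath)
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$valueName)
}

function Add-BackConnectionHostNames {
    param(
        [Parameter(Mandatory)][string[]]$HostNames,
        [string]$Path = $lsaPath
    )
    # Merge with the names already present: the value must list every host name
    # the server is expected to call back to, so never replace it with only the new ones.
    $current = Get-BackConnectionHostNames -Path $Path
    $merged  = @(($current + $HostNames) | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    if (Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $Path -Name $valueName -Value $merged -Type MultiString
    } else {
        New-ItemProperty -Path $Path -Name $valueName -PropertyType MultiString -Value $merged | Out-Null
    }
    return $merged
}

# Constructed host names for a domain.com IFD deployment (CRM, AUTH, ADFS and the optional dev URL).
$ifdHosts = @('crm.domain.com', 'auth.domain.com', 'adfs.domain.com', 'dev.domain.com')
Add-BackConnectionHostNames -HostNames $ifdHosts

# Read the value back; restart the IISAdmin service for the change to take effect.
Get-BackConnectionHostNames
```

Listing the specific host names is the recommended method in the KB; the alternative of disabling the loopback check entirely removes a reflection-attack protection for the whole server and should not be used just to get IFD working.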