Freigeben über

Configuring IFD for CRM 2011

  • Artikel

Aishwarya C Ramachandran - Click for blog homepageConfiguring IFD in Dynamics CRM 2011 for the first time? It can be quite confusing,  I completely agree . But with this article it no longer is!

STEPS TO BE COMPLETED BEFORE FOLLOWING THIS ARTICLE
 
Install ADFS 2.0 on the default site in any machine within the domain
www.microsoft.com/en-us/download/details.aspx?id=10909
 
Dynamics CRM 2011 must be on another port if ADFS 2.0 is installed in the same machine .
 
Get a wildcard certificate
It is recommended to have the wildcard certificate associated with the CRM website so that we can associate the same certificate  when we have an environment with multiple organizations in CRM 

 
 
WHAT WE AIM TO ACHIEVE
 
Browse CRM 2011 through the internet  with this URL <orgname>.<domain>.com:<port number>
 
Lets begin.

STEP 1 : BIND A CERTIFICATE TO THE ADFS WEBSITE (DEFAULT WEBSITE)
 
Open up IIS manager
 
Default website  ==> Click on 'Bindings' on the right hand navigation bar ==>Add==>  Type : https ; Port :443 ==>SSL certificate Wildcard Certificate 

STEP 2 : BIND A CERTIFICATE TO THE CRM WEBSITE
 
Open IIS manager
 
Default website  ==> Click on 'Bindings' on the right hand navigation bar ==>Add==>  Type : https ; Port :444 ==>SSL certificate Wildcard Certificate
 
Please Note : The number 444 is a random number used for the purpose of this demonstration 
 

 
STEP 3 : CREATION OF DNS ENTRIES
 
Start ==> Administrative Tools ==>DNS ==> <Name of your machine>  ==> Forward Lookup Zones==> <Domain Name>.com
 
Right click ==> New  Host (A or AAAA) 

ADFS     Point it to the  machine that has ADFS 2.0 installed on it
<CRM  organization name> Point it to the  machine that has CRM 2011
Dev Point it to the  machine that contains the discovery web service
Auth Point it to the  machine that has CRM 2011 installed on it
Internalcrm Point it to the  machine that has CRM 2011

STEP 4 : LET'S CONFIGURE AD FS 2.0!
 
Open up AD FS 2.0 console
 

 
Click on 'Create a new Federation Service'


 
Click on 'Stand-Alone Federation Server' after reading the description that is given . 
 

 
Please ensure to give the same name as specified in the DNS Forward Look-up Zone 
 

 
This next page of the wizard will show you the summary of what is about to be installed. Click Next to continue.
 
 

Wait for the configuration process to complete and click the Close button.
 

STEP 4 : CONFIGURING CLAIMS-BASED AUTHENTICATION ON THE CRM DEPLOYMENT MANAGER
 
CRM Deployment manager==>Select the “Microsoft Dynamics CRM”==> Right click ==> properties ==> choose the “Web Address” section

Choose the Binding type as “HTTPS” and enter the entry created for accessing CRM internally within the domain . In our example it is : Internalcrm: <port number>
Click on 'Apply'
 

 
Launch the Deployment manager on the CRM server and click on the “Configure claims based Authentication” that is on the right hand navigation tool bar. 
 

 
Type in the ADFS URL federation metadata. 


 
Choose the wildcard certificate associated with the ADFS URL.  


 
This step validates the federation metadata URL and then click Next to continue.
 

Click the Apply button.


   
STEP 5 : ADDING THE ACCOUNT THAT IS RUNNING THE CRM APPLICATION POOL TO THE WILDCARD CERTIFICATE
 
You may have to add the account that is running the CRM application pool account the “Read” privilege against the certificate used for the security token service. To perform this:
 
Launch the MMC console and go to File menu and select Add-Remove Snap In


 
Select Certificates from the available snap-ins.
 

Choose the Computer Account and click Next in the Certificates Snap-In window. 

Click Finish on the next window.

Right click on the wild card certificate and select All Tasks >> Manage Private Keys. 

At this step add the identity which is running the CRM application pool. 


 
STEP 6 : ADDING A RELYING PARTY TO ADFS 2.0

Click on the Add Relying Party Trust link under the Actions menu and click on the Start button.

Click on the Start button in the Add Relying Party Trust Wizard window.

Give in the federation metadata of the internal CRM URL

Enter the display name and any applicable notes.

Select the option "Permit all users to access this relying party" and click on the Next button. 

Click on the Next button again.

Now let us go ahead and edit the claim rules for our internal crm URL .

There are 3 rules we must add:

  1. User Principle Name
  2. Primary SID
  3. Windows account name to name

Click on the Add Rule button to create the rule for the User Principle Name.

Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as UPN and the Incoming claim type as UPN and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

 Click on the Add Rule button to create the rule for the Primary SID. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Primary SID and the Incoming claim type as Primary SID and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

Click on the Add Rule button to create the rule for the Windows Account name to name. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Windows Account name to name and the Incoming claim type as Windows Account name to name and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

 This page would give a summary of the rules added to the system .

Once these rules are added let us go ahead and edit the claim rules for Active Directory.

Right click on Active Directory and select Edit Claim Rules.

 The claim rule template in this case would be : Send LDAP Attributes as claims

 The Attribute Store  is : Active Directory and the Claim Rule name is :UPN . LDAP Attrbute : User-Principal-Name ;Outgoing Claim type : UPN

After an IISRESET on the CRM server, you should be able to access the CRM server with the internal URL for the CRM:

IFD CONFIGURATION

STEP 1 : CONFIGURE INTERNET FACING DEPLOYMENT IN THE DEPLOYMENT MANAGER

Click on 'Configure internet facing deployment' that is on the right hand corner of the window .

Follow the snapshots given below. Click on the Next button.

 Enter the URLs for the Web Application Server Domain, Organization Web Service Domain and the Discovery Web Service Domain and click on the Next button.

Enter the external domain where your Internet-facing servers are located and click on the Next button. 

This step checks the federation metadata entered.

STEP 2 : ADD RELYING PART TRUST IN AD FS 2.0

Click on the Add Relying Party Trust link from the Actions menu.

Click on the Start button.

Enter the federation meta data address and click on the Next button. 

 

Enter the display name and click Next button.

 

Choose the option "Permit all users to access this relying party" and click on the Next button.

 

Review the trust details and click on the Next button.

 

Right click on the relying party trust which you have created and click on the Edit Claim Rules menu.

Click on the Add Rule button to create the rule for the User Principle Name.

Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as UPN and the Incoming claim type as UPN and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

 Click on the Add Rule button to create the rule for the Primary SID. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Primary SID and the Incoming claim type as Primary SID and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

Click on the Add Rule button to create the rule for the Windows Account name to name. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Windows Account name to name and the Incoming claim type as Windows Account name to name and choose the option as "Pass through all claim values" and click on the Finish button to save the rule. 

Perform an IIS Reset . Browse your CRM using <org name>.<domain>.com

Update 08/21/2012 - Updated the name of the server which the Auth URL should point to. Please refer the table.

 

VOILA! You have your IFD in place! :)

Comments

  • Anonymous
    August 10, 2012
    Great article...very detailed!
  • Anonymous
    August 20, 2012
    Shouldn't Auth point to the machine that has CRM 2011 instead of the machine that has ADFS 2.0?
  • Anonymous
    August 21, 2012
    Thank you Paul for pointing that out. I have updated the table to reflect the right server. Appreciate it. :)
  • Anonymous
    June 19, 2013
    Well.....detailed explanation....
  • Anonymous
    August 11, 2013
    Hi Team,if i don't have wildcard certificate then what alternate solution...
  • Anonymous
    August 11, 2013
    Hey GopalIf you don't intend on purchasing a wildcard, the other option would be to go for a SAN certificate that you can obtain from sites such as godaddy.comOr else if this is for pure testing purposes you can go for a self signed certificates.This MSDN article would give you more details on the same.technet.microsoft.com/.../gg188582.aspxAishwarya
  • Anonymous
    September 13, 2013
    Very good Article, Aishwarya
  • Anonymous
    September 19, 2013
    Glad the article was of help to you Atif... :)
  • Anonymous
    October 31, 2013
    Awesome Article Aishwarya! This is very useful!! :)
  • Anonymous
    May 28, 2014
    I am not able to login in crm , after configuring IFD CRM login page comes but after entering username and password i am not able to access to open crm , it gives an error page like "There was a problem accessing the site. Try to browse to the site again.
    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem."
  • Anonymous
    August 26, 2014
    Thank you very much
  • Anonymous
    September 24, 2014
    thank you so much for best guid ever,i finally did it.but i have one small problem. before that i had to say i create certificate by Makecert (wild Certificate) and everything work fine for test enviroment(VMWare).domain controller and CRM and AFDS , all of them installed on one Virtual machine Windows server 2008 R2.other client with out problem can connect to internalcrm.company.local but i can't log in to crm by server itself.i mean when i enter user and password for loging to CRM don't accept it and give me error "HTTP Error 401.1 - Unauthorized"
    "You do not have permission to view this directory or page using the credentials that you supplied"

    but these same user and password work perfectly on another computer machin in network.
    i hope someone here can help me to fix it and can log in to internalcrm from server computer.
  • Anonymous
    September 25, 2014
    thank you so much for guide.but i have one small problem. before that i had to say i create certificate by Makecert (wild Certificate) and everything work fine for test enviroment(VMWare).domain controller and CRM and AFDS , all of them installed on one Virtual machine Windows server 2008 R2.other client with out problem can connect to internalcrm.company.local but i can’t log in to crm by server itself.i mean when i enter user and password for loging to CRM don’t accept it and give me error “HTTP Error 401.1 – Unauthorized”
    “You do not have permission to view this directory or page using the credentials that you supplied”

    but these same user and password work perfectly on another computer machin in network.
    i hope someone here can help me to fix it and can log in to internalcrm from server computer.
  • Anonymous
    October 07, 2014
    The comment has been removed