Introductions
Christopher Cognetta
Practice Manager – Client Field Engineering
Microsoft Dynamics CRM MVP
• CRMUG Chairperson Miami & Tampa – Co-Chair
• 250+ Dynamics CRM Implementations & Upgrades
  - 80+ with ADFS & IFD
• Infrastructure / Application Architecture Guru
BLOG: www.cognettacloud.com
What is ADFS?
Active Directory Federation Services (ADFS) is Microsoft's Security Token Service (STS). It authenticates users against an identity store and issues signed claims tokens, which is what lets it "federate" (provide Single Sign-On, SSO) with other security providers such as AD, Windows Live, Office 365 and many others. Mobile and cloud-based ISV add-ons often require your CRM to be ADFS/IFD (Internet Facing Deployment) enabled.
So why is ADFS so challenging to implement?
ADFS interacts with most of the following technologies:
Active Directory, PKI, Firewall, Domain Name Service, Proxy Servers, Certificate Authority, SSL, Internet Facing Deployment (IFD), IIS, Certificates, Server/Desktop, Outlook Clients, DMZ, Ports, Hosts, Claims Authentication, NTLM, Kerberos, SPNs, ACLs, Reservations, Cloud
These technologies, and the number of teams that own them, make ADFS challenging for an organization to implement. Pre-planning and teamwork are essential to a successful ADFS implementation.
ADFS Diagrams
[Diagrams: Standard Authentication; Internal ADFS; Other Identity Stores (AD, Windows Live, Oracle, etc.)]
Preparation
• Internal and External DNS Entries
• Deployment Options
• CRM and ADFS Installation Tips
• ADFS Screen Shots
• Quick Check List
• Tips and Tricks
Internal & External DNS
[Diagram: internal and external DNS entries, with an optional Dev.domain.com entry]
Firewall Overview
[Diagram: Internet -> Firewall -> Web Server, with the external DNS entries at the ISP or host: CRM on port 443, ADFS on port 444]
External DNS entries are created at the ISP or hosting provider: CRM on port 443, ADFS on port 444.
Port forward all URLs: every URL except ADFS is forwarded to the CRM web server on port 443.
ADFS is configured as a separate website on port 444. Two HTTPS sites cannot share one IP address and port on IIS 7/7.5 (no SNI), so the second site needs its own IP address or its own port.
Recommended: a standalone ADFS server, so that ADFS can sit on port 443.
If ADFS and CRM are on the same server, ADFS must be the default website (Site #1 in the IIS Sites list) and CRM must be installed on its own port, not on the default website.
[Diagram: External IP / Internal IP, ADFS Server, DMZ, Firewall, Web Server]
ADFS Deployment Options
[Diagram, three options. Option 1: ADFS and CRM on the same web server, CRM on port 443 and ADFS on port 444. Option 2: a separate internal ADFS server on port 443. Option 3: an internal ADFS server plus an ADFS Proxy on the external IP, in front of the web server.]
Certificates Required
Some security teams do not want to use wildcard certificates like *.domainname.com. The objection is that one private key then covers every host in the domain, so a compromise of any server carrying it exposes them all. The alternative is a certificate that lists each host name explicitly (the CRM, internal, AUTH, discovery and ADFS names, plus one per organization for IFD).
Certificate Warnings
[Screenshot: browser certificate warning for HTTPS://crm.domain.com]
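The DNS, firewall and certificate preparation above comes down to a handful of host names that must resolve, accept a TCP connection on the right port, and present a certificate whose name covers the host. The following PowerShell pre-flight check is an added example and is not part of the original slides; the host names, ports and the wildcard certificate it expects are assumptions, so substitute your own. Run it once from inside the network and once from outside, since the internal and external DNS entries are meant to differ.

```powershell
# Added example (not from the slides): pre-flight check of the CRM/ADFS/IFD host names.
# Host names and ports below are assumptions; replace them with your own entries.

$endpoints = @(
    @{ HostName = 'crm.domain.com';         Port = 443 },   # CRM web server (port forwarded)
    @{ HostName = 'internalcrm.domain.com'; Port = 443 },   # internal claims URL
    @{ HostName = 'auth.domain.com';        Port = 443 },   # external IFD (AUTH) address
    @{ HostName = 'dev.domain.com';         Port = 443 },   # discovery web service
    @{ HostName = 'adfs.domain.com';        Port = 444 }    # ADFS site when it shares the CRM server
)

function Test-IfdEndpoint {
    param([string]$HostName, [int]$Port)

    $r = New-Object PSObject -Property @{
        HostName = $HostName; Port = $Port; Dns = $null; Tcp = $false
        CertSubject = $null; CertExpires = $null; NameMatch = $false; Error = $null
    }
    $client = $null
    try {
        # 1. DNS: the name must resolve from wherever this is run
        $r.Dns = ([System.Net.Dns]::GetHostAddresses($HostName) |
                  ForEach-Object { $_.IPAddressToString }) -join ','

        # 2. TCP: proves the firewall rule / port forward is really open
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($HostName, $Port)
        $r.Tcp = $true

        # 3. TLS: accept any certificate here so that we can inspect it ourselves
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.CertSubject = $cert.Subject
        $r.CertExpires = $cert.NotAfter

        # Name the certificate was issued for (first DNS SAN, otherwise the CN). A wildcard
        # covers one label only: *.domain.com matches crm.domain.com but not a.b.domain.com.
        # A mismatch here is exactly what produces the browser certificate warning.
        $dnsType  = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $issuedTo = $cert.GetNameInfo($dnsType, $false)
        $r.NameMatch = ($issuedTo -eq $HostName) -or
                       ($issuedTo.StartsWith('*.') -and ($HostName -like $issuedTo) -and
                        ($HostName.Split('.').Count -eq $issuedTo.Split('.').Count))
        $ssl.Close()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($client) { $client.Close() }
    }
    $r
}

$endpoints | ForEach-Object { Test-IfdEndpoint -HostName $_.HostName -Port $_.Port } |
    Format-Table HostName, Port, Dns, Tcp, NameMatch, CertExpires, CertSubject, Error -AutoSize
```

A row with Tcp false but Dns populated points at the firewall or port forward; a row with NameMatch false is the certificate warning waiting to happen. The check only inspects the first DNS name on the certificate, which is enough for a wildcard certificate; for a multi-name (SAN) certificate compare the host against every entry in the Subject Alternative Name extension instead.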
ADFS & CRM Installation Tips
http://www.Microsoft.com/download/en/details.aspx?id=10909
Use CRM Deployment Manager to configure the CRM internal URLs. Set HTTPS, naming the web address to match your certificate.
Manually set the HTTPS 443 binding and SSL certificate in IIS, then restart IIS. Changes in this section require an IIS restart to take effect.
Once ADFS is deployed, internal users will use the https://internalcrm.domainname.com URL for SSO access.
ADFS Installation Tips
Tip: pre-configure the ADFS server/website IIS binding and certificate prior to install. The configuration wizard takes the federation service name from the certificate bound to the site, so the binding needs to be in place first.
Once ADFS installs, the configuration wizard will appear. ADFS will prompt for the name of your federation service; it should match the ADFS URL, e.g. ADFS.domainname.com.
ADFS Installation Testing
The following URL is provided in order to test that the ADFS Federation Service is working:
https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
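Opening the metadata URL in a browser only shows that ADFS answers. The script below, an added example rather than part of the original slides, fetches the same URL and pulls out the three facts the CRM claims wizard depends on: the federation service identifier, the WS-Federation passive sign-in endpoint, and the token-signing certificate that CRM will end up trusting. It uses the URL from the slide; the host name is an assumption to replace with your own.

```powershell
# Added example (not from the slides): fetch the ADFS federation metadata and summarise it.
# The host name in the URL is an assumption; point it at your own federation service.
# No certificate-validation override is used on purpose: if this throws a trust error,
# the browser will warn too and the CRM wizard will fail the same way.

$metadataUrl = 'https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'

function Get-FederationMetadataSummary {
    param([string]$Url)

    # WebClient rather than Invoke-WebRequest so this also runs on the PowerShell 2.0
    # that ships with Windows Server 2008 R2
    $wc = New-Object System.Net.WebClient
    [xml]$md = $wc.DownloadString($Url)

    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')

    # entityID is the federation service identifier; its host should be the name typed
    # into the ADFS configuration wizard, which is also the name on the SSL certificate
    $entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)

    # First token-signing certificate: CRM will trust tokens signed with this key, so
    # confirm it is the one you expect and that it is not about to expire
    $certNode = $md.SelectSingleNode(
        '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    $signing = $null
    if ($certNode) {
        $raw = [Convert]::FromBase64String($certNode.InnerText.Trim())
        $signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    }

    # WS-Federation passive endpoint: where browsers are redirected to sign in
    $passive = $md.SelectSingleNode(
        '//fed:PassiveRequestorEndpoint//*[local-name()="Address"]', $ns)

    New-Object PSObject -Property @{
        EntityId              = $entity.GetAttribute('entityID')
        PassiveEndpoint       = $(if ($passive) { $passive.InnerText } else { $null })
        SigningCertSubject    = $(if ($signing) { $signing.Subject } else { $null })
        SigningCertThumbprint = $(if ($signing) { $signing.Thumbprint } else { $null })
        SigningCertExpires    = $(if ($signing) { $signing.NotAfter } else { $null })
    }
}

Get-FederationMetadataSummary -Url $metadataUrl | Format-List
```

If EntityId comes back with a host other than the one you typed into the wizard, the federation service name and the certificate do not agree and the claims wizard will not be happy either. Record the SigningCertThumbprint: when the ADFS token-signing certificate rolls over, CRM's cached copy of this metadata goes stale, which is one of the situations the "Updating the ADFS Cache" tip later in this deck addresses.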
Configure Claims Wizard
From CRM Deployment Manager we can start to configure claims-based authentication:
• Select the IIS SSL certificate used for CRM.
• Enter the federation metadata URL provided at the end of the ADFS installation.
• Make sure to test this URL in your browser first, with no certificate errors; save it as a favorite and add it to the Trusted or Intranet sites zone.
• If the XML metadata is returned from the URL, the ADFS service is working correctly.
Configure Claims Wizard
Completion window after the Claims Wizard in Deployment Manager has finished:
This configures and confirms that the CRM federation services are working.
The URL shown on screen is at the bottom of the log file; click "View the log file" to copy the URL.
Restart IIS and test the URL before proceeding to ADFS setup.
This URL will set up the first Relying Party Trust with ADFS for CRM (internal).
Configure ADFS – Relying Party Trust
Configure the Claims Provider Trust for Active Directory: select Claims Provider Trusts, select Active Directory, select Edit Claim Rules, then Add Rule. The UPN claim rule maps the user principal name (UPN) attribute from AD to the UPN claim.
Configure ADFS – Relying Party Trust
Configure the Relying Party Trust for internal access: Add Relying Party Trust, then add the URL from the Claims Wizard.
Add 3 rules:
Pass Through UPN
Pass Through Primary SID
Transform Windows Account Name to Name
You can now test Kerberos to claims authentication by
Configure Internet Facing Deployment (IFD)
Inside Deployment Manager, click Configure Internet-Facing Deployment:
• Enter the ending of the domain name. Web Application and Organization Web Service should both be the same domainname.com.
• The Dev domain (dev.domainname.com) is used for the discovery web service and should match your DEV DNS entry. (It could be discovery.domainname.com too.)
Configure Internet Facing Deployment (IFD)
Next you will be prompted for the external domain: this is the AUTH.domainname.com address, not the ADFS address. The documentation uses the same URL as the STS server, which is not correct.
The end of the configuration will provide a URL to configure the relying party trust in ADFS.
Configure Internet Facing Deployment (IFD)
Success window for CRM IFD configuration. Perform an IIS reset on the CRM server now. Let's go back to ADFS and enter the
Configure ADFS Relying Party Trust
Open the ADFS wizard on the ADFS server: select Add Relying Party Trust.
Add the AUTH address URL (the same one shown on the last page of the CRM IFD wizard).
Add 3 rules:
Pass Through UPN
Pass Through Primary SID
Transform Windows Account Name to Name
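Both relying party trusts, the internal one from the Claims Wizard and the IFD one from the AUTH address, get the same three claim rules, so they are easiest to create the same way. The script below is an added example and not the author's or Microsoft's code: it uses the AD FS 2.0 PowerShell snap-in on the ADFS server to add each trust from CRM's federation metadata and to attach the three rules in claim rule language. The trust names and the two metadata URLs are assumptions; use the URLs the CRM wizards printed for you.

```powershell
# Added example (not from the slides): create the internal and IFD relying party trusts
# for CRM with the three claim rules from the deck. Trust names and URLs are assumptions.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Same three issuance transform rules for both trusts. The claim type URIs are the
# standard UPN, primary SID, Windows account name and name claim types.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Without an issuance authorization rule AD FS denies every user. Permit all here and
# leave the real authorization to CRM's own security roles.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

function Add-CrmRelyingPartyTrust {
    param([string]$Name, [string]$MetadataUrl)

    if (Get-ADFSRelyingPartyTrust -Name $Name) {
        Write-Host "Trust '$Name' already exists; updating its rules only"
    } else {
        # Pulls CRM's federation metadata, i.e. the URL the CRM wizard printed at the end
        Add-ADFSRelyingPartyTrust -Name $Name -MetadataUrl $MetadataUrl
    }
    Set-ADFSRelyingPartyTrust -TargetName $Name `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
    Get-ADFSRelyingPartyTrust -Name $Name | Select-Object Name, Identifier, Enabled
}

# Internal trust: URL from the Configure Claims-Based Authentication wizard
Add-CrmRelyingPartyTrust -Name 'CRM Claims Relying Party' `
    -MetadataUrl 'https://internalcrm.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'

# IFD trust: the AUTH address from the last page of the Configure IFD wizard
Add-CrmRelyingPartyTrust -Name 'CRM IFD Relying Party' `
    -MetadataUrl 'https://auth.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'
```

The Identifier printed at the end is what CRM puts in its own metadata and what ADFS matches incoming sign-in requests against; if CRM is later reconfigured with different URLs, that identifier changes and the trust has to be updated from metadata again.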
Minimum Requirements
Behind the Scenes
ADFS Pre Configuration
Download and deploy the public SSL certificate in IIS 7. Deploy AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2 and configure it to use the deployed certificate.
Download and install the Microsoft Online Services Sign-in Assistant and the Microsoft Online Services Module for Windows PowerShell.
Change security on the default URL from Anonymous Authentication to Windows Authentication.
Add the public domain URL to the Local Intranet zone.
Run the Microsoft Online Services Module for Windows PowerShell and convert your public domain to federated (the cmdlet is Connect-MsolService, singular; domain.com and the ADFS host name are placeholders):
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer adfs.domain.com
Convert-MsolDomainToFederated -DomainName domain.com
AD Sync Config
Checklist Summary
Tips and Tricks
Quick Checklist
BackConnectionHostNames Registry
Changing your ADFS login Name
Setting the IFD timeout
Multiple HTTPS Bindings
Internal Service Error 503 & 505
Updating ADFS Cache
401 Errors
Outlook Client V4 with CRM 2011
Caution on Cache
Quick Checklist
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621
BackConnectionHostNames
http://support.microsoft.com/kb/896861
Needed when the CRM or ADFS server has to reach its own site by FQDN with Windows authentication; without it the loopback check answers 401.1.
Setting the ADFS/IFD Timeout
HTTPS Binding
Internal Service Error 503
• Republish CRM customizations
• Restart IIS and/or reboot
• Reconfigure via the CRM wizards
Updating the ADFS Cache
Updating the ADFS cache is sometimes required when adding a new organization to an IFD deployment, after adding DNS entries, or when troubleshooting issues.
Updating is done from the ADFS Management console: under Relying Party Trusts, select the CRM trust and choose the Update from Federation Metadata option shown beside it.
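Three of the checklist items above (BackConnectionHostNames, the ADFS/IFD timeout, and updating the ADFS cache) are registry or ADFS settings that are quicker and more repeatable from PowerShell than from the GUI. The functions below are an added example, not the author's scripts; the host names and trust names are assumptions. The first runs on the CRM (or ADFS) server, the other two on the ADFS server with the AD FS 2.0 snap-in.

```powershell
# Added example (not from the slides): three "Tips and Tricks" items as PowerShell.
# Host names and relying party trust names are assumptions; substitute your own.

# 1. BackConnectionHostNames (KB 896861). Lets the server reach its own site by FQDN with
#    Windows authentication; without it the loopback check returns 401.1. Preferred over
#    DisableLoopbackCheck, which switches the protection off for every name.
function Set-BackConnectionHostNames {
    param([string[]]$HostNames)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $existing = @()
    $prop = Get-ItemProperty -Path $key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.BackConnectionHostNames) }

    # REG_MULTI_SZ, one host name per entry; merge so re-running does not drop names
    $merged = @($existing + $HostNames | Select-Object -Unique)
    Set-ItemProperty -Path $key -Name BackConnectionHostNames -Value $merged -Type MultiString
    # KB 896861: restart the IISAdmin service (or reboot) for the change to take effect
    $merged
}

# 2. ADFS/IFD timeout. AD FS issues the CRM token with this lifetime in minutes; a value
#    of 0 means the AD FS default. Longer tokens mean fewer re-logins and a longer window
#    in which a stolen token stays valid, so pick the number deliberately.
function Set-CrmTokenLifetime {
    param([string]$TrustName = 'CRM IFD Relying Party', [int]$Minutes = 480)

    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    Set-ADFSRelyingPartyTrust -TargetName $TrustName -TokenLifetime $Minutes
    (Get-ADFSRelyingPartyTrust -Name $TrustName).TokenLifetime
}

# 3. "Updating the ADFS cache": re-read CRM's federation metadata for each trust, the
#    same thing as Update from Federation Metadata in the console.
function Update-CrmTrustMetadata {
    param([string[]]$TrustNames = @('CRM Claims Relying Party', 'CRM IFD Relying Party'))

    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    foreach ($name in $TrustNames) {
        Update-ADFSRelyingPartyTrust -TargetName $name
        Get-ADFSRelyingPartyTrust -Name $name | Select-Object Name, Identifier, MetadataUrl
    }
}

# Usage (run each on the server it applies to):
Set-BackConnectionHostNames -HostNames 'internalcrm.domain.com', 'auth.domain.com', 'adfs.domain.com'
Set-CrmTokenLifetime -TrustName 'CRM IFD Relying Party' -Minutes 480
Update-CrmTrustMetadata
```

Update-CrmTrustMetadata is the one to reach for after publishing customizations or adding an organization, since either changes what CRM publishes at its metadata URL.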
IFD 404 Error & Workaround
A common error reported by external users after IFD is enabled:
This happens because ADFS cached a copy of the CRM federation metadata during the install, and that cached copy no longer matches what CRM currently publishes.
The fix is to publish all customizations (and, if the error persists, update the relying party trust from federation metadata as described under Updating the ADFS Cache).
If this continues for a specific user, update the user record: remove their name, replace it with a test name, save, and then put the domain name back again.
CRM Outlook Client 4
http://go.microsoft.com/fwlink/?LinkID=210780
http://go.microsoft.com/fwlink/?LinkId=205316
Caution on Cache
Closing & Q&A
Use the Microsoft Forums – Ask an MVP!
http://social.microsoft.com/Forums/en-US/category/dynamics
Please don't forget to accept the answer that helps you!
Collaborate on the CRMUG forums:
http://community.crmug.com/home