Configuring IFD for CRM 2011

Aishwarya C Ramachandran

Configuring IFD in Dynamics CRM 2011 for the first time? It can be quite confusing, I completely agree. But with this article it no longer is!

STEPS TO BE COMPLETED BEFORE FOLLOWING THIS ARTICLE
 
Install ADFS 2.0 on the default site in any machine within the domain
www.microsoft.com/en-us/download/details.aspx?id=10909
 
Dynamics CRM 2011 must be on another port if ADFS 2.0 is installed on the same machine.
 
Get a wildcard certificate
It is recommended to associate a wildcard certificate with the CRM website, so that the same certificate covers every organization when the environment has multiple CRM organizations, each reached through its own host name.

 
 
WHAT WE AIM TO ACHIEVE
 
Browse CRM 2011 over the internet at this URL: <orgname>.<domain>.com:<port number>
 
Let's begin.

STEP 1 : BIND A CERTIFICATE TO THE ADFS WEBSITE (DEFAULT WEBSITE)
 
Open up IIS manager
 
Default website ==> Click on 'Bindings' in the right-hand Actions pane ==> Add ==> Type: https; Port: 443 ==> SSL certificate: the wildcard certificate

STEP 2 : BIND A CERTIFICATE TO THE CRM WEBSITE
 
Open IIS manager
 
CRM website ==> Click on 'Bindings' in the right-hand Actions pane ==> Add ==> Type: https; Port: 444 ==> SSL certificate: the wildcard certificate
 
Please note: port 444 is an arbitrary number chosen for this demonstration.
 

 
STEP 3 : CREATION OF DNS ENTRIES
 
Start ==> Administrative Tools ==> DNS ==> <Name of your machine> ==> Forward Lookup Zones ==> <Domain Name>.com
 
Right click ==> New Host (A or AAAA)

Host name                 Points to
ADFS                      the machine that has ADFS 2.0 installed on it
<CRM organization name>   the machine that has CRM 2011 installed on it
Dev                       the machine that contains the discovery web service
Auth                      the machine that has CRM 2011 installed on it
Internalcrm               the machine that has CRM 2011 installed on it
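The five records from this table, as an added example that is not part of the original article: it creates them with dnscmd on the DNS server and then checks that each name resolves to the address registered for it. The zone name and the two server addresses are placeholders, and the discovery web service is assumed to live on the CRM server.

```powershell
# Added example, not the article's own script; zone and addresses are placeholders.
$zone       = "contoso.com"  # your <Domain Name>.com forward lookup zone
$adfsServer = "10.0.0.10"    # machine with ADFS 2.0 installed
$crmServer  = "10.0.0.20"    # machine with CRM 2011 (assumed to also host the discovery web service)

# Host name -> address, following the Step 3 table ("orgname" stands for your CRM organization name)
$records = @{
    "adfs"        = $adfsServer
    "orgname"     = $crmServer
    "dev"         = $crmServer
    "auth"        = $crmServer
    "internalcrm" = $crmServer
}

# dnscmd ships with the DNS Server role; /RecordAdd creates an A record in the zone.
# Run this elevated on the DNS server.
foreach ($name in $records.Keys) {
    dnscmd /RecordAdd $zone $name A $records[$name]
}

# Verify: each name must now resolve to the address registered for it
foreach ($name in $records.Keys) {
    $fqdn = "$name.$zone"
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -contains $records[$name]) {
        Write-Host "OK       $fqdn -> $($records[$name])"
    } else {
        Write-Warning "MISMATCH $fqdn resolved to '$resolved', expected $($records[$name])"
    }
}
```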

STEP 4 : LET'S CONFIGURE AD FS 2.0!
 
Open up AD FS 2.0 console
 

 
Click on 'Create a new Federation Service'


 
Click on 'Stand-Alone Federation Server' after reading the description that is given.
 

 
Make sure the Federation Service name you enter is the same name as the ADFS entry created in the DNS forward lookup zone in Step 3.
 

 
This next page of the wizard will show you the summary of what is about to be installed. Click Next to continue.
 
 

Wait for the configuration process to complete and click the Close button.
 

STEP 4 : CONFIGURING CLAIMS-BASED AUTHENTICATION ON THE CRM DEPLOYMENT MANAGER
 
CRM Deployment Manager ==> Select “Microsoft Dynamics CRM” ==> Right click ==> Properties ==> choose the “Web Address” section

Choose the Binding Type “HTTPS” and enter the entry created for accessing CRM internally within the domain. In our example it is Internalcrm.<domain>.com:<port number>
Click on 'Apply'
 

 
Launch the Deployment Manager on the CRM server and click on “Configure Claims-Based Authentication” in the right-hand Actions pane.
 

 
Type in the ADFS federation metadata URL.


 
Choose the wildcard certificate associated with the ADFS URL.


 
This step validates the federation metadata URL. Click Next to continue.
 

Click the Apply button.


   
STEP 5 : ADDING THE ACCOUNT THAT IS RUNNING THE CRM APPLICATION POOL TO THE WILDCARD CERTIFICATE
 
You may have to grant the account that runs the CRM application pool the “Read” privilege on the private key of the certificate used by the security token service. To do this:
 
Launch the MMC console, open the File menu and select Add/Remove Snap-in.


 
Select Certificates from the available snap-ins.
 

Choose the Computer Account and click Next in the Certificates Snap-In window. 

Click Finish on the next window.

Right click on the wildcard certificate and select All Tasks >> Manage Private Keys.

In this dialog, add the identity that runs the CRM application pool and grant it the Read permission.
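The same private key permission applied from PowerShell, as an added example that is not the article's own script: it locates the wildcard certificate, grants the application pool identity Read only, and reads the ACL back to confirm nothing broader was granted. The subject pattern and account name are placeholders, and the key is assumed to be a CSP key (the kind the MMC dialog above manages).

```powershell
# Added example, not the article's own script. Subject pattern and account are placeholders;
# assumes the wildcard certificate's key is a CSP (non-CNG) key, as the MMC dialog above manages.
$subjectPattern  = "CN=*.contoso.com*"       # the wildcard certificate bound in Steps 1 and 2
$appPoolIdentity = "CONTOSO\svc-crmapppool"  # account running the CRM application pool

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subjectPattern -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches $subjectPattern" }

# A CSP key container is a file under MachineKeys; this is the object the MMC dialog sets the ACL on
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw "Private key is not a CSP key; use the Manage Private Keys dialog instead" }
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Read (R) is all the application pool needs; do not grant Modify or Full Control on the key
icacls $keyFile /grant "${appPoolIdentity}:R" | Out-Null

# Verify the ACL now holds the intended Read entry, and nothing broader, for that identity
$entries = (Get-Acl $keyFile).Access | Where-Object { $_.IdentityReference.Value -eq $appPoolIdentity }
foreach ($e in $entries) {
    if ($e.FileSystemRights -match "FullControl|Modify|Write") {
        Write-Warning "$appPoolIdentity has $($e.FileSystemRights) on $($cert.Thumbprint): wider than Read"
    } else {
        Write-Host "OK: $appPoolIdentity has $($e.FileSystemRights) on certificate $($cert.Thumbprint)"
    }
}
if (-not $entries) { Write-Warning "No ACL entry for $appPoolIdentity on $keyFile" }
```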


 
STEP 6 : ADDING A RELYING PARTY TO ADFS 2.0

Click on the Add Relying Party Trust link under the Actions menu.

Click on the Start button in the Add Relying Party Trust Wizard window.

Enter the federation metadata address of the internal CRM URL.

Enter the display name and any applicable notes.

Select the option "Permit all users to access this relying party" and click on the Next button. 

Click on the Next button again.

Now let us go ahead and edit the claim rules for our internal CRM URL.

There are 3 rules we must add:

  1. User Principal Name
  2. Primary SID
  3. Windows account name to name

Click on the Add Rule button to create the rule for the User Principal Name.

Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as UPN and the Incoming claim type as UPN and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

Click on the Add Rule button to create the rule for the Primary SID. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Primary SID and the Incoming claim type as Primary SID and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

Click on the Add Rule button to create the rule for the Windows Account name to name. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Windows Account name to name and the Incoming claim type as Windows Account name to name and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

This page gives a summary of the rules added to the system.

Once these rules are added let us go ahead and edit the claim rules for Active Directory.

Right click on Active Directory and select Edit Claim Rules.

The claim rule template in this case is: Send LDAP Attributes as Claims

The Attribute Store is Active Directory and the Claim Rule name is UPN. LDAP Attribute: User-Principal-Name; Outgoing Claim Type: UPN

After an IISRESET on the CRM server, you should be able to access CRM with the internal CRM URL.

IFD CONFIGURATION

STEP 1 : CONFIGURE INTERNET FACING DEPLOYMENT IN THE DEPLOYMENT MANAGER

Click on 'Configure Internet-Facing Deployment' in the right-hand corner of the window.

Follow the snapshots given below. Click on the Next button.

Enter the URLs for the Web Application Server Domain, Organization Web Service Domain and the Discovery Web Service Domain and click on the Next button.

Enter the external domain where your Internet-facing servers are located and click on the Next button. 

This step checks the federation metadata entered.
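A read-only check of what this wizard step relies on, as an added example that is not part of the original article: it confirms that the ADFS, Internalcrm and Auth names resolve and that each federation metadata endpoint answers over HTTPS with the wildcard certificate. The domain and port are placeholders; the FederationMetadata.xml path is assumed to be the standard location used by ADFS 2.0 and CRM 2011.

```powershell
# Added example, not the article's own script; domain, port and the metadata path are assumptions.
$domain  = "contoso.com"
$crmPort = 444
$endpoints = @(
    "https://adfs.$domain/FederationMetadata/2007-06/FederationMetadata.xml",
    "https://internalcrm.${domain}:$crmPort/FederationMetadata/2007-06/FederationMetadata.xml",
    "https://auth.${domain}:$crmPort/FederationMetadata/2007-06/FederationMetadata.xml"
)
$certPattern = 'CN=\*\.' + [regex]::Escape($domain)   # subject of the wildcard certificate

foreach ($url in $endpoints) {
    $hostName = ([Uri]$url).Host
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "$hostName does not resolve: check the A record from Step 3"; continue
    }
    try {
        $req  = [System.Net.WebRequest]::Create($url)
        $resp = $req.GetResponse()
        $body = (New-Object IO.StreamReader $resp.GetResponseStream()).ReadToEnd()
        $resp.Close()
        # The ServicePoint keeps the certificate the server presented during the TLS handshake
        $subject = $req.ServicePoint.Certificate.Subject
        if ($subject -notmatch $certPattern) {
            Write-Warning "$hostName presented '$subject', not the wildcard certificate: check the IIS binding"
        }
        # Federation metadata is an EntityDescriptor whose entityID is the identifier ADFS will trust
        $entityId = ([xml]$body).EntityDescriptor.entityID
        Write-Host "OK $hostName ($ips) -> entityID $entityId"
    } catch {
        Write-Warning "$url failed: $($_.Exception.Message)"
    }
}
```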

STEP 2 : ADD RELYING PARTY TRUST IN AD FS 2.0

Click on the Add Relying Party Trust link from the Actions menu.

Click on the Start button.

Enter the federation metadata address and click on the Next button.

 

Enter the display name and click Next button.

 

Choose the option "Permit all users to access this relying party" and click on the Next button.

 

Review the trust details and click on the Next button.

 

Right click on the relying party trust which you have created and click on the Edit Claim Rules menu.

Click on the Add Rule button to create the rule for the User Principal Name.

Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as UPN and the Incoming claim type as UPN and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

Click on the Add Rule button to create the rule for the Primary SID. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Primary SID and the Incoming claim type as Primary SID and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

Click on the Add Rule button to create the rule for the Windows Account name to name. Select the Claim rule template as "Pass Through or Filter an Incoming Claim" and click on the Next button.

Enter the Claim Rule Name as Windows Account name to name and the Incoming claim type as Windows Account name to name and choose the option as "Pass through all claim values" and click on the Finish button to save the rule.

Perform an IIS reset. Browse your CRM using <org name>.<domain>.com
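Both relying party trusts with their claim rules, the one for the internal CRM URL from Step 6 above and the one for the external URL from IFD Step 2, plus the Active Directory LDAP rule from Step 6, as an added PowerShell example that is not the article's own. It assumes the ADFS 2.0 PowerShell snap-in on the federation server, placeholder host names internalcrm/auth.contoso.com on port 444, and the standard FederationMetadata.xml path; the rule text is what the wizard writes for the same choices.

```powershell
# Added example, not the article's own script; host names and port 444 are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
# The three "Pass Through or Filter an Incoming Claim" rules, in the claim rule language the wizard writes
$issuanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Windows account name to name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
"@
# "Permit all users to access this relying party"
$authzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
# One trust per federation metadata document: the internal CRM URL, then the IFD (auth) URL
$trusts = @{
    "CRM internal" = "https://internalcrm.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml"
    "CRM IFD"      = "https://auth.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml"
}
foreach ($name in $trusts.Keys) {
    Add-ADFSRelyingPartyTrust -Name $name -MetadataUrl $trusts[$name]
    Set-ADFSRelyingPartyTrust -TargetName $name -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules
}
# Claims provider side: the "Send LDAP Attributes as Claims" rule for UPN on the Active Directory trust.
# Append to the existing acceptance rules; replacing them would drop the default pass-through rules.
$ldapRule = @"

@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@
$ad = Get-ADFSClaimsProviderTrust -Name "Active Directory"
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules ($ad.AcceptanceTransformRules + $ldapRule)
# Verify: each relying party trust should now carry the three issuance rules
foreach ($name in $trusts.Keys) {
    $rp = Get-ADFSRelyingPartyTrust -Name $name
    Write-Host "$name : $(([regex]::Matches($rp.IssuanceTransformRules, '@RuleName')).Count) issuance rules"
}
```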

Update 08/21/2012 - Updated the name of the server which the Auth URL should point to. Please refer to the table.

 

VOILA! You have your IFD in place! :)