

Introductions
Christopher Cognetta
Practice Manager, Client Field Engineering
Microsoft Dynamics CRM MVP
chris.cognetta@tribridge.com
CRMUG Chairperson, Miami & Tampa Co-Chair
250+ Dynamics CRM implementations & upgrades, 80+ with ADFS & IFD
Infrastructure / application architecture guru
BLOG: www.cognettacloud.com
TWITTER: @ccognetta

Agenda

What is ADFS?
Active Directory Federation Services (ADFS) is Microsoft's Security Token Service (STS), designed to provide or federate single sign-on (SSO) with other security providers (AD, Windows Live, Office 365, and many others). Mobile and cloud-based ISV add-ons often require your CRM to be ADFS/IFD (Internet Facing Deployment) enabled.

So why is ADFS so challenging to implement?

ADFS interacts with most of the following technologies:
Active Directory, PKI, Firewall, Domain Name Service, Proxy Servers, Certificate Authority, SSL, Internet Facing Deployment (IFD), IIS, Certificates (Server/Desktop), Outlook Clients, DMZ, Ports, Hosts, Claims Authentication, NTLM, Kerberos, SPNs, ACL Reservations, Cloud

These varied technologies make ADFS challenging for an organization to implement. Pre-planning and teamwork are essential to a successful ADFS implementation.

ADFS Diagrams
(Figures) Standard Authentication; Internal ADFS; Other Identity Stores (AD, Windows Live, Oracle, etc.)

Preparation
Internal and External DNS Entries
Deployment Options
CRM and ADFS Installation Tips
ADFS Screen Shots
Quick Check List
Tips and Tricks

Internal & External DNS
(Diagram) Internal and external DNS entries; optional Dev.domain.com entry. External DNS entries at the ISP or host point to the external IP of the firewall.

Firewall Overview
(Diagram) Internal IP; port forward all URLs to the web server: CRM on port 443, ADFS on port 444 (ADFS on port 443 when it runs on its own ADFS server).

All URLs except ADFS will port forward to the CRM web server on port 443. ADFS will be configured as a separate website under port 444. Recommended: a standalone ADFS server under port 443.
ADFS must be the default website (Site #1 in the IIS Sites list). If implementing ADFS and CRM on the same server, CRM must be installed on its own port, not on the default site.

ADFS Deployment Options
(Diagram) Three options. Components shown: the external IP and firewall; a DMZ holding an ADFS proxy and/or a web server; an internal ADFS server on port 443; and a web backend server on the internal IP running CRM on port 443 with ADFS on port 444.

Certificates Required

Some security teams do not want to use wildcard certificates like *.domainname.com

Certificate Warnings
(Screenshot) HTTPS://crm.domain.com with no certificate warnings: ALL SYSTEMS GO

Managing SSL Certificates

ADFS & CRM Installation Tips


http://www.Microsoft.com/download/en/details.aspx?id=10909

Configuring CRM URL for HTTPS

Use the CRM Deployment Manager to configure the CRM internal URLs: set HTTPS and name the web address to match your certificate. Manually set the HTTPS 443 binding and SSL certificate in IIS, then restart IIS; changes in this section require an IIS restart to take effect. Once ADFS is deployed, internal users will use the https://internalcrm.domainname.com URL for SSO access.

ADFS Installation Tips


Tip: pre-configure the ADFS server/website IIS binding and certificate before installing. Once ADFS installs, the configuration wizard appears and prompts for the name of your federation service; it should match the ADFS URL, e.g. ADFS.domainname.com.


ADFS Installation Testing


The following URL is provided to test that the ADFS Federation Service is working: https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml. Note: the port is required in the URL if ADFS is not running under 443.
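To make the metadata check above repeatable from the ADFS or CRM server, here is an added PowerShell example (not from the deck): it requests the federation metadata document, confirms the response is SAML entity metadata, and lists the token-signing certificates with their expiry. The function name, the host name adfs.domain.com and port 444 are assumptions; the URL path is the one the slide gives.

```powershell
# Added example, not from the original deck. Fetches the ADFS federation
# metadata and reports the service identifier and token-signing certificate(s).
function Test-AdfsFederationMetadata {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # e.g. adfs.domain.com (placeholder)
        [int]$Port = 443
    )

    # The deck notes the port must appear in the URL when ADFS is not on 443.
    $authority = if ($Port -eq 443) { $HostName } else { "{0}:{1}" -f $HostName, $Port }
    $url = "https://$authority/FederationMetadata/2007-06/FederationMetadata.xml"
    Write-Host "Requesting $url"

    # WebClient validates the server certificate. A name mismatch or untrusted
    # chain throws here, which is the same failure the deck asks you to rule out
    # in the browser. Do not disable validation to get past it; fix the binding.
    $client = New-Object System.Net.WebClient
    [xml]$metadata = $client.DownloadString($url)

    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

    $entity = $metadata.SelectSingleNode("/md:EntityDescriptor", $ns)
    if ($entity -eq $null) { throw "Response is not SAML entity metadata" }
    $entityId = $entity.GetAttribute("entityID")
    Write-Host ("Federation service identifier: {0}" -f $entityId)

    # Token-signing certificates: relying parties (CRM) validate tokens with these,
    # so an expiring one is the first thing to check when SSO suddenly breaks.
    $certNodes = $metadata.SelectNodes(
        "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    $seen = @{}
    foreach ($node in $certNodes) {
        $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }   # listed once per role descriptor
        $seen[$cert.Thumbprint] = $true
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Write-Host ("Signing cert {0} thumbprint {1} expires in {2} days" -f $cert.Subject, $cert.Thumbprint, $days)
        if ($days -lt 30) { Write-Warning "Token-signing certificate expires within 30 days; plan the rollover" }
    }
    return $entityId
}

# Usage for the deck's layout, ADFS as a separate site on port 444 (host name is a placeholder):
# Test-AdfsFederationMetadata -HostName "adfs.domain.com" -Port 444
```

If the call throws before any output, the failure is at the TLS layer (certificate name, chain or binding), exactly the class of error the slide says to clear in the browser first; once the entityID prints, the 503 / IISReset class of problems is ruled out as well.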

Configure Claims Wizard


From the CRM Deployment Manager we can start to configure claims-based authentication. The federation metadata URL is provided at the end of the ADFS installation; test it in your browser and make sure there are no certificate errors, then save it as a favorite and as a trusted or intranet site. Receiving the XML metadata from the URL confirms the ADFS service is working correctly; common errors like 503 require an IISReset. Select the IIS SSL certificate used for the CRM URL.

Configure Claims Wizard


Completion window after the Claims Wizard in Deployment Manager has run: this configures and confirms that the CRM federation services are working. The URL shown on screen is also at the bottom of the log file; click "View the log file" to copy it. Restart IIS and test the URL before proceeding to ADFS setup. This URL will set up the first Relying Party Trust in ADFS for CRM (internal).

Configure ADFS Relying Party: Configure the Claims Provider Trust

Configure the Claims Provider Trust for Active Directory: select Claims Provider Trusts, select Active Directory, select Edit Claim Rules, then Add Rule. Add a UPN claim rule, which matches the User Principal Name to the UPN field.

Configure ADFS Relying Party Trust


Configure the Relying Party Trust for internal access: Add Relying Party Trust, add the URL from the Claims Wizard, and add 3 rules: pass through UPN, pass through Primary SID, and transform Windows Account Name to Name. You can now test Kerberos-to-claims authentication via the https://internalcrm link.

Configure Internet Facing Deployment IFD


Inside Deployment Manager, click Configure IFD and enter the ending of the domain name. Web Application and Organization Service should both be the same domainname.com. The dev domain is used for the discovery web server and should match your DEV DNS entry (it could be "discovery" too!).

Configure Internet Facing Deployment IFD


Next you will be prompted for the external domain. This is the AUTH.domainname.com address, not the ADFS address. The documentation uses the same URL as the STS server, which is not correct. The end of the configuration will provide a URL to configure the relying party trust in ADFS.

Configure Internet Facing Deployment IFD


Success window for the CRM IFD configuration. Perform an IIS reset on the CRM server now. Then go back to ADFS and enter the external trust.

Configure ADFS Relying Party Trust


Open the ADFS wizard on the ADFS server: select Add Relying Party Trust and add the AUTH address URL (same as the last page of the CRM IFD wizard). Add 3 rules: pass through UPN, pass through Primary SID, and transform Windows Account Name to Name. IIS reset one last time.
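The internal trust from the Claims Wizard and this external AUTH trust carry the same three issuance rules, so here is one added PowerShell example (not from the deck) that scripts both with the AD FS 2.0 snap-in instead of clicking through the wizard twice. The trust names, the function name and the two metadata URLs are placeholders; take the real URLs from the Claims Wizard and IFD wizard log files.

```powershell
# Added example, not from the original deck. Creates or refreshes the two CRM
# relying party trusts in AD FS 2.0 and applies the deck's three claim rules.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Issuance transform rules in AD FS claim rule language:
#   1. pass through UPN, 2. pass through Primary SID,
#   3. transform Windows account name into the Name claim.
$crmIssuanceRules = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Pass through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleName = "Transform Windows account name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

# Issuance authorization rule: without one AD FS denies every token request
# for the trust, which shows up as an access denied page rather than a login.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

function New-CrmRelyingPartyTrust {
    param(
        [Parameter(Mandatory = $true)][string]$Name,        # display name, placeholder
        [Parameter(Mandatory = $true)][string]$MetadataUrl  # URL from the CRM wizard log
    )
    if (Get-ADFSRelyingPartyTrust -Name $Name) {
        # Re-reading the metadata is the "Update Federation Metadata" step the deck
        # describes under "Updating the ADFS Cache".
        Update-ADFSRelyingPartyTrust -TargetName $Name
    } else {
        Add-ADFSRelyingPartyTrust -Name $Name -MetadataUrl $MetadataUrl
    }
    Set-ADFSRelyingPartyTrust -TargetName $Name `
        -IssuanceTransformRules $crmIssuanceRules `
        -IssuanceAuthorizationRules $permitAll
}

# Internal (claims) trust: URL from the Configure Claims Wizard log file (placeholder).
New-CrmRelyingPartyTrust -Name "CRM Claims Relying Party" `
    -MetadataUrl "https://internalcrm.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml"

# External (IFD) trust: AUTH address from the last page of the IFD wizard (placeholder).
New-CrmRelyingPartyTrust -Name "CRM IFD Relying Party" `
    -MetadataUrl "https://auth.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml"

# As the deck says: IIS reset one last time, on the ADFS and CRM servers.
```

The authorization rule is deliberately a plain permit, matching what the wizard creates; restricting it to a group claim is where a tighter deployment would start, but that is beyond what the slides cover.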

Test the CRM Deployment

Overview

Minimum Requirements

Behind the Scenes


3 hrs.

ADFS Pre Configuration


Download and deploy the public SSL certificate in IIS 7. Deploy AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2 and configure it to use the deployed certificate. Download and install the Microsoft Online Services Sign-in Assistant and the Microsoft Online Services Module for PowerShell. Change security on the default URL from Anonymous Authentication to Windows Authentication. Add the public domain URL to the Local Intranet zone. Run the Microsoft Online Services Module for PowerShell and convert your public domain to federated:

    Import-Module MSOnline                               # Microsoft Online Services Module for PowerShell
    $cred = Get-Credential                               # Online Services administrator credentials
    Connect-MsolService -Credential $cred                # the cmdlet is Connect-MsolService (singular)
    Convert-MsolDomainToFederated -DomainName <domain>   # run on the AD FS server; <domain> is your public domain

Microsoft Online Services Config

AD Sync Config

Troubleshooting

Checklist Summary
(Slide image) Five numbered checklist items, two of them marked Optional.

Tips and Tricks


Quick Checklist
BackConnectionHostNames Registry
Changing your ADFS login name
Setting the IFD timeout
Multiple HTTPS bindings
Internal Service Error 503 & 505
Updating ADFS cache
401 errors
Outlook Client V4 with CRM 2011
Caution on cache

Quick Checklist
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621

BackConnectionHostNames

http://support.microsoft.com/kb/896861
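KB 896861 is the loopback-check fix: Windows rejects integrated authentication when a server addresses itself by a host name other than its own, which is exactly what a CRM server calling its own internalcrm or auth URL does. As an added PowerShell example (not from the deck), here is the registry change scripted so it can be re-run safely. The function name and the host names are assumptions built from the deck's placeholders; the key and value name are the ones the KB documents.

```powershell
# Added example, not from the original deck. Registers the CRM and ADFS host
# names in BackConnectionHostNames (KB 896861, method 1).
function Set-BackConnectionHostNames {
    param([Parameter(Mandatory = $true)][string[]]$HostNames)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # Keep whatever names are already registered so rerunning never drops one.
    $existing = @()
    $prop = Get-ItemProperty -Path $key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.BackConnectionHostNames) }

    $merged = @(($existing + $HostNames) |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    # REG_MULTI_SZ, one FQDN per entry. This is the KB's recommended method
    # because it is scoped to the listed names. The alternative it describes,
    # DisableLoopbackCheck=1, switches the protection off for every name on the
    # machine and is not appropriate on an internet-facing server.
    New-ItemProperty -Path $key -Name BackConnectionHostNames -PropertyType MultiString `
        -Value $merged -Force | Out-Null

    Write-Host "BackConnectionHostNames now contains: $($merged -join ', ')"
    Write-Host "Restart the IISAdmin service (or reboot) for the change to take effect."
    return $merged
}

# Host names follow the deck's naming; replace with your own.
Set-BackConnectionHostNames -HostNames @(
    'internalcrm.domainname.com',
    'adfs.domainname.com',
    'auth.domainname.com',
    'dev.domainname.com'
)
```

Run it elevated on each server that hosts a CRM or ADFS site; the 401 loop it fixes is only visible from the server itself (or from another server using that host name), which is why it usually surfaces when the Claims or IFD wizard, not a user, hits the URL.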

Changing ADFS Login Name


Setting the ADFS/IFD Timeout


HTTPS Binding

Internal Service Error 503


Republish CRM customizations. Restart IIS and/or reboot. Reconfigure via the CRM wizards. See the www.cognettacloud.com blog for the URL reservations issue.

Updating the ADFS Cache


Updating the ADFS cache is sometimes required when adding a new organization or IFD deployment, adding DNS entries, or troubleshooting issues. Updating is done from the ADFS configuration tool: with Relying Party Trusts selected, you will see an option on the left to Update Federation Metadata. Remember to restart IIS.

IFD 404 Error & Workaround


A common error reported by external access users after IFD is enabled. This happens because ADFS cached a copy of the CRM metadata during the install, and that cached copy no longer matches the current metadata. The fix is to publish all customizations. If this continues for a specific user, update the user record by removing their name, replacing it with a test name, saving, and then replacing the domain name again. This should be OK after UR 11.

CRM Outlook Client 4

http://go.microsoft.com/fwlink/?LinkID=210780

http://go.microsoft.com/fwlink/?LinkId=205316

Caution on Cache

Closing & Q&A


Use the Microsoft Forums: Ask an MVP! http://social.microsoft.com/Forums/en-US/category/dynamics (please don't forget to accept the answer that helps you). Collaborate on the CRMUG forums: http://community.crmug.com/home. Check the www.cognettacloud.com blog for the latest issues & resolutions.
