Scenario
We have a CRM server that we need to configure for IFD. We currently have CRM published internally on http://crm.contoso.com. We have no ADFS server currently set up, so we will be setting that up from scratch.
The steps below walk through setting up IFD and also explain how you can publish the IFD/ADFS setup via UAG or TMG.
CRM Server Name = CRMSERVER
UAG Server Name = UAGSERVER
ADFS Server Name = ADFSSERVER
Pre-Requisites
You will need the following before we start configuring IFD and ADFS.
Certificate SAN Names
A wildcard certificate will be your best bet for this process, but if this is not an option for you then you will need the following SAN names:
1. adfs.contoso.com – URL for ADFS
2. crm.contoso.com – URL for internal CRM
3. dev.contoso.com – CRM Web Service Discovery domain
4. auth.contoso.com – CRM external domain
5. orgname.contoso.com – URL for external CRM
6. adfsportal.contoso.com – UAG trunk URL (needed only if using UAG to publish)
External IP Addresses
One IP address will be needed if you're publishing via UAG:
1. adfs.contoso.com, adfsportal.contoso.com, dev.contoso.com, auth.contoso.com, orgname.contoso.com
Two IP addresses will be needed if you're publishing via TMG:
1. adfs.contoso.com
2. dev.contoso.com, auth.contoso.com, orgname.contoso.com
External/Internal DNS Records
You will need to create internal and external DNS records for the following:
1. adfs.contoso.com – point to ADFS server
2. adfsportal.contoso.com – point to ADFS server (only needed if using UAG)
3. dev.contoso.com – point to CRM server
4. auth.contoso.com – point to CRM server
5. orgname.contoso.com – point to CRM server
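A quick way to confirm the two pre-requisites above before touching any wizard: that the certificate actually covers every required name and that each name resolves. This is an added check, not part of the original guide; it assumes the six names listed above, a placeholder thumbprint you replace with your own, and that the wildcard/SAN certificate is already in the Local Computer\Personal store of the server it runs on.

```powershell
# Added pre-requisite check, not part of the original guide.
# $CertThumbprint is a placeholder: put your certificate's thumbprint here.
$CertThumbprint = 'PLACEHOLDER_THUMBPRINT'
$RequiredNames  = @('adfs.contoso.com', 'crm.contoso.com', 'dev.contoso.com',
                    'auth.contoso.com', 'orgname.contoso.com', 'adfsportal.contoso.com')

# Names the certificate is valid for: the subject CN plus every DNS entry in the SAN extension.
$cert = Get-Item "Cert:\LocalMachine\My\$CertThumbprint"
$certNames = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
if ($sanExt) {
    # Format($false) yields "DNS Name=adfs.contoso.com, DNS Name=crm.contoso.com, ..."
    $certNames += ($sanExt.Format($false) -split ',\s*') |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1] }
}

# A name is covered by an exact SAN entry or by a wildcard matching exactly one label,
# so *.contoso.com covers adfs.contoso.com but not a.b.contoso.com.
function Test-NameCovered([string]$Name, [string[]]$Covered) {
    $Name = $Name.ToLower()
    foreach ($c in $Covered) {
        $c = $c.ToLower()
        if ($c -eq $Name) { return $true }
        if ($c.StartsWith('*.') -and $Name.EndsWith($c.Substring(1)) -and
            $Name.Split('.').Count -eq $c.Split('.').Count) { return $true }
    }
    return $false
}

# Run once on an internal host and once from outside: internal records must point at
# ADFSSERVER/CRMSERVER, external ones at the UAG/TMG public IP.
foreach ($n in $RequiredNames) {
    $certOk = Test-NameCovered $n $certNames
    try   { $resolved = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString } }
    catch { $resolved = @('(no DNS record)') }
    '{0,-24} cert covered: {1,-5} resolves to: {2}' -f $n, $certOk, ($resolved -join ', ')
}
```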
Disable Loopback Check on ADFS Server
Also disable the loopback check on your ADFS server, unless your ADFS URL is the hostname of your server; otherwise ADFS won't authenticate and you will receive a 401.1. Note that DisableLoopbackCheck switches off the NTLM reflection protection for every host name on the server; the narrower alternative is to list just the federation service name (adfs.contoso.com) in the BackConnectionHostNames multi-string value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.
How to Set up CRM 2011 IFD
These steps explain what we need to run through in the setup wizards for CRM and ADFS, in chronological order.
ADFS
1. Install ADFS 2.0 on a separate server to CRM, named ADFSSERVER
2. Import the certificate from the pre-reqs onto the ADFS site in IIS
3. Configure ADFS and choose a Stand-Alone Federation Server deployment
4. Choose the wildcard/SAN certificate that you requested as part of the pre-reqs and set the Federation Service name to adfs.contoso.com
CRM
1. Open the CRM Deployment Manager
2. Right-click Microsoft Dynamics CRM, choose Properties and go to the Web Address tab
3. Change the binding to HTTPS and configure the following:
· Web Application Server: crm.contoso.com
· Organization Web Service: crm.contoso.com
· Discovery Web Service: crm.contoso.com
· Deployment Web Service: crm.contoso.com
4. Open IIS and bind the wildcard/SAN certificate to the CRM website.
DNS
1. Create an external DNS record for adfs.contoso.com and point it to the IP on the UAG server, and create an internal record for adfs.contoso.com and point it to ADFSSERVER
2. Also create an internal record for crm.contoso.com to point to CRMSERVER
CRM
1. Open the CRM Deployment Manager
2. Right-click Microsoft Dynamics CRM and run the Configure Claims-Based Authentication wizard.
3. The Federation Metadata URL will be https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml
4. Select the wildcard/SAN certificate to use
5. Hit Next and Finish
6. Open the Certificates (Local Computer) MMC snap-in
7. Browse to the wildcard/SAN certificate
8. Right-click the certificate, go to All Tasks and then Manage Private Keys
9. Add the service account responsible for running the CRMAppPool and give it Read permissions (check this by opening IIS on CRMSERVER > expand the server name > Application Pools and check the identity responsible for running the CRMAppPool; it may also be running under the Network Service account)
10. Run an IISRESET
ADFS
1. Try browsing to https://crm.contoso.com/federationmetadata/2007-06/federationmetadata.xml to make sure the federation metadata loads.
2. In the ADFS console add a Relying Party Trust
3. Choose the option “Import data about the relying party published online or on a local network”, with Federation Metadata address https://crm.contoso.com/federationmetadata/2007-06/federationmetadata.xml
4. Set the Display Name to “Internal CRM”
5. Select “Permit all users to access this relying party”
6. Press Finish; now we will need to add a few Transform Claim Rules
7. Choose the “Pass Through or Filter an Incoming Claim” template
· Claim Rule Name: Pass Primary SID
· Incoming Claim Type: Primary SID
· Pass through all claim values
8. Choose the “Pass Through or Filter an Incoming Claim” template
· Claim Rule Name: Pass UPN
· Incoming Claim Type: UPN
· Pass through all claim values
9. Choose the “Transform an Incoming Claim” template
· Claim Rule Name: Transform Windows Account Name to Name
· Incoming Claim Type: Windows Account Name
· Outgoing Claim Type: Name
· Pass through all claim values
10. Press Finish, then expand Trust Relationships
11. Go to Claims Provider Trusts, right-click Active Directory and choose Edit Claim Rules
12. Now hit Add Rule
13. Choose the “Send LDAP Attributes as Claims” template
· Claim rule name: Send UPN from AD to Claims
· Attribute store: Active Directory
· LDAP Attribute: User-Principal-Name
· Outgoing Claim Type: UPN
CRM
1. Try browsing to https://crm.contoso.com and you should notice an ADFS screen flicker up and then disappear
2. Now choose Configure Internet-Facing Deployment
· Web Application Server Domain: contoso.com
· Organization Web Service Domain: contoso.com
· Discovery Web Service Domain: dev.contoso.com
3. Hit Next and use auth.contoso.com for the External Domain
DNS
1. Create an external DNS record for auth.contoso.com and point it to the UAGSERVER/TMGSERVER
2. Create an external DNS record for dev.contoso.com and point it to the UAGSERVER/TMGSERVER
3. Create an external DNS record for orgname.contoso.com and point it to the UAGSERVER/TMGSERVER
4. Create an internal DNS record for auth.contoso.com and point it to the CRMSERVER
5. Create an internal DNS record for dev.contoso.com and point it to the CRMSERVER
6. Create an internal DNS record for orgname.contoso.com and point it to the CRMSERVER
ADFS
1. In the ADFS console add a Relying Party Trust
2. Choose the option “Import data about the relying party published online or on a local network”, with Federation Metadata address https://auth.contoso.com/federationmetadata/2007-06/federationmetadata.xml
3. Set the Display Name to “External CRM”
4. Select “Permit all users to access this relying party”
5. Choose the “Pass Through or Filter an Incoming Claim” template
· Claim Rule Name: Pass Primary SID
· Incoming Claim Type: Primary SID
· Pass through all claim values
6. Choose the “Pass Through or Filter an Incoming Claim” template
· Claim Rule Name: Pass UPN
· Incoming Claim Type: UPN
· Pass through all claim values
7. Choose the “Transform an Incoming Claim” template
· Claim Rule Name: Transform Windows Account Name to Name
· Incoming Claim Type: Windows Account Name
· Outgoing Claim Type: Name
· Pass through all claim values.
We now have a decision to make on how we want to publish CRM 2011 IFD, either by UAG or by TMG:
Option 1 = UAG
Option 2 = TMG
Option 1 – UAG
UAG
Create Authentication Repository
1. Open the UAG console; we now need to configure an ADFS authentication repository
2. In the Forefront UAG console, on the Admin menu, click Authentication and Authorization Servers
3. On the Authentication and Authorization Servers dialog box click Add
4. Choose ADFS 2.0 as the Server type and on the Add Authentication Server dialog set:
· Server Name: ADFSSERVER
· URL of Metadata File: https://adfs.contoso.com/FederationMetadata/2007-06/federationmetadata.xml
5. Choose Retrieve Metadata
6. Select the Claim Type Name from the list.
7. Now select OK and Close
Create Portal Trunk
1. In the Forefront UAG Management console, right-click HTTPS Connections, then click New Trunk
2. Trunk Type will be Portal Trunk; click Next
3. Settings for the trunk:
· Trunk Name – ADFS
· Public Host Name – adfsportal.contoso.com
· IP Address – external IP address of your choice that has the appropriate DNS records pointing to it
4. Add the ADFS Authentication Server created above and hit Next
5. Choose the wildcard/SAN certificate and choose Next
6. Choose Use UAG Forefront Endpoint Policies
7. Hit Finish and Activate Settings (make a note of the metadata file) “https://adfs.contoso.com/InternalSite/ADFSv2Sites/ADFS/FederationMetadata/2007-06/FederationMetadata.xml”
ADFS
1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
2. Under the AD FS 2.0\Trust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
3. On the Welcome page, click Start.
4. On the Select Data Source page, choose to import data about the relying party published online or on a local network.
5. Use the Federation metadata URL “https://UAGSERVER.contoso.com/InternalSite/ADFSv2Sites/ADFS/FederationMetadata/2007-06/FederationMetadata.xml”
6. On the Specify Display Name page, in Display name type UAG, and then click Next.
7. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.
8. Click Next to save your relying party trust information.
9. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.
10. Choose the “Pass Through or Filter an Incoming Claim” template
· Claim Rule Name: Pass Primary SID
· Incoming Claim Type: Primary SID
· Pass through all claim values
11. Choose the “Pass Through or Filter an Incoming Claim” template
· Claim Rule Name: Pass UPN
· Incoming Claim Type: UPN
· Pass through all claim values
12. Choose the “Transform an Incoming Claim” template
· Claim Rule Name: Transform Windows Account Name to Name
· Incoming Claim Type: Windows Account Name
· Outgoing Claim Type: Name
· Pass through all claim values
13. Press Finish, then expand Trust Relationships
14. Go to Claims Provider Trusts, right-click Active Directory and choose Edit Claim Rules
15. Now hit Add Rule
16. Choose the “Send LDAP Attributes as Claims” template
· Claim rule name: Send UPN from AD to Claims
· Attribute store: Active Directory
· LDAP Attribute: User-Principal-Name
· Outgoing Claim Type: UPN
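The relying party trusts and the same three claim rules are created by hand three times on this page (Internal CRM, External CRM and, for Option 1, UAG). The script below applies them with the AD FS 2.0 PowerShell snap-in instead; it is an added example, not code from the original guide, and assumes it runs on ADFSSERVER as an ADFS administrator and that the claim type URIs are the standard ones behind the wizard's friendly names.

```powershell
# Added example, not from the original guide. Assumes it runs on ADFSSERVER as an ADFS admin.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
# Standard claim type URIs behind the wizard's friendly names.
$PrimarySid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$Upn        = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$WinAccount = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$NameClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Pass Primary SID, Pass UPN, Transform Windows Account Name to Name (claim rule language).
$TransformRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Primary SID"
c:[Type == "$PrimarySid"] => issue(claim = c);
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass UPN"
c:[Type == "$Upn"] => issue(claim = c);
@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$WinAccount"] => issue(Type = "$NameClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@
# "Permit all users to access this relying party".
$PermitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# One trust per metadata endpoint; for Option 1 add the UAG trust with the
# metadata URL noted when the trunk was activated.
$Trusts = @{
    'Internal CRM' = 'https://crm.contoso.com/federationmetadata/2007-06/federationmetadata.xml'
    'External CRM' = 'https://auth.contoso.com/federationmetadata/2007-06/federationmetadata.xml'
}
foreach ($displayName in $Trusts.Keys) {
    Add-ADFSRelyingPartyTrust -Name $displayName -MetadataUrl $Trusts[$displayName]
    Set-ADFSRelyingPartyTrust -TargetName $displayName -IssuanceTransformRules $TransformRules -IssuanceAuthorizationRules $PermitAll
}

# "Send UPN from AD to Claims" on the Active Directory claims provider trust. The rule is
# appended to the existing acceptance rules so the AD trust's default rules are not overwritten.
$LdapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN from AD to Claims"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("$Upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@
$ad = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($ad.AcceptanceTransformRules + "`n" + $LdapRule)
```

Open each trust in the AD FS 2.0 Management console afterwards and compare the Edit Claim Rules dialog with the wizard steps above; the rule names match what the wizard would have produced.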
UAG
Publish CRM 2011
1. Open the UAG console
2. Publish the CRM server using the Microsoft Dynamics CRM 2011 template
3. In the main portal properties page on the ADFS trunk, in Applications, click Add.
4. On the Select Application page of the Add Application Wizard, select Web, and then select Microsoft Dynamics CRM 2011. Then click Next.
5. On the Configure Application page, specify the name CRM 2011. This name will appear in the portal. Then click Next.
6. Choose Configure an Application Server
7. On the Web Servers page the Address should be the internal URL of CRM, which is crm.contoso.com
8. The public host name will be the organization host name, “orgname.contoso.com”
9. On the Authentication page select the ADFS 2.0 authentication server and choose 401 Request
10. In the Forefront UAG Management console, in the application list, click the AD FS 2.0 application, click Edit, and on the Application Properties dialog box, on the Authentication tab, select the Allow unauthenticated access to web server check box.
11. On the Forefront UAG server in the Forefront UAG Management console, publish the Microsoft Dynamics CRM Discovery Web Service domain “dev.contoso.com” using the Other Web Application (application specific name) template.
12. On the Web Servers page the Address should be the internal URL of crm.contoso.com
13. The public host name will be the external URL “dev.contoso.com”
14. On the Authentication page select the ADFS 2.0 authentication server and choose 401 Request
15. On the Portal Link page, clear the Add a portal and toolbar link check box.
16. On the Forefront UAG server in the Forefront UAG Management console, publish the external domain selected during configuration of IFD for Microsoft Dynamics CRM, which is auth.contoso.com, using the Other Web Application (application specific name) template.
17. On the Web Servers page the Address should be the internal URL of crm.contoso.com
18. The public host name will be the external URL “auth.contoso.com”
19. On the Authentication page select the ADFS 2.0 authentication server and choose 401 Request
20. On the Portal Link page, clear the Add a portal and toolbar link check box.
21. Make sure the CRM 2011 application is above the external domain and discovery service domain applications in the list
Option 2 – TMG
TMG
1. On TMG create a web listener called CRM IFD
2. Select “Require SSL secure connection with clients”
3. Select External and assign the 2 IPs to the listener that you have assigned for “auth.contoso.com, dev.contoso.com, orgname.contoso.com and adfs.contoso.com”
4. Assign the appropriate wildcard certificate or SAN certificate
5. Make sure the web listener is set to “No Authentication”
6. Hit Next and Finish
7. Now we need to create a publishing rule; press “Publish Web Sites” in the Firewall Policy Tasks column
8. Name the rule “Publish CRM Organization IFD”
9. Select “Allow”
10. Choose “Publish a Single Web Site or Load Balancer”
11. Now choose “Use SSL to connect to the published Web server or server farm”
12. Internal site name will be “orgname.contoso.com” (make sure you have created an internal DNS record for this or it won't work); also select Use a computer name and type in the name of your CRM server, “CRMSERVER”
13. Don't enter a path and just press Next
14. The public name will be “https://orgname.contoso.com” and again leave the path blank
15. Select the web listener you created earlier, “CRM IFD”
16. Select “No Delegation, and client cannot authenticate directly”
17. Make sure the rule applies to “All Users” and hit Next and Finish
Now we need to create 3 more web publishing rules, for auth.contoso.com, dev.contoso.com and adfs.contoso.com
auth.contoso.com
1. Press “Publish Web Sites” in the Firewall Policy Tasks column
2. Name the rule “Publish CRM Auth IFD”
3. Select “Allow”
4. Choose “Publish a Single Web Site or Load Balancer”
5. Now choose “Use SSL to connect to the published Web server or server farm”
6. Internal site name will be “auth.contoso.com” (make sure you have created an internal DNS record for this or it won't work); also select Use a computer name and type in the name of your CRM server, “CRMSERVER”
7. Don't enter a path and just press Next
8. The public name will be “https://auth.contoso.com” and again leave the path blank
9. Select the web listener you created earlier, “CRM IFD”
10. Select “No Delegation, and client cannot authenticate directly”
11. Make sure the rule applies to “All Users” and hit Next and Finish
dev.contoso.com
1. Press “Publish Web Sites” in the Firewall Policy Tasks column
2. Name the rule “Publish CRM Discovery IFD”
3. Select “Allow”
4. Choose “Publish a Single Web Site or Load Balancer”
5. Now choose “Use SSL to connect to the published Web server or server farm”
6. Internal site name will be “dev.contoso.com” (make sure you have created an internal DNS record for this or it won't work); also select Use a computer name and type in the name of your CRM server, “CRMSERVER”
7. Don't enter a path and just press Next
8. The public name will be “https://dev.contoso.com” and again leave the path blank
9. Select the web listener you created earlier, “CRM IFD”
10. Select “No Delegation, and client cannot authenticate directly”
11. Make sure the rule applies to “All Users” and hit Next and Finish
adfs.contoso.com
1. Press “Publish Web Sites” in the Firewall Policy Tasks column
2. Name the rule “Publish ADFS”
3. Select “Allow”
4. Choose “Publish a Single Web Site or Load Balancer”
5. Now choose “Use SSL to connect to the published Web server or server farm”
6. Internal site name will be “adfs.contoso.com”
7. Don't enter a path and just press Next
8. The public name will be “https://adfs.contoso.com” and again leave the path blank
9. Select the web listener you created earlier, “CRM IFD”
10. Select “No Delegation, and client cannot authenticate directly”
11. Make sure the rule applies to “All Users” and hit Next and Finish
You should now have CRM IFD all published and working.
Wednesday, 7 March 2012
How to Configure CRM 2011 for IFD and publish via TMG or UAG
08:25
Dynamics Consulting München