Configuring IFD with Microsoft Dynamics CRM 2011


Updated as of 4/5/2011: This is an updated video demonstrating how to configure the RTM Dynamics CRM 2011 deployment with claims-based authentication and IFD access. The recording utilizes internally hosted DNS records and signed Certificates from an internal  CA. The video is unable to cover purchases of third party certificates, external DNS updates or routing through firewalls as there are too many variations and the Dynamics CRM team is unable to endorse one product over the other.

Keep in mind that both the CRM Site and the ADFS site should be exposed through your firewall in order for external clients to access CRM.

As many of our early adopters have learned by now, configuring an Internet-facing deployment (IFD) has changed pretty drastically from Microsoft Dynamics CRM 4.0 to Microsoft Dynamics CRM 2011.

So what changed?

  • First, our dependencies changed. In Dynamics CRM 4.0, we used forms-based authentication for IFD and in Dynamics CRM 2011 we instead take a dependency on claims-based authentication for IFD. Therefore, now it is necessary to install and configure a security token service (such as Active Directory Federation Services 2.0) and also to do more certificate management.
  • Second, our configuration steps changed. In Dynamics CRM 4.0, an administrator had two options for configuring IFD. The first option was to specify the IFD settings in an XML configuration file at server installation time. The second option was to use the IFD Configuration Tool which was released out of band. In Dynamics CRM 2011, we made claims-based authentication and IFD configuration post-installation steps to obviate the need for the XML configuration file and built these wizards into our Deployment Manager tool. Administrators that would prefer to script IFD configuration can do so using our new Dynamics CRM PowerShell cmdlets.
These changes amount to a higher learning curve for configuring IFD for Dynamics CRM 2011 as we have heard in feedback from partners and customers. So to help make this configuration a little easier for folks, Henning Petersen (a Support Escalation Engineer for Dynamics CRM) created a video demonstrating how to configure IFD with AD FS 2.0. In addition to this video, we recommend that people looking to configure IFD first review the Dynamics CRM 2011 Configuring Claims-Based Authentication white paper which is posted on the same page as our Dynamics CRM 2011 Implementation Guide.
This video is  called Introducing Microsoft Dynamics CRM 2011 Claims-based Authentication and covers the end-to-end process for configuring IFD which includes:
  1. Installing AD FS 2.0
  2. Configuring the AD FS 2.0 federation server
  3. Managing certificates
  4. Configuring Dynamics CRM 2011 for claims-based authentication and IFD
  5. Creating the relying party trust for CRM and configuring the claims rules on AD FS 2.0

We hope you find this helpful!

Cheers,
Michael Guthmann

Comments (27)

  1. Simon Hetzel says:

    Thanks very much for this – it's good to see the steps set out as you should see them when you need to do it for yourself

    However – given that this demo all appears to be on one server and uses self-signed certs it would be good if you could add some additional text to explain:

    a) What steps have to be performed on each machine

    b) Additional steps that only have to be performed if using self-signed certs

    c) Any caveats with wildcard certificates (is Windows Mobile still a problem?)

    You say at the end that you hope to produce more documentation soon.  Hopefully fully federated scenarios will be covered?  Home-realm discovery using CRM 2011 is still a mystery – can you do it?

    — Regards, Simon

  2. Nick says:

    Awesome!  This clears up a lot of the mystery.

  3. David says:

    Thank you for this.

    One question… What is the easiest way to create self-signed wildcard certificate?

  4. Jose Curry says:

    I ran into this same question myself. Apparently creating a self-signed wildcard certificate is not possible via IIS7 UI. Any pointers towards the easiest SSL certificate tool for this purpose would be greatly appreciated. Thanks for great video.

  5. c Surieux says:

    Good starting point but I was expecting a detailled documentation and more points covered.

    What to do when you need internal network access AND IFD ? just as it was possible in CRM 4 ? Is it always an option, I hope so ?

    What about securing CRM 2011 with ForeFront TMG ?

    And last but not least: what about a service provider installation ? Even the CRM 4 documentation for this last point was outdated, only documented for no more supported management tools ?

    I am very surprised to see that these points are not covered at 10 days from the official launch of product. Is quality a secondary concern for this product.

    CS

  6. Tayyab says:

    You can use selfssl for creating self signed certificate. You are right it is part of IIS 6 but you can still install it and use it. It is part of windows development kit. I hope this answers your question.

    What about claim based authentication for CRM 2011 online. I await SDK update on that.

  7. crm40 says:

    Hi,

    I have followed the steps mentioned in the video to enable IFD for crm 2011.

    I am facing the below mentioned error.Can you please help me figure out the cause.

    There was a problem accessing the site. Try to browse to the site again.

    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

    Reference number: 4d8848a0-d5e7-468a-8177-462ca8c52e27

  8. Matt Wittemann says:

    @crm40: This error can occur for a variety of reasons. However, the first time you setup IFD with Claims-Based Authentication, you might see this error if you haven't properly configured DNS so that the URLs for CRM are accessible. You'll need to have your external DNS set so you can hit your CRM server at the orgname.crmserver.com address. I also found it was easiest to edit the hosts file on my CRM server so the URLs resolved internally while I was testing my configurations in the Deployment Manager.

  9. Sensino says:

    what about single signin in Sharepoint integration with CRM2011 ifd?

    Is it possible?

  10. Michael Guthmann says:

    Thanks for the comments and questions. I'll do my best to answer what I can right now and then follow up on other ones and try to post back later.

    For Simon's questions:

    a) With multiple machines (say you have multiple front end machines), you will need to have the encryption cert in the cert store for each machine. That way each CRM server can encrypt the messages passed between CRM (the relying party) and AD FS 2.0 (the identity provider).

    b) You only have to put the certs in the trusted root certification authorities store if you are using self-signed certificates.

    For David and Jose:

    I like to use MakeCert to create my self-signed wildcard certificates. msdn.microsoft.com/…/aa386968%28v=VS.85%29.aspx

    For c Suriex:

    We had some limitations in RC around internal and IFD coexistence. This is something that we have worked to improve for RTM. We'll disclose more details at that time.

    And concerning service provider documentation, this is something that is on our radar.

  11. Jose Curry says:

    Thanks for your answers Michael. I got a little bit confused while doing the installation per your video because you had DC and CRM servers in the same box. I ran into problems when trying to add the trusts to ADFS and I think I have the "auth" endpoint configured incorrectly. Is it possible to have a documentation in which this installation is specified to an environment in which DC and CRM servers are two separate machines?

    Thanks.

  12. ADFS with CRM Online 2011 says:

    Is it possible to make CRM 2011 Online to authenticate against your own ADFS? Or WindowsLive is the only option for authentication?

  13. Is it possible to install MS CRM 2011 with IFD on windows small business server 2008?

    Facing problem during AD FS 2.0 installation on windows small business server 2008.

  14. Jan says:

    Hi, I would like to know when CRM 2011 Service provider documentation will be available? Or if it is already available where can I find it?

  15. BlackBilly says:

    I am also wondering about this:

    "Is it possible to make CRM 2011 Online to authenticate against your own ADFS? Or WindowsLive is the only option for authentication?"

  16. Tahir Shah says:

    How to configure IFD without certificate, we are testing it in our lab where we need to setup without ssl… 2011 make thing difficult for users. Crm 4 was very easy to setup and manage.

  17. Mike H says:

    Really aggravated at how much more complex and inflexible the on-premise deployment has become. Need much better and detailed documentation on setting these things up. Need to easily provide support for internal and external users, single sign on for Windows, SharePoint and CRM.

  18. Hi,

    Great Tutorial Video – i just tried to set it up in our CRM Test enviroment

    I have :

    1 DC

    1 IIS & ADFS & DC

    1 CRM Server

    Everythings runs as mentioned in the video up to 11:51

    I'm stuck after configuring the claim rules – so at 11'51" when i try to test the URL i get the credential prompt, but am unable to commit any valid credentials !? I've tried several combinations like

    DOMAINusername

    username

    username@domain.tld

    it just won't accept any of those.

    Any hint on where to look for these errors to resolve them ? Maybe on of those added rules ?

    All i want to do is to test the CRM System with the Outlook Client 🙁

  19. Jamie says:

    For those of you that have deployed this, are there issues any issues with setting up On-premise with internal and IFD use?

    Thanks

  20. EuroMaverick says:

    Purely from a technical point of view: CRM 2011 works right out of the box over the internet using standard Windows authentication, right? It would of course not run over SSL but besides that technically it would just run fine?

  21. H says:

    Hi! Where is the video? Thank you

  22. Right, I have spent 12 hours on this today and external IFD is still not  working!

    Internal CBA is working, but external will not complete the configuration when setting up the rules on adfs. It errors out – details to follow.

    Enabling the IFD in CRM is easy, just need clarification what external url's need to be published to external dns and pointed into the internal CRM server in a single crm server design with adfs on a separate server? Any help greatly appreciated and would love to get to the bottom of this!

    Many thanks

    Mark

  23. David Finley says:

    We created a step by step blog about this.

    http://www.interactivewebs.com/…/microsoft-crm-2011-how-to-configure-ifd-hosted-setup

    hope it helps others.

  24. David Finley says:

    We made a great little step by step guide here on how to setup IFD in a new CRM 2011. Check it out here:

    http://www.interactivewebs.com/…/microsoft-crm-2011-how-to-configure-ifd-hosted-setup

  25. Hi

    The content here in this Blog is really useful. Great!  Thank you

    And David the step by step guide is Crystal Clear.

    Thank you

Skip to main content