Microsoft Dynamics CRM 2011 & ADFS Suggestions

Below are some suggestions and considerations to take into account when using Microsoft Dynamics CRM 2011 with ADFS.

If Dynamics CRM and ADFS are on the same server:
Use port 443 for the ADFS server and a different port for CRM.
On the CRM website in IIS, remove the extra bindings (related to some WCF services) and keep only the HTTP and HTTPS bindings.

Multiple bindings are not supported by WCF.
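The binding clean-up above as an added PowerShell example (not code from the original post). It lists the bindings on the CRM website, removes the WCF ones, and warns if CRM still holds HTTPS on 443 when ADFS should own that port. The IIS site name "Microsoft Dynamics CRM" and the alternative CRM port 444 are assumptions; adjust them to your installation.

```powershell
# Added example: keep only the HTTP and HTTPS bindings on the CRM website.
# Run in an elevated PowerShell on the CRM server.
# Assumptions (not from the original post): the IIS site is named
# "Microsoft Dynamics CRM" and CRM's HTTPS binding has been moved to 444 so that
# ADFS can keep 443 on the same machine.
Import-Module WebAdministration

$SiteName     = 'Microsoft Dynamics CRM'   # assumed site name
$CrmHttpsPort = 444                        # assumed; anything except ADFS's 443

# 1. Show every binding first so the change can be reviewed before removal.
Write-Host "Current bindings on '$SiteName':"
Get-WebBinding -Name $SiteName |
    Select-Object protocol, bindingInformation |
    Format-Table -AutoSize

# 2. Remove the non-HTTP bindings (net.tcp, net.pipe, net.msmq,
#    msmq.formatname) that WCF service activation adds.
#    Add -WhatIf to Remove-WebBinding to rehearse without changing anything.
Get-WebBinding -Name $SiteName |
    Where-Object { @('http', 'https') -notcontains $_.protocol } |
    ForEach-Object {
        Write-Host "Removing $($_.protocol) binding $($_.bindingInformation)"
        Remove-WebBinding -Name $SiteName -Protocol $_.protocol `
                          -BindingInformation $_.bindingInformation
    }

# 3. Sanity check: when ADFS shares the server, CRM's HTTPS must not be on 443.
$https443 = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if ($https443) {
    Write-Warning "CRM still has an HTTPS binding on 443; move it to $CrmHttpsPort so ADFS can use 443."
}
```

The `-notcontains` form is used instead of `-notin` so the script also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2, the usual host for CRM 2011.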

Note that a custom STS can also be used (built with WIF and the ADFS SDK).

Check the certificate in use and the permissions granted to the CRMAppPool identity.

Check the DNS configuration.

If you create a new organization, update the federation metadata through the ADFS wizard straight away so that the new organization is taken into account.


Check the proxy / firewall server settings and the antivirus, and also whether a .PAC file is in use.

https://support.microsoft.com/kb/2664157

Policy can limit the size of the token (Kerberos or SAML).
Policy can also limit some SOAP requests and FetchXML queries.

Rules to publish through ISA or TMG: allow the STS URL, the Dev URL, the Auth URL and the Org URLs.

On the client machine:
Check Credential Manager
Check the Windows client firewall
Check the LAN settings - automatically detect proxy settings
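The three client-side checks as an added, read-only PowerShell diagnostic (not code from the original post). It runs as the affected user without elevation; `$CrmHost` is an assumed placeholder for the CRM or ADFS host name, and the layout of the binary DefaultConnectionSettings value (auto-detect flag in bit 0x08 of byte 8) is stated as an assumption.

```powershell
# Added example (not from the original post): read-only checks on the client.
# $CrmHost is an assumed placeholder; replace it with your CRM/ADFS host name.
$CrmHost = 'crm.corp.example'   # assumed

# 1. Credential Manager: a stale saved password for the CRM or ADFS host is
#    replayed silently and shows up as 401s that look like a server problem.
Write-Host "--- Stored credentials mentioning $CrmHost ---"
cmdkey /list | Select-String -Pattern $CrmHost -Context 0,2

# 2. Windows Firewall: confirm each profile's state before suspecting ADFS.
Write-Host "--- Windows Firewall profile state ---"
netsh advfirewall show allprofiles state

# 3. LAN settings: proxy and PAC configuration for the current user.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty $inetKey
Write-Host "--- Proxy settings ---"
Write-Host ("ProxyEnable   : {0}" -f $inet.ProxyEnable)
Write-Host ("ProxyServer   : {0}" -f $inet.ProxyServer)
Write-Host ("ProxyOverride : {0}" -f $inet.ProxyOverride)   # hosts that bypass the proxy
Write-Host ("AutoConfigURL : {0}" -f $inet.AutoConfigURL)   # .PAC file, if any

# "Automatically detect settings" is stored in the binary
# DefaultConnectionSettings value. Assumed layout: bit 0x08 of byte 8 is the
# auto-detect flag (0x01 direct, 0x02 manual proxy, 0x04 PAC URL).
$dcs = (Get-ItemProperty "$inetKey\Connections").DefaultConnectionSettings
if ($dcs -and $dcs.Length -gt 8) {
    $autoDetect = ($dcs[8] -band 0x08) -ne 0
    Write-Host ("AutoDetect    : {0}" -f $autoDetect)
}

# An internal host that should be reached directly (Kerberos) but is sent
# through the proxy is a common source of 401s.
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyOverride -notmatch [regex]::Escape($CrmHost)) {
    Write-Warning "$CrmHost is not in the proxy bypass list; requests will go via $($inet.ProxyServer)."
}
```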

Useful links:

https://msdn.microsoft.com/en-us/library/gg188579.aspx

https://www.youtube.com/watch?v=ZD5qaa-G99E

https://technet.microsoft.com/en-us/library/hh490315.aspx

Also, to avoid 404 and 401 errors with CRM and ADFS, below are some best-practice notes on DNS:

Host (A) resource records: associate a computer name with an IP address for name resolution in a domain.
CNAME (canonical name) records: allow you to use more than one name to point to a single defined host, i.e. they associate an alias with a name in the domain.

The way it works is that when you define a CNAME, DNS first has to find the domain zone, then resolve the alias to the machine name, then resolve that name to an IP address, so it consumes more DNS resources.
If that process fails you may receive a 404 error; a Host (A) record resolves faster than a CNAME.

The main reason it is better to declare a Host (A) record instead of a CNAME is Windows Integrated Authentication for internal access: the Kerberos ticket can be requested for either the alias or the host name, and a mismatch produces 401 errors.

So the following can be done:
Create a Host (A) record in the DNS
Set the DisableLoopbackCheck=1 registry key
Then register HOST/adfsspn as an SPN in AD
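The three steps above as an added PowerShell example, followed by verification commands (not code from the original post). Every name, address and account in it is an assumed placeholder. It also shows BackConnectionHostNames as a narrower alternative to DisableLoopbackCheck: the post's setting turns the loopback check off for every name on the server, whereas BackConnectionHostNames exempts only the host names you list.

```powershell
# Added example (not from the original post): Host (A) record, loopback check,
# and HOST SPN for the ADFS federation service name, then verification.
# All values below are assumed placeholders; replace them with your own.
$DnsServer  = 'dc01.corp.example'      # assumed DNS server (a domain controller)
$Zone       = 'corp.example'           # assumed AD-integrated zone
$AdfsName   = 'adfs'                   # federation service host label
$AdfsFqdn   = "$AdfsName.$Zone"        # federation service FQDN
$AdfsIPv4   = '10.0.0.10'              # assumed address of the ADFS server
$AdfsSvcAcc = 'CORP\svc-adfs'          # assumed ADFS service account

# 1. Host (A) record rather than a CNAME. dnscmd ships with the DNS server
#    role and the DNS RSAT tools on Windows Server 2008 R2.
dnscmd $DnsServer /RecordAdd $Zone $AdfsName A $AdfsIPv4

# 2. Loopback check on the ADFS/CRM server. Without one of these, browsing the
#    server under its federation name from the server itself fails with 401.
$UseNarrowLoopbackFix = $true
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($UseNarrowLoopbackFix) {
    # Only the listed host names bypass the check.
    New-ItemProperty -Path "$lsa\MSV1_0" -Name BackConnectionHostNames `
        -PropertyType MultiString -Value @($AdfsFqdn) -Force | Out-Null
} else {
    # As written in the post: disables the loopback check for every name.
    New-ItemProperty -Path $lsa -Name DisableLoopbackCheck `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Register the HOST SPN for the federation service name on the service
#    account. setspn -S checks the forest for a duplicate before adding;
#    duplicate SPNs break Kerberos and surface as the 401s the post mentions.
setspn -S "HOST/$AdfsFqdn" $AdfsSvcAcc

# Verification
nslookup $AdfsFqdn $DnsServer     # expect an A record answer, no CNAME in the chain
setspn -L $AdfsSvcAcc             # HOST/<federation FQDN> should be listed
setspn -X                         # reports any duplicate SPNs in the forest
klist purge                       # drop cached tickets before retesting the browser
```

The registry and SPN changes need an elevated session on the ADFS server and an account allowed to write servicePrincipalName on the service account; a reboot is not required for the loopback values, but the web browser's cached tickets are, hence the `klist purge`.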

Best Regards

Dynamics CRM Team