Step by Step: Configuring CRM 2013 Internet facing deployment (IFD)

This post covers every step needed to configure an Internet-facing deployment (IFD) for an on-premises Dynamics CRM 2013 installation.

Before we proceed here are a few details of the environment.

CRM Server 2013 Installed on Windows Server 2012

ADFS 2.1 on a separate box on Windows Server 2012

Important:

With AD FS 2.0, you had to download and install the AD FS 2.0 software to deploy your AD FS server infrastructure.

AD FS 2.1 ships with Windows Server 2012 as part of the operating system, so it is installed as a role from Server Manager rather than downloaded.

Prerequisites

  1. Install and configure Dynamics CRM 2013.
  2. Install and configure IIS on the AD FS server.
  3. Purchase the certificates the IFD configuration needs.
  4. Choose the type of certificate that works best in your environment. Most people use a wildcard certificate for the external domain (in this example *.fabrikam.com) so that one certificate covers every URL. If you use a SAN certificate instead, you need to know all of your URLs now and in the future, because every organization you add later is another host name. Either way the private key will be installed on both the AD FS and CRM servers, so treat it as a shared secret: restrict who can read it (Section 1, Step 7) and plan for rotating it on both servers before it expires.
  5. If AD FS is on the same server as CRM, AD FS must own the Default Web Site on the default port, so CRM must use a different port.

I will break down the entire process into 5 major sections.

Section 1: Binding Certificates

Section 2: Setup ADFS

Section 3: DNS Configuration

Section 4: Configuring CRM server for claims based authentication

Section 5: Configuring CRM server for IFD

Alright, let’s get this started.

Section 1: Binding Certificates

After you have obtained and installed a certificate, it must be bound to the Default Web Site before AD FS can use it.

On the ADFS Server

Step1: Open IIS Manager, expand the Sites node in the Connections pane, and click Default Web Site.

Step2: In the Actions pane, click Bindings.

Step3: In the Site Bindings dialog box, click Add.

Under Type, select https.

Under SSL certificate, select your SSL certificate, click OK, and then click Close.

On the CRM 2013 Server

When enabling claims-based authentication, the Dynamics CRM Server 2013 Web site must be reachable over HTTPS, so you must bind your SSL certificate to the Dynamics CRM Server 2013 Web site as well.

Step4: Open IIS Manager, expand the Sites node in the Connections pane, and click the Microsoft Dynamics CRM Web site.

Step5: In the Actions pane, click Bindings.

Step6: In the Site Bindings dialog box, click Add.

Under Type, select https.

Under SSL certificate, select your SSL certificate, click OK, and then click Close.

Step 7: The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate

The CRMAppPool account needs read access to the private key of the certificate used for the CRM Web site: CRM publishes that certificate in its federation metadata and uses the private key to decrypt the tokens AD FS encrypts for it. If the application pool runs as Network Service, as in this example, give Network Service read rights on that key. Read is all it needs; do not grant Full Control, and do not grant the right to a broader group than the pool identity.

You can use IIS Manager to find which account was chosen for CRMAppPool during setup. In the Connections pane, click Application Pools, and then check the Identity value for CRMAppPool.

Launch the MMC console, open the File menu and select Add/Remove Snap-in.

Select Certificates from the available snap-ins and click Add.

Select Computer account and click Next in the Certificates snap-in window.

Click Finish on the next window and then click OK.

Expand Certificates -> Personal -> Certificates, right-click the certificate, and select All Tasks -> Manage Private Keys.

Add the identity that runs the CRM application pool, give it Read permission, and click OK.

In my case it is Network Service.

You are now done configuring the certificates.
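The same binding and private-key permission work as a script, added here as an example and not taken from the original post. It binds the certificate to an IIS site (Steps 1 to 6), gives the CRMAppPool identity Read on the key file (Step 7), and first checks that the certificate really covers the names you are about to publish. Everything in it is an assumption to adapt: the thumbprint placeholder, the site and pool names, the fabrikam.com host names, and that the key is an RSA (CSP) key under MachineKeys, which is what a normal IIS certificate request produces.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# on the server whose site you are binding (WebAdministration ships with IIS).
Import-Module WebAdministration

$Thumbprint = 'PUT-THE-WILDCARD-CERT-THUMBPRINT-HERE'   # placeholder, replace with your own
$SiteName   = 'Microsoft Dynamics CRM'                 # use 'Default Web Site' on the AD FS server
$PoolName   = 'CRMAppPool'                             # CRM server only; skip the ACL part on AD FS
$NamesToPublish = @('internalcrm.fabrikam.com', 'auth.fabrikam.com', 'dev.fabrikam.com', 'orgname.fabrikam.com')

function Test-CertCoversName {
    # True if $Name matches the subject CN or a SAN entry. A wildcard entry only
    # matches one label, so *.fabrikam.com covers auth.fabrikam.com but not a.b.fabrikam.com.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    $covered = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders as "DNS Name=*.fabrikam.com, DNS Name=fabrikam.com"
        $covered += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] })
    }
    foreach ($c in $covered) {
        if ($c -eq $Name) { return $true }
        if ($c.StartsWith('*.') -and ($Name -like $c) -and ($Name.Split('.').Count -eq $c.Split('.').Count)) { return $true }
    }
    return $false
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key, so it cannot terminate TLS' }
foreach ($n in $NamesToPublish) {
    if (-not (Test-CertCoversName -Cert $cert -Name $n)) { Write-Warning "$n is not covered by the certificate" }
}

# Steps 1-6: https binding on 443 for all addresses, then attach the certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert | Out-Null

# Step 7: resolve the pool identity to an account and grant it Read (only) on the key file.
$pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
$account = switch ("$($pm.identityType)") {
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }
    'SpecificUser'            { $pm.userName }
}
try { $rsa = $cert.PrivateKey } catch { $rsa = $null }
if (-not $rsa) { throw 'Key is held by a CNG provider; grant Read through Manage Private Keys in the Certificates MMC instead' }
$keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
icacls $keyFile /grant "$($account):R" | Out-Null
icacls $keyFile   # review the result: the pool identity should show (R) and nothing wider
```

Run it once per server, changing `$SiteName` and skipping the Step 7 part on the AD FS box. The name check is worth keeping even if you bind by hand: a name the certificate does not cover does not fail here, it fails later as a metadata-import or sign-in error that is much harder to trace back.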

Section 2: Setup ADFS

Step1: Launch Server Manager and click Add roles and features.

Step2: Click Next on the first page of the wizard.

Step3: Select Role-based or feature-based installation and click Next.

Step4: Select a server from the server pool and click Next.

Step5: Select Active Directory Federation Services.

Step6: Click Add Features and then click Next.

Step7: Continue to click Next until you reach the Confirmation page, and then click Install.

Now that AD FS is installed, let's configure it.

Step8: Open Administrative Tools and select AD FS Management.

Step9: Click AD FS Federation Server Configuration Wizard and, on the Welcome page, select Create a new Federation Service.

Step10: Select Stand-alone or Farm Deployment.

Choose the option that fits your requirements; the wizard explains each of them. A stand-alone federation server uses the local Windows Internal Database, runs as Network Service and cannot be joined to a farm later, so choose the farm option (with a dedicated service account) if you will ever need a second AD FS server for availability.

I will choose Stand-alone federation server.

Step11: Specify the Federation Service Name. This is the name clients and CRM will use to reach AD FS (adfs.fabrikam.com in this example), and it must be covered by the certificate bound to the Default Web Site in Section 1.

Step12: The wizard shows a summary of what is about to be configured. Click Next to continue.

Step13: Wait for the configuration process to complete and click Close.

Section 3: DNS Configuration

Configure records in DNS so that the various Dynamics CRM Server endpoints resolve correctly.

Step1: Open DNS Manager by clicking Start, pointing to Administrative Tools, and then clicking DNS.

Step2: Expand Forward Lookup Zones, select the <Domain name>.com zone and create the records below (CNAME records pointing at the host record, or A records if you prefer to point at an IP address).

Name                       Points to                                         Description

auth                       the machine that has CRM 2013 installed           Used by the AD FS server when retrieving the Microsoft Dynamics CRM IFD federationmetadata.xml file

dev                        the machine that hosts the Discovery Web Service  Microsoft Dynamics CRM Discovery Web Service domain

internalcrm                the machine that has CRM 2013 installed           Internal URL used to access Microsoft Dynamics CRM (for example, internalcrm.fabrikam.com)

<CRM organization name>    the machine that has CRM 2013 installed           External URL used to access Microsoft Dynamics CRM - Web Application Server domain (for example, orgname.fabrikam.com)

adfs                       the machine that has AD FS installed              AD FS 2.1 server

[Screenshot: all of the DNS records created]

You must also configure your firewall to allow inbound traffic on the ports used by Dynamics CRM Server 2013 and AD FS 2.1; for the HTTPS bindings created in Section 1 that is TCP 443. Only the names above need to exist in external DNS, and only 443 on the hosts behind them needs to be reachable from the Internet.
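The records and the firewall rule, scripted and then verified, as an added example that is not part of the original post. It assumes the fabrikam.com zone and the host names crm01 and adfs01 for the CRM and AD FS servers, that the record part runs on a Windows Server 2012 DNS server (DnsServer module) as a domain administrator, and that the firewall part is run on each CRM and AD FS server.

```powershell
# Added example, not part of the original post.
Import-Module DnsServer

$Zone     = 'fabrikam.com'
$CrmHost  = 'crm01.fabrikam.com'    # assumption: FQDN of the CRM 2013 server
$AdfsHost = 'adfs01.fabrikam.com'   # assumption: FQDN of the AD FS 2.1 server
$OrgName  = 'orgname'               # the CRM organization's unique name

# name -> target host. CNAMEs keep every alias pointing at one host record, so a
# server IP change is a single edit; use Add-DnsServerResourceRecordA instead if
# you would rather point at an address.
$records = [ordered]@{
    'auth'        = $CrmHost    # external IFD endpoint; AD FS fetches its metadata from here
    'dev'         = $CrmHost    # discovery web service
    'internalcrm' = $CrmHost    # internal claims URL
    $OrgName      = $CrmHost    # external organization URL
    'adfs'        = $AdfsHost   # federation service name
}

foreach ($name in $records.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "$name.$Zone already exists, leaving it alone"; continue }
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $name -HostNameAlias $records[$name]
}

# On each CRM and AD FS server: inbound 443 only. The claims flow is HTTPS end to
# end, so there is no reason to expose 80 (or CRM's 5555) to the Internet.
if (-not (Get-NetFirewallRule -DisplayName 'CRM IFD HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'CRM IFD HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow | Out-Null
}

# Verify every name resolves to the intended host before moving on. A typo here
# shows up later as a confusing certificate or metadata-import error.
foreach ($name in $records.Keys) {
    $fqdn = "$name.$Zone"
    try {
        $answer = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
        $target = ($answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
        $ips    = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress -join ','
        if ($target -and $target -ne $records[$name]) { Write-Warning "$fqdn points at $target, expected $($records[$name])" }
        Write-Host ('{0,-28} -> {1,-24} {2}' -f $fqdn, $target, $ips)
    } catch { Write-Warning "$fqdn does not resolve: $_" }
}
```

Run the verification loop again from a machine outside the network (or against your public resolver) once the external zone is published; the internal and external views of these names must agree on which host answers.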

Section 4: Configuring CRM server for claims based authentication

Once ADFS is setup and the certificate/s are bound to the websites, you will need to prepare CRM for Claims Authentication.

On The CRM Server

Step1: Set the Microsoft Dynamics CRM Server 2013 binding to HTTPS and configure the root domain Web addresses.

Start Deployment Manager, and in the Actions pane click Properties. On the Web Address tab, set Binding Type to HTTPS.

You can now enter the internal URL for CRM. This is the URL users inside the network use to reach CRM without being prompted for credentials. Click Apply.

Step2: In the Deployment Manager console tree, right-click Microsoft Dynamics CRM and click Configure Claims-Based Authentication. Click Next on the Welcome page.

Step3: On the Specify the security token service page, enter the federation metadata URL, such as https://adfs.fabrikam.com/federationmetadata/2007-06/federationmetadata.xml.

This document is published by the Web site on which AD FS 2.1 is running. To verify the URL, open it in a browser and check that the metadata is displayed without any certificate warning. A warning here means the AD FS name, the certificate bound in Section 1 or its trust chain is wrong, and the wizard will fail on the same check; fix the cause rather than clicking through.

Step4: On the Specify the encryption certificate page, specify the encryption certificate. In this walkthrough it is the same certificate bound to the CRM Web site; whichever certificate you pick must be the one whose private key you gave the CRMAppPool identity read access to in Section 1, Step 7.

Step5: On the System Checks page, review the results, fix any reported problems, and then click Next.

Step6: On the Review your selections and then click Apply page, verify your selections and click Apply.

Step7: Click View log file, scroll to the bottom and copy the federation metadata URL from there to avoid typos.

You will need the federation metadata URL created during Claims-Based Authentication configuration in CRM to set up the relying party trust in AD FS 2.1.
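Steps 1 to 7 can also be driven from the Microsoft.Crm.PowerShell snap-in that CRM setup registers on the server; the following is an added example, not code from the post or from Microsoft. It fetches the AD FS metadata over a validated TLS connection first (the "no certificate warnings" check from Step 3), then writes the same Web Address and claims settings the wizard writes, and finally confirms CRM is serving its own metadata for Step 7. Assumptions: the fabrikam.com names used throughout the post, that the encryption certificate is identified by its subject name the way Deployment Manager stores it, and that you run it as a CRM Deployment Administrator on the CRM server.

```powershell
# Added example, not part of the original post.
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction Stop

$InternalHost = 'internalcrm.fabrikam.com'
$AdfsMetadata = 'https://adfs.fabrikam.com/federationmetadata/2007-06/federationmetadata.xml'
$EncryptionCertSubject = 'CN=*.fabrikam.com'   # assumption: subject of the certificate bound in Section 1

function Get-FederationMetadata {
    # Fetches the metadata the way the wizard does. A TLS validation failure
    # surfaces as a WebException, which is exactly the "certificate warning" the
    # text says must not appear; do not work around it by disabling certificate checks.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { throw "Cannot fetch $Url : $($_.Exception.Message)" }
    $tls = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $req.ServicePoint.Certificate
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    [xml]$md = $reader.ReadToEnd()
    $resp.Close()
    if (-not $md.EntityDescriptor.entityID) { throw "$Url did not return federation metadata" }
    [pscustomobject]@{ EntityId = $md.EntityDescriptor.entityID; TlsSubject = $tls.Subject; TlsExpires = $tls.NotAfter }
}

# Step 3's check, before anything is changed on the CRM side.
$sts = Get-FederationMetadata -Url $AdfsMetadata
Write-Host "AD FS entityID $($sts.EntityId); TLS certificate '$($sts.TlsSubject)' valid until $($sts.TlsExpires)"

# Step 1: HTTPS binding type and the internal root domains from the Web Address tab.
# On a single server all four root domains are the same host.
$web = Get-CrmSetting -SettingType WebAddressSettings
$web.RootDomainScheme        = 'https'
$web.WebAppRootDomain        = $InternalHost
$web.SdkRootDomain           = $InternalHost
$web.DiscoveryRootDomain     = $InternalHost
$web.DeploymentSdkRootDomain = $InternalHost
Set-CrmSetting -Setting $web

# Steps 2-6: enable claims-based authentication against that STS.
$claims = Get-CrmSetting -SettingType ClaimsSettings
$claims.Enabled               = $true
$claims.EncryptionCertificate = $EncryptionCertSubject
$claims.FederationMetadataUrl = $AdfsMetadata
Set-CrmSetting -Setting $claims

# Step 7: the metadata AD FS will import next is served from the internal host and
# must pass the same TLS check, this time from the AD FS server's point of view.
iisreset | Out-Null
$crm = Get-FederationMetadata -Url "https://$InternalHost/FederationMetadata/2007-06/FederationMetadata.xml"
Write-Host "CRM relying party entityID $($crm.EntityId)"
```

Run the last two lines from the AD FS server as well: it is that machine's certificate store, not the CRM server's, that decides whether the import in the next steps succeeds.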

On The ADFS Server

After enabling claims-based authentication on CRM, the next step is to add and configure the claims provider trust and the relying party trusts in AD FS 2.1.

Step8: Start AD FS 2.1 Management. In the navigation pane, expand Trust Relationships and click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory and click Edit Claim Rules.

Step9: In the Rules Editor, click Add Rule. In the Claim rule template list, select Send LDAP Attributes as Claims and click Next.

Step10: Create the following rule:

Claim rule name: UPN Claim Rule (or something descriptive)

Attribute store: Active Directory

LDAP Attribute: User-Principal-Name

Outgoing Claim Type: UPN

Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Dynamics CRM Server 2013 as a relying party so that it consumes claims from AD FS 2.1 for internal claims access.

Step11: Start AD FS Management. On the Actions menu in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

Step12: On the Select Data Source page, click Import data about the relying party published online or on a local network, and type the URL you copied earlier from the log file, which will be https://internalcrm.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml. Open it in a browser on the AD FS server first and verify that no certificate-related warnings appear; AD FS validates the same certificate when it imports the metadata.

Step13: On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and click Next.

Step14: On the Choose Issuance Authorization Rules page, leave Permit all users to access this relying party selected, and click Next. This means every account that can authenticate to AD FS receives a token for CRM; CRM's own user records and security roles still decide what they can do inside CRM, but if you want AD FS to gate access as well, replace this later with a rule that permits a specific group.

Step15: On the Ready to Add Trust page, click Next, and then click Close.

Step16: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object you just created, click Edit Claim Rules, and then click Add Rule.

Step17: In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and click Next.

Step18: Create Rule #1:

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish.

Step19: In the Rules Editor, click Add Rule. In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and click Next.

Step20: Create Rule #2:

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish.

Step21: In the Rules Editor, click Add Rule. In the Claim rule template list, select Transform an Incoming Claim, and click Next.

Step22: Create Rule #3:

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

So now we have claims set up for CRM.

On both servers (AD FS and CRM), open IE -> Tools -> Internet Options -> Security -> Local intranet -> Sites -> Advanced, and add the internal CRM URL and the AD FS URL (https://internalcrm.fabrikam.com and https://adfs.fabrikam.com). The same has to be done on every client machine that uses the internal access points: by default only the Local intranet zone sends Windows credentials (Kerberos tickets) automatically, so without it users are prompted for credentials. Add only the https URLs, never the plain http names.

Type the internal URL on the CRM server, https://internalcrm.fabrikam.com, and watch the browser redirect to AD FS and then back to the CRM page.
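The zone change is a registry write, and the silent sign-on it enables depends on AD FS having a Kerberos service principal name. The following is an added example, not part of the original post: it maps the two internal URLs into the Local intranet zone for the current user by writing the same ZoneMap entries the Internet Options dialog writes, then queries for the AD FS SPN. It assumes the fabrikam.com names from the post. For a fleet of clients, push the same list with the Site to Zone Assignment List Group Policy rather than per-user registry edits.

```powershell
# Added example, not part of the original post.
$Sites = @('https://internalcrm.fabrikam.com', 'https://adfs.fabrikam.com')
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranetZone = 1   # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites

function Add-IntranetSite {
    param([string]$Url)
    $uri = [System.Uri]$Url
    # ZoneMap keys are <registrable domain>\<host prefix>, each holding one DWORD
    # per scheme. Only the URL's own scheme is mapped: mapping http as well would
    # let the browser hand Windows credentials to a plaintext listener with that name.
    $labels = $uri.Host.Split('.')
    if ($labels.Count -lt 3) { throw "$($uri.Host) has no host prefix to map; create the domain key directly" }
    $domainKey = Join-Path $ZoneRoot ($labels[-2..-1] -join '.')
    $hostKey   = Join-Path $domainKey ($labels[0..($labels.Count - 3)] -join '.')
    New-Item -Path $hostKey -Force | Out-Null
    New-ItemProperty -Path $hostKey -Name $uri.Scheme -Value $LocalIntranetZone -PropertyType DWord -Force | Out-Null
    "$($uri.Host): $($uri.Scheme) -> zone $((Get-ItemProperty $hostKey).($uri.Scheme))"
}

$Sites | ForEach-Object { Add-IntranetSite -Url $_ }

# Integrated authentication to AD FS only uses Kerberos if HTTP/<federation service
# name> is registered on the account AD FS runs as (the computer account for a
# stand-alone install on Network Service, the service account for a farm). If
# setspn finds nothing, clients fall back to NTLM or a credential prompt.
setspn -Q HTTP/adfs.fabrikam.com
```

If the SPN query comes back empty, register it on the right account with setspn -S before blaming the zone settings; a missing SPN produces exactly the credential prompt this section is trying to remove.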

Section 5: Configuring CRM server for IFD

Now you are ready to configure the Internet-Facing Deployment in the Microsoft Dynamics CRM 2013 Deployment Manager.

On The CRM Server

Step1: Start Deployment Manager. In the console tree, right-click Microsoft Dynamics CRM and click Configure Internet-Facing Deployment. Click Next.

Step2: Enter the URLs for the Web Application Server Domain, Organization Web Service Domain and the Discovery Web Service Domain, and click Next.

Important things to consider

· Specify domains, not servers.

· If your deployment is on a single server, or on servers in the same domain, the Web Application Server Domain and Organization Web Service Domain will be identical.

· The Discovery Web Service Domain must be a resolvable host name and not a root domain. For example: dev.fabrikam.com.

· The Discovery Web Service Domain must not match an organization's fully qualified domain name (FQDN). For example, it should not be orgname.fabrikam.com.

· The domains must be valid for the SSL certificate's common name or subject alternative names.

· The domains must resolve correctly in DNS to the Microsoft Dynamics CRM servers holding the server roles.

· The domains can be in a different DNS domain than the one the Microsoft Dynamics CRM servers reside in.

Step3: In the Enter the external domain where your Internet-facing servers are located box, type the external domain where your Internet-facing Microsoft Dynamics CRM Server 2013 servers are located, and click Next.

The domain you specify must be a sub-domain of the Web Application Server Domain specified in the previous step. By default, "auth." is prepended to the Web Application Server Domain.

Important things to consider

· The external domain is used by the AD FS server when retrieving the Microsoft Dynamics CRM IFD federationmetadata.xml file.

· The external domain must not contain an organization name.

· The external domain must not contain an underscore character ("_").

· The external domain must be valid for the SSL certificate's common name or subject alternative names.

· The external domain must resolve correctly in DNS to the Microsoft Dynamics CRM server holding the Web Application Server role.

Step4: On the System Checks page, review the results, fix any problems, and then click Next.

Step5: On the Review your selections and then click Apply page, verify your selections, click Apply, and then click Finish.

Step6: Run the following command at a command prompt: iisreset
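The IFD settings from Steps 1 to 6, applied through the Microsoft.Crm.PowerShell snap-in after checking the two "Important things to consider" lists, as an added example that is not code from the post or from Microsoft. The wizard's System Checks page does not catch every one of those rules, so the script refuses to write anything until they all pass. Assumptions: the fabrikam.com names and the orgname organization from the post, a single-server deployment, and running as a CRM Deployment Administrator on the CRM server.

```powershell
# Added example, not part of the original post.
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction Stop

$WebAppDomain     = 'fabrikam.com'        # Web Application Server Domain: a domain, not a host
$OrgServiceDomain = 'fabrikam.com'        # identical on a single server
$DiscoveryDomain  = 'dev.fabrikam.com'    # a resolvable host, not the root domain
$ExternalDomain   = 'auth.fabrikam.com'   # must be a sub-domain of $WebAppDomain; "auth." is the default
[string[]]$OrgNames = (Get-CrmOrganization).UniqueName

function Test-IfdDomains {
    # Returns the list of rules from the text that the proposed values break.
    param([string]$WebApp, [string]$Discovery, [string]$External, [string[]]$Orgs)
    $problems = @()
    if ($Discovery -eq $WebApp) { $problems += 'Discovery domain must be a host name, not the root domain' }
    foreach ($o in $Orgs) {
        if ($Discovery -eq "$o.$WebApp") { $problems += "Discovery domain must not be the organization FQDN $o.$WebApp" }
        if ($External.Split('.') -contains $o) { $problems += "External domain must not contain the organization name $o" }
    }
    if (-not $External.EndsWith(".$WebApp")) { $problems += "External domain must be a sub-domain of $WebApp" }
    if ($External -match '_') { $problems += 'External domain must not contain an underscore' }
    # Every name the wizard publishes has to resolve to the CRM server before IFD is enabled.
    $hosts = @($Discovery, $External) + ($Orgs | ForEach-Object { "$_.$WebApp" })
    foreach ($h in $hosts) {
        if (-not (Resolve-DnsName -Name $h -ErrorAction SilentlyContinue)) { $problems += "$h does not resolve in DNS" }
    }
    return $problems
}

$problems = Test-IfdDomains -WebApp $WebAppDomain -Discovery $DiscoveryDomain -External $ExternalDomain -Orgs $OrgNames
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; throw 'Fix the domain settings before enabling IFD' }

# Steps 2-5: the same values the wizard writes.
$ifd = Get-CrmSetting -SettingType IfdSettings
$ifd.Enabled                          = $true
$ifd.WebApplicationRootDomain         = $WebAppDomain
$ifd.OrganizationWebServiceRootDomain = $OrgServiceDomain
$ifd.DiscoveryWebServiceRootDomain    = $DiscoveryDomain
$ifd.ExternalDomain                   = $ExternalDomain
Set-CrmSetting -Setting $ifd

# Step 6, then confirm the IFD metadata that AD FS imports in the next section is
# being served from the external name. A certificate error here is a stop sign.
iisreset | Out-Null
(Invoke-WebRequest -Uri "https://$ExternalDomain/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).StatusCode
```

Test-IfdDomains does not check the certificate rule from the lists; run whatever name check you used when binding the certificate in Section 1 against dev, auth and each organization name as well.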

On the ADFS Server

After you have enabled IFD on the Microsoft Dynamics CRM Server 2013, you need to create a second relying party trust, for the IFD endpoint, on the AD FS server.

Step7: Start AD FS Management. On the Actions menu in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

Step8: On the Select Data Source page, click Import data about the relying party published online or on a local network, and type the URL of the federationmetadata.xml file that IFD setup created.

For example, https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml.

Open this URL in a browser on the AD FS server and verify that no certificate-related warnings appear.

Step9: On the Specify Display Name page, type a display name, such as CRM IFD Relying Party, and click Next.

Step10: On the Choose Issuance Authorization Rules page, leave Permit all users to access this relying party selected, and click Next. This trust is the one reachable from the Internet, so it is the first place to tighten to a group-based rule once things work.

Step11: On the Ready to Add Trust page, click Next, and then click Close.

Step12: If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object you just created, click Edit Claim Rules, and then click Add Rule.

Step13: In the Claim rule template list, select Pass Through or Filter an Incoming Claim, and click Next.

Step14: Create Rule #1:

Claim rule name: Pass Through UPN (or something descriptive)

Incoming claim type: UPN

Pass through all claim values

Click Finish.

Step15: In the Rules Editor, click Add Rule, and in the Claim rule template list, select Pass Through or Filter an Incoming Claim, and click Next.

Step16: Create Rule #2:

Claim rule name: Pass Through Primary SID (or something descriptive)

Incoming claim type: Primary SID

Pass through all claim values

Click Finish.

Step17: In the Rules Editor, click Add Rule. In the Claim rule template list, select Transform an Incoming Claim, and click Next.

Step18: Create Rule #3:

Claim rule name: Transform Windows Account Name to Name (or something descriptive)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, and when you have created all three rules, click OK to close the Rules Editor.
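The AD FS side of both Section 4 (the claims provider rule in Steps 8 to 10 and the internal relying party in Steps 11 to 22) and this section (the IFD relying party in Steps 7 to 18) is the same three-rule recipe applied twice, which is exactly where hand-entered rules drift apart. The following is an added example, not from the post or from Microsoft: it uses the Microsoft.Adfs.PowerShell snap-in that ships with AD FS 2.x, builds the rules once in claim rule language, and creates both trusts from their metadata URLs. It assumes the fabrikam.com names from the post, the display names used in the text, and that it runs on the AD FS server as an AD FS administrator.

```powershell
# Added example, not part of the original post.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Claim type URIs behind the names the wizard templates show.
$UPN  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$NAME = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$SID  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$WAN  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Section 4, Step 10: "Send LDAP Attributes as Claims" on the Active Directory
# claims provider, userPrincipalName -> UPN. Appended so the default rules the
# configuration wizard created are kept.
$cp = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
$upnRule = @"
@RuleName = "UPN Claim Rule"
c:[Type == "$WAN", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UPN"), query = ";userPrincipalName;{0}", param = c.Value);
"@
if ($cp.AcceptanceTransformRules -notmatch 'userPrincipalName') {
    Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + $upnRule)
}

# The three issuance rules every CRM relying party gets (Steps 18-22 and 14-18).
$crmRules = @"
@RuleName = "Pass Through UPN"
c:[Type == "$UPN"]
 => issue(claim = c);

@RuleName = "Pass Through Primary SID"
c:[Type == "$SID"]
 => issue(claim = c);

@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$WAN"]
 => issue(Type = "$NAME", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# "Permit all users to access this relying party". Swap in a group-based rule
# once the deployment works; as written, anyone AD FS can authenticate gets a token.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

function New-CrmRelyingPartyTrust {
    param([string]$Name, [string]$MetadataUrl)
    # Import from metadata, as the wizard's "published online" option does. This
    # fails if the CRM host's TLS certificate does not validate on this server,
    # which is the right outcome; fix the certificate rather than importing a file.
    if (Get-ADFSRelyingPartyTrust -Name $Name) { Write-Host "$Name already exists, leaving it alone"; return }
    Add-ADFSRelyingPartyTrust -Name $Name -MetadataUrl $MetadataUrl `
        -IssuanceTransformRules $crmRules -IssuanceAuthorizationRules $permitAll
    Get-ADFSRelyingPartyTrust -Name $Name | Select-Object Name, Identifier, MetadataUrl
}

# Section 4, Steps 11-22: the internal (claims) endpoint.
New-CrmRelyingPartyTrust -Name 'CRM Claims Relying Party' `
    -MetadataUrl 'https://internalcrm.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Section 5, Steps 7-18: the IFD endpoint, only after IFD is enabled on the CRM server.
New-CrmRelyingPartyTrust -Name 'CRM IFD Relying Party' `
    -MetadataUrl 'https://auth.fabrikam.com/FederationMetadata/2007-06/FederationMetadata.xml'
```

Because the trusts are created with a metadata URL, AD FS can re-read that URL when CRM's encryption certificate is rotated; keep the URL reachable from the AD FS server for that reason, and compare the two trusts' rule text with Get-ADFSRelyingPartyTrust whenever sign-in works internally but not over the IFD address.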

Test external claims-based authentication

You should now be able to access Microsoft Dynamics CRM Server 2013 externally using claims authentication. Browse to your Microsoft Dynamics CRM Server 2013 Web site's external address (for example, https://orgname.fabrikam.com). You are redirected to the AD FS sign-in page, which should load without any certificate warning; if you see one, stop and fix the certificate or DNS name rather than clicking through, because users will be typing domain credentials into that page.

Sign in and verify that you have external access to Microsoft Dynamics CRM Server 2013.

tada….

You have successfully configured Internet facing deployment for Dynamics CRM 2013.

Hope this article was useful.