Configure the Microsoft Dynamics CRM Server for claims-based authentication


Applies To: Dynamics CRM 2013

After you have installed AD FS, you need to set the Microsoft Dynamics CRM Server binding type and root domains before you enable claims-based authentication.

Set Microsoft Dynamics CRM Server binding to HTTPS and configure the root domain web addresses

  1. On the Microsoft Dynamics CRM server, start the Deployment Manager.

  2. In the Actions pane, click Properties.

  3. Click the Web Address tab.

  4. Under Binding Type, select HTTPS.

  5. Verify that the web addresses are valid for your SSL certificate and the SSL port bound to the Microsoft Dynamics CRM website. Because you are configuring Microsoft Dynamics CRM Server to use claims authentication for internal access, use the host name for the root domain web addresses.

    For example, for a *.contoso.com wildcard certificate, you would use internalcrm.contoso.com for the web addresses.

    If you install AD FS and Microsoft Dynamics CRM Server on separate servers, do not specify port 443 for the Web Application Server, Organization Web Service, or Discovery Web Service.

    (Screenshot: Configure Web Address)

  6. Click OK.

    Warning

    If CRM for Outlook clients were configured using the old binding values, these clients will need to be configured with the new values.

The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate

The certificate you specify in the Configure Claims-Based Authentication Wizard is used by AD FS to encrypt security tokens issued to the Microsoft Dynamics CRM Server client. The CRMAppPool account of each Microsoft Dynamics CRM web application must have read permission to the private key of the encryption certificate.

  1. On the Microsoft Dynamics CRM server, create a Microsoft Management Console (MMC) with the Certificates snap-in console that targets the Local computer certificate store.

  2. In the console tree, expand the Certificates (Local Computer) node, expand the Personal store, and then click Certificates.

  3. In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to All Tasks, and then click Manage Private Keys.

  4. Click Add, add the CRMAppPool account (or select the Network Service account if that is the account you used during Setup), and then grant Read permissions.

    Note

    You can use IIS Manager to determine what account was used during setup for the CRMAppPool account. In the Connections pane, click Application Pools, and then check the Identity value for CRMAppPool.

    (Screenshot: IIS Application Pools)

  5. Click OK.

Configuring claims-based authentication using the Configure Claims-Based Authentication Wizard

Run the Configure Claims-Based Authentication Wizard to enable claims authentication on your Microsoft Dynamics CRM Server.

  1. On the Microsoft Dynamics CRM server, start the Deployment Manager.

  2. In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

  3. Review the contents of the page, and then click Next.

  4. On the Specify the security token service page, enter the federation metadata URL, such as https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml.

    This data is typically located on the website where Active Directory Federation Services is running. To verify the correct URL, open an Internet browser and view the federation metadata URL. Verify that no certificate-related warnings appear.

  5. Click Next.

  6. On the Specify the encryption certificate page, specify the encryption certificate in one of two ways:

    • In the Certificate box, type the complete common name (CN) of the certificate by using the format CN=certificate_subject_name.

    • Under Certificate, click Select, and then select a certificate.

    This certificate is used by AD FS to encrypt authentication security tokens that are issued to the Microsoft Dynamics CRM client.

    Note

    The Microsoft Dynamics CRM service account must have Read permissions for the private key of the encryption certificate. For more information, see “The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate” above.

  7. Click Next.

    The Configure Claims-Based Authentication Wizard verifies the token and certificate that you specified.

  8. On the System Checks page, review the results, perform any steps required to fix problems, and then click Next.

  9. On the Review your selections and then click Apply page, verify your selections, and then click Apply.

  10. Note the URL you must use to add the relying party to the security token service. View and save the log file for later reference.

  11. Click Finish.

Configuring claims-based authentication using Windows PowerShell

  1. On the Microsoft Dynamics CRM server, open a Windows PowerShell prompt.

  2. Add the Microsoft Dynamics CRM Windows PowerShell snap-in:

    PS > Add-PSSnapin Microsoft.Crm.PowerShell 
    
  3. Get the claims-based authentication settings:

    PS > $claims = Get-CrmSetting -SettingType "ClaimsSettings" 
    
  4. Configure the claims-based authentication object:

    PS > $claims.Enabled = $true
    PS > $claims.EncryptionCertificate = "certificate_name"
    PS > $claims.FederationMetadataUrl = "federation_metadata_URL"
    

    Where:

    certificate_name is the complete common name (CN) of the encryption certificate, in the format CN=certificate_subject_name, and federation_metadata_URL is the AD FS federation metadata URL, such as https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml. Enabled also accepts 1 in place of $true.

  5. Set the claims-based authentication values:

    PS > Set-CrmSetting $claims
    

Set Read permissions for the ADFSAppPool account

If you are installing AD FS on a separate server, verify that the account used for the ADFSAppPool application pool has Read permissions to the private key of the encryption certificate. See the preceding topic “The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate” for the process steps.

See Also

Implement claims-based authentication: internal access