Active Directory and network requirements for Microsoft Dynamics CRM
Active Directory directory service is a component of the Microsoft Windows Server operating systems. Active Directory provides a directory and security structure for network applications such as Microsoft Dynamics CRM.
As with most applications that rely on a directory service, Microsoft Dynamics CRM has dependencies that are important for operation, such as use of Active Directory to store user and group information and to create application security.
Microsoft Dynamics CRM should only be installed on a Windows Server that is a domain member or, if you are installing on Microsoft Small Business Server, a domain controller. The domain where the server is located must be running in one of the following Active Directory modes:
- Windows 2000 Mixed Mode
- Windows 2000 Native
- Windows Server 2003 Native
- Windows Server 2003 Interim
- All Windows Server 2008 Modes
- All Active Directory forest modes are supported. For more information about Active Directory domain and forest modes, see:
Federation and claims-based authentication support
When you configure Microsoft Dynamics CRM for Internet-facing access, Microsoft Dynamics CRM 2011 requires federated services that support claims-based authentication. We recommend Active Directory Federation Services 2.0 (AD FS 2.0).
Active Directory Federation Services 2.0
Active Directory Federation Services is a highly secure, highly extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using Active Directory Federation Services 2.0 in Windows Server 2008, you can simply and very securely grant external users access to your organization’s domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.
AD FS 2.0 is a feature in Windows Server 2008 R2 and earlier versions that can be downloaded and installed (see the AD FS 2.0 RTW download link in table below).
AD FS 2.0 requires two types of digital certificates:
- Claims encryption. Claims-based authentication requires identities to provide an encryption certificate for authentication. This certificate should be trusted by the computer where you are installing Microsoft Dynamics CRM Server 2011 so it must be located in the local Personal store where the Configure Claims-Based Authentication Wizard is running.
- SSL (HTTPS) encryption. The certificates for SSL encryption should be valid for host names similar to org.contoso.com, auth.contoso.com, and dev.contoso.com. To satisfy this requirement you can use a single wildcard certificate (*.contoso.com), a certificate that supports Subject Alternative Names, or individual certificates for each name. Individual certificates for each host name are only valid if you use different servers for each Web server role. Multiple IIS bindings, such as a Web site with two HTTPS or two HTTP bindings, is not supported for running Microsoft Dynamics CRM. For more information about the options that are available to you, contact your certificate authority service company or your certificate authority administrator.
To meet these requirements, your organization should have a public key infrastructure or a contract with a digital certificate provider such as VeriSign, GoDaddy, or Comodo.
For more information about Active Directory, see the resources in the following table.
Active Directory Domain Services
Planning an Active Directory Deployment Project (Windows Server 2003)
Active Directory Site Design (Windows Server 2003)
Domain Controller Roles (Windows Server 2003)
Active Directory Federation Services
AD FS 2.0 RTW Download
Digital certificates overview
Microsoft Dynamics CRM 2011 works with IPv6 either alone or together with IPv4 within environments that have networks where IPv6 is supported.