Add the AD FS website to the Local intranet security zone

  • Article

 

Applies To: Dynamics CRM 2013

Because the AD FS website is loaded as a FQDN, Internet Explorer places it in the Internet zone. By default, Internet Explorer clients do not pass Kerberos tickets to websites in the Internet zone. You must add the AD FS website to the Intranet zone in Internet Explorer on each client computer accessing Microsoft Dynamics CRM data internally.

Add the AD FS server to the Local intranet zone

  1. In Internet Explorer, click Tools, and then click Internet Options.

  2. Click the Security tab, click the Local intranet zone, and then click Sites.

  3. Click Advanced.

  4. In Add this website to the zone, type the URL for your AD FS server, for example, https://sts1.contoso.com.

  5. Click Add, click Close, and then click OK.

  6. Select the Advanced tab. Scroll down and verify that under Security Enable Integrated Windows Authentication is checked.

  7. Click OK to close the Internet Options dialog box.

You will need to update the Local intranet zone on each client computer accessing Microsoft Dynamics CRM data internally. To use Group Policy to push this setting to all domain-joined internal client computers do the following.

To use Group Policy to update the Local intranet zone

  1. Use Internet Explorer to add the AD FS server to the Local intranet zone following the preceding steps. You will import these settings in your Group Policy Object (GPO).

  2. Click Start, click Administrative Tools, and then click Group Policy Management.

  3. Right-click the Group Policy Object (GPO) you use to publish changes to client computers in your domain and then click Edit.

  4. Under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance, click Security, and then double-click Security Zones and Content Ratings.

  5. Under Security Zones and Privacy select Import the current security zones and privacy settings.

    Read the information about enhanced security configuration carefully. If the local intranet zone is considered a trusted zone without enhanced security configuration, click Continue. If the local intranet zone requires enhanced security, follow the directions on this screen and click Cancel.

  6. Click OK.

  7. Group Policy setting will refresh after 90 minutes. Clients can refresh immediately by running gpupdate /force.

See Also

Implement claims-based authentication: internal access