Enabling AD FS 2.0 token signing

By default, Microsoft Dynamics CRM Server 2011 does not check for the presence or validity of the AD FS 2.0 token signing certificate and does not use AD FS 2.0 token signing. To enable validation and use of the AD FS 2.0 token-signing certificate, create the TrustedIssuerCertificateValidation registry entry on all Front End Servers.

To create the TrustedIssuerCertificateValidation registry entry

  1. Click Start, click Run, type regedit, and then press Enter.

  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM

  3. Create the following registry entry:

    Value name: TrustedIssuerCertificateValidation

    Value type: String

    Value data: (one of the following)

    Value data          Description
    None                No validation of the certificate is done.
    PeerTrust           The certificate is valid if it is in the trusted people store.
    ChainTrust          The certificate is valid if the chain builds to a certification authority in the trusted root store.
    PeerOrChainTrust    The certificate is valid if it is in the trusted people store, or if the chain builds to a certification authority in the trusted root store.

    Note

    The Custom value is not supported in Microsoft Dynamics CRM Server 2011.

  4. Close the Registry Editor.

For more information, see X509CertificateValidationMode Enumeration (https://go.microsoft.com/fwlink/?LinkID=209771).
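The registry steps above can be scripted so that every Front End Server ends up with an identical, verified setting. The following is an added example, not code from the Microsoft article: it creates or updates the TrustedIssuerCertificateValidation value under HKLM\SOFTWARE\Microsoft\MSCRM as a String (REG_SZ), accepts only the four mode names the article lists (Custom is rejected because CRM 2011 does not support it), and reads the value back so a mistyped mode or a wrong value type is caught immediately rather than at the first failed sign-in. Run it in an elevated PowerShell session on each Front End Server; the default mode and the exact messages are the example's own choices.

```powershell
# Added example (not from the Microsoft article): sets the
# TrustedIssuerCertificateValidation value on one Microsoft Dynamics CRM
# Server 2011 Front End Server. Run elevated, once per Front End Server.
#
# The accepted names are the X509CertificateValidationMode members the
# article lists; 'Custom' is excluded because CRM 2011 does not support it.
param(
    [ValidateSet('None', 'PeerTrust', 'ChainTrust', 'PeerOrChainTrust')]
    [string]$Mode = 'PeerOrChainTrust'   # default chosen for this example
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\MSCRM'
$valueName = 'TrustedIssuerCertificateValidation'

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key $keyPath not found. Run this on a CRM 2011 Front End Server."
}

if ($Mode -eq 'None') {
    # 'None' turns the check off entirely, so make that visible in the log.
    Write-Warning "Mode 'None' disables token-signing certificate validation."
}

$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue

if ($existing -eq $null) {
    # Value type must be String (REG_SZ), as the article specifies.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType String -Value $Mode | Out-Null
    Write-Output "Created $valueName = '$Mode'"
}
elseif ($existing.$valueName -ne $Mode) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $Mode
    Write-Output "Changed $valueName from '$($existing.$valueName)' to '$Mode'"
}
else {
    Write-Output "$valueName is already '$Mode'"
}

# Read the value back: CRM would not report a wrong string or value type
# until token validation fails, so verify both here.
$stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
$kind   = (Get-Item -Path $keyPath).GetValueKind($valueName)
if ($kind -ne 'String') {
    throw "$valueName has type $kind; expected String (REG_SZ)."
}
if (@('None', 'PeerTrust', 'ChainTrust', 'PeerOrChainTrust') -notcontains $stored) {
    throw "$valueName contains unexpected data '$stored'."
}
Write-Output "Verified: $valueName = '$stored' (REG_SZ)"
```

The script is written for Windows PowerShell 2.0, which is what a Server 2008 R2 CRM host of this era ships with; it uses `-notcontains` rather than the later `-notin` operator for that reason. Whatever mode is chosen, the same value must be present on every Front End Server, so run the script on all of them rather than on one.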

Note the following information regarding enabling AD FS 2.0 token signing:

  • By default, AD FS 2.0 creates a self-signed certificate for signing tokens.

    Note

    If token signing is enabled, when the signing certificate expires AD FS 2.0 creates a new signing certificate. The new signing certificate will need to be moved to the Trusted Root Certification Authorities store of all Microsoft Dynamics CRM Server 2011 servers.

  • To use the self-signed certificate, do the following:

    Export the signing certificate.

    1. On the AD FS 2.0 server, open AD FS 2.0 Management, expand Service, and then expand Certificates.

    2. Double-click the token-signing certificate, click the Details tab, and then click Copy to File.

    3. Proceed through the Certificate Export Wizard using default values and save the certificate.

    Import the signing certificate.

    1. On the Microsoft Dynamics CRM Server 2011 server, open MMC and add the Certificates Manager snap-in.

    2. Import the token-signing certificate into the Trusted Root Certification Authorities store.

  • You can use a signed certificate from a trusted CA instead of the self-signed certificate generated by AD FS 2.0.

For more information, see Certificate Requirements for Federation Servers (https://go.microsoft.com/fwlink/?LinkId=182466).
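The export and import steps above can also be done from PowerShell, which makes it easier to repeat them when AD FS 2.0 rolls the token-signing certificate over (see the note above about expiry). The following is an added example, not code from the Microsoft article. Step 1 runs on the AD FS 2.0 server and writes the primary token-signing certificate to a DER-encoded .cer file containing only the public certificate, which is what the Certificate Export Wizard produces with default values; Step 2 runs on each Microsoft Dynamics CRM Server 2011 server and adds that file to the machine's Trusted Root Certification Authorities store, after checking that the file's thumbprint matches the one printed in Step 1. It assumes the AD FS 2.0 snap-in Microsoft.Adfs.PowerShell is present on the AD FS server and that Get-ADFSCertificate returns objects with IsPrimary and Certificate properties; the file path C:\Temp\adfs-token-signing.cer is a placeholder.

```powershell
# Added example (not from the Microsoft article). Step 1 runs on the AD FS
# 2.0 server, Step 2 on each CRM 2011 server. C:\Temp\adfs-token-signing.cer
# is a placeholder path.

# ---- Step 1: on the AD FS 2.0 server -----------------------------------
function Export-AdfsTokenSigningCertificate {
    param([string]$Path)

    # AD FS 2.0 ships its cmdlets as a snap-in, not a module.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

    $primary = Get-ADFSCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary }
    if ($primary -eq $null) { throw 'No primary token-signing certificate found.' }

    $cert = $primary.Certificate
    Write-Output ("Exporting {0}, thumbprint {1}, expires {2}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    # X509ContentType.Cert exports the public certificate only; the private
    # key stays on the AD FS server.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $cert.Thumbprint
}

# ---- Step 2: on each Microsoft Dynamics CRM Server 2011 server ---------
function Import-TokenSigningCertificateToTrustedRoot {
    param(
        [string]$Path,
        [string]$ExpectedThumbprint   # the value printed/returned by Step 1
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Compare thumbprints before adding anything to the machine's root store.
    if ($cert.Thumbprint -ne $ExpectedThumbprint.Replace(' ', '').ToUpper()) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    if ($cert.HasPrivateKey) {
        throw 'File contains a private key; export the public certificate only.'
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $already = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($already -eq $null) {
            $store.Add($cert)
            Write-Output "Imported $($cert.Thumbprint) into Trusted Root Certification Authorities."
        } else {
            Write-Output "$($cert.Thumbprint) is already in Trusted Root Certification Authorities."
        }
    } finally {
        $store.Close()
    }
}

# Usage (placeholder path; thumbprint comes from Step 1):
#   On AD FS: $tp = Export-AdfsTokenSigningCertificate -Path 'C:\Temp\adfs-token-signing.cer'
#   On CRM:   Import-TokenSigningCertificateToTrustedRoot -Path 'C:\Temp\adfs-token-signing.cer' -ExpectedThumbprint $tp
```

Because Step 1 prints the certificate's NotAfter date, it doubles as a check for the rollover case in the note above: when AD FS 2.0 has generated a new token-signing certificate, rerunning Step 1 exports the new primary certificate, and Step 2 must then be rerun on every CRM server. The old certificate can be left in the store until the tokens it signed have expired and then removed.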


© 2012 Microsoft Corporation. All rights reserved.