Configure the Microsoft Dynamics CRM Server for claims-based authentication


Applies To: Dynamics CRM 2016

After you have installed AD FS, you need to set the Microsoft Dynamics CRM Server binding type and root domains before you enable claims-based authentication.

  1. On the Microsoft Dynamics CRM server, start the Deployment Manager.

  2. In the Actions pane, click Properties.

  3. Click the Web Address tab.

  4. Under Binding Type, select HTTPS.

  5. Verify that the web addresses are valid for your TLS/SSL certificate and the TLS/SSL port bound to the Microsoft Dynamics CRM website. Because you are configuring Microsoft Dynamics CRM Server to use claims authentication for internal access, use the host name for the root domain web addresses.

    For example, for a * wildcard certificate, you would use for the web addresses.

    If you install AD FS and Microsoft Dynamics CRM Server on separate servers, do not specify port 443 for the Web Application Server, Organization Web Service, or Discovery Web Service.

  6. Click OK.


    If Dynamics CRM for Outlook clients were configured using the old binding values, these clients will need to be configured with the new values.

The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate

The certificate you specify in the Configure Claims-Based Authentication Wizard is used by AD FS to encrypt security tokens issued to the Microsoft Dynamics CRM Server client. The CRMAppPool account of each Microsoft Dynamics CRM web application must have read permission to the private key of the encryption certificate.

  1. On the Microsoft Dynamics CRM server, create a Microsoft Management Console (MMC) with the Certificates snap-in console that targets the Local computer certificate store.

  2. In the console tree, expand the Certificates (Local Computer) node, expand the Personal store, and then click Certificates.

  3. In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to All Tasks, and then click Manage Private Keys.

  4. Click Add, add the CRMAppPool account (or select the Network Service account if that is the account you used during Setup), and then grant Read permissions.


    You can use IIS Manager to determine what account was used during setup for the CRMAppPool account. In the Connections pane, click Application Pools, and then check the Identity value for CRMAppPool.

  5. Click OK.
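The same check, scripted, as an added example that is not part of the original page: it resolves the CRMAppPool identity the way IIS Manager shows it, locates the private key file of the encryption certificate, and grants Read only if it is missing. The certificate subject is a placeholder, and the key is assumed to be an RSA (CAPI) key in the Local Computer Personal store.

```powershell
# Added example (not from the original page). Assumes an RSA CAPI key in
# Cert:\LocalMachine\My; the subject below is a placeholder for your own certificate.
Import-Module WebAdministration

$certSubject = 'CN=crm-encryption.example.com'   # placeholder, replace with your CN

# 1. Resolve the CRMAppPool identity exactly as IIS Manager displays it.
$pool = Get-Item 'IIS:\AppPools\CRMAppPool'
$identity = switch ($pool.processModel.identityType) {
    'SpecificUser'            { $pool.processModel.userName }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'ApplicationPoolIdentity' { 'IIS AppPool\CRMAppPool' }
}
Write-Host "CRMAppPool runs as: $identity"

# 2. Find the encryption certificate and the file that holds its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $certSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate '$certSubject' with a private key was not found." }

$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"

# 3. Grant Read only when the identity does not already have it (least privilege:
#    Read is all the CRMAppPool account needs to use the key).
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($hasRead) {
    Write-Host "$identity already has Read on the private key."
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the private key to $identity."
}
```

Run it in an elevated PowerShell session on the Microsoft Dynamics CRM server; for a CNG key `$cert.PrivateKey` is empty and the key file lives under a different path, so the container lookup would need to be adapted.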

Run the Configure Claims-Based Authentication Wizard to enable claims authentication on your Microsoft Dynamics CRM Server.

  1. On the Microsoft Dynamics CRM server, start the Deployment Manager.

  2. In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

  3. Review the contents of the page, and then click Next.

  4. On the Specify the security token service page, enter the federation metadata URL, such as

    This data is typically located on the website where Active Directory Federation Services is running. To verify the correct URL, open an Internet browser and view the federation metadata URL. Verify that no certificate-related warnings appear.

    You may need to turn on Compatibility View in Internet Explorer.

  5. Click Next.

  6. On the Specify the encryption certificate page, specify the encryption certificate in one of two ways:

    • In the Certificate box, type the complete common name (CN) of the certificate by using the format CN=certificate_subject_name.

    • Under Certificate, click Select, and then select a certificate.

    This certificate is used by AD FS to encrypt authentication security tokens that are issued to the Microsoft Dynamics CRM client.


    The Microsoft Dynamics CRM service account must have Read permissions for the private key of the encryption certificate. For more information, see “The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate” above.

  7. Click Next.

    The Configure Claims-Based Authentication Wizard verifies the token and certificate that you specified.

  8. On the System Checks page, review the results, perform any steps required to fix problems, and then click Next.

  9. On the Review your selections and then click Apply page, verify your selections, and then click Apply.

  10. Note the URL you must use to add the relying party to the security token service. View and save the log file for later reference.

  11. Click Finish.

You can also enable claims-based authentication by using Windows PowerShell.

  1. On the Microsoft Dynamics CRM server, open a Windows PowerShell prompt.

  2. Add the Microsoft Dynamics CRM Windows PowerShell snap-in:

    PS > Add-PSSnapin Microsoft.Crm.PowerShell 
  3. Get the claims-based authentication settings:

    PS > $claims = Get-CrmSetting -SettingType "ClaimsSettings" 
  4. Configure the claims-based authentication object:

    PS > $claims.Enabled = 1 (or $true)
    PS > $claims.EncryptionCertificate = certificate_name
    PS > $claims.FederationMetadataUrl = federation_metadata_URL


    • 1 = "true".

    • certificate_name is the name of the encryption certificate.

    • federation_metadata_URL is the federation metadata URL for the security token service. (For example,

  5. Set the claims-based authentication values:

    PS > Set-CrmSetting $claims
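The PowerShell steps above as one script, added here as an example that is not part of the original page: it fetches the federation metadata over HTTPS (which fails on an untrusted or mismatched certificate, the same condition the browser check looks for), confirms the encryption certificate is present with a private key and still valid, then applies and reads back the claims settings. The host name and certificate subject are placeholders; the metadata path is the standard AD FS one.

```powershell
# Added example (not from the original page). Placeholder values below; replace with
# your own security token service URL and certificate subject.
$federationMetadataUrl = 'https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
$certificateName       = 'CN=crm-encryption.example.com'

if (-not (Get-PSSnapin -Name Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Crm.PowerShell
}

# 1. Retrieve the federation metadata. Invoke-WebRequest throws on certificate errors,
#    so reaching the next line means the STS certificate chain is trusted by this server.
$response = Invoke-WebRequest -Uri $federationMetadataUrl -UseBasicParsing
[xml]$metadata = $response.Content
if ($null -eq $metadata.EntityDescriptor) {
    throw "Response from $federationMetadataUrl is not a federation metadata document."
}
Write-Host "Federation metadata entityID: $($metadata.EntityDescriptor.entityID)"

# 2. Confirm the encryption certificate is in the Local Computer Personal store,
#    has a private key, and has not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $certificateName -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Certificate '$certificateName' with a private key was not found." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate '$certificateName' has expired." }

# 3. Apply the settings exactly as in the manual steps, then read them back.
$claims = Get-CrmSetting -SettingType 'ClaimsSettings'
$claims.Enabled               = $true
$claims.EncryptionCertificate = $certificateName
$claims.FederationMetadataUrl = $federationMetadataUrl
Set-CrmSetting $claims

$check = Get-CrmSetting -SettingType 'ClaimsSettings'
if (-not $check.Enabled) { throw 'Claims-based authentication is still disabled after Set-CrmSetting.' }
Write-Host "Claims enabled; metadata URL: $($check.FederationMetadataUrl)"
```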

If you are installing AD FS on a separate server, verify the account used for the ADFSAppPool application pool has Read permissions. See the preceding topic “The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate” for the process steps.

© 2016 Microsoft. All rights reserved.
