Deploy and configure AD FS
Applies To: CRM 2016 on-prem
A variety of identity providers can be used with Microsoft Dynamics CRM Server. This document uses Active Directory Federation Services (AD FS) for the security token service. For information on configuring identity federation deployment between AD FS and other identity providers, see: AD FS 2.0 Step-by-Step and How To Guides.
If you are deploying on Windows Server 2012, and you are installing AD FS on the same server as Microsoft Dynamics CRM, AD FS installs on the default website. Before installing AD FS, you must create a new website for Microsoft Dynamics CRM Server.
This does not apply to Windows Server 2012 R2 as AD FS in Windows Server 2012 R2 does not depend on IIS.
To configure AD FS as a stand-alone federation server for Microsoft Dynamics CRM Server claims authentication, do the following:
1. Open the Windows Server 2012 R2 Add Roles and Features Wizard and add the Active Directory Federation Services server role.
2. Proceed through the wizard. Click Configure the federation service on this server.
3. On the Welcome page in the Active Directory Federation Services Configuration Wizard, choose an option for a federation server, and then click Next.
4. Proceed through the wizard. On the Specify Service Properties page, select your TLS/SSL certificate, enter a Federation Service Name, and then enter a Federation Service Display Name.
   You only add the federation service name if you are using a wildcard certificate for the AD FS website.
   If you install AD FS and Microsoft Dynamics CRM Server on the same server, do not use the same URL for the Federation Service name and internal claims access to Microsoft Dynamics CRM Server. For example, if you use sts1.contoso.com for the Federation Service name, do not use https://sts1.contoso.com for internal Microsoft Dynamics CRM data access.
5. Proceed through and complete the Active Directory Federation Services Configuration Wizard. Close the Add Roles and Features Wizard.
6. If you have not created a host record in DNS for the federation server name you specified in Step 4 previously, do so now.
For more information, see Configure a Federation Server.
Use the following steps to verify the AD FS installation:
1. On the AD FS server, open Internet Explorer.
2. Browse to the URL of the federation metadata. For example, https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
   You may need to turn on Compatibility View in Internet Explorer.
3. Verify that no certificate-related warnings appear. If necessary, check your certificate and DNS settings.
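The same checks can be scripted. The following PowerShell script is an added example, not part of the original Microsoft guidance: it checks the name-collision rule, the DNS host record, and the metadata endpoint's certificate. It assumes it is saved as a script file; sts1.contoso.com is the page's example name and the CRM internal URL is a hypothetical placeholder.

```powershell
# Added example: scripted form of the verification steps above.
# sts1.contoso.com is the page's example name; the CRM URL is a hypothetical placeholder.
param(
    [string]$FederationServiceName = 'sts1.contoso.com',
    [string]$CrmInternalUrl        = 'https://internalcrm.contoso.com'
)

$failures = @()

# The Federation Service name and the internal CRM URL must not share a host.
$crmHost = ([uri]$CrmInternalUrl).Host
if ($crmHost -ieq $FederationServiceName) {
    $failures += "CRM internal URL host equals the Federation Service name ($crmHost)."
}

# The DNS host record for the federation server name must exist.
try {
    $dns = Resolve-DnsName -Name $FederationServiceName -ErrorAction Stop
    $ips = ($dns | Where-Object IPAddress).IPAddress -join ', '
    Write-Output "DNS: $FederationServiceName resolves to $ips"
} catch {
    $failures += "No DNS record for ${FederationServiceName}: $($_.Exception.Message)"
}

# Fetch the metadata over HTTPS. .NET validates the certificate chain and host
# name by default, so an untrusted, expired or mismatched certificate throws here.
$metadataUrl = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
try {
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($metadataUrl)
    if ($doc.DocumentElement.LocalName -ne 'EntityDescriptor') {
        $failures += "Unexpected metadata root element '$($doc.DocumentElement.LocalName)'."
    }
    Write-Output "Metadata retrieved, entityID = $($doc.DocumentElement.GetAttribute('entityID'))"
} catch {
    $failures += "Metadata request failed (check certificate and DNS): $($_.Exception.Message)"
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'AD FS metadata endpoint verified.'
```

Unlike the browser check, a certificate problem here surfaces as a failed request rather than a warning that can be clicked through.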
© 2016 Microsoft Corporation. All rights reserved.