Configure Microsoft Dynamics CRM for Outlook to use claims-based authentication

 

Applies To: Dynamics CRM 2013

In an environment that supports claims-based authentication, a client (such as CRM for Outlook) can use federated AD FS to connect to the Microsoft Dynamics CRM Server. The client obtains credentials through federated AD FS and uses these credentials to be authenticated on the same or a different Active Directory domain to connect to the Microsoft Dynamics CRM Server.

You can connect CRM for Outlook on one Active Directory domain to a Microsoft Dynamics CRM server in a different Active Directory domain. You can do this when the credentials that CRM for Outlook uses on its own domain are authenticated by a server on the other domain. To make this work, use AD FS.

After federation is established, the client can use either its current domain credentials or different domain credentials when attempting to connect to the Microsoft Dynamics CRM Server. You specify which domain and which Active Directory to use through the home realm - an identity provider that authenticates the user.

Note

For external claims-based authentication deployments, use the Microsoft Dynamics CRM Server website's external address (for example: https://orgname.contoso.com) for the Server URL connection setting.

Set up a client for claims-based authentication

In the following procedure, you create a registry key on a single client computer. You may also want to consider using group policy so that you can make this registry change on multiple client computers.

  1. Make sure that a web browser on the client can reach the Microsoft Dynamics CRM Server URL with no certificate errors. If you use a self-signed certificate, you will need to import it to avoid certificate errors. After you import any needed certificates, you should be able to connect to the organization by using non-federated credentials.

  2. To use federated credentials, specify HomeRealmUrl in the Windows registry, as shown here:

    Note

    This registry key is only needed if the claims provider server is different from the claims provider server used by Microsoft Dynamics CRM Server; for example, the Microsoft Dynamics CRM client authenticates across realms to a different domain.

    1. With Administrator privileges, open the Registry Editor.

    2. Open the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MSCRMClient.

    3. Create the registry string HomeRealmUrl.

    4. For the value data, enter the URL of the federated AD FS. This URL will end in /adfs/services/trust/mex. For example, https://adfs.contoso.com/adfs/services/trust/mex.

    5. Close the Registry Editor.

    6. Configure CRM for Outlook. For more information, see Task 2: Configure Microsoft Dynamics CRM for Outlook in the Microsoft Dynamics CRM Installing Guide.

You should now be able to connect CRM for Outlook to Microsoft Dynamics CRM Server by using claims-based authentication.
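
The registry steps in the procedure above can also be scripted. The following PowerShell is an added example, not part of the original article: it validates the URL before writing it, because HomeRealmUrl decides which identity provider the client sends credentials to. The function name Test-HomeRealmUrl is hypothetical, and the default URL is the article's contoso sample.

```powershell
# Added example: write HomeRealmUrl for CRM for Outlook after validating it.
param(
    # Assumption: replace with the MEX endpoint of your federated AD FS.
    [string]$HomeRealmUrl = 'https://adfs.contoso.com/adfs/services/trust/mex'
)

$keyPath   = 'HKLM:\Software\Policies\Microsoft\MSCRMClient'
$valueName = 'HomeRealmUrl'
$mexSuffix = '/adfs/services/trust/mex'

function Test-HomeRealmUrl {
    param([string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    # Require TLS so the client never talks to the identity provider in clear text.
    if ($uri.Scheme -ne 'https') { return $false }
    # The article states the URL ends in /adfs/services/trust/mex.
    if (-not $uri.AbsolutePath.EndsWith($mexSuffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    # Reject embedded credentials and query or fragment parts.
    if ($uri.UserInfo -or $uri.Query -or $uri.Fragment) { return $false }
    return $true
}

# HKLM\Software\Policies is writable only by administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

if (-not (Test-HomeRealmUrl $HomeRealmUrl)) {
    throw "Refusing to write '$HomeRealmUrl': expected an https URL ending in $mexSuffix."
}

# Create the key if it does not exist, then set the string (REG_SZ) value.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $valueName -Value $HomeRealmUrl -PropertyType String -Force | Out-Null

# Read the value back to confirm what the client will see.
$written = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($written -ne $HomeRealmUrl) { throw "Read-back mismatch: found '$written'." }
Write-Output "HomeRealmUrl set to $written"
```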

Use an administrative template (.adm) file

Modify the following sample to create an .adm file that publishes the HomeRealmUrl registry setting through group policy.

CLASS MACHINE
CATEGORY "Microsoft Dynamics CRM"
   KEYNAME "Software\Policies\Microsoft\MSCRMClient"
   POLICY "Home Realm URL"
      EXPLAIN "Allow Administrator to specify the Home Realm URL for federated domains."
      PART "Specify Home Realm URL (example: https://adfs.contoso.com/adfs/services/trust/mex)" EDITTEXT REQUIRED
      VALUENAME "HomeRealmUrl"
      END PART
   END POLICY
END CATEGORY

For more information, see Administrative Template File Format.

See Also

Install CRM for Outlook for Microsoft Dynamics CRM 2013 and Dynamics CRM Online
Configure IFD for Microsoft Dynamics CRM 2013