Active Directory and network requirements for Microsoft Dynamics CRM

Previous Topic

Next Topic

Active Directory directory service is a component of the Microsoft Windows Server operating systems. Active Directory provides a directory and security structure for network applications such as Microsoft Dynamics CRM.

As with most applications that rely on a directory service, Microsoft Dynamics CRM has dependencies that are important for operation, such as use of Active Directory to store user and group information and to create application security.

Microsoft Dynamics CRM should only be installed on a Windows Server that is a domain member or, if you are installing on Microsoft Small Business Server, a domain controller. The domain where the server is located must be running in one of the following Active Directory modes:

Federation and claims-based authentication support

When you configure Microsoft Dynamics CRM for Internet-facing access, Microsoft Dynamics CRM 2011 requires federated services that support claims-based authentication. We recommend Active Directory Federation Services 2.0 (AD FS 2.0).

Active Directory Federation Services 2.0

Active Directory Federation Services is a highly secure, highly extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using Active Directory Federation Services 2.0 in Windows Server 2008, you can simply and very securely grant external users access to your organization’s domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.

AD FS 2.0 is a feature in Windows Server 2008 R2 and earlier versions that can be downloaded and installed (see the AD FS 2.0 RTW download link in table below).

Digital Certificates

AD FS 2.0 requires two types of digital certificates:

  • Claims encryption. Claims-based authentication requires identities to provide an encryption certificate for authentication. This certificate should be trusted by the computer where you are installing Microsoft Dynamics CRM Server 2011 so it must be located in the local Personal store where the Configure Claims-Based Authentication Wizard is running.
  • SSL (HTTPS) encryption. The certificates for SSL encryption should be valid for host names similar to,, and To satisfy this requirement you can use a single wildcard certificate (*, a certificate that supports Subject Alternative Names, or individual certificates for each name. Individual certificates for each host name are only valid if you use different servers for each Web server role. Multiple IIS bindings, such as a Web site with two HTTPS or two HTTP bindings, is not supported for running Microsoft Dynamics CRM. For more information about the options that are available to you, contact your certificate authority service company or your certificate authority administrator.

To meet these requirements, your organization should have a public key infrastructure or a contract with a digital certificate provider such as VeriSign, GoDaddy, or Comodo.

For more information about Active Directory, see the resources in the following table.



Active Directory Domain Services

Active Directory Domain Services for Windows Server 2008 R2

Planning an Active Directory Deployment Project (Windows Server 2003)

Overview of Planning an Active Directory Deployment Project

Active Directory Site Design (Windows Server 2003)

Designing the Site Topology

Domain Controller Roles (Windows Server 2003)

FSMO placement and optimization on Active Directory domain controllers

Active Directory Federation Services

Active Directory Federation Services 2.0

AD FS 2.0 RTW Download

Active Directory Federation Services 2.0 RTW

Digital certificates overview


IPv6 Support

Microsoft Dynamics CRM 2011 works with IPv6 either alone or together with IPv4 within environments that have networks where IPv6 is supported.