Publishing Dynamics CRM 2011 with AD FS 2.0

Applies To: Unified Access Gateway

This topic describes the general configuration steps required to configure Microsoft Dynamics CRM 2011 with Active Directory Federation Services (AD FS) 2.0 claims-based authentication.

Note

When using claims-based authentication and an Internet-facing deployment of Dynamics CRM 2011, publishing the Dynamics CRM 2011 application via Forefront UAG is supported only when using claims-based authentication to both the Forefront UAG server and to the Dynamics CRM 2011 server.

To configure Dynamics CRM 2011 with claims-based authentication

  1. On the Dynamics CRM 2011 server, configure claims-based authentication. See Configure the Microsoft Dynamics CRM Server 2011 for claims-based authentication.

  2. On the AD FS 2.0 server, configure claims-based authentication. See Configure the AD FS 2.0 server for claims-based authentication.

  3. Configure an Internet-facing deployment (IFD). See Configure the Microsoft Dynamics CRM Server 2011 for IFD.

  4. Configure the AD FS 2.0 server for IFD. See Configure the AD FS 2.0 server for IFD.

  5. On the Forefront UAG server in the Forefront UAG Management console, configure an AD FS 2.0 authentication server, specifying the AD FS 2.0 metadata file URL and using UPN as the claims value. See Configuring an AD FS 2.0 authentication repository.

  6. Create an HTTPS trunk or use an existing trunk, and configure the authentication on the trunk to use the AD FS 2.0 authentication server created in the previous step.

  7. Publish the CRM server using the Microsoft Dynamics CRM 2011 template. See Publishing Dynamics CRM 2011.

    Note

    1. On the Web Servers page of the Add Application Wizard, in Addresses enter the internal URL of the CRM server. Click HTTPS port, and enter the port number that you configured in step 3 (default 443). In Public host name enter the organization name.

    2. On the Authentication page of the wizard, select the Use SSO check box, select the AD FS 2.0 authentication server and click 401 request.

  8. In the Forefront UAG Management console, in the application list, click the AD FS 2.0 application, click Edit, and on the Application Properties dialog box, on the Authentication tab, select the Allow unauthenticated access to web server check box.

  9. On the Forefront UAG server in the Forefront UAG Management console, publish the Microsoft Dynamics CRM Discovery Web Service domain (the default value is dev.<domain>) using the Other Web Application (application specific name) template.

    Note

    1. On the Web Servers page of the Add Application Wizard, in Addresses enter the internal URL of the CRM server hosting the discovery service. Click HTTPS port, and enter the port number that you configured in step 3 (default 443). In Public host name, enter the Discovery Web Service domain prefix.

    2. On the Authentication page, select the Use SSO check box, select the AD FS 2.0 authentication server and click 401 request.

    3. On the Portal Link page, clear the Add a portal and toolbar link check box.

  10. On the Forefront UAG server in the Forefront UAG Management console, publish the external domain selected during configuration of IFD for Microsoft Dynamics CRM (the default value is auth.<domain>) using the Other Web Application (application specific name) template.

    Note

    1. On the Web Servers page of the Add Application Wizard, in Addresses enter the internal URL of the CRM server. Click HTTPS port, and enter the port number that you configured in step 3 (default 443). In Public host name, enter the external domain prefix.

    2. On the Authentication page, select the Use SSO check box, select the AD FS 2.0 authentication server and click 401 request.

    3. On the Portal Link page, clear the Add a portal and toolbar link check box.

  11. In the Forefront UAG Management console, in the Applications list, make sure that the Microsoft Dynamics CRM 2011 application appears in the list above the two new applications.

  12. On the AD FS 2.0 server create a Relying Party Trust for the Forefront UAG server. See Creating a Relying Party Trust Using Federation Metadata.

  13. Add claim rules as described in the procedure ‘Configure relying party trusts’ in the topic Configure the AD FS 2.0 server for claims-based authentication.

  14. On the domain controller, create DNS entries to resolve the external domain, the discovery service domain, and the web application server domain to the Forefront UAG server for remote clients connecting to the application from outside of the organization.
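The following PowerShell is an added example (not part of this topic or the Forefront UAG product) showing a scripted equivalent of steps 12 to 14: it uses the AD FS 2.0 cmdlets to create the relying party trust for the UAG server from its federation metadata, attaches the UPN pass-through rule, and adds the DNS records for the three published host names. The zone, IP address, organization name and UAG metadata URL are placeholders; the complete claim rule set for step 13 is the one listed in the referenced topic, of which only the UPN rule is shown here.

```powershell
# Added example, not from the original topic. Run steps 12-13 as an administrator
# on the AD FS 2.0 server and step 14 on the domain controller (dnscmd, local DNS).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$zone      = "contoso.com"     # placeholder: the AD DNS zone used by the deployment
$uagIp     = "203.0.113.10"    # placeholder: address remote clients use to reach the UAG trunk
$orgName   = "crmorg"          # placeholder: CRM organization name (public host name, step 7)
$discovery = "dev"             # Discovery Web Service prefix (page default dev.<domain>)
$external  = "auth"            # IFD external domain prefix (page default auth.<domain>)
# placeholder: federation metadata URL published by the Forefront UAG trunk
$uagMetadataUrl = "https://UAG-TRUNK-HOST/FederationMetadata/2007-06/FederationMetadata.xml"

# Step 13 (partial): pass the UPN claim through, matching "UPN as the claims value" in step 5.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Issuance authorization rule: permit all authenticated users to obtain a token for UAG.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 12: relying party trust for the UAG server, built from its federation metadata.
Add-ADFSRelyingPartyTrust -Name "Forefront UAG" -MetadataUrl $uagMetadataUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Check: the trust exists, its identifier came from the metadata, and the UPN rule is attached.
Get-ADFSRelyingPartyTrust -Name "Forefront UAG" |
    Select-Object Name, Identifier, IssuanceTransformRules

# Step 14: A records so that the CRM organization name, the discovery service domain and
# the IFD external domain all resolve to the Forefront UAG server.
foreach ($name in @($orgName, $discovery, $external)) {
    dnscmd /RecordAdd $zone $name A $uagIp
}
```

After the DNS records exist, resolve each of the three names from a client outside the organization and confirm that they return the UAG address rather than the internal CRM server.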