Introductions
Christopher Cognetta, Practice Manager, Client Field Engineering, Microsoft Dynamics CRM MVP
chris.cognetta@tribridge.com
CRMUG Chairperson Miami & Tampa Co-Chair
250+ Dynamics CRM Implementations & Upgrades, 80+ with ADFS & IFD
Infrastructure/Application Architecture Guru
BLOG: www.cognettacloud.com
TWITTER: @ccognetta
Agenda
What is ADFS?
Active Directory Federation Services (ADFS) is Microsoft's Security Token Service (STS), designed to provide single sign-on (SSO) and to federate with other security providers (AD, Windows Live, Office 365, and many others). Mobile and cloud-based ISV add-ons often require your CRM to be ADFS/IFD (Internet Facing Deployment) enabled.
So why is ADFS so challenging to implement? ADFS interacts with most of the following technologies: Active Directory, PKI, Firewall, Domain Name Service, Proxy Servers, Certificate Authority, SSL, Internet Facing Deployment (IFD), IIS, Certificates, Server\Desktop Outlook Clients, DMZ, Ports, Hosts, Claims Authentication, NTLM, Kerberos, SPNs, ACL Reservations, Cloud.
The number of technologies involved is what makes ADFS challenging for an organization to implement. Pre-planning and teamwork are essential to a successful ADFS implementation.
ADFS Diagrams
(Diagram: internal ADFS standard authentication, with other identity stores such as AD, Windows Live, Oracle, etc.)
Preparation
Internal and External DNS Entries
Deployment Options
CRM and ADFS Installation Tips
ADFS Screen Shots
Quick Check List
Tips and Tricks
Internal & External DNS
(Table of the internal and external DNS entries; the Dev.domain.com entry is optional.)
Firewall Overview
ADFS must be the default website (Site #1 in the IIS Sites list). If ADFS and CRM are implemented on the same server, CRM must be installed on its own port, not on the default site.
External DNS entries at the ISP or host point to the external IP; the firewall port-forwards all URLs.
Web server (internal IP): CRM on port 443, ADFS on port 444.
ADFS server: ADFS on port 443.
All URLs except ADFS port-forward to the CRM web server on port 443. ADFS is configured as a separate website on port 444. Recommended: a standalone ADFS server on port 443.
ADFS Deployment Options
(Diagram comparing Option 1, Option 2 and Option 3: firewall with external IP; a DMZ holding an ADFS proxy server and/or web server; the web server, ADFS server and web backend server on the internal IP; CRM on port 443 with ADFS on port 444 when co-hosted, or ADFS on port 443 on its own server.)
Certificates Required
Some security teams do not want to use wildcard certificates like *.domainname.com.
Certificate Warnings
(Screenshot: https://crm.domain.com loading with no certificate warnings. ALL SYSTEMS GO.)
Managing SSL Certificates
ADFS & CRM Installation Tips
http://www.microsoft.com/download/en/details.aspx?id=10909
Configuring CRM URL for HTTPS
Use CRM Deployment Manager to configure the CRM internal URLs: set the scheme to HTTPS and name the web address to match your certificate.
Manually set the HTTPS 443 binding and SSL certificate in IIS, then restart IIS. Changes in this section require an IIS restart to take effect.
Once ADFS is deployed, internal users will use the https://internalcrm.domainname.com URL for SSO access.
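The same binding and Deployment Manager steps done from PowerShell on the CRM server, as an added example that is not from the presentation. It assumes placeholder names: the CRM website is called "Microsoft Dynamics CRM" (the default), the internal name is internalcrm.domainname.com, and a certificate for that name (or *.domainname.com) with its private key is already in the machine's Personal store. The WebAddressSettings property names are those of the CRM 2011 deployment snap-in.

```powershell
# Added example (not from the presentation): IIS HTTPS binding + CRM internal web addresses.
# Assumptions: placeholder host/site names below; certificate already imported. Run elevated.

$hostName = 'internalcrm.domainname.com'   # must match the certificate subject
$siteName = 'Microsoft Dynamics CRM'       # default CRM website name (not the default site)
$port     = 443

Import-Module WebAdministration

# 1. Find the newest certificate whose subject is the host name or a wildcard for its parent domain.
$parent  = $hostName.Substring($hostName.IndexOf('.') + 1)
$pattern = 'CN=(' + [regex]::Escape($hostName) + '|\*\.' + [regex]::Escape($parent) + ')(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $hostName in Cert:\LocalMachine\My" }
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.Subject))"

# 2. HTTPS binding on the CRM site (skipped if it already exists).
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}

# 3. Attach the certificate to 0.0.0.0:443 via the IIS 7 SslBindings provider, replacing any stale one.
$sslPath = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# 4. Deployment Manager equivalent: internal web addresses on HTTPS, matching the certificate name.
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue
$root = if ($port -eq 443) { $hostName } else { "${hostName}:${port}" }
$web  = Get-CrmSetting -SettingType WebAddressSettings
$web.RootDomainScheme        = 'https'
$web.WebAppRootDomain        = $root
$web.SdkRootDomain           = $root
$web.DiscoveryRootDomain     = $root
$web.DeploymentSdkRootDomain = $root
Set-CrmSetting -Setting $web

# 5. None of the above takes effect until IIS restarts.
iisreset
```

The certificate lookup insists on a private key and picks the longest-lived match, so a forgotten expired copy of the certificate in the store cannot be bound by mistake.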
ADFS Installation Tips
Tip: pre-configure the ADFS server/website IIS binding and certificate prior to install. Once ADFS installs, the configuration wizard will appear. ADFS will prompt for the name of your federation service; it should match the ADFS URL, e.g. ADFS.domainname.com.
ADFS Installation Testing
The following URL is provided to test that the ADFS Federation Service is working:
https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml
Note: the port is required in the URL if ADFS is not running on 443.
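A pre-flight script for the DNS names and ports from the firewall overview and the federation metadata test above, added here as an example that is not part of the presentation. The host names and ports are placeholders matching the slides' layout (CRM on 443, ADFS on 444 when co-hosted); run it from a client on whichever side (internal or external) whose DNS view you want to confirm.

```powershell
# Added example (not from the presentation): resolve each name, test its port, then download the
# ADFS federation metadata. Names/ports below are placeholders for your own DNS entries.

$checks = @(
    @{ Name = 'internalcrm.domainname.com'; Port = 443 },   # CRM internal SSO URL
    @{ Name = 'crm.domainname.com';         Port = 443 },   # CRM organization URL (external)
    @{ Name = 'auth.domainname.com';        Port = 443 },   # external domain from the IFD wizard
    @{ Name = 'dev.domainname.com';         Port = 443 },   # discovery / dev entry (optional)
    @{ Name = 'adfs.domainname.com';        Port = 444 }    # ADFS website when co-hosted with CRM
)

function Test-HostAndPort([string]$Name, [int]$Port, [int]$TimeoutMs = 3000) {
    $resolves = $false; $address = $null; $open = $false
    try {
        $address  = ([System.Net.Dns]::GetHostAddresses($Name) | Select-Object -First 1).IPAddressToString
        $resolves = $true
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Name, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.EndConnect($async); $open = $client.Connected }
        } finally { $client.Close() }
    } catch { }   # unresolvable name or refused/timed-out port: leave the flags false
    New-Object PSObject -Property @{ Name = $Name; Address = $address; Port = $Port; Resolves = $resolves; PortOpen = $open } |
        Select-Object Name, Address, Port, Resolves, PortOpen
}

function Get-FederationMetadata([string]$AdfsHost, [int]$Port = 443) {
    # The port is required in the URL when ADFS is not on 443 (slide note).
    $authority = if ($Port -eq 443) { $AdfsHost } else { "${AdfsHost}:${Port}" }
    $url = "https://$authority/FederationMetadata/2007-06/FederationMetadata.xml"
    # WebClient validates the server certificate: a failure here is the same certificate warning the
    # browser and the CRM Claims Wizard will show, so fix the certificate rather than bypass validation.
    $xml = [xml](New-Object System.Net.WebClient).DownloadString($url)
    New-Object PSObject -Property @{
        Url      = $url
        EntityId = $xml.EntityDescriptor.entityID   # the federation service identifier
    }
}

$checks | ForEach-Object { Test-HostAndPort -Name $_.Name -Port $_.Port } | Format-Table -AutoSize
try   { Get-FederationMetadata -AdfsHost 'adfs.domainname.com' -Port 444 }
catch { Write-Warning "Federation metadata download failed: $($_.Exception.Message)" }
```

A name that resolves internally but not externally (or to the wrong IP) shows up in the first table before anything is installed; the metadata call only succeeds once DNS, the firewall forward, the IIS binding and the certificate are all correct.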
Configure Claims Wizard
From the CRM Deployment Manager we can start to configure claims-based authentication:
Select the IIS SSL certificate used for the CRM URL.
The federation metadata URL was provided at the end of the ADFS installation. Make sure to test this URL in your browser with no certificate errors, and save it as a favorite or as a trusted/intranet site.
If you receive the XML metadata from the URL, the ADFS service is working correctly.
Common errors like 503 require an IISReset.
Configure Claims Wizard Completion
Window shown after the Claims Wizard has been configured via Deployment Manager. This configures and confirms that the CRM federation services are working.
The URL shown on screen is at the bottom of the log file; click View the log file to copy the URL.
Restart IIS and test the URL before proceeding to ADFS setup.
This URL will set up the first Relying Party Trust with ADFS for CRM (internal).
Configure ADFS Relying Party Trust
Configure the Claims Provider Trust for Active Directory: select Claims Provider Trusts, select Active Directory, select Edit Claim Rules, then Add Rule. The UPN claim rule matches the User Principal Name to the UPN field.
Configure ADFS Relying Party Trust
Configure the Relying Party Trust for internal: Add Relying Party Trust, add the URL from the Claims Wizard, and add 3 rules: Pass Through UPN, Pass Through Primary SID, Transform Windows Account Name to Name.
You can now test Kerberos-to-claims authentication via the https://internalcrm link.
Configure Internet Facing Deployment (IFD)
Inside Deployment Manager, click Configure IFD. Enter the ending of the domain name: Web Application and Organization Service should both be the same domainname.com. The Dev domain is used for the discovery web service and should match your DEV DNS entry (it could be discovery too!).
Configure Internet Facing Deployment (IFD)
Next you will be prompted for the external domain: this is the AUTH.domainname.com address, not the ADFS address. The documentation uses the same URL as the STS server, which is not correct. The end of the configuration will provide a URL to configure the relying party trust in ADFS.
Configure Internet Facing Deployment (IFD)
Success window for the CRM IFD configuration. Perform an IIS reset on the CRM server now. Let's go back to ADFS and enter the External Claims Provider Trust.
Configure ADFS Relying Party Trust
Open the ADFS wizard on the ADFS server: select Add Relying Party Trust, add the AUTH URL (same as the last page of the CRM IFD wizard), and add 3 rules: Pass Through UPN, Pass Through Primary SID, Transform Windows Account Name to Name. IIS reset one last time.
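The Active Directory claims provider rule and both CRM relying party trusts (internal, from the Claims Wizard URL; IFD, from the AUTH URL) with the three rules named on the slides, created with the AD FS 2.0 PowerShell snap-in instead of the wizard. This is an added example, not from the presentation or from Microsoft's documentation; the trust names and metadata URLs are placeholders, and it runs elevated on the ADFS server.

```powershell
# Added example (not from the presentation): AD claims provider UPN rule + two CRM relying party
# trusts with the Pass Through UPN / Pass Through Primary SID / Windows Account Name -> Name rules.
# Assumptions: placeholder trust names and metadata URLs; AD FS 2.0 snap-in present; run elevated.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claim type URIs used by CRM 2011 claims authentication.
$upn   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$name  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$sid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$winAc = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# --- Claims Provider Trust (Active Directory): UPN claim rule (Send LDAP Attributes as Claims) ---
$adRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN Claim Rule"
c:[Type == "$winAc", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@
$ad = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
if ($ad.AcceptanceTransformRules -notmatch 'UPN Claim Rule') {
    # Append rather than overwrite: replacing AcceptanceTransformRules would drop the default
    # pass-through rules (Windows account name, primary SID) that the relying party rules rely on.
    Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($ad.AcceptanceTransformRules + "`r`n" + $adRule)
}

# --- Relying Party Trusts: the three issuance transform rules from the slides ---
$rpRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "$upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "$sid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$winAc"]
 => issue(Type = "$name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Issuance authorization: permit all users (the wizard's default choice).
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

function Add-CrmRelyingPartyTrust([string]$TrustName, [string]$MetadataUrl) {
    if (Get-ADFSRelyingPartyTrust -Name $TrustName) { Write-Host "$TrustName already exists, skipping"; return }
    # Monitoring/auto-update keep the trust in step with the CRM metadata (see "Updating the ADFS Cache").
    Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataUrl $MetadataUrl `
        -IssuanceTransformRules $rpRules -IssuanceAuthorizationRules $permitAll `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
    Write-Host "Created $TrustName from $MetadataUrl"
}

# Internal trust: URL from the Claims Wizard. IFD trust: AUTH URL from the last page of the IFD wizard.
Add-CrmRelyingPartyTrust -TrustName 'CRM Claims Relying Party (internal)' `
    -MetadataUrl 'https://internalcrm.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml'
Add-CrmRelyingPartyTrust -TrustName 'CRM IFD Relying Party' `
    -MetadataUrl 'https://auth.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml'

iisreset
```

Keeping the rule text in a script makes the two trusts identical by construction, which is the usual source of "internal works, IFD does not" mismatches when the three rules are typed into the wizard twice.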
Test the CRM Deployment
Overview
Minimum Requirements
Behind the Scenes 3 hrs.
ADFS Pre Configuration
Download and deploy the public SSL certificate in IIS 7.
Deploy AD FS 2.0 on Windows Server 2008 or Windows Server 2008 R2 and configure it to use the deployed certificate.
Download and install the Microsoft Online Services Sign-in Assistant and the Microsoft Online Services Module for PowerShell.
Change security on the default URL from Anonymous Authentication to Windows Authentication.
Add the public domain URL to the Local Intranet zone.
Run the Microsoft Online Services Module for PowerShell and convert your public domain to Federated:
$cred = Get-Credential
Connect-MsolService -Credential $cred
Convert-MsolDomainToFederated -DomainName <domain>
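The conversion step with checks before and after it, added here as an example that is not from the presentation. It assumes the MSOnline module is installed, that it runs on the ADFS server (Convert-MsolDomainToFederated reads the local federation service configuration), and a placeholder domain name.

```powershell
# Added example (not from the presentation): convert a verified public domain to Federated, with a
# pre-check (domain exists, is verified, is not already federated) and a post-check that the tenant's
# federation settings match the local federation service. Placeholder domain below.

$domainName = 'domainname.com'

Import-Module MSOnline -ErrorAction Stop
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Pre-check: converting an unverified domain fails, and re-converting a federated one is a no-op at best.
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Status -ne 'Verified') { throw "$domainName is '$($domain.Status)'; verify it in the tenant before federating" }
if ($domain.Authentication -eq 'Federated') { Write-Host "$domainName is already federated"; return }

Convert-MsolDomainToFederated -DomainName $domainName

# Post-check: the tenant now holds the sign-on URLs and issuer it will trust for this domain.
$fed = Get-MsolDomainFederationSettings -DomainName $domainName
$fed | Select-Object IssuerUri, ActiveLogOnUri, PassiveLogOnUri, MetadataExchangeUri

# Compare the issuer the tenant recorded with the local federation service identifier.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$localId = "$((Get-ADFSProperties).Identifier)"
if ("$($fed.IssuerUri)" -ne $localId) {
    Write-Warning "Tenant IssuerUri '$($fed.IssuerUri)' differs from the local federation service identifier '$localId'"
}
```

The issuer comparison is the quick way to catch a conversion run against the wrong ADFS farm: the tenant will happily record whatever identifier the machine it ran on reported.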
Microsoft Online Services Config
AD Sync Config
Troubleshooting
Checklist Summary
(Five-step checklist shown on the slide; two of the steps are marked optional.)
Tips and Tricks
Quick Checklist
BackConnectionHostNames Registry
Changing your ADFS login Name
Setting the IFD timeout
Multiple HTTPS Bindings
Internal Service Error 503 & 505
Updating ADFS Cache
401 Errors
Outlook Client V4 with CRM 2011
Caution on Cache
Quick Checklist
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621
BackConnectionHostNames
http://support.microsoft.com/kb/896861
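Setting the BackConnectionHostNames value from PowerShell, as an added example that is not from the presentation. KB896861 describes two methods; this uses the second (list the host names the server calls itself by) rather than disabling the loopback check altogether, and it merges with any names already in the value instead of overwriting them. Host names are placeholders; run elevated on the CRM/ADFS server.

```powershell
# Added example (not from the presentation): register the server's own host names in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames (KB896861, method 2).
# Assumptions: placeholder host names; run elevated. Existing entries are preserved.

$hostNames = @('internalcrm.domainname.com', 'crm.domainname.com', 'auth.domainname.com',
               'dev.domainname.com', 'adfs.domainname.com')
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

function Set-BackConnectionHostNames([string[]]$Names) {
    $existing = @()
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.$valueName) }

    # Merge (case-insensitive, de-duplicated) so names other applications registered are not lost.
    $merged = @(($existing + $Names) | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)

    if ($item) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $merged
    } else {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType MultiString -Value $merged | Out-Null
    }
    return $merged
}

$final = Set-BackConnectionHostNames -Names $hostNames
Write-Host "BackConnectionHostNames now contains: $($final -join ', ')"

# The KB article: restart the IISAdmin service (or reboot) for the new value to be read.
Restart-Service IISAdmin -Force
```

Prefer this over the DisableLoopbackCheck registry switch the same article lists first: that switch turns the protection off for every name, while this value whitelists only the names CRM and ADFS actually use.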
Changing ADFS Login Name
Setting the ADFS/IFD Timeout
HTTPS Binding / Internal Service Error 503
Republish CRM customizations.
Restart IIS and/or reboot.
Reconfigure via the CRM wizards.
See the www.cognettacloud.com blog for the URL reservations issue.
Updating the ADFS Cache
Updating the ADFS cache is sometimes required when adding a new organization or IFD deployment, adding DNS entries, or troubleshooting issues. Updating is done from the ADFS configuration tool: with Relying Party Trusts selected, you will see on the left an option to update from the federation metadata. Remember to restart IIS.
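The recurring fix sequence from the last two slides in one script, as an added example that is not from the presentation: report stopped application pools (the usual cause of a 503), list the HTTPS bindings and URL reservations so duplicates are visible, refresh both CRM relying party trusts from their metadata, and restart IIS. It assumes the co-hosted layout from the firewall overview (CRM and ADFS on one server), placeholder trust names matching whatever you named them in ADFS, and an elevated prompt.

```powershell
# Added example (not from the presentation): 503 / binding / ADFS cache troubleshooting helpers.
# Assumptions: CRM and ADFS on the same server; placeholder relying party trust names; run elevated.

Import-Module WebAdministration

function Get-StoppedAppPools {
    # A 503 from IIS is most often an application pool that rapid-fail protection stopped.
    Get-ChildItem IIS:\AppPools | Where-Object { $_.state -ne 'Started' } | Select-Object name, state
}

function Start-StoppedAppPools {
    foreach ($pool in Get-StoppedAppPools) { Start-WebAppPool -Name $pool.name; "started $($pool.name)" }
}

function Get-HttpsBindingReport {
    # Two sites bound to the same https port with no host header is the "multiple HTTPS bindings" case.
    foreach ($site in Get-Website) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -eq 'https') {
                New-Object PSObject -Property @{ Site = $site.name; Binding = $b.bindingInformation }
            }
        }
    }
}

function Get-HttpsUrlReservations {
    # URL reservations (urlacl) left behind by a previous CRM/ADFS configuration can shadow the new site.
    netsh http show urlacl | Where-Object { $_ -match 'Reserved URL\s*:\s*https://' } | ForEach-Object { $_.Trim() }
}

function Update-CrmRelyingPartyTrusts([string[]]$TrustNames) {
    # Equivalent of "Update from Federation Metadata" in the ADFS console, for each named trust.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    foreach ($t in $TrustNames) {
        if (Get-ADFSRelyingPartyTrust -Name $t) { Update-ADFSRelyingPartyTrust -TargetName $t; "refreshed $t" }
        else { Write-Warning "Relying party trust '$t' not found" }
    }
}

'--- stopped application pools ---';  Get-StoppedAppPools | Format-Table -AutoSize
'--- https bindings ---';             Get-HttpsBindingReport | Format-Table -AutoSize
'--- https URL reservations ---';     Get-HttpsUrlReservations
'--- refreshing relying party trusts ---'
Update-CrmRelyingPartyTrusts -TrustNames @('CRM Claims Relying Party (internal)', 'CRM IFD Relying Party')
Start-StoppedAppPools
iisreset
```

Read the binding and reservation lists before the restart: if the same https prefix appears twice, restarting IIS only reproduces the error, and the reservation or duplicate binding has to go first.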
IFD 404 Error & Workaround
A common error reported by external-access users after IFD is enabled. This is because ADFS took a copy of the CRM metadata during the install, and the cached copy is not an exact match. The fix is to publish all customizations. If this continues for a specific user, update the user record: remove their name, replace it with a test name, save, and then put the domain name back again. Should be OK after UR 11.
CRM Outlook Client 4
http://go.microsoft.com/fwlink/?linkid=210780
http://go.microsoft.com/fwlink/?linkid=205316
Caution on Cache
Closing & Q&A
Use the Microsoft Forums and ask an MVP: http://social.microsoft.com/forums/en-us/category/dynamics
Please don't forget to accept the answer that helps you!
Collaborate on the CRMUG forums: http://community.crmug.com/home
Check the www.cognettacloud.com blog for the latest issues & resolutions.