Configure ADFS, Claim-Based Authentication and IFD for MS CRM 2013

By -

Limitation of Active Directory Federation Services (ADFS)

1.       ADFS requires default website & default port like port 80 & 443. On the server where you are going to install & configure ADFS, port no 80 & 443 should be available.
2.       When Claim is enabled HTTPS must be used both for internal & external.

You need wild card certificate for Claim-Based Authentication & IFD


DNS Configuration

You need to create at least 5 host name in DC: Forward Lookup Zone (For DNS Resolution)
1.       ADFS 2.0 URL (External Domain : adfs2. mydomain.com : https://adfs2.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml)
2.       CRM Server IFD URL (CRM IFD Federation endpoint, e.g. crmauth.mydomain.com)
3.       CRM Discovery Service endpoint (crmdiscovery.mydomain.com)
4.       CRM Org URL (myOrg1.mydomain.com)
5.       Internal URL to access the CRM (CRM Claims Federation endpoint, internalCRM.mydomain.com)

Install ADFS on CRM server or on a different server

1.       Go to Server Manager
2.       Add Roles & Features
3.       Select Installation type : Role-based or feature-based installation, then click next
4.       Again next
5.       In Server role section, select “Active Directory Federation Services” then press next.
6.       Then click next.
7.       In the AD FS page click next.
8.       In the confirmation page, click Install.
9.       Wait for installation.
Note: Default site & default port (80, 443) should be available.

Add SSL certificate in ADFS Server

1.       Open IIS
2.       Click on “Default Web Site” & Click on “Bindings” in right navigation
3.       Create new binding for https & port 443
4.       Now select wild card certificate & press OK.

Configure ADFS

1.       Go to Administrative Tools.
2.       Click on AD FS Manager
3.       Click on “ADFS Federation Server Configuration Wizard”
4.       Click on “Create New Federation Service”, then click “Next”
5.       Click on “Stand-alone federation sever”, then click “Next”
6.       You will a SSL certificate on this form & now you need to type federation service name i.e. adfs2. mydomain.com & then press “Next”. (DNS record should be created in DC for adfs2)
7.       After this, you will see some option in left nav. i.e. Services, Trust Relationships. Click on Trust Relationship then click on “Claims Provider Trusts”.
8.       Now click on “Edit Claim Roles” from right nav pan.
9.       There will be default 10 roles in the form. We need to add a new UPN role. Now click on “Add Role”
10.   Select default “Send LDAP Attributes as Claims”. Then press “Next”.
11.   Provide Role Name i.e. UPN (User Principle Name)
12.   Select Attribute Store as “Active Directory” which is default.
13.   Select LDAP Attribute as User-Principle-Name & Outgoing Claim Type as UPN
14.   Now ADFS setup you can check url : https://adfs2. mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml

Configure HTTPS for MS CRM

1.       Open CRM Server
2.       Open IIS Manager
3.       Click on Microsoft Dynamics CRM site, Then click on “Bindings”
4.       Click on “Add” button.
5.       Type should be : https, Port no 443 or 444 & the select your ssl certificate.
6.       Open Deployment Manager
7.       Click on “Properties” under the Action pan.
8.       Now click on Web Address tab
9.       Change Binding Type to HTTPS.
10.   Now change all 4 urls to internalCRM.mydomain.com
11.   Click on OK button

Configure Claim-Based Authentication

1.       Open Deployment Manager
2.       Click on Configure Claim-Based Authentication from Action Pane.
3.       After Open the Wizard, click on the “Next” button.
4.       Put Federation metadata url : https://adfs2. mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml
5.       Click on Next
6.       Now select Certificate & click on Next button.
7.       Wait for system checks for 2 things : Federation Metadata URL , Encryption Certificate
8.       Then click Next & will show you re-cap the information. Now press Apply.
9.       Now click on “View the log file” & go to bottom. You will see a new url there. https://internalcrm. mydomain.com/FederationMetadata/2007-06/ FederationMetadata.xml
10.   Note down this url.

Check Permission for Application Pool Account has access on Certificate on MS CRM Server & ADFS Server

1.       Click on Start
2.       Click on Run
3.       Type MMC & hit enter key.
4.       Go to File -> Add/Remove Snap-In.
5.       Click on Certificates
6.       Click on Add.
7.       Select Computer Account & hit Next
8.       Select Local Computer & hit Finish
9.       You should see Certificates (Local Computer) under the Console Root.
10.   Click OK
11.   Now Click on Console Root -> Certificates (Local Computer) -> Personal -> Certificates -> Click on your previously selected wild card certificate.
12.   Right click on it.
13.   Go to All Tasks -> Manage Private Keys
14.   Your Application Pool Account should have read access here.

Stable Relying Party Trust in ADFS

1.       Before adding Relying Party Trusts, You have to make sure that you have added DNS entry for (MS CRM Server) : internalcrm, crmauth, crmdiscovery, myOrg1
2.       Open ADFS Manager Console
3.       Go to Trust Relationships -> Relying Party Trusts
4.       Click on Add Relying Party Trust in right navigation pane.
5.       On the form, Click on Start button.
6.       On the Select Data Source form, Put the internal url of MS CRM : internalcrm.mydomain.com (port) (It is url what you have copied from “Configure Claim-Based Authentication”
7.       Click on Next Button
8.       On Specify Display Name form : enter display name i.e. Internal Relying Party CRM & hit Next button
9.       On Choose Issuance Authorization Rules page, Select “Permit all users to access this relying party” option and then hit Next.
10.   Now on Ready to Add Trust page. You will see re-cap & go to Identifiers tab and check url.
11.   Go ahead & click next.
12.   Check on the “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” & then hit close.

Configure “Edit Claim Rules for Internal Relaying Party CRM”

1.       Make sure you are on Issuance Transform Rules tab.
2.       Click on Add Role
3.       On the Choose Rule Type page, Select Claim Role Template to :  “Pass Through or Filter an Incoming Claim” and Press Next.
4.       On the Configure Claim Rule form , Type “Pass Through UPN” under Claim rule name.
5.       Now Incoming Claim type should be “UPN” and select “Pass Through all claim values”
6.       Press Finish.
7.       Click on Add Role
8.       On the Choose Rule Type page, Select Claim Role Template to :  “Pass Through or Filter an Incoming Claim” and Press Next.
9.       On the Configure Claim Rule form, Type “Pass Through Primary SID” under Claim rule name.
10.   Now Incoming Claim type should be “Primary SID” and select “Pass Through all claim values”
11.   Press Finish.
12.   Click on Add Role
13.   On the Choose Rule Type page, Select Claim Role Template to:  “Transform an Incoming Claim” and Press Next.
14.   On the Configure Claim Rule form, Type “Transform Windows Account Name to Name” under Claim rule name.
15.   In “In coming Claim Type”, select “Windows account name”.
16.   In “Outgoing claim type”, select “* Name”
17.   Select “Pass Through all claim values”
18.   Press Finish.
19.   Finally Click OK button
20.   Switch to any other machine & test the url : https://internalcrm.mydomain.com

 

Configure IFD on CRM Server

1.       Open Deployment Manager.
2.       Click on Configure Internet-Facing Deployment.
3.       Click on Next on Welcome screen
4.       Type “mydomain.com :port#” under Web Application Server Domain
5.       Type “mydomain.com :port#” under Organization Web Service Domain
6.       Type “crmdiscovery.mydomain.com: port#” under Discovery Web Service Domain.
7.       Type “crmauth.mydomain.com:port#” under “Enter the external domain where your Internet-facing servers are located:”
8.       Then click Next.
9.       Now system will do system checks for External Domain URL and Root Domains.
10.   Click Next
11.   Now click on Apply.

Stable Relying Party Trust in ADFS

1.       Open ADFS Manager Console
2.       Go to Trust Relationships -> Relying Party Trusts
3.       Click on Add Relying Party Trust in right navigation pane.
4.       On the form, Click on Start button.
5.       On the Select Data Source form, Put the internal url of MS CRM : crmauth.mydomain.com (port) (It is url what you have copied from “Configure Claim-Based Authentication”
6.       Click on Next Button
7.       On Specify Display Name form : enter display name i.e. External Relying Party CRM & hit Next button
8.       On Choose Issuance Authorization Rules page, Select “Permit all users to access this relying party” option and then hit Next.
9.       Now on Ready to Add Trust page. You will see re-cap & go to Identifiers tab and check url.
10.   Go ahead & click next.
11.   Check on the “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” & then hit close.

Configure “Edit Claim Rules for External Relaying Party CRM”

1.       Make sure you are on Issuance Transform Rules tab.
2.       Click on Add Role
3.       On the Choose Rule Type page, Select Claim Role Template to:  “Pass Through or Filter an Incoming Claim” and Press Next.
4.       On the Configure Claim Rule form, Type “Pass Through UPN” under Claim rule name.
5.       Now Incoming Claim type should be “UPN” and select “Pass Through all claim values”
6.       Press Finish.
7.       Click on Add Role
8.       On the Choose Rule Type page, Select Claim Role Template to:  “Pass Through or Filter an Incoming Claim” and Press Next.
9.       On the Configure Claim Rule form, Type “Pass Through Primary SID” under Claim rule name.
10.   Now Incoming Claim type should be “Primary SID” and select “Pass Through all claim values”
11.   Press Finish.
12.   Click on Add Role
13.   On the Choose Rule Type page, Select Claim Role Template to:  “Transform an Incoming Claim” and Press Next.
14.   On the Configure Claim Rule form, Type “Transform Windows Account Name to Name” under Claim rule name.
15.   In “In coming Claim Type”, select “Windows account name”.
16.   In “Outgoing claim type”, select “* Name”
17.   Select “Pass Through all claim values”
18.   Press Finish.
19.   Finally Click OK button
20.   Switch to any other machine & test the url : https://myOrg1.mydomain.com
Do the setting for IE Tool -> Security -> Local Intranet

Download PDF

Comments

Post a Comment

Popular Posts

SharePoint Interview Questions and Answers

By -
SharePoint Interview Questions and Answers Get More Questions and Answers Q What is SharePoint? Ans SharePoint is a browser based document collaboration platform given by Microsoft. Q What are features of SharePoint 2010? Ans Some features are : ·          Document Collaboration ·          Enterprise Search FAST Search ·          New Enhance Web Part ·          Ready made Silver Light web part ·          Business Connectivity Services ·          Social Media Investments ·          Large lists ·          Enhanced collaboration features ·          Visio Services ·          Usage reporting and logging ·          Better Network Differencing & SharePoint Offline in SharePoint Workspace ·          High Availability/ Disaster Recovery Innovation ·          Admin Insights through the Logging & Usage database, and dev dashboard ·          Service Applications ·          SharePoint Designer Enh
Read more

Download Infopath Form Templates

By -
Click here to download InfoPath Form Collection   Hi, I have lots of InfoPath forms with me which are downloaded from lots of places. I am uploading this InfoPath form collection for all InfoPath and SharePoint Users. These form are related to Infopath 2003, 2007 & 2010.   Click here to download InfoPath Form Collection
Read more

How to get current logged user information using JavaScript ?

By -
This is post which is simple and not really needed. But when I started writing the code in ECMAScript I have faced problems in getting the logged in user information. So, my readers may feel good after see this post and really most the users are looking for this too. By this time, we have really understood all about ECMAScript Client Object Model and debugging. So, it's easy for us to know it well. Please find the code below to get the current user information. <asp:Content ContentPlaceHolderId="PlaceHolderAdditionalPageHead" runat="server"> Now copy & paste this JavaScript code after above mentioned tag : <script type="text/ecmascript">         ExecuteOrDelayUntilScriptLoaded(getUserData, "sp.js");              // To Get Current User Name     var context = null;      var web = null;      var currentUser = null;      var currentUserId=''     function getUserData() {             context = new SP.Cli
Read more

Steps to set Form based authentication (FBA) for SharePoint 2010

By -
Image
1.        DOWNLOAD FBA User Management Tool           Go to “C:\Windows\Microsoft.NET\Framework\v2.0.50727”. 2.        Open file “aspnet_regsql.exe” (with Run as Administrator).                                 I.             You will get an installation form. Hit “Next” button.                               II.             Click on “Configure SQL Server for application services” then hit “Next” button.                             III.             Now provide server name to connect & install new database for Membership. Now hit “Next” button.                             IV.             Now you get a summary page on which you will get server name & its new database name called “aspnetdb”. Click on “Next” button.                               V.             Now database has been created. Click on “Finish” button. 3.        Install FBA tool. 4.        Create a new Site collection (suppose we called it “A”). 5.        Extend this site (Suppose we called it “B”).        
Read more

SharePoint Interview Questions and Answers II

By -
What is Microsoft Windows SharePoint Services? How is it related to Microsoft Office SharePoint Server 2007? Windows SharePoint Services is the solution that enables you to create Web sites for information sharing and document collaboration. Windows SharePoint Services -- a key piece of the information worker infrastructure delivered in Microsoft Windows Server 2003ice system and other desktop applications, and it serves as a platform for application development. Office SharePoint Server 2007 builds on top of Windows SharePoint Services 3.0 to provide additional capabilities including collaboration, portal, search, enterprise content management, business process and forms, and business intelligence. What is Microsoft SharePoint Portal Server? SharePoint Portal Server is a portal server that connects people, teams, and knowledge across business processes. SharePoint Portal Server integrates information from various systems into one secure solution through
Read more

Get List Items - JavaScript

By -
  var value = SP.ListOperation.Selection.getSelectedList();   var productcollection; function getProducts(title) {     try {         var context = new SP.ClientContext.get_current();         var web = context.get_web();         var list = web.get_lists().getByTitle('product');         var query = '<View Scope=\'RecursiveAll\'>'+                         '<Query>'+                             '<Where>'+                             '<Contains>'+                                 '<FieldRef Name=\'ProductName\'/>' +                                 '<Value Type=\'Text\'>' + title +'</Value>'+                             '</Contains>'+                             '</Where>'+                         '</Query>'+                              '</View>';         var camlQuery = new SP.CamlQuery();         camlQuery.
Read more

Cross Site List Rollup Web Part for SharePoint 2010

By -
Downalod Cross Site List Rollup   Hi I was wondering that how to show a list from other site on my home page. But I didn’t get any proper & free solution. So I decided to create a Cross Site List Rollup Webpart . Now I have developed a Cross site list rollup web part which can show your list from any site to any site (within site collation only) and I am ready to share this web part with all of you.  It’s too simple in use. You have to just provide a:    Site URL (Site URL from where you want to display list or library).    List Title (Display Name of List) (Title of the list which has to be on given site URL).    View Name (Name of view which you have created to show in this web part). Now it is ready to use. Enjoy!!! Downalod Cross Site List Rollup Gaurav Goyal
Read more

Hide Recently Modified Items

By -
Image
Hide Recently Modified Items In SharePoint 2010 we all are familiar with the following annoying quicklaunch menu:   Follow these steps :  Go to  " Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Template\DocumentTemplates" . Open "wkpstd.aspx" file . Search for tag " SharePoint:RecentChangesMenu". Add visible="false"  at the end of this tag. Save this file & refresh SharePoint site .
Read more

Change Language for current user with JSOM in SharePoint Online

By -
Hi, Here is code which can change language for current user with JSOM : <script type="text/javascript" charset="utf8" src="/sites/BizDev/Style%20Library/SPS/jquery-1.11.3.min.js"></script> <select id='LangSelect' onchange="SetUserLanguage(this.value);"></select> <script type="text/javascript"> function SetUserLanguage(lCode) {     var call = $.ajax({             url: _spPageContextInfo.siteAbsoluteUrl + "/_api/Web/Lists/GetByTitle('Languages')/items?" + "$select=Title,Code,LCode,ID&$top=5000&$filter=Code eq "+lCode,             type: "GET",             dataType: "json",             headers: {                 Accept: "application/json;odata=verbose"             }         });         call.done(function (data, textStatus, jqXHR) {             var multipleValues = [];             for (var i=0;i<data.d.results.length;i++){            
Read more

SharePoint 2010 CSS Chart

By -
Image
CSS Comments Screenshots body #s4-ribboncont{background-image:none;} /*Globally turning off bordersThis is needed to have any of the style below to take effect.   .ms-cui-groupSeparator {border-right:1px solid #E7E7E8 !important; } .ms-cui-topBar2{border-width:0px;}*/ /*Turn on separators in the Ribbon   .ms-cui-ribbonTopBars{ background: red url() repeat-x !important; padding-top:0px; } /* Set the background for the tabs at the top (Browse / Page) */ .ms-cui-cg-i{ background-image:url() !important; background-position:bottom left; background-repeat:no-repeat !important; height:15px; margin-bottom:2px; } .ms-cui-cg-db .ms-cui-cg-t{height:17px; background-image:url(‘http://integration.echn.ca/Media/SiteImages/bgBackground.gif’) !important; background-position:bottom right !important; background-repeat:no-repeat !important; margin-left:4px;} .ms-cui-cg-t-i{ color:white; font-weight:bold; } .ribbon-wrapper{position:relative;} /* Set the background for the addi
Read more