Showing posts with label Claim-Based Authentication. Show all posts
Showing posts with label Claim-Based Authentication. Show all posts

Wednesday, November 19, 2014

Configure ADFS, Claim-Based Authentication and IFD for MS CRM 2013


Limitation of Active Directory Federation Services (ADFS)

1.       ADFS requires default website & default port like port 80 & 443. On the server where you are going to install & configure ADFS, port no 80 & 443 should be available.
2.       When Claim is enabled HTTPS must be used both for internal & external.

You need wild card certificate for Claim-Based Authentication & IFD


DNS Configuration

You need to create at least 5 host name in DC: Forward Lookup Zone (For DNS Resolution)
1.       ADFS 2.0 URL (External Domain : adfs2. mydomain.com : https://adfs2.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml)
2.       CRM Server IFD URL (CRM IFD Federation endpoint, e.g. crmauth.mydomain.com)
3.       CRM Discovery Service endpoint (crmdiscovery.mydomain.com)
4.       CRM Org URL (myOrg1.mydomain.com)
5.       Internal URL to access the CRM (CRM Claims Federation endpoint, internalCRM.mydomain.com)

Install ADFS on CRM server or on a different server

1.       Go to Server Manager
2.       Add Roles & Features
3.       Select Installation type : Role-based or feature-based installation, then click next
4.       Again next
5.       In Server role section, select “Active Directory Federation Services” then press next.
6.       Then click next.
7.       In the AD FS page click next.
8.       In the confirmation page, click Install.
9.       Wait for installation.
Note: Default site & default port (80, 443) should be available.

Add SSL certificate in ADFS Server

1.       Open IIS
2.       Click on “Default Web Site” & Click on “Bindings” in right navigation
3.       Create new binding for https & port 443
4.       Now select wild card certificate & press OK.

Configure ADFS

1.       Go to Administrative Tools.
2.       Click on AD FS Manager
3.       Click on “ADFS Federation Server Configuration Wizard”
4.       Click on “Create New Federation Service”, then click “Next”
5.       Click on “Stand-alone federation sever”, then click “Next”
6.       You will a SSL certificate on this form & now you need to type federation service name i.e. adfs2. mydomain.com & then press “Next”. (DNS record should be created in DC for adfs2)
7.       After this, you will see some option in left nav. i.e. Services, Trust Relationships. Click on Trust Relationship then click on “Claims Provider Trusts”.
8.       Now click on “Edit Claim Roles” from right nav pan.
9.       There will be default 10 roles in the form. We need to add a new UPN role. Now click on “Add Role”
10.   Select default “Send LDAP Attributes as Claims”. Then press “Next”.
11.   Provide Role Name i.e. UPN (User Principle Name)
12.   Select Attribute Store as “Active Directory” which is default.
13.   Select LDAP Attribute as User-Principle-Name & Outgoing Claim Type as UPN
14.   Now ADFS setup you can check url : https://adfs2. mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml

Configure HTTPS for MS CRM

1.       Open CRM Server
2.       Open IIS Manager
3.       Click on Microsoft Dynamics CRM site, Then click on “Bindings”
4.       Click on “Add” button.
5.       Type should be : https, Port no 443 or 444 & the select your ssl certificate.
6.       Open Deployment Manager
7.       Click on “Properties” under the Action pan.
8.       Now click on Web Address tab
9.       Change Binding Type to HTTPS.
10.   Now change all 4 urls to internalCRM.mydomain.com
11.   Click on OK button

Configure Claim-Based Authentication

1.       Open Deployment Manager
2.       Click on Configure Claim-Based Authentication from Action Pane.
3.       After Open the Wizard, click on the “Next” button.
4.       Put Federation metadata url : https://adfs2. mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml
5.       Click on Next
6.       Now select Certificate & click on Next button.
7.       Wait for system checks for 2 things : Federation Metadata URL , Encryption Certificate
8.       Then click Next & will show you re-cap the information. Now press Apply.
9.       Now click on “View the log file” & go to bottom. You will see a new url there. https://internalcrm. mydomain.com/FederationMetadata/2007-06/ FederationMetadata.xml
10.   Note down this url.

Check Permission for Application Pool Account has access on Certificate on MS CRM Server & ADFS Server

1.       Click on Start
2.       Click on Run
3.       Type MMC & hit enter key.
4.       Go to File -> Add/Remove Snap-In.
5.       Click on Certificates
6.       Click on Add.
7.       Select Computer Account & hit Next
8.       Select Local Computer & hit Finish
9.       You should see Certificates (Local Computer) under the Console Root.
10.   Click OK
11.   Now Click on Console Root -> Certificates (Local Computer) -> Personal -> Certificates -> Click on your previously selected wild card certificate.
12.   Right click on it.
13.   Go to All Tasks -> Manage Private Keys
14.   Your Application Pool Account should have read access here.

Stable Relying Party Trust in ADFS

1.       Before adding Relying Party Trusts, You have to make sure that you have added DNS entry for (MS CRM Server) : internalcrm, crmauth, crmdiscovery, myOrg1
2.       Open ADFS Manager Console
3.       Go to Trust Relationships -> Relying Party Trusts
4.       Click on Add Relying Party Trust in right navigation pane.
5.       On the form, Click on Start button.
6.       On the Select Data Source form, Put the internal url of MS CRM : internalcrm.mydomain.com (port) (It is url what you have copied from “Configure Claim-Based Authentication”
7.       Click on Next Button
8.       On Specify Display Name form : enter display name i.e. Internal Relying Party CRM & hit Next button
9.       On Choose Issuance Authorization Rules page, Select “Permit all users to access this relying party” option and then hit Next.
10.   Now on Ready to Add Trust page. You will see re-cap & go to Identifiers tab and check url.
11.   Go ahead & click next.
12.   Check on the “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” & then hit close.

Configure “Edit Claim Rules for Internal Relaying Party CRM”

1.       Make sure you are on Issuance Transform Rules tab.
2.       Click on Add Role
3.       On the Choose Rule Type page, Select Claim Role Template to :  “Pass Through or Filter an Incoming Claim” and Press Next.
4.       On the Configure Claim Rule form , Type “Pass Through UPN” under Claim rule name.
5.       Now Incoming Claim type should be “UPN” and select “Pass Through all claim values”
6.       Press Finish.
7.       Click on Add Role
8.       On the Choose Rule Type page, Select Claim Role Template to :  “Pass Through or Filter an Incoming Claim” and Press Next.
9.       On the Configure Claim Rule form, Type “Pass Through Primary SID” under Claim rule name.
10.   Now Incoming Claim type should be “Primary SID” and select “Pass Through all claim values”
11.   Press Finish.
12.   Click on Add Role
13.   On the Choose Rule Type page, Select Claim Role Template to:  “Transform an Incoming Claim” and Press Next.
14.   On the Configure Claim Rule form, Type “Transform Windows Account Name to Name” under Claim rule name.
15.   In “In coming Claim Type”, select “Windows account name”.
16.   In “Outgoing claim type”, select “* Name”
17.   Select “Pass Through all claim values”
18.   Press Finish.
19.   Finally Click OK button
20.   Switch to any other machine & test the url : https://internalcrm.mydomain.com

 

Configure IFD on CRM Server

1.       Open Deployment Manager.
2.       Click on Configure Internet-Facing Deployment.
3.       Click on Next on Welcome screen
4.       Type “mydomain.com :port#” under Web Application Server Domain
5.       Type “mydomain.com :port#” under Organization Web Service Domain
6.       Type “crmdiscovery.mydomain.com: port#” under Discovery Web Service Domain.
7.       Type “crmauth.mydomain.com:port#” under “Enter the external domain where your Internet-facing servers are located:”
8.       Then click Next.
9.       Now system will do system checks for External Domain URL and Root Domains.
10.   Click Next
11.   Now click on Apply.

Stable Relying Party Trust in ADFS

1.       Open ADFS Manager Console
2.       Go to Trust Relationships -> Relying Party Trusts
3.       Click on Add Relying Party Trust in right navigation pane.
4.       On the form, Click on Start button.
5.       On the Select Data Source form, Put the internal url of MS CRM : crmauth.mydomain.com (port) (It is url what you have copied from “Configure Claim-Based Authentication”
6.       Click on Next Button
7.       On Specify Display Name form : enter display name i.e. External Relying Party CRM & hit Next button
8.       On Choose Issuance Authorization Rules page, Select “Permit all users to access this relying party” option and then hit Next.
9.       Now on Ready to Add Trust page. You will see re-cap & go to Identifiers tab and check url.
10.   Go ahead & click next.
11.   Check on the “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” & then hit close.

Configure “Edit Claim Rules for External Relaying Party CRM”

1.       Make sure you are on Issuance Transform Rules tab.
2.       Click on Add Role
3.       On the Choose Rule Type page, Select Claim Role Template to:  “Pass Through or Filter an Incoming Claim” and Press Next.
4.       On the Configure Claim Rule form, Type “Pass Through UPN” under Claim rule name.
5.       Now Incoming Claim type should be “UPN” and select “Pass Through all claim values”
6.       Press Finish.
7.       Click on Add Role
8.       On the Choose Rule Type page, Select Claim Role Template to:  “Pass Through or Filter an Incoming Claim” and Press Next.
9.       On the Configure Claim Rule form, Type “Pass Through Primary SID” under Claim rule name.
10.   Now Incoming Claim type should be “Primary SID” and select “Pass Through all claim values”
11.   Press Finish.
12.   Click on Add Role
13.   On the Choose Rule Type page, Select Claim Role Template to:  “Transform an Incoming Claim” and Press Next.
14.   On the Configure Claim Rule form, Type “Transform Windows Account Name to Name” under Claim rule name.
15.   In “In coming Claim Type”, select “Windows account name”.
16.   In “Outgoing claim type”, select “* Name”
17.   Select “Pass Through all claim values”
18.   Press Finish.
19.   Finally Click OK button
20.   Switch to any other machine & test the url : https://myOrg1.mydomain.com
Do the setting for IE Tool -> Security -> Local Intranet

Download PDF