Updated as of 4/5/2011: This is an updated video demonstrating how to configure the RTM Dynamics CRM 2011 deployment with claims-based authentication and IFD access. The recording uses internally hosted DNS records and signed certificates from an internal CA. The video is unable to cover purchases of third-party certificates, external DNS updates, or routing through firewalls, as there are too many variations and the Dynamics CRM team is unable to endorse one product over another.
Keep in mind that both the CRM Site and the ADFS site should be exposed through your firewall in order for external clients to access CRM.
As many of our early adopters have learned by now, configuring an Internet-facing deployment (IFD) has changed pretty drastically from Microsoft Dynamics CRM 4.0 to Microsoft Dynamics CRM 2011.
So what changed?
We hope you find this helpful!
Cheers, Michael Guthmann
Thanks very much for this - it's good to see the steps set out as you should see them when you need to do it for yourself
However - given that this demo all appears to be on one server and uses self-signed certs it would be good if you could add some additional text to explain:
a) What steps have to be performed on each machine
b) Additional steps that only have to be performed if using self-signed certs
c) Any caveats with wildcard certificates (is Windows Mobile still a problem?)
You say at the end that you hope to produce more documentation soon. Hopefully fully federated scenarios will be covered? Home-realm discovery using CRM 2011 is still a mystery - can you do it?
-- Regards, Simon
Awesome! This clears up a lot of the mystery.
Thank you for this.
One question... What is the easiest way to create a self-signed wildcard certificate?
I ran into this same question myself. Apparently creating a self-signed wildcard certificate is not possible via the IIS7 UI. Any pointers towards the easiest SSL certificate tool for this purpose would be greatly appreciated. Thanks for the great video.
Good starting point, but I was expecting detailed documentation and more points covered.
What to do when you need internal network access AND IFD? Just as it was possible in CRM 4? Is it always an option? I hope so.
What about securing CRM 2011 with Forefront TMG?
And last but not least: what about a service provider installation? Even the CRM 4 documentation for this last point was outdated, only documented for management tools that are no longer supported.
I am very surprised to see that these points are not covered at 10 days from the official launch of the product. Is quality a secondary concern for this product?
You can use selfssl to create a self-signed certificate. You are right, it is part of IIS 6, but you can still install it and use it. It is part of the Windows development kit. I hope this answers your question.
What about claims-based authentication for CRM 2011 Online? I await the SDK update on that.
I have followed the steps mentioned in the video to enable IFD for CRM 2011.
I am facing the error below. Can you please help me figure out the cause?
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 4d8848a0-d5e7-468a-8177-462ca8c52e27
@crm40: This error can occur for a variety of reasons. However, the first time you set up IFD with claims-based authentication, you might see this error if you haven't properly configured DNS so that the URLs for CRM are accessible. You'll need to have your external DNS set so you can hit your CRM server at the orgname.crmserver.com address. I also found it was easiest to edit the hosts file on my CRM server so the URLs resolved internally while I was testing my configurations in the Deployment Manager.
What about single sign-in in SharePoint integration with CRM 2011 IFD?
Is it possible?
Thanks for the comments and questions. I'll do my best to answer what I can right now and then follow up on other ones and try to post back later.
For Simon's questions:
a) With multiple machines (say you have multiple front end machines), you will need to have the encryption cert in the cert store for each machine. That way each CRM server can encrypt the messages passed between CRM (the relying party) and AD FS 2.0 (the identity provider).
b) You only have to put the certs in the trusted root certification authorities store if you are using self-signed certificates.
For David and Jose:
I like to use MakeCert to create my self-signed wildcard certificates. msdn.microsoft.com/.../aa386968%28v=VS.85%29.aspx
For c Suriex:
We had some limitations in RC around internal and IFD coexistence. This is something that we have worked to improve for RTM. We'll disclose more details at that time.
And concerning service provider documentation, this is something that is on our radar.
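Added example, not part of the original post or its comments: a PowerShell preflight for the points raised above (the CRM URLs must resolve, the certificate must be in the store on each CRM server, and a self-signed certificate must also be in Trusted Root Certification Authorities). The hostnames, the certificate subject, the choice of the LocalMachine\My store, the function names, and the extra one-label wildcard coverage check are assumptions for illustration.

```powershell
# Added example. Every name below is a placeholder; replace with your own values.
$CertCN    = '*.contoso.local'        # wildcard certificate subject (assumed)
$HostNames = @(
    'orgname.contoso.local'           # CRM organization host (assumed)
    'auth.contoso.local'              # "auth" endpoint host (assumed)
    'sts.contoso.local'               # AD FS host (assumed)
)

function Test-NameResolves {
    param([string]$Name)
    try   { return [System.Net.Dns]::GetHostAddresses($Name).Count -gt 0 }
    catch { return $false }
}

function Test-WildcardCovers {
    # A wildcard stands for exactly one leftmost label: *.a.b covers x.a.b, not x.y.a.b.
    param([string]$Pattern, [string]$Name)
    if (-not $Pattern.StartsWith('*.')) { return $Pattern -ieq $Name }
    $suffix = $Pattern.Substring(1)
    if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $Name.Substring(0, $Name.Length - $suffix.Length)
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

function New-Check {
    param([string]$Check, [bool]$Passed)
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed }
}

function Get-IfdPreflight {
    foreach ($h in $HostNames) {
        New-Check "Resolves in DNS or hosts file - $h" (Test-NameResolves $h)
        New-Check "Covered by certificate name - $h"   (Test-WildcardCovers $CertCN $h)
    }
    # Run on each CRM server: the certificate must be present locally.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject.StartsWith("CN=$CertCN", [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object -First 1
    New-Check 'Certificate in LocalMachine\My' ($null -ne $cert)
    # Self-signed (subject equals issuer) certificates must also be in Trusted Root.
    if ($cert -and $cert.Subject -eq $cert.Issuer) {
        $inRoot = @(Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
        New-Check 'Self-signed certificate in LocalMachine\Root' $inRoot
    }
}

Get-IfdPreflight | Format-Table Check, Passed -AutoSize
```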
Thanks for your answers, Michael. I got a little bit confused while doing the installation per your video because you had DC and CRM servers in the same box. I ran into problems when trying to add the trusts to ADFS and I think I have the "auth" endpoint configured incorrectly. Is it possible to have documentation in which this installation is specified for an environment in which the DC and CRM servers are two separate machines?
Is it possible to make CRM 2011 Online to authenticate against your own ADFS? Or WindowsLive is the only option for authentication?
Is it possible to install MS CRM 2011 with IFD on Windows Small Business Server 2008?
I am facing a problem during AD FS 2.0 installation on Windows Small Business Server 2008.
Hi, I would like to know when CRM 2011 Service provider documentation will be available? Or if it is already available where can I find it?
I am also wondering about this:
"Is it possible to make CRM 2011 Online to authenticate against your own ADFS? Or WindowsLive is the only option for authentication?"