The Microsoft Dynamics CRM Blog
News and views from the Microsoft Dynamics CRM Team

Configuring IFD with Microsoft Dynamics CRM 2011

Configuring IFD with Microsoft Dynamics CRM 2011

  • Comments 27

Updated as of 4/5/2011: This is an updated video demonstrating how to configure the RTM Dynamics CRM 2011 deployment with claims-based authentication and IFD access. The recording utilizes internally hosted DNS records and signed Certificates from an internal  CA. The video is unable to cover purchases of third party certificates, external DNS updates or routing through firewalls as there are too many variations and the Dynamics CRM team is unable to endorse one product over the other.

Keep in mind that both the CRM Site and the ADFS site should be exposed through your firewall in order for external clients to access CRM.

As many of our early adopters have learned by now, configuring an Internet-facing deployment (IFD) has changed pretty drastically from Microsoft Dynamics CRM 4.0 to Microsoft Dynamics CRM 2011.

So what changed?

  • First, our dependencies changed. In Dynamics CRM 4.0, we used forms-based authentication for IFD and in Dynamics CRM 2011 we instead take a dependency on claims-based authentication for IFD. Therefore, now it is necessary to install and configure a security token service (such as Active Directory Federation Services 2.0) and also to do more certificate management.
  • Second, our configuration steps changed. In Dynamics CRM 4.0, an administrator had two options for configuring IFD. The first option was to specify the IFD settings in an XML configuration file at server installation time. The second option was to use the IFD Configuration Tool which was released out of band. In Dynamics CRM 2011, we made claims-based authentication and IFD configuration post-installation steps to obviate the need for the XML configuration file and built these wizards into our Deployment Manager tool. Administrators that would prefer to script IFD configuration can do so using our new Dynamics CRM PowerShell cmdlets.
These changes amount to a higher learning curve for configuring IFD for Dynamics CRM 2011 as we have heard in feedback from partners and customers. So to help make this configuration a little easier for folks, Henning Petersen (a Support Escalation Engineer for Dynamics CRM) created a video demonstrating how to configure IFD with AD FS 2.0. In addition to this video, we recommend that people looking to configure IFD first review the Dynamics CRM 2011 Configuring Claims-Based Authentication white paper which is posted on the same page as our Dynamics CRM 2011 Implementation Guide.
This video is  called Introducing Microsoft Dynamics CRM 2011 Claims-based Authentication and covers the end-to-end process for configuring IFD which includes:
  1. Installing AD FS 2.0
  2. Configuring the AD FS 2.0 federation server
  3. Managing certificates
  4. Configuring Dynamics CRM 2011 for claims-based authentication and IFD
  5. Creating the relying party trust for CRM and configuring the claims rules on AD FS 2.0

We hope you find this helpful!

Michael Guthmann

  • Thanks very much for this - it's good to see the steps set out as you should see them when you need to do it for yourself

    However - given that this demo all appears to be on one server and uses self-signed certs it would be good if you could add some additional text to explain:

    a) What steps have to be performed on each machine

    b) Additional steps that only have to be performed if using self-signed certs

    c) Any caveats with wildcard certificates (is Windows Mobile still a problem?)

    You say at the end that you hope to produce more documentation soon.  Hopefully fully federated scenarios will be covered?  Home-realm discovery using CRM 2011 is still a mystery - can you do it?

    -- Regards, Simon

  • Awesome!  This clears up a lot of the mystery.

  • Thank you for this.

    One question... What is the easiest way to create self-signed wildcard certificate?

  • I ran into this same question myself. Apparently creating a self-signed wildcard certificate is not possible via IIS7 UI. Any pointers towards the easiest SSL certificate tool for this purpose would be greatly appreciated. Thanks for great video.

  • Good starting point but I was expecting a detailled documentation and more points covered.

    What to do when you need internal network access AND IFD ? just as it was possible in CRM 4 ? Is it always an option, I hope so ?

    What about securing CRM 2011 with ForeFront TMG ?

    And last but not least: what about a service provider installation ? Even the CRM 4 documentation for this last point was outdated, only documented for no more supported management tools ?

    I am very surprised to see that these points are not covered at 10 days from the official launch of product. Is quality a secondary concern for this product.


  • You can use selfssl for creating self signed certificate. You are right it is part of IIS 6 but you can still install it and use it. It is part of windows development kit. I hope this answers your question.

    What about claim based authentication for CRM 2011 online. I await SDK update on that.

  • Hi,

    I have followed the steps mentioned in the video to enable IFD for crm 2011.

    I am facing the below mentioned error.Can you please help me figure out the cause.

    There was a problem accessing the site. Try to browse to the site again.

    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

    Reference number: 4d8848a0-d5e7-468a-8177-462ca8c52e27

  • @crm40: This error can occur for a variety of reasons. However, the first time you setup IFD with Claims-Based Authentication, you might see this error if you haven't properly configured DNS so that the URLs for CRM are accessible. You'll need to have your external DNS set so you can hit your CRM server at the address. I also found it was easiest to edit the hosts file on my CRM server so the URLs resolved internally while I was testing my configurations in the Deployment Manager.

  • what about single signin in Sharepoint integration with CRM2011 ifd?

    Is it possible?

  • Thanks for the comments and questions. I'll do my best to answer what I can right now and then follow up on other ones and try to post back later.

    For Simon's questions:

    a) With multiple machines (say you have multiple front end machines), you will need to have the encryption cert in the cert store for each machine. That way each CRM server can encrypt the messages passed between CRM (the relying party) and AD FS 2.0 (the identity provider).

    b) You only have to put the certs in the trusted root certification authorities store if you are using self-signed certificates.

    For David and Jose:

    I like to use MakeCert to create my self-signed wildcard certificates.

    For c Suriex:

    We had some limitations in RC around internal and IFD coexistence. This is something that we have worked to improve for RTM. We'll disclose more details at that time.

    And concerning service provider documentation, this is something that is on our radar.

  • Thanks for your answers Michael. I got a little bit confused while doing the installation per your video because you had DC and CRM servers in the same box. I ran into problems when trying to add the trusts to ADFS and I think I have the "auth" endpoint configured incorrectly. Is it possible to have a documentation in which this installation is specified to an environment in which DC and CRM servers are two separate machines?


  • Is it possible to make CRM 2011 Online to authenticate against your own ADFS? Or WindowsLive is the only option for authentication?

  • Is it possible to install MS CRM 2011 with IFD on windows small business server 2008?

    Facing problem during AD FS 2.0 installation on windows small business server 2008.

  • Hi, I would like to know when CRM 2011 Service provider documentation will be available? Or if it is already available where can I find it?

  • I am also wondering about this:

    "Is it possible to make CRM 2011 Online to authenticate against your own ADFS? Or WindowsLive is the only option for authentication?"

Page 1 of 2 (27 items) 12
Leave a Comment
  • Please add 4 and 8 and type the answer here:
  • Post