I have just spent several days working through getting Claims Based Authentication and Internet Facing Deployment working on my CRM 2011 system. It was a bumpy road and I thought that I might help smooth the road a bit for others by posting a few tips from the lessons I learned in the process. This is not a set of instructions for doing so, those can be found in the CRM 2011 Implementation Guide and specifically in the accompanying Word document “Microsoft Dynamics CRM 2011 and Claims Based Authentication.doc”. All can be downloaded from here.
The first step is to install and configure ADFS 2.0 (Active Directory Federated Services). This must be installed in the default web site of the server ADFS is installed on. If you are using Small Business Server, as I am, you will need to install this on another server. No problem. I’m running CRM on its own virtual server on port 5555 so I added ADFS on this server. ADFS must be configured to use SSL. The default port for SSL is 443. The SBS server uses port 443. My router points port 443 to my SBS server. Need to use another port. No problem, port 444 is free. You must bind the port to the default web site before you install ADFS.
Tip 1 – Bind your port to the default web site BEFORE you install ADFS. Don’t forget to have your router forward the port to your ADFS server.
Tip 2 – If you miss Tip 1 and install it to port 443 and need to change it, you will have to uninstall ADFS to do so. ADFS does not show up in Control Panel/Programs and Features unless you click on “View installed updates” and look under Microsoft Windows.
You will need several DNS entries pointing to your server, assuming CRM and ADFS are on the same server. If not, you will still need several pointing to ADFS and CRM. These are external names pointing to your internal addresses. For instance You’ll need one for crm.mycompany.com with an address of 192.168.1.5 and another for sts1.mycompany.com with an address of 192.168.1.5. If you are running SBS, your internal domain name is likely mycompany.local so you will need to create a new zone in DNS for mycompany.com. You also probably also have an separate zone for remote.mycompany.com pointing to your SBS server. Be sure your external DNS points appropriately as well. In my case everything goes to my one public IP and the router sorts it out.
Tip 3 – Create a separate zone for mycompany.com to put your addresses in. Don’t bother adding entries in the .local zone.
Before you get too far in trying to make things work, especially from a browser on another computer, such as your workstation, be sure to open the firewall on the ADFS server for your SSL port. Hopefully you’ve already done so for your CRM port.
Tip 4 – Use Windows Firewall with Advanced Security to permit your SSL port (443 or 444 or whatever).
When you run CRM with Claims Based Authentication, you will find that it will periodically log you off! Even while you are in the middle of updating a record! Especially if you have configured IFD! This is not fun. The default timeout is 60 minutes but it will start messing with you after just 20 minutes. You can extend this time out period by following these instructions and using PowerShell.
Tip 5 – Check out the Technet article “Claims Based Authentication and security token expiration” and proceed accordingly.
This is by no means an exhaustive list but I think I could have saved myself a lot of time if I’d only written this before I started trying to configure IFD on my system. I hope it helps you. Be sure to also check out my article on how to reconfigure your Outlook client to use the newly configured IFD.