Microsoft Dynamics CRM (Archived)

Does CRM 2011 require claims-based auth for an IFD?


Is using claims-based authentication *required* for an IFD in CRM 2011 or can you use AD authentication? This article says that it is supported although it's under a section titled "Access the Web Services", so I can't tell if they mean it's supported for web services access or for the whole client.

The customer has told me they're able to access the client when accessing it over the internet and it seems to work fine. I can verify that - I enter the domain credentials and it seems to work fine. But is it supported?

I'm trying to encourage my customer to use claims-based auth as I feel it's more secure, but they're asking. I just want to know if I'm getting into unsupported territory.

Thanks,

Jeff

 

  • Suggested answer
    Community Member

    From the book Microsoft Dynamics CRM2011 Administration:

    Claim based authentication is a new authentication model that is required (mentioned multiple times that claim based authentication is a pre-requirement for IFD setup) for internet-facing deployments. When a user attempts to log in to Dynamics CRM, his credentials are redirected to the federation server (e.g. ADFS 2.0) which checks his claim against the identity provider (e.g. Active Directory). If the claim is valid, a token is given to the user to provide access to Dynamics CRM.

    Hope that answers your question :)

  • Chris Sealy

    Perhaps I need to read more, but I don't think the previous answer answers the question.

    The docs state it is a requirement. I assume it is so that you are using a 'supported' configuration. But they do not state why. I guess they are leaving it up to us to read more about ADFS and its benefits. (Understandable)

    I think the bigger question is, Is it required to make it a secure application?

    For instance, it sounds like the customer opened up a port on the firewall and put out a public DNS entry that points to their NAT'ed address. Then an outside user fails Kerberos authentication and is therefore prompted for NTLM. The user enters their credentials and they are authenticated via NTLM. It would work just fine and I know it works.

    It seems that ADFS gives the web user a much more robust encryption to help preserve their site from being hacked. Or their session from being hijacked, even though they would at least be using https (I would hope).

    Will someone with more knowledge of ADFS / CRM integration please answer this question in a little bit more detail and possibly offer a tiny business case for using ADFS?

    I know we should all read up on ADFS, IIS, Network Protocols, etc., but many of us are left to perform the task by ourselves within a limited amount of time. It is sometimes nice to find a small gold-mine of an answer other than, "because I said so". :)
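The two sign-in behaviours described in the posts above (a direct NTLM prompt versus a redirect to the federation server) can be told apart from the first unauthenticated response of your own deployment. This is an added example, not part of the thread or of any Microsoft tooling; it assumes claims mode shows up as a WS-Federation passive redirect (`wa=wsignin1.0`, `wtrealm`), and the hostnames and responses are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample responses to an unauthenticated GET (hostnames are placeholders).
SAMPLES = {
    "https://crm.example.test/": (401, [
        ("WWW-Authenticate", "Negotiate"),
        ("WWW-Authenticate", "NTLM"),
    ]),
    "https://org.example.test/": (302, [
        ("Location", "https://sts.example.test/adfs/ls/?wa=wsignin1.0"
                     "&wtrealm=https%3a%2f%2forg.example.test%2f"),
    ]),
    "https://old.example.test/": (302, [
        ("Location", "http://sts.example.test/adfs/ls/?wa=wsignin1.0"
                     "&wtrealm=https%3a%2f%2fold.example.test%2f"),
    ]),
}

def classify_auth(status, headers):
    """Return how the endpoint asks an anonymous client to sign in."""
    schemes, location = set(), None
    for name, value in headers:  # a list, because WWW-Authenticate can repeat
        if name.lower() == "www-authenticate" and value.split():
            schemes.add(value.split()[0].lower())
        elif name.lower() == "location":
            location = value
    # AD (integrated Windows) authentication offered directly by the web server.
    if status == 401 and schemes & {"ntlm", "negotiate"}:
        return "integrated-windows"
    # WS-Federation passive sign-in request sent to a security token service.
    if status in (301, 302, 303, 307) and location:
        target = urlsplit(location)
        query = {k.lower(): v for k, v in parse_qs(target.query).items()}
        if query.get("wa") == ["wsignin1.0"] and "wtrealm" in query:
            return "claims-redirect" if target.scheme == "https" else "claims-redirect-insecure"
    return "unknown"

def audit(samples):
    """Classify every sample and list the endpoints that need attention."""
    results = {url: classify_auth(*resp) for url, resp in samples.items()}
    flagged = sorted(u for u, r in results.items() if r != "claims-redirect")
    return results, flagged

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES)[0].items():
        print(f"{url:32} {verdict}")
```

An endpoint classified as `integrated-windows` on its public name is accepting domain credentials directly, which is the configuration the original question asks about.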

  • Community Member

    Hehe understand what you mean Chris and you are correct. The approach that you provide does indeed also work. Have done it that way myself.

    I'm also no big expert on ADFS, that's why I was indeed referring to the manual ;-)

    Hopefully someone else can fill that gap.

    The added value of using federation services for me is that you can use another source to authenticate to. Like for instance live ids or something custom. With ADFS, AD. But that still doesn't answer your question because then we are back at your scenario. I think claim based auth is more secure than just using NTLM. Anyway hopefully an ADFS expert can help us out.

  • Suggested answer
    Chris Consul

    Hi all, when you want to publish Dynamics CRM 2011 to the internet, IFD/Claims/ADFS is the only supported way. And it also does not take much time; you can do the configuration in 30 minutes.

    The idea behind this change is the following. CRM 2011 needs to be working with other cloud products like SharePoint 2010 and Exchange 2011. With ADFS enabled you can use it to log on with your credentials and you will get a token. With this token you are able to log on to every claims trusted application. The big customer of the hosted will be able to manage his own ADFS Server and the Hoster is only trusting them. This change will make many things easier to manage. It will also bring the opportunity to do the authentication 1 time and work with all levels of application operation (self hosted, partner hosted and in the Microsoft cloud).

    Find more information here:

    dynamics-crm2011.blogspot.com/.../configuring-hostedifd-with-microsoft.html

    When you have questions regarding CRM and ADFS, let me know. I've done the setup many, many times now and know most of the issues you can get...

    Cheers

    Chris

  • Suggested answer
    Chris Consul

    Adding a bit more regarding the secure part you are asking for: The token you get from the STS (ADFS external endpoint) is encrypted via SSL certificate. This can be the same certificate as you are using for the CRM and ADFS website (this would be the normal config, using a wildcard certificate for all). You can also use a different certificate for the token signing. In this case only the CRM Server will be able to encrypt the token, but anyway, it is a bit more complex to hack this additional part. But this is not the main part that we are looking for a more secure authentication here. It is, as written before, more a feature.

    Active Directory Federation Services (AD FS) is a feature in the Microsoft Windows Server® 2003 R2 and Windows Server® 2008 operating systems that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries. :-)

    For example here: ADFS makes it possible to use CRM 2011 and other applications with Novell Groupwise as Identity Provider. ADFS 2.0 is talking to CRM and ADFS 2.0 is talking to ADFS 1.0.

    And ADFS 1.0 is able to talk to Novell for example. This way you can build highly complex secure identity provider scenarios :-)

    dynamics-crm2011.blogspot.com/.../crm-2011-adfs-20-federating-with-adfs.html

  • Suggested answer
    Mohammad Atif

    Hi All,

    I would just like to add my comments here as I found that the things are already discussed in great details in this thread.

    If you are using the claims based authentication and trying to access the CRM application within the domain or trying to configure the CRM 2011 Outlook Client, use the internal URL (Claims URL), and if you are trying to access it from the Internet, use the IFD URL (Internet Facing Deployment); this is what has been tested and verified by Microsoft. Other authentication might work for you but there are scenarios when you may land up in some issues. So the instructions in the white paper available at: www.microsoft.com/.../details.aspx are pretty much clear to configure and use Claims and IFD.

    Thanks,

    Mohammad

  • dinker

    Hi Chris,

    I am going to set up IFD for CRM 2011 at my office. Would you please let me know below few points.

    In our office we are running CRM 2011 with http & we want to run it on https. I got so many links for setting up IFD/ADFS but am confused.

    1- I want to know why we require ADFS for CRM 2011 & from where we can get a certificate for ADFS?

    2- Can we configure IFD without using ADFS? If yes, how, & if no... Please send me some useful link.

    Looking forward to reply.

    Regards

    Dinker Gururani

  • Enjay

    Hi Chris!

    Not sure if I should hog this thread to ask you the questions I have in mind about ADFS 2.0 but here goes.

    I am fairly new to taking the CRM on IFD. Let's say I am going to be performing all the settings for the first time.

    I am even before moving on to claims based authentication, running into a snag when I try to set up Federation Services through ADFS 2.0.

    I have multiple web sites and because of that ADFS 2.0 doesn't pick up a default or allow me to choose the site I want. I stopped all other websites and ran only one, but that still didn't get picked up.

    I then chose the one that was set up on the default port 80 and stopped all other websites. That didn't work either.

    I have gone through many documents, ran several internet searches and theoretically this is what I have learnt:

    Set up ADFS 2.0

    Must have an SSL Certificate for your website

    Configure claim based authentication using the Federation Services and SSL certificate

    then configure IFD.

    Then you can use your domain and/or public IP to access the CRM anywhere.

    Where am I going wrong? I am a complete novice at this and would love some help from anyone who can help me figure this out!

    Thanks :)

  • Community Member

    Hi Chris,

    Am a newbie to Dynamics CRM and in my organization we are trying to publish CRM 2011 to the internet via TMG. While entering the public URL, it redirects to CRM and asks for credentials but fails with error: You dont have permission / privilleges to perform this action. I have not set up claims based authentication / ADFS / IFD. I read in many blogs that for making CRM internet facing this is required. Please advise what is recommended in my scenario to make my CRM available on the internet.
