web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / When to use claims and...
Microsoft Dynamics CRM (Archived)

When to use claims and when to use adfs

(0) ShareShare
ReportReport
Posted on by Community Member

Hi all,

I'm getting my head slowly around Crm and the authentication methods.  I have my server set for internal users (uses claims and passes through users on domain) and external users using adfs where they must renter credentials on adfs form.

My question is why have the 2 methods? My users are all remote from data centre and access servers over VPN so presumably claims us sufficient - when would adfs be preferred?  Would that be none domain joined pc's?  Couldn't they cone in via claims and just enter credentials?

Thanks

craig 

*This post is locked for comments

I have the same question (0)
  • Suggested answer
    Bruno Lucas Profile Picture
    Bruno Lucas 5,421 on at

    ADFS needs claim to complete the authentication.

    "A federation server (ADFS) on one side (the Accounts side) authenticates the user in Active Directory Domain Services and then issues a token containing a series of claims "

    so it needs "Claims" to authenticating a user based on a set of claims about its identity contained in a trusted token

    msdn.microsoft.com/.../bb897402.aspx

    this is the only supported approach for exposing CRM to the outside. I've seen some folks trying some hacks and it did not end up well.

  • Suggested answer
    Bruno Lucas Profile Picture
    Bruno Lucas 5,421 on at

    Another way to explain, ADFS just pick you login info and check against AD , generates a token. Claims takes this token and if it's all good it will let you in

    windowsitpro.com/.../how-adfs-does-identity-federation

    also note ADFS is a SSO and should be on the DMZ

    you need something like claims or Kerberos to communicate across different branches

    crmbook.powerobjects.com/.../authentication-models

  • Community Member Profile Picture
    Community Member on at

    Thanks Bruno.  Perhaps I should rephrase the initial question as I understand the need for adfs.  Should my users, when coming to crm from the internet, be accessing it using the ifd URL or using the internal URL?  Ie using the 'sso login' or using the form logon?

    Thanks.

  • Bruno Lucas Profile Picture
    Bruno Lucas 5,421 on at

    if you are outside the network, you use the external URL

    technet.microsoft.com/.../gg188591(v=crm.6).aspx

    that will display that web form login form

    if you use the external address inside, you may get a second authentication prompt

    blogs.msdn.com/.../step-by-step-configuring-crm-2013-internet-facing-deployment-ifd.aspx

    if you use the internal address inside the network, it should just open the crm as usual without prompts

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Stars!

Congratulations to our 2025 Community Spotlights

Thanks to all of our 2025 Community Spotlight stars!

Congratulations to the February Top 10 Community Leaders

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
JS-09031509-0 Profile Picture

JS-09031509-0 3

#2
AS-17030037-0 Profile Picture

AS-17030037-0 2

#2
Mark Eckert Profile Picture

Mark Eckert 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans