Microsoft Dynamics CRM (Archived)

CRM 2013 authentication: NTLM, Kerberos, ADFS


Hi,

  I wonder if somebody could clarify this whole question of CRM authentication and provide references to the official documentation.

  First of all, are there any limitations on the NTLM authentication when it comes to CRM? Let's say we are talking about internal CRM deployment (not internet-facing). Will there be any problems? (if we go beyond that statement that Kerberos is a newer/preferred authentication protocol in general) For CRM 2011, there was a TechNet article mentioning NTLM authentication for CRM. I can't find a similar article for CRM 2013/2015, though. With that said, I can't find any articles stating the opposite (that NTLM would cause problems).

  Another part of this question is related to the internet-facing deployment. Let's forget about that IFD configuration wizard in CRM for a second. What if CRM was exposed to the internet and had NTLM authentication enabled? Technically, it should work, and, based on a few experiments we had here, it does. Except, maybe, for the Outlook and mobile apps. So why is there a requirement to have ADFS in this scenario?

   Would really appreciate reference to the official documentation that also explains "why"..

Thanks a lot!

  

  • Suggested answer

    Hello Alex,

    In CRM, the first preference is Kerberos, and if that is not possible, NTLM is chosen. Kerberos mandates that the calling user's computer is joined to the same domain as the CRM server, or at least trusted by the CRM domain. NTLM is the older protocol and is not as secure as Kerberos. Neither of these protocols is good enough to be used across the internet OR from untrusted domains or non-domain-joined computers.

    In CRM 3.0 - You will have to VPN into the corporate domain from your laptop to be able to access CRM.

    In CRM 4.0 - A more graceful solution - usage of an add-on that receives the CRM user's credentials via a forms-based page was introduced. support.microsoft.com/.../948779

    ADFS provided CRM 2011 internet facing deployment with the below major advantages:

    - Security - This purpose-built platform component was way more secure than the simple add-on for CRM 4.0 could ever hope to be.

    - Single sign-on capability with other applications that use ADFS - custom web pages, SharePoint, etc.

    - Ability to federate with partner domains - Add a partner company's employees as users in your CRM application. They will be able to log into your CRM server using their home domain credentials. You need not create/manage these external users within your AD, nor do you have to create a forest-to-forest AD trust with the other company.

    You may also refer to this link for an FAQ on ADFS

    blogs.technet.com/.../faq-on-adfs-part-1.aspx

    Please mark my answer as verified if you found it useful.

    Regards,

    Bhartendu Pandey

    Microsoft Dynamics CRM Support Engineer

  • ashlega

    Hi Bhartendu,

    Thank you for the reply. Is it fair to say, though, that ADFS is not, actually, required? Well, it is, in a number of scenarios.. and, obviously, it has quite a few advantages.. but, if we ignore Outlook integration and mobile apps which require ADFS, would NTLM be supported otherwise, or would it be, let's say, frowned upon by the Microsoft support engineers if they find themselves troubleshooting CRM deployment in such an environment?

    Thanks,

    Alex

  • Verified answer

    Hello Alex,

    Use of NTLM is not a supported scenario when using CRM because of security-related implications.

    Presence of Kerberos authentication is extremely vital for running reports, Outlook use, and the mobile client application.

    So if Kerberos is not being used, the environment would be considered unsupported.

    Please mark my answer as verified if you found it useful.

    Regards,

    Bhartendu Pandey

    Microsoft Dynamics CRM Support Engineer

  • Javeds

    1. Configuration Editor
       1. In IIS, select the Microsoft Dynamics CRM website
       2. Click Configuration Editor
       3. In the Section box, go to system.webServer > security > authentication > windowsAuthentication, or paste in system.webServer/security/authentication/windowsAuthentication
       4. Ensure both useAppPoolCredentials and useKernelMode are set to “True”
       5. Click “Apply” on the right

    2. Authentication
       1. In IIS, select the Microsoft Dynamics CRM website
       2. Click Authentication
       3. Select Windows Authentication
       4. Click Advanced Settings in the Actions pane on the right
       5. Ensure “Enable kernel-mode authentication” is enabled
       6. Click OK to save


    After these have been changed you will need to perform an IISRESET on the server.
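
The IIS steps in the post above, scripted with the WebAdministration module as an added example (not part of the original thread). The function names are hypothetical, and the site name is the one given in the post; run it elevated on the CRM web server.

```powershell
# Added example: audit, and optionally set, the two windowsAuthentication
# attributes named in the post. Function names are hypothetical.
Import-Module WebAdministration

$site   = 'Microsoft Dynamics CRM'   # IIS site name as given in the post
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$names  = 'useAppPoolCredentials', 'useKernelMode'
$apphost = 'MACHINE/WEBROOT/APPHOST' # authentication sections live in applicationHost.config

function Get-CrmWindowsAuthSetting {
    # Returns one object per attribute with its current Boolean value.
    param([string]$Site, [string[]]$Names)
    foreach ($name in $Names) {
        $attr = Get-WebConfigurationProperty -PSPath $apphost -Location $Site `
                    -Filter $filter -Name $name
        [pscustomobject]@{ Site = $Site; Attribute = $name; Value = $attr.Value }
    }
}

function Set-CrmWindowsAuthSetting {
    # Sets any attribute that is not already True; supports -WhatIf.
    # Returns $true if at least one value was changed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Site, [string[]]$Names)
    $changed = $false
    foreach ($s in Get-CrmWindowsAuthSetting -Site $Site -Names $Names) {
        if ($s.Value -eq $true) { continue }
        if ($PSCmdlet.ShouldProcess("$Site / $($s.Attribute)", 'Set to True')) {
            Set-WebConfigurationProperty -PSPath $apphost -Location $Site `
                -Filter $filter -Name $s.Attribute -Value $true
            $changed = $true
        }
    }
    return $changed
}

# Report the current state first, then preview the change without applying it.
Get-CrmWindowsAuthSetting -Site $site -Names $names | Format-Table -AutoSize
Set-CrmWindowsAuthSetting -Site $site -Names $names -WhatIf | Out-Null

# To apply for real, drop -WhatIf; the post says an IISRESET is needed afterwards:
# if (Set-CrmWindowsAuthSetting -Site $site -Names $names) { iisreset }
```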
