Introductions
Christopher Cognetta
Practice Manager, Client Field Engineering
Microsoft Dynamics CRM MVP
chris.cognetta@tribridge.com
CRMUG Chairperson, Miami & Tampa Co-Chair
250+ Dynamics CRM Implementations & Upgrades - 80+ with ADFS & IFD
Infrastructure / Application Architecture Guru
BLOG: www.cognettacloud.com
TWITTER: @ccognetta
Agenda
What is ADFS?
Active Directory Federation Services (ADFS) is Microsoft's Security Token Service (STS). It provides or federates single sign-on (SSO) with other security providers (AD, Windows Live, Office 365, and many others). Mobile and cloud-based ISV add-ons often require your CRM to be ADFS/IFD (Internet Facing Deployment) enabled.
ADFS Diagrams
Standard Authentication
Internal ADFS
Preparation
Internal and External DNS Entries
Deployment Options
CRM and ADFS Installation Tips
ADFS Screen Shots
Quick Check List
Tips and Tricks
Firewall Overview
[Diagram: internal IP, all URLs port-forwarded to the web server, with a separate ADFS server]
All URLs except ADFS will port forward to the CRM web server on port 443. ADFS will be configured as a separate website on port 444. A standalone ADFS server on port 443 is recommended.
If ADFS and CRM are implemented on the same server, ADFS must be the default website (Site #1 as shown in the IIS Sites list), and CRM must be installed on its own port rather than on the default site.
[Diagram: Option 3 - firewall with external IP, DMZ, and web server]
Certificates Required
Some security teams do not want to use wildcard certificates such as *.domainname.com.
Certificate Warnings
HTTPS://crm.domain.com
ALL SYSTEMS GO
Use the following URL to test that the ADFS Federation Service is working: https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml. Note: the port is required in the URL if ADFS is not running on 443.
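The metadata test above can be scripted so that it does more than confirm the page loads. The following PowerShell script is an added example, not part of the original slides or of the presenter's material: it builds the metadata URL (adding the port only when it is not 443), loads the XML, reports the Federation Service identifier (entityID) and the token-signing certificate thumbprints, and warns when the entityID host does not match the host name that was queried. The host name adfs.domain.com and the port are assumptions taken from the slide; replace them with your own.

```powershell
# Added example (not from the original slides): probe the ADFS federation
# metadata endpoint and summarise what it publishes.
param(
    [string]$AdfsHost = 'adfs.domain.com',   # assumed host name from the slide
    [int]$Port = 443                          # 444 when ADFS shares the CRM server
)

$portPart = if ($Port -eq 443) { '' } else { ":$Port" }
$url = "https://$AdfsHost$portPart/FederationMetadata/2007-06/FederationMetadata.xml"

try {
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($url)   # throws on DNS, TLS or HTTP failure
} catch {
    Write-Error "Federation metadata not reachable at $url : $($_.Exception.Message)"
    return
}

# The root element is EntityDescriptor; its entityID is the identifier that
# relying parties such as CRM must trust.
$entityId = $xml.EntityDescriptor.entityID
Write-Output "Federation Service identifier: $entityId"

# A different host in the entityID usually means the federation service name
# was configured with a DNS name other than the one users are sent to.
$idHost = ([Uri]$entityId).Host
if ($idHost -and $idHost -ne $AdfsHost) {
    Write-Warning "entityID host '$idHost' differs from queried host '$AdfsHost'"
}

# List the distinct signing certificates so they can be compared with the
# certificate the relying party has been given.
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$seen = @{}
foreach ($node in $xml.SelectNodes($xpath, $ns)) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    $seen[$cert.Thumbprint] = $true
    Write-Output ("Signing cert: {0}  subject {1}  expires {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
}
```

Run it from the CRM server as well as from an external client: the internal run confirms that the split DNS entry resolves to the right place, and the external run confirms that the firewall rule and port are correct.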
Provider Trust for Active Directory:
Select Claims Provider
Select Active Directory
Select Edit Claim Rules
Add Rule: UPN Claim Rule (matches the User Principal Name to the UPN field)
Overview
Minimum Requirements
Server 2008 R2
Configure ADFS to use the deployed certificate
Download and install the Microsoft Online Services Sign-In Assistant and the Microsoft Online Services Module for Windows PowerShell
Change security on the default URL from Anonymous Authentication to Windows Authentication
Add the public domain URL to the Local Intranet zone
Run the Microsoft Online Services Module for PowerShell and convert your public domain to federated:

$cred = Get-Credential                                  # Office 365 admin credentials
Connect-MsolService -Credential $cred                   # cmdlet from the MSOnline module
Convert-MsolDomainToFederated -DomainName <domain>      # replace <domain> with your public domain
AD Sync Config
Troubleshooting
Checklist Summary
Quick Checklist
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621
BackConnectionHostNames
http://support.microsoft.com/kb/896861
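The KB article above describes the loopback check that breaks Windows Authentication when a server calls itself by a host name that is not its machine name, and the BackConnectionHostNames registry value that lists the names to allow. The following PowerShell script is an added example, not part of the original slides: it merges the CRM and ADFS host names into that Multi-String value without discarding entries that are already present, and checks the stored type afterwards. The host names crm.domain.com and adfs.domain.com are assumptions taken from the slides.

```powershell
# Added example (not from the original slides): add the ADFS/CRM host names
# to BackConnectionHostNames (KB 896861) so that Windows Authentication works
# when the server addresses itself by its public DNS name.
$hostNames = @('crm.domain.com', 'adfs.domain.com')   # assumed; use your own URLs

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Read any existing entries so the update merges rather than overwrites.
$existing = @()
$prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$valueName) }

$merged = @($existing + $hostNames |
    ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

# The KB requires a Multi-String (REG_MULTI_SZ) value; Set-ItemProperty creates
# the value if it does not exist yet.
Set-ItemProperty -Path $keyPath -Name $valueName -Value $merged -Type MultiString

# Verify the stored type and contents.
$kind = (Get-Item -Path $keyPath).GetValueKind($valueName)
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
    Write-Warning "$valueName is stored as $kind, expected MultiString"
}
Write-Output "$valueName now contains:"
(Get-ItemProperty -Path $keyPath -Name $valueName).$valueName |
    ForEach-Object { Write-Output "  $_" }
Write-Output 'Restart the IISAdmin service (or reboot) for the change to take effect.'
```

Run it in an elevated PowerShell session on each server that hosts CRM or ADFS. Prefer listing the specific host names over disabling the loopback check altogether, since the check exists to stop reflected authentication against the local machine.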
HTTPS Binding
Republish CRM Customizations
Restart IIS and/or Reboot
Reconfigure via the CRM wizards
See the www.cognettacloud.com blog for the URL Reservations issue
http://go.microsoft.com/fwlink/?LinkID=210780
http://go.microsoft.com/fwlink/?LinkId=205316
Caution on Cache