Search This Blog

Thursday, September 15, 2016

Microsoft Dynamics CRM 2013 Internet Facing Deployment (IFD)

This post will cover all the steps that need to be follow to configure Internet facing deployment (IFD) for Microsoft Dynamics CRM 2013 On premise deployment.


  1. Dynamics CRM Server 2013 installed on Windows Server 2012 R2 Standard.
  2. ADFS 2.0 server on a separate Windows Server 2012 Standard.
First you will need to purchase the appropriate certificates for the IFD configuration or you can create your own domain certificates and bind them with the sites as described in below:
Steps to create domain certificate:
1. First go to the ADFS server and open IIS manager and then go to server certificates then create a domain certificate.



C:\Users\deepak.jangra\Desktop\IFD images\Create Certificate.png

2. In the next step specify the certification authority and enter the friendly name. Click finish.

    C:\Users\deepak.jangra\Desktop\IFD images\Create Certificate1.png

    3. Now export this certificate from the ADFS Server.

    Import the certificate to CRM Server.

    After this we need to bind the certificate with ADFS server site as mentioned below:

    1. Go to the default website of ADFS server in IIS manager right click the default site and click on edit bindings...

    C:\Users\deepak.jangra\Desktop\IFD images\Create Certificate2.png

    2. Under Type, select https.

    Under SSL certificate, select your SSL certificate and then click OK and then Close.
    C:\Users\deepak.jangra\Desktop\IFD images\Create Certificate3.png

    C:\Users\deepak.jangra\Desktop\IFD images\Create Certificate5.png

    C:\Users\deepak.jangra\Desktop\IFD images\Create Certificate4.png

    3. Repeat the above step 1 and 2 for Dynamics CRM site as well on the CRM Server.


    Now the CRMAppPool account will need to have rights to the certificate.

    In my case CRMAppPool is running under Network Service account so i need to give read permission to the certificate for the Network Service account.

    Follow below steps to give permission to Network Service account:

    1. Launch the MMC (Microsoft Management Console) console and go to File menu and select Add-Remove Snap In.

    2. Select Certificates from the available snap-ins and click Add


    3. Select Computer Account and click Next.

    4. Click Finish on the next window and then click Ok.

    5. Expand Certificates->Personal->Certificates ->Right click on Manage Private keys

    6. Select the Network Service which is running the CRM application pool and give it read permissions and then Ok.

    Now follow below steps to setup ADFS on the Server.

    1. Launch Server manager and click on Add roles and features.

    1. Click Next
       C:\Users\deepak.jangra\Desktop\IFD images\adfs.png
    1. Select Role-based or feature based installation and click Next

       C:\Users\deepak.jangra\Desktop\IFD images\adfs1.png
    1. Select a server from the server pool and click Next
    1. Select Active Directory Federation Services
    C:\Users\deepak.jangra\Desktop\IFD images\adfs3.png
    1. Click on Add Features and then click Next
    C:\Users\deepak.jangra\Desktop\IFD images\adfs4.png
    1. Then on the confirmation page click Install.
    C:\Users\deepak.jangra\Desktop\IFD images\adfs5.png

    Once ADFS get installed then we need to configure that:


    1. Launch Administrative tools and then select ADFS management. 

    2. Click on ADFS Federation Server Configuration Wizard and then select Create a new Federation Service and click Next
    3. Now depending upon your requirement you can choose the appropriate option. The screen explains each of the options.

    I will choose New federation server farm.

    C:\Users\deepak.jangra\Desktop\IFD images\adfs6.png
    4. Specify the Federation Service Name.
    C:\Users\deepak.jangra\Desktop\IFD images\adfs7.png
    5. Shows you the summary of what is about to be installed. Click Next to continue.


    6. Wait for the configuration process to complete and click the Close button. 

     Configuring CRM server for claims based authentication

    Now the next step is to configure Dynamics CRM for claims based authentication.
    Go to CRM Server and open the Deployment Manager and then go to properties and select the tab Web Address.

    C:\Users\deepak.jangra\Desktop\IFD images\CRMClaim.png

    Now enter the internal network URL for CRM and update the binding type to HTTPS then click on "Apply".

    2. Now go to Configure Claims-Based Authentication in the deployment manager.


    3. On the Specify the security token service page, enter the Federation metadata URL, such as and click Next. To verify the correct URL, open an Internet browser by using the URL to view the federation metadata. Verify that no certificate-related warnings appear.

    C:\Users\deepak.jangra\Desktop\IFD images\CRMClaim2.png
    4. Now specify the encryption certificate and click Next

    5. On the System Checks page, review the results, perform any steps required to fix problems, and then click Next

    6. On the Review your selections and then click Apply page, verify your selections, and then click Apply.

    7. Click View log file and scroll to the bottom and copy the Federation metadata URL we will need that in further steps.
    C:\Users\deepak.jangra\Desktop\IFD images\CRMClaim3.png

    Now we need to configure claims provider trusts and relying party trusts on ADFS Server.

    Follow below mentioned steps:
    1. Start ADFS Management on the ADFS Server and in the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

    1. In the Rules Editor, click Add Rule, In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next
    1. Create the following rule
    Claim rule name: UPN Claim Rule (or something descriptive)
    Attribute store: Active Directory
    LDAP Attribute: User Principal Name
    Outgoing Claim Type: UPN
    Click Finish, and then click OK to close the Rules Editor
    After you enable claims-based authentication, you must configure Dynamics CRM Server 2013 as a relying party to consume claims from ADFS for authenticating internal claims access.
    1. Start ADFS Management. On the Actions menu located in the right column, click Add Relying Party Trust. In the Add Relying Party Trust Wizard, click Start.

    1. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL you copied earlier from the log file. So that will be
    Verify that no certificate-related warnings appear by opening it in the browser. 
    C:\Users\deepak.jangra\Desktop\IFD images\CRMClaim4.png 

    1. On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next
    1. On the Choose Issuance Authorization Rules page, leave the Permit all users to access this relying party option selected, and then click Next

    1. On the Ready to Add Trust page, click Next, and then click Close.
    C:\Users\deepak.jangra\Desktop\IFD images\CRMClaim5.png 

    1. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.
    1. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.
    1. Create the following Rule #1
    Claim rule name: Pass Through UPN (or something descriptive)
    Incoming claim type: UPN
    Pass through all claim values
    Click Finish.

    1. In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.
    1. Create the following Rule #2
    Claim rule name: Pass Through Primary SID (or something descriptive)
    Incoming claim type: Primary SID
    Pass through all claim values
    Click Finish
    1. In the Rules Editor, click Add Rule. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

    1. Create the following rule #3
    Claim rule name: Transform Windows Account Name to Name (or something descriptive)
    Incoming claiming type: Windows account name
    Outgoing claim type: Name
    Pass through all claim values
    Click Finish, and when you have created all three rules, click OK to close the Rules Editor.
    So now we have claims setup for CRM.
    In both Servers (ADFS and CRM) go to IE -> tools -> IE options -> security-> local intranet -> sites -> add internal URL and ADFS URL ( and ) This would have to done on any machines that are accessing the internal access points so that ADFS and CRM can pass those Kerberos tickets without being prompted for credentials.

    Now at last we need to configure CRM Server for IFD

    Go to the the CRM Server and follow below steps:

    1. Start the Deployment Manager. In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment. Click Next.
    1. Enter the URLs for the Web Application Server Domain, Organization Web Service Domain and the Discovery Web Service Domain and click on the Next button.

    C:\Users\deepak.jangra\Desktop\IFD images\CRMIFD.png
    1. In the Enter the external domain where your Internet-facing servers are located box, type the external domain information where your Internet-facing Microsoft Dynamics CRM Server 2013 servers are located, and then click Next.
    The domain you specify must be a sub-domain of the Web Application Server Domain specified in the previous step. By default, "auth." is pre-pended to the Web Application Server Domain.
    C:\Users\deepak.jangra\Desktop\IFD images\CRMIFD1.png
    1. On the System Checks page, review the results, fix any problems, and then click Next.
    1. On the Review your selections and then click Apply page, verify your selections, and then click Apply and Finish.
    C:\Users\deepak.jangra\Desktop\IFD images\CRMIFD2.png
    1. Now do the IIS Reset.

    Test the accessibility of Microsoft Dynamics CRM

    You should now be able to access Microsoft Dynamics CRM Server 2013 externally using claims authentication. As shown below.C:\Users\deepak.jangra\Desktop\IFD images\CRMIFD2.png



    No comments:

    Post a Comment