So by now you've heard about CRM 2011 AND that it supports Claims Based Authentication. You've also heard that in order to create an IFD (Internet Facing Deployment) implementation which is recommended for Mobile configurations you're going to be required to set up a Secure Token Server (STS). Microsoft recommends AD FS 2.0 (Active Directory Federation Services 2.0)
Now ADFS 2.0 isn't your Dad's old Federation Service. That would be ADFS 1.X. ADFS 1.0 comes with Windows 2008 and ADFS 1.1 is the flavor with Windows 2008 R2.
So, this isn't an article on configuring CRM 2011 with ADFS 2.0 as that has been done and redone. You'll find much of what you need for this here in the Claims Based Authentication white paper and CRM 2011 Implementation Guide located here : http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9886ab96-3571-420f-83ad-246899482fb4&displaylang=en
This blog post is going to talk about how you federate that CRM 2011 / ADFS 2.0 implementation to a partner organization where your Partner is running ADFS 1.X and may not be ready to upgrade. In the example below, the CRMPractice domain represents CRM 2011 and the ADFS 2.0 servers and the ADFS1 domain is the partner organization. The following steps are necessary to get this working. Both assume that ADFS is set up correctly and that CRM 2011 is already configured with the ADFS 2.0 implementation.
Certificate Management is one of the toughest things to get all of this working. Your Certificates for Local Computer should have the Signing Certificate with Key on both ADFS servers in the Personal Hive (ADFS1 should have ADFS1 Signing Cert, CRMPractice should have CRMPractice Signing Cert) Additionally, the opposite Signing Cert should be in Trusted Root Authorities and the path should be constructed so that the cert is trusted. The ADFS 2.0 creates a special signing certificate that you should export from the ADFS 2.0 Snap-In under Service | Certificates | Token-signing. You can View Certificate and under Details, Copy to File.
Certificate Management is one of the toughest things to get all of this working. Your Certificates for Local Computer should have the Signing Certificate with Key on both ADFS servers in the Personal Hive (ADFS1 should have ADFS1 Signing Cert, CRMPractice should have CRMPractice Signing Cert) Additionally, the opposite Signing Cert should be in Trusted Root Authorities and the path should be constructed so that the cert is trusted. The ADFS 2.0 creates a special signing certificate that you should export from the ADFS 2.0 Snap-In under Service | Certificates | Token-signing. You can View Certificate and under Details, Copy to File.
ADFS 1.x Side
- Open MMC with Active Directory Federation Services Snap-In
- Open Federation Service | Trust Policy | My Organization
- Right Click Account Stores and Select New | Account Store
- Click Next and then choose Active Directory Domain Services (AD DS), Click Next
- Enable this store is checked, next
- Finish
- Now go to Partner Organizations
- Right Click Resource Partners (CRM 2011 is in the Resource Domain) and Add New Resource Partner
- Click Next and then indicate No policy file to import
- Enter a Display Name
- The URI will be whatever the URI is in ADFS but start with your federation metadata url base and instead of “/federationmetadata/2007-06/federationmetadata.xml” use instead “/adfs/” as this is probably right (more on all the “matchups” later)
- The Federation Service Endpoint URL again we’ll use the “/adfs/ls/” in place of the “/federationmetadata/2007-06/federationmetadata.xml” as a start.
- Click next, and in most cases you will use Federated Web SSO, click Next
- Select UPN Claim only
- Pass all UPN suffixes through unchanged
- Enable the Resource Partner is checked
- Finish
1.x Matchup Data
- If you right click your new Resource Partner and choose Properties, you will see something like this:
- If you right click the Federation Service and choose properties, then click View on the Certificate you should get some notable screens to keep in mind:
- Next right click the Trust Policy and choose Properties for another important screen
ADFS 2.0 Side
- Open MMC with the ADFS 2.0 Snap-In
- Open Trust Relationships | Claims Provider Trusts
- Right click and choose Add Claims Provider Trust and click Start
- Choose Enter claims provider trust data manually - this is important as you don't have a federation metadata URL.
- On the Display Name, this will actually show up for the Users, so you should name it the name of the ADFS1.0 domain such as “ADFS1 Users” and click next
- Choose AD FS 1.0 and 1.1 profile and click next
- On the WS-Federation Passive URL use the Federation Service endpoint URL from the screenshot above (ours would be https://sts2.ADFS1.com/adfs/ls/)
- On the Claims provider trust identifier use the Federation Service URI from the screenshot, it is said that it is case sensitive (from our example that would be https://sts2.ADFS1.com/adfs/)
- Add the Certificate from your ADFS1 Signing cert.
- If you get a problem with the length of the cert, just accept it
- Click Next, Next again and it should open the Claims Rules
- On the Claims rules, we are configuring one rule which is UPN and it will be a transform claim rule. We will be taking an Incoming claim type of “Name ID” with Incoming name ID format of “UPN” and our Outgoing claim type will be “UPN”
2.0 Matchup Data
- If you click on AD FS 2.0 and in the Actions pane choose Edit Federation Service Properties you will see a similar screen as the one from 1.x
- So to verify, if you right click the ADFS 1.x Resource Partner you should see that the Federation Service identifier here is the Federation Service URI there. (Case sensitive again I believe)
- That is normally the last thing.
- If your environment balks like some do you should be able to visit the Event Viewer | Applications and Services | AD FS 2.0 | Admin
- If you see a set of 3 Errors with 315, 111, 364 standing in your way each time you attempt to connect there is a problem with your certificate revocation checking (common when not using a Trusted Root CA) To remedy this:
- On your ADFS 2.0 server open Powershell
- First command is ‘Add-PSSnapin Microsoft.Adfs.PowerShell’ which allows you to command ADFS using scripts
- Second command is ‘set-ADFSClaimsProviderTrust -TargetName "sts2.ADFS1.com" -SigningCertificateRevocationCheck None’ where you would replace sts2.ADFS1.com with whatever the name you gave the Claims Provider, in our earlier example that would be ADFS1 Users within the quotes.
- Restart the ADFS 2.0 Service and perform an IISRESET on both ADFS boxes.
I know what your next question is going to be, but for now you'll have to wait for the next blog post when I discuss: Can CRM 2011 leverage ADFS 1.1 without ADFS 2.0?