For Internal Access

  1. The client sends a request to access the Dynamics CRM website.
  2. The CRM web server finds no security token on the request and responds with an HTTP 302 that redirects the client to ADFS.
  3. The client follows the redirect and requests a security token from ADFS.
  4. ADFS returns an HTTP 401 (Unauthorized) with a WWW-Authenticate: Negotiate header, indicating that the client must present a Kerberos ticket.
  5. The client requests a Kerberos service ticket for the ADFS service from Active Directory (the KDC).
  6. Active Directory validates the client and issues the ticket.
  7. The client resends the request for a security token to ADFS, this time with the Kerberos ticket attached.

Typically, for internal access, the client has already logged on to the internal domain (for example mydomain.com) and holds a Kerberos ticket-granting ticket from that logon, so steps 4 to 7 complete transparently in the background: the browser answers the Negotiate challenge with a service ticket and the user is never prompted for credentials.

  8. ADFS issues a security token containing the claims CRM needs to authorize access to its data.
  9. The client posts the security token obtained from ADFS to the CRM server.
  10. The CRM server validates the token (checking the ADFS signature, the issuer, the audience and the validity period, and decrypting it first if token encryption is configured) and then serves the requested data to the user.

For External Access

The flow is similar to internal access, with the following exceptions:

  • The client is not logged on to the domain, so it has no Kerberos ticket with which to answer the Negotiate challenge.
  • ADFS instead presents a forms-based sign-in page (preceded by a home realm discovery page if more than one claims provider is configured); the user enters their domain credentials, which ADFS validates against Active Directory before issuing the security token.
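The following is an added example, not code from the original article or from Dynamics CRM or ADFS. It is a stand-alone Python simulation of the WS-Federation passive sign-in exchange described in both the internal and external flows above: the relying party's 302 redirect with wa/wtrealm, the Negotiate challenge an internal client answers with a Kerberos ticket, the forms logon an external client goes through, and the token checks the CRM side performs before granting access. The hostnames, issuer URI, sample account and the HMAC stand-in for the ADFS token-signing certificate are assumptions made for the simulation; real ADFS tokens are SAML assertions signed with the token-signing certificate's RSA key.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed names for this simulation; substitute your own IFD hostnames.
CRM_REALM = "https://crm.mydomain.com/"                      # wtrealm the relying party sends
ADFS_SIGNIN = "https://adfs.mydomain.com/adfs/ls/"            # ADFS passive sign-in endpoint
ADFS_ISSUER = "http://adfs.mydomain.com/adfs/services/trust"  # issuer URI placed in the token
SIGNING_KEY = b"stand-in-for-the-ADFS-token-signing-certificate"  # toy HMAC key, not RSA
TOKEN_LIFETIME = 3600
DIRECTORY = {"alice@mydomain.com": "CorrectHorse1!"}  # constructed sample AD account

class TokenRejected(Exception):
    """Raised by the CRM side when a posted token fails validation."""

def active_directory_validate(credentials):
    """Stand-in for the password check ADFS performs for a forms logon (external flow)."""
    upn, password = credentials
    return upn if DIRECTORY.get(upn) == password else None

def kdc_service_ticket(client, spn):
    """Steps 5-6: only a client logged on to the domain gets a service ticket for ADFS."""
    if client.get("logged_on_as") not in DIRECTORY:
        return None
    return {"spn": spn, "cname": client["logged_on_as"]}

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def adfs_issue_token(upn, realm, now=None):
    """Step 8: a signed token scoped to the realm (wtrealm) that asked for it."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"iss": ADFS_ISSUER, "aud": realm, "nbf": now,
                       "exp": now + TOKEN_LIFETIME, "upn": upn}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def crm_validate_token(token, now=None):
    """Step 10: the relying party's checks. Signature first, then issuer, audience and time."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")   # never parse claims from an unsigned body
    claims = json.loads(body)
    if claims.get("iss") != ADFS_ISSUER:
        raise TokenRejected("untrusted issuer")
    if claims.get("aud") != CRM_REALM:
        raise TokenRejected("token was issued for another relying party")
    if not claims["nbf"] <= now < claims["exp"]:
        raise TokenRejected("token outside its validity window")
    return claims

def crm_handle_request(path, token=None, now=None):
    """Steps 1-2 (no token: redirect to ADFS) and 9-10 (token posted back: validate)."""
    if token is None:
        params = {"wa": "wsignin1.0", "wtrealm": CRM_REALM, "wctx": "ru=" + path}
        return {"status": 302, "location": ADFS_SIGNIN + "?" + urlencode(params)}
    claims = crm_validate_token(token, now)
    return {"status": 200, "user": claims["upn"], "path": path}

def adfs_handle_request(location, client):
    """Steps 3-4 and 7-8 for internal clients; the forms sign-in page for external ones."""
    qs = parse_qs(urlparse(location).query)
    if qs.get("wa") != ["wsignin1.0"] or "wtrealm" not in qs:
        return {"status": 400}
    realm = qs["wtrealm"][0]
    if client["network"] == "internal":
        if "kerberos_ticket" not in client:
            return {"status": 401, "www_authenticate": "Negotiate"}
        upn = client["kerberos_ticket"]["cname"]       # identity proven by the ticket
    else:
        if "credentials" not in client:
            return {"status": 200, "body": "forms sign-in page"}
        upn = active_directory_validate(client["credentials"])
        if upn is None:
            return {"status": 401, "body": "forms sign-in page, logon failed"}
    return {"status": 200, "wa": "wsignin1.0", "wresult": adfs_issue_token(upn, realm)}

def run_flow(client, path="/main.aspx"):
    """Drive one client through the whole exchange and return CRM's final response."""
    redirect = crm_handle_request(path)                           # steps 1-2
    adfs = adfs_handle_request(redirect["location"], client)      # step 3
    if adfs.get("www_authenticate") == "Negotiate":               # step 4
        ticket = kdc_service_ticket(client, "HTTP/adfs.mydomain.com")  # steps 5-6
        if ticket is None:
            return adfs                   # not logged on to the domain: stays at 401
        client = dict(client, kerberos_ticket=ticket)
        adfs = adfs_handle_request(redirect["location"], client)  # steps 7-8
    if "wresult" not in adfs:
        return adfs                       # forms page shown, or forms logon failed
    return crm_handle_request(path, token=adfs["wresult"])        # steps 9-10
```

Running `run_flow({"network": "internal", "logged_on_as": "alice@mydomain.com"})` walks the internal path with no credential prompt, while `run_flow({"network": "external", "credentials": ("alice@mydomain.com", "CorrectHorse1!")})` takes the forms route; both end with CRM validating the token. The audience check in `crm_validate_token` is the one most often skipped in home-grown relying parties: without it a token ADFS issued for any other relying party in the same farm would be accepted by CRM.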