The following are some of the limitations of accessing Dynamics CRM platform using Claims-based authentication

  • Dynamics CRM does not enforce strong password policy and this task is handled by AD.
  • ADFS federation server sessions are valid up to 8 hours for deactivated or deleted users. The ADFS server tokens allocated to a web single sign-on (SSO) have cookie expiration of 8 hours. Therefore even when a user is deactivated or deleted from authentication provider as long as the user session is still active the user can continue to be authenticated to access resources.
  • Certificates created using the CNG key template are incompatible with Microsoft Dynamics CRM.
  • CRMAppPool account used for Dynamics CRM website must have read permission to the private key or encryption certificate.

Work around option(s):

  1. Disable the user in Dynamics CRM and AD.
  2. Reduce the ADFS token life time. (Power Shell). In ADFS 4.0 on Server 2016 TokenLifetime is replaced with SsoLifeTime and default is set to 480

 New Picture