The following are some of the limitations of accessing the Dynamics CRM platform using claims-based authentication:
- Dynamics CRM does not enforce a strong password policy; this is handled by AD.
- ADFS federation server sessions remain valid for up to 8 hours for deactivated or deleted users. The ADFS tokens issued for web single sign-on (SSO) have a cookie expiration of 8 hours, so even after a user is deactivated or deleted in the authentication provider, that user can continue to authenticate and access resources for as long as the session is still active.
- Certificates created using the CNG key template are incompatible with Microsoft Dynamics CRM.
- The CRMAppPool account used for the Dynamics CRM website must have read permission on the private key of the encryption certificate.
Workaround options:
- Disable the user in Dynamics CRM and AD.
- Reduce the ADFS token lifetime (via PowerShell). In ADFS 4.0 on Windows Server 2016, TokenLifetime is replaced with SsoLifetime, whose default is 480 (minutes, i.e. the 8 hours noted above).
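The two workarounds above, carried out from PowerShell on the primary AD FS server, as an added example that is not part of the original article. It assumes the ADFS and ActiveDirectory modules are installed, and the user name and the new lifetime value are placeholders you replace; disabling the user inside Dynamics CRM itself is done through the CRM UI or SDK and is not shown here.

```powershell
# Added example (not from the original article). Assumes it runs on the primary
# AD FS server with the ADFS and ActiveDirectory PowerShell modules available.
Import-Module ADFS
Import-Module ActiveDirectory

$userSam       = 'jdoe'   # placeholder: sAMAccountName of the departing user
$newSsoMinutes = 60       # placeholder: new web SSO cookie lifetime in minutes

# 1. Disable the account in AD so no new ADFS session can be established for it.
Disable-ADAccount -Identity $userSam
$acct = Get-ADUser -Identity $userSam -Properties Enabled
if ($acct.Enabled) { throw "Account $userSam is still enabled" }

# 2. Show the current web SSO lifetime (default 480 minutes), then reduce it so
#    that future sessions of removed users expire sooner than 8 hours.
$before = (Get-AdfsProperties).SsoLifetime
Write-Host "SsoLifetime before: $before minutes"
Set-AdfsProperties -SsoLifetime $newSsoMinutes

# 3. Verify the change took effect.
$after = (Get-AdfsProperties).SsoLifetime
if ($after -ne $newSsoMinutes) { throw "SsoLifetime was not updated (still $after)" }
Write-Host "SsoLifetime after: $after minutes"
```

The shorter lifetime applies only to SSO cookies issued after the change; a cookie issued earlier keeps the expiration it was issued with, so disabling the user inside Dynamics CRM remains the step that cuts off an already-authenticated session.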