Issues and Limitations of Claim-based authentication when used with Dynamics CRM

The following are some of the limitations of accessing Dynamics CRM platform using Claims-based authentication

Dynamics CRM does not enforce strong password policy and this task is handled by AD.
ADFS federation server sessions are valid up to 8 hours for deactivated or deleted users. The ADFS server tokens allocated to a web single sign-on (SSO) have cookie expiration of 8 hours. Therefore even when a user is deactivated or deleted from authentication provider as long as the user session is still active the user can continue to be authenticated to access resources.
Certificates created using the CNG key template are incompatible with Microsoft Dynamics CRM.
CRMAppPool account used for Dynamics CRM website must have read permission to the private key or encryption certificate.

Work around option(s):

Disable the user in Dynamics CRM and AD.
Reduce the ADFS token life time. (Power Shell). In ADFS 4.0 on Server 2016 TokenLifetime is replaced with SsoLifeTime and default is set to 480

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s