In Step1 we looked at configuring the CRM platform with the aid of Deployment Manager GUI to enable claims based authentication. In this post we will look at the steps involved in configuring Relying Party trust in AD FS. Microsoft has provided a detailed guide here. I did find some issues while configuring the claims rule set and will highlight it as we walk through the steps.

1. Create rule for Claims provider trust (Active Directory) for UPN

Right click choose Edit Claims and then “Add Rule..” in the dialog box

Click Finish to add this Rule, the Acceptance Transform Rules looks like

 

2. Create Relying Party trust, choose Relying Party Trust in the AD FS Management console.

Once the above steps are completed the Edit Claims Rules dialog box opens up where we configure the Rules.

 

 

Edit Global Primary Authentication policy to enable Forms Based Authentication.

 

Once the above steps are completed go DEV-WFE01 and try accessing the CRM organization I have set up an org called ACM. (could be any name)

https://xrm.dev.local/ACM comes up with the following:

This will redirect to:

https://sts.dev.local/adfs/ls/wia?wa=wsignin1.0&wtrealm=https%3a%2f%2fxrm.dev.local%2f&wctx=rm%3d1%26id%3dc68e12fd-17d4-4b11-aa86-1cd38f8c1784%26ru%3d%252fACM%252fdefault.aspx&wct=2015-11-22T19%3a12%3a23Z&wauth=urn%3afederation%3aauthentication%3awindows

and once successful will display the main page of CRM Organization:

 

 

This completes configuring claims based authentication for Dynamics CRM platform

 

 

 

In the article there is description of how claims based authentication works in the context of CRM platform. In this post I will details the steps involved to get this working for the deployment scenario as shown here. The detailed information will be split into posts viz., Step 1 & Step2

Pre-Requisites:

1. Setup and configure Active Directory Fedaration Services (AD FS) on Windows Server 2012 R2 and the steps involved are described here
2. Enabled CRM platform for Claim-based Authentication and this is done through Deployment Manager. The steps are detailed below with the a series of screen snap shots.
3. Set up Relying-Party trust in AD FS

• Open Deployment Manager GUI and the summary screen will indicate whether claims-based authentication is enabled/disabled.

• Click on Configure Claims-Based Authentication and if the access point is not set to use HTTPS the following will be displayed

• Click on Action > Properties and enter the following settings

• Now click on Configure Claims-Based Authentication

• Click on View the log file to make note of the url that needs to be added to the Relying Party trust in the AD FS management console.

Things to Check:

By default the CRM platform set up does not configure the web site for SSL. This step needs to done manually.

Once the above steps are completed. You need to ensure that browsing to the Internal Federation Metadata URL as indicated above returns content without any errors. If the following error is displayed then the cause will be missing read permissions for the private key on the certificate.

Resolution: Open MMC and assign read permissions to service account used for the certificate in use.

Once the internal federation metadata URL loads the XML data without any errors the expected Claims set from ADFS is listed as below and while configuring ADFS the outgoing claims will be upn,name and primarysid