In the article there is description of how claims based authentication works in the context of CRM platform. In this post I will details the steps involved to get this working for the deployment scenario as shown here. The detailed information will be split into posts viz., Step 1 & Step2


  1. Setup and configure Active Directory Fedaration Services (AD FS) on Windows Server 2012 R2 and the steps involved are described here
  2. Enabled CRM platform for Claim-based Authentication and this is done through Deployment Manager. The steps are detailed below with the a series of screen snap shots.
  3. Set up Relying-Party trust in AD FS
  • Open Deployment Manager GUI and the summary screen will indicate whether claims-based authentication is enabled/disabled.


  • Click on Configure Claims-Based Authentication and if the access point is not set to use HTTPS the following will be displayed


  • Click on Action > Properties and enter the following settings


  • Now click on Configure Claims-Based Authentication








  • Click on View the log file to make note of the url that needs to be added to the Relying Party trust in the AD FS management console.


Things to Check:

By default the CRM platform set up does not configure the web site for SSL. This step needs to done manually.


Once the above steps are completed. You need to ensure that browsing to the Internal Federation Metadata URL as indicated above returns content without any errors. If the following error is displayed then the cause will be missing read permissions for the private key on the certificate.

XRMPrivateKeyNoPermissionResolution: Open MMC and assign read permissions to service account used for the certificate in use.


Once the internal federation metadata URL loads the XML data without any errors the expected Claims set from ADFS is listed as below and while configuring ADFS the outgoing claims will be upn,name and primarysid