I have just spent several days working through getting Claims Based Authentication and Internet Facing Deployment working on my CRM 2011 system. It was a bumpy road and I thought that I might help smooth the road a bit for others by posting a few tips from the lessons I learned in the process. This is not a set of instructions for doing so; those can be found in the CRM 2011 Implementation Guide, specifically in the accompanying Word document “Microsoft Dynamics CRM 2011 and Claims Based Authentication.doc”. All can be downloaded from here.
The first step is to install and configure ADFS 2.0 (Active Directory Federation Services). This must be installed in the default web site of the server ADFS is installed on. If you are using Small Business Server, as I am, you will need to install this on another server. No problem. I’m running CRM on its own virtual server on port 5555, so I added ADFS on this server. ADFS must be configured to use SSL. The default port for SSL is 443, but the SBS server uses port 443 and my router points port 443 to my SBS server, so I needed to use another port. No problem, port 444 is free. You must bind the port to the default web site before you install ADFS.
Tip 1 – Bind your port to the default web site BEFORE you install ADFS. Don’t forget to have your router forward the port to your ADFS server.
Tip 2 – If you miss Tip 1 and install it to port 443 and need to change it, you will have to uninstall ADFS to do so. ADFS does not show up in Control Panel/Programs and Features unless you click on “View installed updates” and look under Microsoft Windows.
You will need several DNS entries pointing to your server, assuming CRM and ADFS are on the same server. If not, you will still need several pointing to ADFS and CRM. These are external names pointing to your internal addresses. For instance, you’ll need one for crm.mycompany.com with an address of 192.168.1.5 and another for sts1.mycompany.com with an address of 192.168.1.5. If you are running SBS, your internal domain name is likely mycompany.local, so you will need to create a new zone in DNS for mycompany.com. You also probably have a separate zone for remote.mycompany.com pointing to your SBS server. Be sure your external DNS points appropriately as well. In my case everything goes to my one public IP and the router sorts it out.
Tip 3 – Create a separate zone for mycompany.com to put your addresses in. Don’t bother adding entries in the .local zone.
Before you get too far in trying to make things work, especially from a browser on another computer, such as your workstation, be sure to open the firewall on the ADFS server for your SSL port. Hopefully you’ve already done so for your CRM port.
Tip 4 – Use Windows Firewall with Advanced Security to permit your SSL port (443 or 444 or whatever).
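Tips 1 to 4 as one pre-install script, added here as an example and not the author's own steps. It assumes the IIS site is named "Default Web Site", SSL port 444, an AD-integrated zone mycompany.com on the SBS DNS server (host name sbs is a placeholder), the crm and sts1 records at 192.168.1.5 as in the post, and a certificate whose subject contains sts1.mycompany.com already present in the machine store.

```powershell
# Added example (not from the original post): run as an administrator on the
# server that will host ADFS, BEFORE the ADFS 2.0 setup is started.
Import-Module WebAdministration          # IIS 7.x cmdlets, shipped with IIS on 2008 R2

$SslPort   = 444                         # 443 is taken by SBS in the post
$SiteName  = 'Default Web Site'
$Zone      = 'mycompany.com'
$HostIp    = '192.168.1.5'
$DnsServer = 'sbs'                       # placeholder: name of your DNS server

# Tip 1: the HTTPS binding must exist on the default web site before ADFS is
# installed; otherwise ADFS takes 443 and only an uninstall changes it (Tip 2).
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $SslPort
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $SslPort -IPAddress '*'
    Write-Host "Added https binding on port $SslPort to '$SiteName'"
}
# Attach the SSL certificate to the new port (IIS:\SslBindings item name is ip!port).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*sts1.$Zone*" } | Select-Object -First 1
if ($cert) {
    Push-Location IIS:\SslBindings
    if (-not (Test-Path "0.0.0.0!$SslPort")) { $cert | New-Item "0.0.0.0!$SslPort" | Out-Null }
    Pop-Location
} else {
    Write-Warning "No certificate for sts1.$Zone in LocalMachine\My; bind one before installing ADFS"
}

# Tip 3: a separate forward-lookup zone for the external name, holding the
# internal addresses CRM and ADFS answer on (split-brain DNS). dnscmd reports
# an error, which is harmless here, if the zone or record already exists.
dnscmd $DnsServer /ZoneAdd $Zone /DsPrimary
foreach ($name in 'crm', 'sts1') {
    dnscmd $DnsServer /RecordAdd $Zone $name A $HostIp
}

# Tip 4: open the SSL port in Windows Firewall with Advanced Security.
# netsh is used because New-NetFirewallRule does not exist on 2008 R2.
netsh advfirewall firewall add rule name="ADFS-HTTPS-$SslPort" dir=in action=allow protocol=TCP localport=$SslPort

# Check: is the port now bound and listening, and does the external name resolve internally?
netstat -ano | Select-String ":$SslPort "
nslookup "sts1.$Zone" $DnsServer
```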
When you run CRM with Claims Based Authentication, you will find that it will periodically log you off! Even while you are in the middle of updating a record! Especially if you have configured IFD! This is not fun. The default timeout is 60 minutes but it will start messing with you after just 20 minutes. You can extend this timeout period by following these instructions and using PowerShell.
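An added example, not the instructions the author links to, of how the ADFS 2.0 PowerShell snap-in changes the token lifetime per relying-party trust on the ADFS server; the relying-party display names and the 480-minute value are assumptions, so list your own trusts first.

```powershell
# Added example (not from the original post): run in PowerShell as an
# administrator on the ADFS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Show the current lifetime in minutes (0 means the ADFS default).
Get-ADFSRelyingPartyTrust | Select-Object Name, Identifier, TokenLifetime

$NewLifetime = 480   # assumed value (8 hours); use the shortest value that stops the sign-outs
# Assumed display names: one trust for the internal claims URL, one for the IFD URL.
foreach ($rp in 'CRM Claims Relying Party', 'CRM IFD Relying Party') {
    if (Get-ADFSRelyingPartyTrust -Name $rp) {
        Set-ADFSRelyingPartyTrust -TargetName $rp -TokenLifetime $NewLifetime
        Write-Host "Set TokenLifetime=$NewLifetime on '$rp'"
    } else {
        Write-Warning "No relying party trust named '$rp'; check the list printed above"
    }
}
Get-ADFSRelyingPartyTrust | Select-Object Name, TokenLifetime
```

A longer token lifetime also lengthens how long a captured token stays usable, so the value is a trade-off between convenience and exposure rather than something to set as high as possible.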
This is by no means an exhaustive list but I think I could have saved myself a lot of time if I’d only written this before I started trying to configure IFD on my system. I hope it helps you. Be sure to also check out my article on how to reconfigure your Outlook client to use the newly configured IFD.
When I first upgraded my CRM 4.0 to CRM 2011 I didn’t set it up with access via SSL and I only had it for internal use. So, when I configured my Outlook client I used the URL http://myCRM:5555 and used the organization MyOrg. I have just reconfigured my CRM 2011 to now use Claims Based Authentication and an Internet Facing Deployment. More on how to do that in another post. My IFD is working fine with the web client but I needed to reconfigure my Outlook client accordingly. Unfortunately, one cannot edit the configuration other than to change the display name. That doesn’t help much. I tried adding a new configuration for the new URL but it told me there weren’t any organizations there. I suppose that is because my one and only organization was already configured.
After much head scratching and Bing/Googling I decided to check the Registry. There I found what I was looking for. Before making any changes to the Registry be sure to make a backup. I did and was glad I had! The Registry entry of interest is HKEY_CURRENT_USER\Software\Microsoft\MSCRMClient. There you will find several references to the CRM URL. I changed all these to reflect my new https URL. I then brought up the CRM Configuration Wizard and still had the same problem. Remember that backup? Then I looked a bit further and saw another key under MSCRMClient with a GUID for a name. Selecting that presented me with another set of the CRM URL values. I changed all those to the new https URL and opened up the CRM Configuration Wizard once again. Much to my delight all the values were changed to the new values. Even better, my Outlook was once again able to connect to my server and sync up all the changes I’d made to it while off-line.
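The registry walk described above as an added PowerShell example (not the author's own procedure): it exports a backup of the MSCRMClient key first, then rewrites any string value, in the key itself or in its GUID-named subkeys, that still contains the old URL. The old URL http://myCRM:5555 is from the post; the new https URL is an assumption.

```powershell
# Added example (not from the original post): run as the Outlook user, with
# Outlook closed, before opening the CRM Configuration Wizard again.
$OldUrl = 'http://myCRM:5555'                       # from the post
$NewUrl = 'https://crm.mycompany.com'               # assumed IFD URL
$Key    = 'HKCU:\Software\Microsoft\MSCRMClient'
$Backup = Join-Path $env:USERPROFILE ("MSCRMClient-{0:yyyyMMdd-HHmm}.reg" -f (Get-Date))

if (-not (Test-Path $Key)) { throw "$Key not found; is the CRM Outlook client configured?" }

# 1. Backup first: reg.exe exports the whole tree so it can be re-imported.
reg export 'HKCU\Software\Microsoft\MSCRMClient' $Backup /y | Out-Null
Write-Host "Backup written to $Backup"

# 2. Walk the key and every subkey (the GUID-named key holds a second set of URLs).
$keys    = @(Get-Item $Key) + @(Get-ChildItem $Key -Recurse)
$pattern = [regex]::Escape($OldUrl)                 # literal match, case-insensitive
$changed = 0
foreach ($k in $keys) {
    foreach ($name in $k.GetValueNames()) {
        if ($k.GetValueKind($name) -ne 'String') { continue }   # only REG_SZ values
        $val = $k.GetValue($name)
        if ($val -imatch $pattern) {
            $newVal = $val -ireplace $pattern, $NewUrl
            Set-ItemProperty -Path $k.PSPath -Name $name -Value $newVal
            Write-Host ("{0}\{1}: {2} -> {3}" -f $k.PSChildName, $name, $val, $newVal)
            $changed++
        }
    }
}
Write-Host "$changed value(s) updated. If the wizard still misbehaves: reg import $Backup"
```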