Dynamics Tutorial: IFD, Claims, ADFS..What now?

What is IFD and why use it?

IFD stands for Internet Facing Deployment: a configuration of Microsoft Dynamics CRM (on-premises) that lets users reach CRM over the internet, without being on the local network or a VPN.

If this confuses you then try and think of it like this:

You are at the office of a company that uses CRM. You enter the CRM URL and, voila, you are in and ready to go.

You are somewhere else on the planet and try the same URL from your tablet, phone or laptop, and it does not work. That is as it should be: you do not want everyone who knows your URL to be able to reach your data.

You need your IT team to set up ADFS (Active Directory Federation Services) and IFD (Internet Facing Deployment) so that CRM is reachable from the outside world on a different URL, behind a logon page where you enter your credentials, a bit like the Facebook login page (see below).

IFD sign in



A question you may get: what is my IFD URL, so I can access CRM from anywhere once it is set up?

Open CRM Deployment Manager on the server, open the deployment properties and take the IFD web application URL. Replace the part before the first dot with the unique name of the organization you want to reach, keeping the port. For example, with a root domain of mycrm.com:444, organization1 is reached at https://organization1.mycrm.com:444. Please see the screenshot below:
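The same lookup can be scripted instead of read off the Deployment Manager dialog. The following is an added example, not code from the original post: it reads the IFD settings through the CRM Deployment PowerShell snap-in on the CRM server and builds the external URL for every organization. The host names and port it prints depend on your own deployment; the snap-in and setting names are the standard ones, nothing else is assumed.

```powershell
# Added example: derive each organization's IFD URL from the deployment's IFD
# settings. Run on the CRM server as a Deployment Administrator.
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue

$ifd = Get-CrmSetting -SettingType IfdSettings
if (-not $ifd.Enabled) {
    Write-Warning "IFD is not enabled on this deployment; the URLs below will not work externally."
}

# WebApplicationRootDomain is the domain and port the organization URLs hang off,
# e.g. "mycrm.com:444". Each org is reached at https://<unique name>.<root domain>
$root = $ifd.WebApplicationRootDomain

$orgs = foreach ($org in Get-CrmOrganization) {
    [pscustomobject]@{
        Organization = $org.UniqueName
        State        = $org.State
        IfdUrl       = "https://$($org.UniqueName).$root"
    }
}
$orgs | Format-Table -AutoSize

# The other two external addresses CRM hands out, for reference
"Discovery service : https://$($ifd.DiscoveryWebServiceRootDomain)"
"External (logon)  : $($ifd.ExternalDomain)"
```

Only organizations whose State is Enabled will answer on their IFD URL; a disabled or mid-import organization still appears in the list.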

Find IFD URL

What is ADFS used for and why use it?

ADFS provides web single sign-on and acts as the STS (Security Token Service). When someone accesses CRM from an external location, ADFS presents the logon page, checks the credentials against Active Directory and issues a signed security token that CRM accepts; the user is not prompted again for other applications that trust the same ADFS. It lets products federate with Windows environments such as Active Directory, and it is used in conjunction with IFD. An analogy: where SQL Server holds CRM's data, ADFS holds the trust configuration and the signing keys that vouch for who a user is. It does not store the user's password; that stays in Active Directory.

If you do not want to use the external STS URL, you can use the internal URL, which authenticates through Active Directory. You can find it in Deployment Manager > right-click the deployment > Properties > Web Address. This is the internal URL, which uses Kerberos (Windows) authentication.

The bottom left of the diagram shows the client accessing CRM via IFD. The client makes a request to CRM and is redirected to AD FS for a token, AD FS sends a logon page, the user logs in, and AD FS issues a token to the client, which presents it to CRM to gain access. The token expires after a set amount of time.

What is ADFS used for

The first thing to discuss when looking at IFD deployments is the different authentication methods that can be used for accessing CRM.

Windows Authentication methods

This uses NTLM or Kerberos within an intranet environment, meaning all users must be set up in an Active Directory domain and the browser must treat the CRM URL as part of its Local Intranet zone so that it sends the Windows credentials automatically.

Kerberos flow: the client requests a page from the CRM server; the server declines with a 401 and asks for Negotiate authentication; the client asks the domain controller (the Kerberos KDC) for a service ticket for the CRM server's service principal name; the ticket is granted; the client repeats the request with the ticket attached and the CRM server, happy this time, lets you in.

Windows authentication mode

IFD Authentication method

This is long-winded in comparison with Windows authentication, but that is because the site is open to the internet for anyone to attempt to log in if they know the URL. The Kerberos part is not used; instead an AD FS logon page is presented. The user enters credentials, AD FS checks them against Active Directory and, if they are correct, issues a token. CRM validates that token and the session becomes available.

IFD Autentication

A key thing to remember is that once IFD is configured you must use the IFD URLs, not the original ones. You will have an external URL that presents the logon page, and a new internal URL, which you can find in Deployment Manager under the IFD configuration URLs (the top one). The internal claims URL keeps the same port but the https://yourserverurl part changes; the port can still be 5555.

ADFS

When did CRM start to use ADFS?

It was introduced with CRM 2011 and is still used.

Do you know where you can access ADFS?

ADFS stands for Active Directory Federation Services. It can be managed on any server where it is installed, through an MMC console reached at Start > Administrative Tools > AD FS 2.0 Management (AD FS Management for ADFS 3.0).

ADFS 2.0 is a separate download for Windows Server 2008 / 2008 R2, whereas ADFS 3.0 (Windows Server 2012 R2) is a server role. Open Server Manager and add the role when setting up IFD.

Accessing the properties of ADFS via PowerShell

PowerShell for ADFS properties:

Get-AdfsProperties returns the ADFS service properties (federation service name, identifier, SSO lifetime, ports, certificate rollover settings and so on). On ADFS 2.0 load the snap-in first with Add-PSSnapin Microsoft.Adfs.PowerShell; on ADFS 3.0 the ADFS module is available automatically.

What is Federation Metadata and where can you find the URL

The federation metadata, seen on the right of the diagram above, confirms whether ADFS has been configured correctly. If it has, you should be able to open the federation metadata URL (examples below) in a browser and no certificate warnings should appear. In older Internet Explorer versions you may need to turn on compatibility mode to see the XML.

Federation service name is setup during the AD FS configuration wizard when you start installing AD FS as seen below.

Specify service properties

Example URL: https://server/federationmetadata/2007-06/federationmetadata.xml

Example 2: https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml

What common problems occur with ADFS and what effect do you see from this on CRM?

Error enabling endpoints of the federation service: the ADFS console has an area listing the enabled/disabled endpoints (Service > Endpoints).

The ADFS service could stop: restart it (the AD FS Windows Service, adfssrv) from Services on the server where ADFS is installed.

In CRM's claims configuration you must use the federation metadata URL of the ADFS server, not any other URL.

If you see the generic ADFS blue error page when accessing CRM via IFD, enable Forms Authentication in the ADFS Authentication Policies (ADFS 3.0: AD FS Management > Authentication Policies > Primary Authentication > Edit Global Settings > Extranet). See https://community.dynamics.com/crm/f/117/t/162153

How would you identify and troubleshoot an ADFS issue?

Use the AD FS Admin log in Event Viewer on the ADFS server (Applications and Services Logs > AD FS 2.0 > Admin on ADFS 2.0, AD FS > Admin on 3.0). Enable the Debug/Tracing log there if the Admin log does not give enough detail.

Could you install and configure ADFS? What article would you use and what are the simplified steps?

http://www.interactivewebs.com/blog/index.php/crm/how-to-set-up-crm-2015-ifd-on-windows-2012-and-adfs-3-0/

Installation steps from Microsoft can be found here: https://technet.microsoft.com/en-us/library/gg188612.aspx

http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/

Using ADFS on mobiles or tablets

You will need to configure ADFS, partly through PowerShell, using the article below (written for CRM 2013).

https://community.dynamics.com/crm/b/aeonnexuscrm/archive/2014/07/16/enable-adfs-authentication-for-mobile-app

What has the relying party trust got to do with ADFS and CRM?

A relying party trust is the entry in ADFS that represents an application which accepts ADFS tokens; for CRM there are typically two, one for the internal claims URL and one for the IFD URL, each created from CRM's federation metadata. A trust with another ADFS or identity provider in a different domain or forest is a separate object, a claims provider trust. Both kinds are configured in the AD FS Management console under AD FS\Trust Relationships.

If you are setting up ADFS to use IFD on a deployment, what should you consider doing in IIS?

ADFS 2.0 runs inside IIS and will use the Default Web Site, which the CRM installer also uses by default. Give CRM its own site so that ADFS keeps the default site with no conflicts (ADFS 3.0 runs outside IIS on HTTP.SYS, but it still takes port 443 on that server, so the same port separation applies). See the screenshot below for how this should end up looking. Edit the bindings on both sites and add an HTTPS binding with the relevant port numbers and the correct certificate selected (the new one, if recently set up). The ADFS configuration will then pick up the correct certificate too.
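The binding change can be done with the WebAdministration module instead of the IIS Manager dialog. This is an added example, not code from the original post: it assumes the CRM site is called "Microsoft Dynamics CRM", that IFD runs on port 444 as in the page's example URLs, and that a wildcard certificate with subject CN=*.mycrm.com is already in the machine store. Run it on the CRM server.

```powershell
# Added example: give CRM its own HTTPS binding on the IFD port so ADFS keeps 443
# on the Default Web Site. Site name, port and certificate subject are assumptions.
Import-Module WebAdministration

$siteName    = "Microsoft Dynamics CRM"   # the CRM site (created by the installer or by hand)
$httpsPort   = 444                        # IFD port from the example URLs
$certSubject = "CN=*.mycrm.com"           # wildcard cert covering org1.mycrm.com, auth.mycrm.com, dev.mycrm.com

# Pick the newest certificate with that subject and a private key; fail loudly if absent
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $certSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$certSubject' and a private key in LocalMachine\My" }

# Add the HTTPS binding with no host header, so every *.mycrm.com name on 444 reaches CRM
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort)) {
    New-WebBinding -Name $siteName -Protocol https -Port $httpsPort -IPAddress "*"
}

# Attach the certificate to the binding ("my" = the LocalMachine\My store)
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $httpsPort
$binding.AddSslCertificate($cert.Thumbprint, "my")

# Confirm the split: ADFS keeps 443 on the default site, CRM answers on 444
"Default Web Site bindings:"; Get-WebBinding -Name "Default Web Site"
"$siteName bindings:";         Get-WebBinding -Name $siteName
```

The Subject comparison is exact, so a certificate whose subject carries extra RDNs (O=, L=, …) needs the full string; check it first with Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint, NotAfter.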

Setting up adfs to use ifd

Claims Based Authentication

What is Claims based Authentication used for and why use it?

It allows users to be authenticated internally and externally without the use of a VPN. A claim is a statement about a user (who they are, which groups they belong to) made by an issuer the application trusts, and a set of claims is carried inside a security token. Claims-based authentication is a set of standards describing how such tokens are requested, issued and consumed; CRM's implementation is built on WIF (Windows Identity Foundation), the .NET framework for claims-aware applications and STS services. A token can be obtained in passive mode (the browser is redirected to a logon page) or active mode (the client requests the token itself), and CRM's web client uses passive mode. The tokens are issued by an STS backed by Active Directory: in our case AD FS on the AD FS server, the federation server.

Do you know where you can access Claims based Authentication and configure it?

You can access this in CRM Deployment Manager, under Actions in the right-hand pane (Configure Claims-Based Authentication). It can be configured, enabled and disabled here.

Claims configuration needs the STS's federation metadata URL and the encryption certificate CRM will use; IFD then has its own URLs (the external root domains) on top of that.

What CRM setups can use Claims based authentication?

CRM Online  –  claims-based, through federated authentication with the Microsoft online identity service

CRM 2015 on premise  – Claims-based or Active Directory (Windows) authentication

CRM 2015 IFD – Claims-based authentication is required; the internal URL also goes through AD FS, which authenticates internal users with their Windows credentials

How does Claims based Authentication work?

A request is made to access CRM; CRM redirects the browser to the STS (AD FS), which determines whether this user should be authenticated. If so, it issues a signed (and, for CRM, encrypted) token with a finite lifespan that holds the user's claims, and the browser posts it back to CRM. This is passive mode.

Non-browser clients (the Outlook client and SDK code) use active mode: they request the token from the STS themselves over WS-Trust through the WCF stack, rather than being redirected to a logon page.

When did CRM start to use Claims Based Authentication?

CRM 2011, the same release that introduced AD FS support.

IFD

Do you know where you can access IFD and configure it?

IFD is configured in the same place as claims: CRM Deployment Manager, under Actions in the right-hand pane (Configure Internet-Facing Deployment). It can be enabled and disabled there.

Claims-based authentication must already be configured with the STS URL before IFD can be enabled, and IFD adds its own external root domain URLs.

What is IFD used for and why use it?

It is the externally reachable logon path: CRM hands the browser to the STS (AD FS), which talks to CRM in tokens via claims-based authentication, and the AD FS page is where you put in your credentials to be checked. Tablet users on CRM 2013 will not be able to access CRM unless this is all set up with an external-facing site. If you expose CRM to the internet without configuring the aforementioned Claims, ADFS and IFD, you will have an unsupported environment.

If using IFD the Kerberos part is not used, an AD FS logon page is used instead.

What is IFD used for

Instructions to install CRM 2015 with IFD

Please see the ‘Upgrading, installs and Hotfixes’ section.

 IFD

Configuring CRM for IFD means the URLs all need changing, because you are going from HTTP on a server name to HTTPS on the IFD root domain names.

For IFD (Internet Facing Deployment) to work for an internet sign-in, a Security Token Service (STS) must be running. AD FS (Active Directory Federation Services) is one form of STS; any other single sign-on product that decides whether the user should be authenticated and issues a token carrying the user's claims can fill the same role.
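The claims and IFD switches that Deployment Manager sets can also be set from PowerShell, which is useful for repeatable builds and for recording exactly which URLs went in. The following is an added example, not code from the original post or from Microsoft's documentation: it assumes the STS is sts1.contoso.com, the IFD root domain is contoso.com on port 444, the ADFS logon host is auth.contoso.com and the CRM certificate subject is CN=*.contoso.com. Run it on the CRM server as a Deployment Administrator after the HTTPS bindings are in place.

```powershell
# Added example: enable claims-based authentication and then IFD through the
# CRM Deployment PowerShell snap-in. All host names, ports and the certificate
# subject are assumptions for illustration.
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue

$stsMetadata = "https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml"

# 1. Claims first: CRM must trust the STS before IFD can be switched on. The
#    metadata URL must be reachable from this server with a trusted certificate,
#    otherwise Set-CrmSetting fails here, which is the right place to find out.
$claims = Get-CrmSetting -SettingType ClaimsSettings
$claims.Enabled               = $true
$claims.EncryptionCertificate = "CN=*.contoso.com"   # subject of the cert CRM decrypts tokens with
$claims.FederationMetadataUrl = $stsMetadata
Set-CrmSetting -Setting $claims

# 2. IFD: the external root domains (all HTTPS, here on 444) and the ADFS logon host
$ifd = Get-CrmSetting -SettingType IfdSettings
$ifd.Enabled                          = $true
$ifd.DiscoveryWebServiceRootDomain    = "dev.contoso.com:444"
$ifd.OrganizationWebServiceRootDomain = "contoso.com:444"
$ifd.WebApplicationRootDomain         = "contoso.com:444"
$ifd.ExternalDomain                   = "https://auth.contoso.com:444"
Set-CrmSetting -Setting $ifd

# 3. Read back what is now stored
Get-CrmSetting -SettingType ClaimsSettings
Get-CrmSetting -SettingType IfdSettings
```

After this CRM publishes its own federation metadata at https://<internal claims URL>/FederationMetadata/2007-06/FederationMetadata.xml, which is what you import into ADFS when creating the two relying party trusts; the ADFS side is not touched by this script.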

What does an nslookup help you identify?

NS Lookup

If for instance you want to check that your ADFS/Claims URL’s are pointing to the right places and getting the correct reply’s from the CRM server you should try the following:

Ping your STS URL (for example sts20.ABcrm.com) and note the IP address that replies. Then run nslookup against your CRM server name and check the returned IP address. In a single-server setup, where ADFS and CRM share a box, the two should match; if ADFS runs on its own server, the STS name should resolve to that server instead, and the CRM organization, auth and dev names should resolve to the CRM server.
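The same check, as an added example rather than anything from the original post, can be scripted so every IFD name is tested at once. It assumes an ADFS server adfs01.corp.ABcrm.com and a CRM server crmapp01.corp.ABcrm.com, the STS name from the text, and the usual auth/dev/organization names on port 444; replace them with your own. Besides DNS it confirms the HTTPS port actually answers, which a ping cannot tell you.

```powershell
# Added example: resolve each IFD host name, compare with the server it should land
# on and confirm the HTTPS port answers. All names and ports are assumptions.
$crmServer  = "crmapp01.corp.ABcrm.com"    # internal name of the CRM server
$adfsServer = "adfs01.corp.ABcrm.com"      # internal name of the ADFS server (same box as CRM in a single-server setup)

$checks = @(
    @{ Name = "sts20.ABcrm.com";         Port = 443; Target = $adfsServer }  # federation service name
    @{ Name = "auth.ABcrm.com";          Port = 444; Target = $crmServer  }  # IFD external domain (served by CRM)
    @{ Name = "dev.ABcrm.com";           Port = 444; Target = $crmServer  }  # discovery service root domain
    @{ Name = "organization1.ABcrm.com"; Port = 444; Target = $crmServer  }  # one organization URL
)

function Get-ARecords([string]$name) {
    # Only A records: a CNAME answer comes back as a separate record without an IPAddress
    Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "A" } | Select-Object -ExpandProperty IPAddress
}

# Addresses of the servers the IFD names are supposed to point at
$serverIps = @{}
foreach ($s in ($checks | ForEach-Object { $_.Target } | Sort-Object -Unique)) {
    $serverIps[$s] = @(Get-ARecords $s)
    if (-not $serverIps[$s]) { Write-Warning "$s does not resolve; the comparison below will fail for it" }
}

$results = foreach ($c in $checks) {
    $ips  = @(Get-ARecords $c.Name)
    $open = $false
    if ($ips) {
        $open = Test-NetConnection -ComputerName $c.Name -Port $c.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{
        Host       = $c.Name
        ResolvesTo = ($ips -join ", ")
        ShouldBe   = "$($c.Target) ($($serverIps[$c.Target] -join ', '))"
        DnsMatches = [bool]($ips | Where-Object { $serverIps[$c.Target] -contains $_ })
        PortOpen   = [bool]$open
    }
}
$results | Format-Table -AutoSize
```

Run it once from inside the network and once from an outside machine: with split DNS the internal answers can be right while the public zone still points the IFD names somewhere else, and only the external view tells you what a tablet on the road will see.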

How to configure ADFS for CRM – http://blogs.msdn.com/b/niran_belliappa/archive/2014/01/16/step-by-step-configuring-crm-2013-internet-facing-deployment-ifd.aspx

Where can I find the relying party trust name?

Find the relying party trust names in the AD FS Management console under Trust Relationships > Relying Party Trusts. CRM normally has two, one for the internal claims URL and one for the IFD URL.

IFD times out and we lose our CRM session. Can we change the timeout period?

The timeout is the token lifetime set on the relying party trusts (one for IFD, one for internal CRM). Change it with the ADFS PowerShell cmdlets against the relying party trust name (see above for where to find the name); the ADFS single sign-on lifetime must be at least as long, or the user is sent back to the logon page when the SSO cookie expires regardless of the token.
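As an added example (not from the original post), the following raises both lifetimes to eight hours on the ADFS server. The trust names "CRM IFD Relying Party" and "CRM Claims Relying Party" and the 480-minute value are assumptions; use the names shown in your console. Bear in mind that a longer lifetime also keeps a stolen or left-behind token usable for longer, so pick the shortest value users will tolerate.

```powershell
# Added example: set the token lifetime on CRM's relying party trusts and keep the
# ADFS SSO lifetime in step. Trust names and the minute value are assumptions.
Import-Module ADFS -ErrorAction SilentlyContinue                       # ADFS 3.0
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell                             # ADFS 2.0
}

$trustNames = "CRM IFD Relying Party", "CRM Claims Relying Party"   # as listed under Trust Relationships
$minutes    = 480                                                  # 8 hours; 0 means the ADFS default (one hour)

foreach ($name in $trustNames) {
    $rp = Get-AdfsRelyingPartyTrust -Name $name
    if (-not $rp) { Write-Warning "Relying party trust '$name' not found"; continue }
    "{0}: TokenLifetime was {1} min" -f $rp.Name, $rp.TokenLifetime
    Set-AdfsRelyingPartyTrust -TargetName $name -TokenLifetime $minutes
}

# If the SSO cookie expires before the CRM token, the user is bounced to the logon
# page anyway, so the SSO lifetime must be at least as long as the token lifetime.
$props = Get-AdfsProperties
if ($props.SsoLifetime -lt $minutes) { Set-AdfsProperties -SsoLifetime $minutes }

# Read back
Get-AdfsRelyingPartyTrust | Where-Object { $trustNames -contains $_.Name } |
    Select-Object Name, TokenLifetime
"SsoLifetime now: $((Get-AdfsProperties).SsoLifetime) min"
```

Changes take effect for new logons; users who are already signed in keep their current token until it expires.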

We cannot access organisation via IFD after importing it?

After importing an organization into an IFD-enabled deployment you will not be able to browse to it until ADFS has picked up the new organization: CRM's federation metadata now lists it, so update the CRM relying party trusts from federation metadata (right-click the trust > Update from Federation Metadata in the AD FS console, or Update-AdfsRelyingPartyTrust -TargetName "<trust name>" in PowerShell).

Error with Signing certificate revocation check

If users cannot log in and the ADFS server logs an error with the signing certificate revocation check, Get-AdfsRelyingPartyTrust in PowerShell shows which revocation checks are in place on CRM's trusts. The following turns them off for one trust:

PS C:\Windows\system32> Set-AdfsRelyingPartyTrust -TargetName "internalcrm.markgroup.co.uk" -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None

Setting the checks to None removes a control: ADFS will keep accepting CRM's certificate even after it has been revoked. Treat it as a stop-gap. The proper fix is to make the certificate's CRL distribution point reachable from the ADFS server (it usually fails because the ADFS box has no outbound HTTP to the CA's CRL URL), or to issue CRM a certificate whose CRL is published somewhere the ADFS server can reach.
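Before reaching for None it is worth seeing which URL the ADFS server cannot fetch. This added example (not from the original post) exports the certificates recorded on the relying party trust named above and runs certutil's URL fetch against each from the ADFS server, which walks the AIA and CRL distribution points the certificate lists. The temp path and the narrower fallback settings in the comments are assumptions; the cmdlet and property names are the standard ADFS ones.

```powershell
# Added example: diagnose a failing revocation check on CRM's relying party trust
# instead of disabling it. Run on the ADFS server.
Import-Module ADFS -ErrorAction SilentlyContinue

$trustName = "internalcrm.markgroup.co.uk"
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying party trust '$trustName' not found" }

"Current checks: signing={0} encryption={1}" -f $rp.SigningCertificateRevocationCheck, $rp.EncryptionCertificateRevocationCheck

# The encryption certificate (CRM's) and any request-signing certificates on the trust
$certs = @($rp.EncryptionCertificate) + @($rp.RequestSigningCertificate) | Where-Object { $_ }

foreach ($cert in $certs) {
    $path = Join-Path $env:TEMP ("rptrust-" + $cert.Thumbprint + ".cer")
    [IO.File]::WriteAllBytes($path, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

    "== $($cert.Subject) (expires $($cert.NotAfter))"
    # -urlfetch follows the AIA and CRL distribution point URLs in the certificate from
    # this machine's network position; a "Failed" or "Error" line is the real cause.
    certutil -urlfetch -verify $path |
        Select-String -Pattern "Verified|Failed|Error|Revocation|CDP|OCSP" |
        ForEach-Object { "   " + $_.Line.Trim() }
}

# Narrower fallbacks than None if the CRL exists but cannot be fetched live:
# Set-AdfsRelyingPartyTrust -TargetName $trustName -EncryptionCertificateRevocationCheck CheckChainExcludeRootCacheOnly
# Set-AdfsRelyingPartyTrust -TargetName $trustName -SigningCertificateRevocationCheck    CheckChainExcludeRootCacheOnly
```

The valid settings, from strictest to loosest, are CheckChain, CheckChainExcludeRoot (the default), CheckEndCert, their CacheOnly variants and None; the CacheOnly variants accept a previously downloaded CRL without going to the network, which is usually enough when the problem is an intermittent proxy rather than a missing CRL.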

ADFS Endpoints and their relevance

Your own software and CRM both have endpoints: your code acts as the client, and CRM's web services are the server endpoints that developers send messages to from their code.

ADFS has endpoints too, each of which can be enabled or disabled. If a client complains that it cannot connect to an endpoint and throws errors, find that endpoint in ADFS and check that it is enabled (and proxied, if the client connects from outside).

1 Open the AD FS Management console (ADFS 2.0: Start > All Programs > Administrative Tools > AD FS 2.0 Management; ADFS 3.0: Server Manager > Tools > AD FS Management).

2 Under Service, select Endpoints.

3 Find the endpoint by its URL path (for example /adfs/ls/ for the passive browser logon, or /adfs/services/trust/13/usernamemixed for active, non-browser clients).

4 You can enable and disable endpoints here, but be careful not to change too much: try one at a time and note what you changed so you can revert it. On ADFS 2.0, restart the AD FS service afterwards for the change to take effect.

Check the AD FS Admin log in Event Viewer for complaints that particular ports are unavailable. The HTTPS port ADFS listens on can be changed in PowerShell with Set-AdfsProperties -HttpsPort; the federation metadata URL and every URL registered in CRM change with it, so treat that as a last resort.

Test ADFS is working

To test that ADFS is working on a server and that its certificates are OK, open its federation metadata URL in a browser, for example:

https://sts.crm.theggl.com/federationmetadata/2007-06/federationmetadata.xml
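Opening the URL in a browser proves the certificate is trusted and the service answers; the following added example (not from the original post) does the same from PowerShell and, serving both this section and the "What is Federation Metadata" section above, also reads out the parts of the metadata that CRM's claims configuration depends on: the federation service identifier, the token-signing certificates and the passive logon endpoint. It assumes the STS host name from the example URL and should be run on the CRM server, so it uses the same network path and certificate store CRM will.

```powershell
# Added example: fetch and parse the ADFS federation metadata. The host name is
# an assumption; the XML namespaces are the standard SAML/WS-Fed metadata ones.
$metadataUrl = "https://sts.crm.theggl.com/federationmetadata/2007-06/federationmetadata.xml"

# An untrusted or mismatched certificate makes this call fail. That is the same
# condition that breaks "Configure Claims-Based Authentication" in CRM, so let
# the error surface rather than bypassing certificate validation.
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
if ($resp.StatusCode -ne 200) { throw "Metadata request returned HTTP $($resp.StatusCode)" }

[xml]$md = $resp.Content
$ns = @{
    md  = "urn:oasis:names:tc:SAML:2.0:metadata"
    ds  = "http://www.w3.org/2000/09/xmldsig#"
    fed = "http://docs.oasis-open.org/wsfed/federation/200706"
}

# Identifier of the federation service; CRM's relying party trusts refer back to this
"Federation service identifier : $($md.EntityDescriptor.entityID)"

# Token-signing certificates appear once per role, so de-duplicate by thumbprint.
# CRM must trust these, and auto-rollover replaces them, so note the expiry date.
$seen = @{}
Select-Xml -Xml $md -Namespace $ns -XPath "//md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
  ForEach-Object {
    $bytes = [Convert]::FromBase64String($_.Node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if (-not $seen.ContainsKey($cert.Thumbprint)) {
        $seen[$cert.Thumbprint] = $true
        "Token-signing certificate     : $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "A token-signing certificate expires within 30 days" }
    }
  }

# Passive (WS-Federation) endpoint: where IFD browser logons are redirected, normally /adfs/ls/
$passive = Select-Xml -Xml $md -Namespace $ns -XPath "//fed:PassiveRequestorEndpoint//*[local-name()='Address']" |
           Select-Object -First 1
"Passive requestor endpoint    : $($passive.Node.InnerText)"
```

If the thumbprint printed here differs from the one CRM shows under the claims configuration after an ADFS certificate rollover, CRM will reject tokens until its claims settings are refreshed from the metadata again.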

Can we restrict users from using IFD to get into CRM?

Not within CRM itself: there is no per-user switch for IFD, so anyone who can authenticate to AD FS can use the IFD URL.

You may be able to restrict access in front of CRM with a proxy or firewall, and block particular users by using Selective Authentication in Active Directory. See the following post: https://community.dynamics.com/crm/f/117/t/126955
