Configure the AD FS server for claims-based authentication
After enabling claims-based authentication, the next step is to add and configure the claims provider and relying party trusts in AD FS.
Configure the claims provider trust
You need to add a claims rule to retrieve the user principal name (UPN) attribute from Active Directory and send it to Dynamics 365 Customer Engagement (on-premises) as a UPN.
Configure AD FS to send the UPN LDAP attribute as a claim to a relying party
On the server running AD FS, start AD FS Management.
In the Navigation Pane, expand Trust Relationships, and then select Claims Provider Trusts.
Under Claims Provider Trusts, right-click Active Directory, and then select Edit Claims Rules.
In the Rules Editor, select Add Rule.
In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then select Next.
Create the following rule:
Claim rule name: UPN Claim Rule (or something descriptive)
Add the following mapping:
Attribute store: Active Directory
LDAP Attribute: User Principal Name
Outgoing Claim Type: UPN
Select Finish, and then select OK to close the Rules Editor.
Configure a relying party trust
After you enable claims-based authentication, you must configure Dynamics 365 Server as a relying party to consume claims from AD FS for authenticating internal claims access.
On the server running AD FS, start AD FS Management.
In the Navigation Pane, expand Trust Relationships, and then select Relying Party Trusts.
On the Actions menu located in the right column, select Add Relying Party Trust.
In the Add Relying Party Trust Wizard, select Start.
On the Select Data Source page, select Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.
This federation metadata is created during claims setup. Use the URL listed on the last page of the Configure Claims-Based Authentication Wizard (before you select Finish), for example, https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear.
Select Next.
On the Specify Display Name page, type a display name, such as Dynamics 365 Claims Relying Party, and then select Next.
On the Configure Multi-factor Authentication Now page, make your selection and select Next.
On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party, and then select Next.
On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has a single identifier such as the following:
If your identifier differs from the above example, select Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.
Select Next, and then select Close.
If the Rules Editor appears, select Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, select Edit Claims Rules, and then select Add Rule.
Important
Be sure the Issuance Transform Rules tab is selected.
In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then select Next.
Create the following rule:
Claim rule name: Pass Through UPN (or something descriptive)
Add the following mapping:
Incoming claim type: UPN
Pass through all claim values
Select Finish.
In the Rules Editor, select Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then select Next.
Create the following rule:
Claim rule name: Pass Through Primary SID (or something descriptive)
Add the following mapping:
Incoming claim type: Primary SID
Pass through all claim values
Select Finish.
In the Rules Editor, select Add Rule.
In the Claim rule template list, select the Transform an Incoming Claim template, and then select Next.
Create the following rule:
Claim rule name: Transform Windows Account Name to Name (or something descriptive)
Add the following mapping:
Incoming claim type: Windows account name
Outgoing claim type: Name
Pass through all claim values
Select Finish, and when you have created all three rules, select OK to close the Rules Editor.
This illustration shows the three relying party trust rules you create.
The relying party trust you created defines how AD FS Federation Service recognizes the Dynamics 365 Customer Engagement (on-premises) relying party and issues claims to it.
Enable Forms Authentication
In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.
Log on to the AD FS server as an administrator.
Open the AD FS management console and select Authentication Policies.
Under Primary Authentication, Global Settings, Authentication Methods, select Edit.
Under Intranet, enable (check) Forms Authentication and then select OK.
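Enabling forms authentication for the intranet from PowerShell instead of the console, as an added example not taken from the original article. It keeps any provider that is already enabled rather than overwriting the list.

```powershell
# Added example: enable Forms Authentication for intranet clients without
# dropping the providers that are already configured (e.g. Windows Authentication).
Import-Module ADFS

$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)

if ($intranet -notcontains 'FormsAuthentication') {
    $intranet += 'FormsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $intranet
}

# Verify the resulting intranet provider list.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
```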
For Windows Server 2016, run a cmdlet
If your AD FS server is running Windows Server 2016, run the following Windows PowerShell cmdlet:
Grant-AdfsApplicationPermission -ClientRoleIdentifier "<ClientRoleIdentifier>" -ServerRoleIdentifier "<ServerRoleIdentifier>"
ClientRoleIdentifier: the ClientId of your AD FS client. For example: e8ab36af-d4be-4833-a38b-4d6cf1cfd525
ServerRoleIdentifier: the identifier of your relying party. For example: https://adventureworkscycle3.crm.crmifd.com/
For more information, see Grant-AdfsApplicationPermission.