Enabling AD FS 2.0 token signing
By default, Microsoft Dynamics CRM Server 2011 does not check for the presence or validity of the AD FS 2.0 token-signing certificate and does not use AD FS 2.0 token signing: the issuer's certificate is accepted without any trust check. To enable validation and use of the AD FS 2.0 token-signing certificate, create the TrustedIssuerCertificateValidation registry entry on all Front End Servers.
To create the TrustedIssuerCertificateValidation registry entry
Click Start, click Run, type regedit, and then press Enter.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM
Create the following registry entry:
Value name: TrustedIssuerCertificateValidation
Value type: String
Value data: (one of the following)
Value data   Description
None   No validation of the certificate is done (the default behavior when the entry is absent).
PeerTrust   The certificate is valid if it is in the Trusted People store.
ChainTrust   The certificate is valid if the chain builds to a certification authority in the Trusted Root Certification Authorities store.
PeerOrChainTrust   The certificate is valid if it is in the Trusted People store, or if the chain builds to a certification authority in the Trusted Root Certification Authorities store.
Note
The Custom value is not supported in Microsoft Dynamics CRM Server 2011.
Close the Registry Editor.
For more information, see X509CertificateValidationMode Enumeration (https://go.microsoft.com/fwlink/?LinkID=209771).
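The same procedure as an added PowerShell example (this is not code from the original page; the function names are this example's own and the thumbprint is a placeholder). It creates the REG_SZ value on a Front End Server, rejects the unsupported Custom mode, and, when a thumbprint is supplied, refuses to turn validation on until the token-signing certificate is already present in the store that the chosen mode consults, so that enabling validation cannot lock users out:

```powershell
# Added example, not from the original page: set TrustedIssuerCertificateValidation on a
# Dynamics CRM 2011 Front End Server and read it back. Run in an elevated PowerShell
# session on every Front End Server. Function names are this example's own.
$MscrmKey  = 'HKLM:\SOFTWARE\Microsoft\MSCRM'
$ValueName = 'TrustedIssuerCertificateValidation'

function Set-CrmTrustedIssuerValidation {
    param(
        # Custom is deliberately excluded: it is not supported by CRM 2011.
        [Parameter(Mandatory = $true)]
        [ValidateSet('None', 'PeerTrust', 'ChainTrust', 'PeerOrChainTrust')]
        [string]$Mode,

        # Optional: thumbprint of the (self-signed) AD FS 2.0 token-signing certificate.
        # When given, validation is only enabled if that certificate is already in the
        # store the chosen mode consults. For a CA-issued certificate this simple check
        # does not apply; the issuing CA chain must be in Root instead.
        [string]$TokenSigningThumbprint
    )

    if (-not (Test-Path $MscrmKey)) {
        throw "Registry key $MscrmKey not found; run this on a CRM 2011 Front End Server."
    }

    if ($Mode -ne 'None' -and $TokenSigningThumbprint) {
        $stores = switch ($Mode) {
            'PeerTrust'        { 'TrustedPeople' }
            'ChainTrust'       { 'Root' }
            'PeerOrChainTrust' { 'TrustedPeople', 'Root' }
        }
        $found = $stores | ForEach-Object {
            Get-ChildItem "Cert:\LocalMachine\$_" | Where-Object { $_.Thumbprint -eq $TokenSigningThumbprint }
        }
        if (-not $found) {
            throw "Certificate $TokenSigningThumbprint is not in LocalMachine\$($stores -join ' or '); import it before enabling $Mode."
        }
    }

    # REG_SZ value: create it if absent, otherwise overwrite it.
    if (Get-ItemProperty -Path $MscrmKey -Name $ValueName -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $MscrmKey -Name $ValueName -Value $Mode
    } else {
        New-ItemProperty -Path $MscrmKey -Name $ValueName -PropertyType String -Value $Mode | Out-Null
    }
}

function Get-CrmTrustedIssuerValidation {
    $p = Get-ItemProperty -Path $MscrmKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'None (value absent: certificate is not validated)' }
    return $p.$ValueName
}

# Example run: require the token-signing certificate to be present, enable the strictest
# supported mode, then confirm what is stored. The thumbprint is a placeholder.
Set-CrmTrustedIssuerValidation -Mode PeerOrChainTrust -TokenSigningThumbprint 'REPLACE_WITH_TOKEN_SIGNING_THUMBPRINT'
Get-CrmTrustedIssuerValidation
```

Run it on each Front End Server in turn; the read-back is what you record as evidence that the setting is consistent across the farm.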
Note the following information regarding enabling AD FS 2.0 token signing:
By default, AD FS 2.0 creates a self-signed certificate for signing tokens.
Note
If token signing is enabled, when the signing certificate expires AD FS 2.0 creates a new signing certificate. The new signing certificate must be moved to the Trusted Root Certification Authorities store of all Microsoft Dynamics CRM Server 2011 servers; until it is, servers configured for PeerTrust, ChainTrust, or PeerOrChainTrust will reject tokens signed with the new certificate.
To use the self-signed certificate, do the following:
Export the signing certificate.
On the AD FS 2.0 server, open AD FS 2.0 Management, expand Service, and then expand Certificates.
Double-click the token-signing certificate, click the Details tab, and then click Copy to File.
Proceed through the Certificate Export Wizard using default values and save the certificate.
Import the signing certificate.
On the Microsoft Dynamics CRM Server 2011 server, open MMC and add the Certificates snap-in for the computer account.
Import the token-signing certificate into the Trusted Root Certification Authorities store. If you set TrustedIssuerCertificateValidation to PeerTrust, import it into the Trusted People store instead, because that mode does not consult the Trusted Root store.
You can use a signed certificate from a trusted CA instead of the self-signed certificate generated by AD FS 2.0. In that case the issuing CA (and any intermediate CAs) must be trusted on the CRM servers for ChainTrust or PeerOrChainTrust to succeed.
For more information, see Certificate Requirements for Federation Servers (https://go.microsoft.com/fwlink/?LinkId=182466).
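The export and import steps above, together with the rollover caveat, as an added PowerShell example (not code from the original page; function names are this example's own and the file path is a placeholder). The export half uses Get-ADFSCertificate from the AD FS 2.0 Microsoft.Adfs.PowerShell snap-in and writes only the public certificate; the import half checks the thumbprint recorded on the AD FS server before adding the file to the local machine's Trusted Root store, and warns when the certificate is close to the expiry at which AD FS 2.0 will roll it over:

```powershell
# Added example, not from the original page: export the AD FS 2.0 token-signing
# certificate and install it in the Trusted Root Certification Authorities store of a
# CRM 2011 server. Function names are this example's own; paths are placeholders.

# --- On the AD FS 2.0 server ---------------------------------------------------
function Export-AdfsTokenSigningCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    # AD FS 2.0 ships its cmdlets as a snap-in, not a module.
    if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }
    # After automatic rollover two token-signing certificates exist; relying parties
    # must trust the primary one.
    $primary = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    if (-not $primary) { throw 'No primary token-signing certificate found.' }

    # Public certificate only (DER .cer); the private key never leaves the AD FS server.
    $bytes = $primary.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $primary.Certificate.Thumbprint
}

# --- On each CRM 2011 server ---------------------------------------------------
function Import-TokenSigningCertificateToRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Thumbprint recorded on the AD FS server, so the right file is installed.
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
        [int]$WarnDaysBeforeExpiry = 30
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint."
    }
    if ($cert.HasPrivateKey) { throw 'Refusing to import a file that carries a private key.' }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
            $store.Add($cert)
        }
    } finally {
        $store.Close()
    }

    # Rollover caveat: AD FS 2.0 creates a new signing certificate when this one
    # expires, and the new one must be exported and imported the same way.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le $WarnDaysBeforeExpiry) {
        Write-Warning "Token-signing certificate expires in $daysLeft days; plan to re-import after AD FS 2.0 rolls it over."
    }
    return $cert.Thumbprint
}

# Example run (paths and the copied thumbprint are placeholders):
# AD FS server:  $tp = Export-AdfsTokenSigningCertificate -Path C:\temp\adfs-token-signing.cer
# CRM server:    Import-TokenSigningCertificateToRoot -Path C:\temp\adfs-token-signing.cer -ExpectedThumbprint $tp
```

If you chose PeerTrust rather than ChainTrust or PeerOrChainTrust, change the store name in the X509Store constructor from 'Root' to 'TrustedPeople', since PeerTrust does not consult the Trusted Root store.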