Claims-based authentication and IFD requirements
The following items are required or recommended for Internet-facing deployments (IFD). This topic assumes you will be using Active Directory Federation Services (AD FS) 2.0 as the security token service (STS). For more information about configuring Microsoft Dynamics CRM for claims-based authentication, download the Claims-based Authentication White Paper from the Microsoft Download Center.
Exposing the Microsoft Dynamics CRM website to the Internet is not supported unless claims-based authentication is used and Microsoft Dynamics CRM is configured for IFD.
- The computer where Microsoft Dynamics CRM Server Setup is installed must have access to an STS service, such as an AD FS 2.0 federation server.
- Note the following conditions for the Web components before you configure IFD:
  - If you are installing Microsoft Dynamics CRM in a single server configuration, be aware that AD FS 2.0 installs on the Default Web Site. Therefore, you must create a new Web site for Microsoft Dynamics CRM.
  - When you run the Internet-Facing Deployment Configuration Wizard, Microsoft Dynamics CRM Server 2011 must be running on a Web site that is configured to use Secure Sockets Layer (SSL). Microsoft Dynamics CRM Server Setup will not configure the Web site for SSL.
  - We recommend that the Web site where the Microsoft Dynamics CRM Server 2011 Web application will be installed have the “Require SSL” setting enabled in IIS.
  - The Web site should have a single binding. Multiple IIS bindings, such as a Web site with an HTTPS and an HTTP binding, or two HTTPS or two HTTP bindings, are not supported for running Microsoft Dynamics CRM.
- Access to the AD FS 2.0 federation metadata file from the computer where the Configure Claims-Based Authentication Wizard is run. Note the following:
  - The federation metadata endpoint must use the Web Services Trust (WS-Trust) 1.3 standard. Endpoints that use a previous standard, such as WS-Trust 2005, are not supported. In AD FS 2.0, all WS-Trust 1.3 endpoints contain /trust/13/ in the URL path.
- Encryption certificates. The following encryption certificates are required. You can use the same certificate for both purposes, for example when you use a wildcard certificate:
  - Claims encryption. Claims-based authentication requires identities to provide an encryption certificate for authentication. This certificate should be trusted by the computer where you are installing Microsoft Dynamics CRM Server 2011, so it must be located in the local computer Personal store on the computer where the Configure Claims-Based Authentication Wizard is running.
  - SSL (HTTPS) encryption. The certificates for SSL encryption should be valid for host names similar to org.contoso.com, auth.contoso.com, and dev.contoso.com. To satisfy this requirement you can use a single wildcard certificate (*.contoso.com), a certificate that supports Subject Alternative Names, or individual certificates for each name. Individual certificates for each host name are only valid if you use different servers for each Web server role. Multiple IIS bindings, such as a Web site with two HTTPS or two HTTP bindings, are not supported for running Microsoft Dynamics CRM. For more information about the options that are available to you, contact your certificate authority service company or your certificate authority administrator.
- The CRMAppPool account of each Microsoft Dynamics CRM Web application must have read permission to the private key of the encryption certificate specified when configuring claims-based authentication. You can use the Certificates snap-in to edit permissions for the encryption certificate found in the Personal store of the local computer account.
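The following PowerShell script is an added pre-flight check for the requirements above; it is not part of the Microsoft documentation or of the Dynamics CRM product. It verifies, on the CRM server, that the CRM Web site is not the Default Web Site, has exactly one binding and that binding is HTTPS, has "Require SSL" enabled, that the claims encryption certificate is in the local computer Personal store with a private key readable by the CRMAppPool identity, and that the AD FS 2.0 federation metadata downloads and parses, listing each endpoint it advertises and marking /trust/13/ paths as WS-Trust 1.3 and /trust/2005/ paths as unsupported. The site name, federation server host, certificate thumbprint and CRMAppPool account are assumed parameters you replace with your own values; the private-key ACL lookup assumes a CSP (not CNG) key, which is what the Certificates snap-in edits for certificates of this era.

```powershell
# Added IFD prerequisite check (example code, not Microsoft's). Run on the CRM server
# as an administrator; the WebAdministration module ships with IIS 7.x.
param(
    [string]$SiteName       = 'Microsoft Dynamics CRM',   # assumed IIS site name
    [string]$AdfsHost       = 'auth.contoso.com',         # assumed AD FS 2.0 federation server
    [string]$CertThumbprint = 'REPLACE-WITH-THUMBPRINT',  # placeholder: claims encryption cert
    [string]$AppPoolAccount = 'CONTOSO\crmapppool'        # assumed CRMAppPool identity
)

Import-Module WebAdministration
$failures = @()

# 1. AD FS 2.0 occupies the Default Web Site on a single-server install, so CRM needs its own site.
if ($SiteName -eq 'Default Web Site') {
    $failures += "CRM must not run on the Default Web Site; create a separate site."
}

# 2. Exactly one binding, and it must be HTTPS (Setup does not configure SSL for you).
$bindings = @(Get-WebBinding -Name $SiteName)
if ($bindings.Count -ne 1) {
    $failures += "Site '$SiteName' has $($bindings.Count) bindings; exactly one HTTPS binding is required."
} elseif ($bindings[0].protocol -ne 'https') {
    $failures += "Site '$SiteName' binding is '$($bindings[0].protocol)', not https."
}

# 3. "Require SSL" in IIS is the Ssl flag on system.webServer/security/access.
$sslFlags = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags).ToString()
if ($sslFlags -notmatch 'Ssl') {
    $failures += "Site '$SiteName' does not have Require SSL enabled (sslFlags='$sslFlags')."
}

# 4. Claims encryption certificate in LocalMachine\My; CRMAppPool must be able to read its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert) {
    $failures += "Certificate $CertThumbprint not found in the local computer Personal store."
} elseif (-not $cert.HasPrivateKey) {
    $failures += "Certificate $CertThumbprint has no private key on this computer."
} else {
    # Assumption: CSP key. Its container is a file under MachineKeys whose ACL is what the
    # Certificates snap-in "Manage Private Keys" dialog edits.
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $readAce = (Get-Acl $keyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $AppPoolAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
    }
    if (-not $readAce) {
        $failures += "$AppPoolAccount has no Read permission on the private key of $CertThumbprint."
    }
}

# 5. Federation metadata must be reachable from this computer; report the endpoints it advertises.
$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    [xml]$metadata = (New-Object System.Net.WebClient).DownloadString($metadataUrl)
    $addresses = $metadata.SelectNodes('//*[local-name()="Address"]') | ForEach-Object { $_.InnerText }
    foreach ($addr in $addresses) {
        $kind = if ($addr -like '*/trust/13/*') { 'WS-Trust 1.3 (supported)' }
                elseif ($addr -like '*/trust/2005/*') { 'WS-Trust 2005 (not supported for CRM)' }
                else { 'other endpoint' }
        "Metadata endpoint: $addr -> $kind"
    }
} catch {
    $failures += "Could not download federation metadata from ${metadataUrl}: $($_.Exception.Message)"
}

if ($failures.Count -eq 0) { 'All IFD prerequisite checks passed.' }
else { $failures | ForEach-Object { "FAIL: $_" } }
```

Run it before starting the Configure Claims-Based Authentication Wizard; every FAIL line maps to one of the requirements above, and the endpoint listing tells you which AD FS 2.0 URL to supply so that the wizard is pointed at a /trust/13/ endpoint rather than a /trust/2005/ one.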