Configure the AD FS server for claims-based authentication

Applies To: Microsoft Dynamics CRM 2011, Microsoft Dynamics CRM 2013

After enabling claims-based authentication, the next step is to add and configure the claims provider and relying party trusts in AD FS.

Configure the claims provider trust


You need to add a claims rule to retrieve the user principal name (UPN) attribute from Active Directory and send it to Microsoft Dynamics CRM as a UPN.

Configure AD FS to send the UPN LDAP attribute as a claim to a relying party


  1. On the server running AD FS, start AD FS Management.
  2. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.
  3. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.
  4. In the Rules Editor, click Add Rule.
  5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.
  6. Create the following rule:
    • Claim rule name: UPN Claim Rule (or something descriptive)
    • Add the following mapping:
      1. Attribute store: Active Directory
      2. LDAP Attribute: User Principal Name
      3. Outgoing Claim Type: UPN
  7. Click Finish, and then click OK to close the Rules Editor.

Configure a relying party trust


After you enable claims-based authentication, you must configure Microsoft Dynamics CRM Server as a relying party to consume claims from AD FS for authenticating internal claims access.

  1. On the server running AD FS, start AD FS Management.
  2. In the Navigation Pane, expand Trust Relationships, and then click Relying Party Trusts.
  3. On the Actions menu located in the right column, click Add Relying Party Trust.
  4. In the Add Relying Party Trust Wizard, click Start.
  5. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.

    This federation metadata is created during claims setup. Use the URL listed on the last page of the Configure Claims-Based Authentication Wizard (before you click Finish), for example, https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear.

  6. Click Next.
  7. On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.
  8. On the Configure Multi-factor Authentication Now page, make your selection and click Next.
  9. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.
  10. On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has a single identifier such as the following:
    • https://internalcrm.contoso.com

    If your identifier differs from the above example, click Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.

  11. Click Next, and then click Close.
  12. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.
    Important
    Be sure the Issuance Transform Rules tab is selected.

  13. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.
  14. Create the following rule:
    • Claim rule name: Pass Through UPN (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: UPN
      2. Pass through all claim values
  15. Click Finish.
  16. In the Rules Editor, click Add Rule. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.
  17. Create the following rule:
    • Claim rule name: Pass Through Primary SID (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: Primary SID
      2. Pass through all claim values
  18. Click Finish.
  19. In the Rules Editor, click Add Rule.
  20. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.
  21. Create the following rule:
    • Claim rule name: Transform Windows Account Name to Name (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: Windows account name
      2. Outgoing claim type: Name or * Name
      3. Pass through all claim values
  22. Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

    This illustration shows the three relying party trust rules you create.

The relying party trust you created defines how AD FS Federation Service recognizes the Microsoft Dynamics CRM relying party and issues claims to it.

Enable Forms Authentication


In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

  1. Log on to the AD FS server as an administrator.
  2. Open the AD FS management console and click Authentication Policies.
  3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.
  4. Under Intranet, enable (check) Forms Authentication.

See Also

Concepts

Implement claims-based authentication: internal access


© 2014 Microsoft Corporation. All rights reserved.
