This article is a stub and requires massive community input. Please contribute!
Microsoft Dynamics CRM 2011 introduces a new method for providing external access to an organization's on-premises Dynamics CRM deployment, also known as Internet-Facing Deployment (IFD). This new method for configuring IFD access to Dynamics CRM requires Claims-Based Authentication, a concept that is new to many experienced CRM administrators. This article will discuss the concepts, technologies, and practical tips for successfully configuring Claims-Based Authentication for your Dynamics CRM deployment.
Claims-Based Authentication involves several components:
Claims-Based Authentication (CBA) is a way to permit an organization to maintain centralized control over access to resources like applications and data, whether or not those resources reside on the organization's network or not. Many organizations use Active Directory to grant users access to network resources like files and SharePoint sites and workspaces. But as cloud-based applications become more prevalent, organizations are faced with the challenge of controlling access to resources that are beyond their domains and firewalls, and users have an increasing number of credentials to remember. As many smaller businesses are already doing, more and more large organizations are using hosted services to replace systems that have traditionally resided within their networks - services like hosted E-mail, remote data backups, payroll services, and, of course, hosted CRM.
As the software company did with SharePoint 2010, Microsoft has begun laying the groundwork for the future of cloud-connected applications by incorporating CBA in Dynamics CRM 2011. With this framework in place, an organization that wishes to configure Dynamics CRM for Internet-Facing Deployment can begin to extend its traditional Active Directory-based authentication structure into the cloud, essentially becoming a provider of a cloud-based application, even if it is initially only intended to act as a "private" cloud.
The following steps are necessary to configure Claims-Based Authentication for Dynamics CRM in order to provide external access from the internet.
You will need to configure an address for your users to access Dynamics CRM from outside of your network. The URL that users will use will be in the format https://orgname.domain.com. This will require that you get several items set up:
The Deployment Manager provides an interface where you can configure Dynamics CRM so the system is aware of the servers in your deployment that will be used for CBA.
Figure 4. The Deployment Manager provides access to the Claims-Based Authentication wizard.
Figure 5. The first step in configuring CBA in this wizard is letting Dynamics CRM know where your AD FS 2.0 system's configuration information is located.
Figure 6. Next, you will specify the information from your SSL certificate. You can get this info from the certificate that you receive from the issuer.
Figure 7. The last step in the wizard will validate the information that you entered and ensure that the Dynamics CRM server can communicate with the AD FS 2.0 website.
Active Directory Federation Services 2.0 (AD FS 2.0) is a free download available from Microsoft. NOTE: AD FS 2.0 must be installed to a default website in IIS. Therefore, if you plan on installing it on the same server with Dynamics CRM, you must install the CRM website to a non-default website in IIS.
Below is a list of resources that will be invaluable when configuring Claims-Based Authentication for Dynamics CRM.