Configuring an IFD with CRM 2011

I have a client that is upgrading from CRM 4.0 to 2011.  It was pretty easy to set up an Internet Facing Deployment (IFD) in 4.0, but it also had some security weaknesses.  Microsoft increased security by requiring Federation Services (ADFS) in a CRM 2011 IFD, but there are some gotchas to be aware of:

– Not really a gotcha since it is well-documented, but it isn’t intuitively obvious, either.  Don’t install the built-in AD FS role that comes with Windows on your server; instead download AD FS 2 from Microsoft’s web site and install it.

– Use IE compatibility mode when testing the URLs to the federation metadata.  IE should be smart enough that you shouldn’t have to do this, but it isn’t.

– Assume you need 2 external (Internet addressable) IP addresses, one for ADFS and the other for CRM IFD client access.  I was using Microsoft’s TMG, and it required 2 addresses.  I am assuming almost all 3rd-party firewalls will be the same.

– Verify Network Service account (or whichever account the CRMAppPool runs under) has read-access to the private key of your IIS digital certificate.  The Network Service account normally has this permission, but in the process of disjoining from one domain and joining to another I ended up with an orphaned SID in the ACL, and the proper permission was lost.

– Make sure you look at the “Configure Claims-Based Authentication” log in the CRM Deployment Manager.  Near the bottom will be the “Internal Federation Metadata URL”.  You will need this URL when configuring the internal Relying Party Trusts in AD FS.

– I had to turn off ‘Verify Normalization’ and ‘Block high bit characters’ on the TMG HTTP filter for the ADFS rule and the rules for each CRM organization (tenant).

John Scaggs, MCT, MCITP
Senior Consultant, Advanced Infrastructure Group