CRM 2011 IFD with User Certificate Authentication

  • Question

  • I would like to configure an on-premises deployment of CRM 2011 as an IFD, but I would like external users to be able to authenticate to the service using a user certificate.

    Certainly, with CRM installed "out of the box," and not configured for claims-based authentication, it was straightforward to reconfigure IIS to require a user certificate for authentication. I was able to configure this and get it working in a test environment without too much trouble.

    But, when I configure CRM for claims-based authentication (or IFD), I cannot get ADFS to accept a certificate when attempting to connect to the CRM URL. Regardless of the changes I have made in ADFS (including reconfiguring its web.config file to prefer SSL authentication), I am always prompted with a username/password box to connect to the CRM page. Almost as if to taunt me, when I click on "Log Off" within CRM, before ADFS will show me the "you have been logged off" page, it asks for the client certificate.

    I have ensured that Claims/IFD was configured correctly before embarking on my attempt to make it take a certificate. I was able to log on to CRM with a "normal" claims-based authentication attempt or as an IFD using the forms-based sign-on page, as you would expect.

    There must be something within the federation metadata coming from CRM that makes ADFS always prompt the user for a username and password, but I can't figure out how to reconfigure it to accept a certificate.  If anyone has any experience with this configuration, it would be greatly appreciated.



    • Edited by John Balint Thursday, September 18, 2014 2:22 PM
    Thursday, September 18, 2014 2:19 PM

Answers

  • I worked out how to do this, and wrote about it in some detail at the link below, if anyone else is interested in configuring CRM claims-based authentication with user certificates:

    http://halflifeofknowledge.blogspot.com/2014/09/configuring-crm-for-user-certificates.html


    • Edited by John Balint Tuesday, September 23, 2014 1:26 PM
    • Marked as answer by John Balint Tuesday, September 23, 2014 1:26 PM
    Tuesday, September 23, 2014 1:22 PM