Do Claims Based Authenticated users need a CRM AD account?

  • Question

  • Hi,

    I want to do a CRM deployment in a dedicated domain without user DC access. For this we plan to authenticate users with claims-based authentication and install ADFS in the user domain.

    I think I understand from the Dynamics documentation that all active users in CRM must be present in the CRM server DC or a trusted DC.

    My question is, in Dynamics CRM 2013, do I need to create the user in the CRM server DC before creating it in CRM, or can Claims Based Authentication directly match claims in the user token to a CRM user?

    Regards,

    Thierry

    Friday, March 14, 2014 1:59 PM

Answers

  • I know in this case we're not necessarily talking about a 'partner company' here, but this is the model you are talking about.

    http://technet.microsoft.com/en-us/library/gg188605(v=crm.6).aspx

    Once you have CRM set up and running, and then have the federation set up properly between the domain CRM is installed on and the domain your users will be logging in from, you can simply add users in CRM using the UPN from the 'user' domain.

    Domain A: crmdomain

    Domain B: userdomain

    Once the federation is all set, you add users from the local crmdomain like crmdomain\username, but for 'external' users from Domain B you would use the UPN, something like 'A.Jones@userdomain.com' - CRM will not perform any validation on that user when you create it the way it does with a local domain account, and ADFS will just 'handle' the transition and token-handling for you. You do not need to create anything for the users in the CRM domain - just configure a CRM user account with their UPN.

    This is very nice for having CRM hosted externally without any domain trusts (just relying party trusts in ADFS) but still being able to log in with your regular domain accounts.

    Wednesday, March 19, 2014 5:56 PM
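Since, as the answer above notes, CRM performs no validation on a UPN-style user name, the check below is an added example (not code from the thread or from Microsoft) that reconciles CRM `systemuser` "domainname" values against the UPN suffixes you have actually federated and the local CRM domain; the function name, parameters and sample user list are assumptions constructed for illustration.

```powershell
# Added example, not from the thread: flag CRM user names that ADFS could never match.
# CRM accepts any UPN on create, so a typo or an unfederated suffix silently yields an
# account that no token will ever map to, or one that matches a suffix you did not intend.
function Test-CrmUserNames {
    param(
        [Parameter(Mandatory)] [string[]] $DomainNames,        # systemuser.domainname values
        [Parameter(Mandatory)] [string[]] $FederatedSuffixes,  # UPN suffixes covered by ADFS trusts
        [Parameter(Mandatory)] [string]   $LocalNetBiosName    # CRM server's own domain, e.g. crmdomain
    )
    foreach ($name in $DomainNames) {
        if ($name -match '^(?<dom>[^\\]+)\\(?<sam>[^\\]+)$') {
            # DOMAIN\user form: only the local CRM domain is expected here
            $status = if ($Matches['dom'] -ieq $LocalNetBiosName) { 'OK-local' } else { 'Unexpected-domain' }
        }
        elseif ($name -match '^[^@\s]+@(?<suffix>[^@\s]+)$') {
            # UPN form: must belong to a suffix you federated, else no ADFS token will match it
            $status = if ($FederatedSuffixes -icontains $Matches['suffix']) { 'OK-federated' } else { 'Unfederated-suffix' }
        }
        else {
            $status = 'Malformed'
        }
        [pscustomobject]@{ DomainName = $name; Status = $status }
    }
}

# Constructed sample data (hypothetical names, not taken from the thread).
$sample = @('crmdomain\jsmith', 'A.Jones@userdomain.com', 'b.lee@userdomian.com', 'otherdomain\x', 'nobody')
Test-CrmUserNames -DomainNames $sample -FederatedSuffixes @('userdomain.com') -LocalNetBiosName 'crmdomain' |
    Format-Table -AutoSize
```

In a real deployment, feed `$DomainNames` from a query of the `systemuser` entity rather than the constructed list, and keep `$FederatedSuffixes` in step with the claims provider trusts configured on the CRM-side ADFS.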

All replies

  • The installing user must have an account in the same domain as the CRM server (the SQL server must also be in the same domain).

    Users can be in the same domain or a trusted domain. If you are using ADFS you should in theory be able to allow users to access using credentials from a "foreign" (non-trusted) domain, or indeed a non-AD source of credential checking. How you add those users to CRM in the first place, though, I am not entirely sure, I have to admit. If they are in a foreign AD domain then this may work in the usual way as long as the CRM server can see that domain.

    Hope this helps.
    Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
    UK CRM Guru Blog

    Sunday, March 16, 2014 11:10 AM