Working CRM 2011 IFD example using separate servers and 3rd party wildcard certificate



    Purpose: To demonstrate how to host CRM2011 in an internet-facing only deployment using separate servers for ADFS and CRM in a perimeter network.

    Example Highlights:

    • Purchasing a wildcard SSL certificate.
    • Specifying your internal DNS settings.
    • Sharing the certificate between servers.
    • Managing website service accounts.
    • Configuring Active Directory Federation Services.
    • Configuring CRM claims-based authentication.
    • Configuring CRM for internet-facing deployment.
    • Adding a Relying Party Trust with rules to the federation server.
    • Preparing your firewall.
    • Specifying your external DNS settings.


    • Wherever found, replace contoso.com with your domain.
    • The steps assume that an internal CRM server is up and running.
    • Wherever found, replace ADFSServer with the actual server name for your domain.
    • Wherever found, replace CRMServer with the actual server name for your domain.
    • You know your way around AD, MMC, IIS7, Windows Server 2008 R2, etc.


    On the AD FS Server:

    1. Create a wildcard certificate request for *.contoso.com in IIS7 console.

    2. Purchase an SSL wildcard certificate from GoDaddy or other 3rd party.

    3. Import intermediate certificate using the MMC Certificates snap-in.

    4. Complete the certificate request in IIS7 console which imports the wildcard certificate into the Personal store of the local computer.

    5. Change the certificate’s Friendly Name to *.contoso.com in MMC Certificates snap-in.

    6. In IIS7, create an HTTPS binding on the Default website using certificate *.contoso.com, port 443 and host name sts1.contoso.com. (Not mentioned in the documentation: a unique host name is required to enable use of the wildcard certificate on more than 1 server; and the certificate friendly name must contain the “*” prefix so host name field is enabled for input.)

    7. Create new Forward Lookup Zone contoso.com on your internal DNS server and add the following alias records:


    [Alias record table: header "Points To"; the rows were not preserved on the page]


    8. Create a new application pool service account, adfsAccount for example, in AD and grant it READ permission to the wildcard certificate’s private key using the MMC Certificates snap-in.

    9. Add the adfsAccount service account to the Log On as Batch Job policy on the local machine.

    10. Install AD FS 2.0:

    • as the first server in a farm
    • with service URL = sts1.contoso.com
    • using service account adfsAccount
    • in Service>Certificates, view the Token-decrypting certificate and install it in the Local Computer Root Certificate Authority
    • in Service>Certificates, view the Token-signing certificate and install it in the Local Computer Root Certificate Authority

    11. Export the Signing and Decrypting certificates from ADFS Management Console > Service Certificates.

    12. Export the wildcard certificate with its private key from the MMC Certificates snap-in.

    13. Add a new rule to the Active Directory claims provider trust in ADFS Management Console > Claims Provider Trusts as follows:

    • Template: Send LDAP Attributes as Claims
    • Claim Rule Name: UPN
    • Attribute Store: Active Directory
    • LDAP Attribute: User-Principal-Name
    • Outgoing Claim Type: UPN

    On the CRM Server:

    14. MILESTONE: Verify that you can browse the metadata on the ADFS server at:


    15. Import the Signing and Decrypting certificates into Local Computer Trusted Root Certification Authorities using the MMC Certificates snap-in.

    16. Import the wildcard certificate into both the Personal store and the Trusted Root Certification Authorities store and change its Friendly Name to *.contoso.com.

    17. Grant the Dynamics CRM website’s application pool service account READ permission to the wildcard certificate’s private key using the MMC Certificates snap-in. (Get the account name from IIS7’s Application Pool Advanced Settings.)

    18. In IIS7, create an HTTPS binding on the Dynamics CRM website using certificate *.contoso.com, port 443 and leave the host name blank. (Multiple CRM orgs can thus be resolved to this server.)

    19. Perform an IISRESET.

    20. In CRM Deployment Manager > Properties > Web Address, change the Binding Type to HTTPS and all the URLs to crm1.contoso.com.

    21. Select task Configure Claims Based Authentication and:

    • Enter the federation metadata URL:


    • Select *.contoso.com as the Encryption Certificate

    22. Select Configure Internet-Facing Deployment and:

    • Set the web application server domain = contoso.com
    • Set the organization web service domain = contoso.com
    • Set the discovery web service domain = dev.contoso.com
    • Set the external domain = auth.contoso.com

    23. Perform an IISRESET.

    On the AD FS Server:

    24. Create a new Relying Party Trust with:

    a. Relying party’s federation metadata URL:


    b. Verify that the Relying Party Identifiers tab lists:

    • https://auth.contoso.com
    • https://dev.contoso.com
    • https://crmorg1.contoso.com
    • https://crmorg2.contoso.com

    c. Add rule:

    • Template: Pass Through or Filter an Incoming Claim
    • Claim Rule Name: Pass UPN
    • Incoming Claim Type: UPN

    d. Add rule:

    • Template: Pass Through or Filter an Incoming Claim
    • Claim Rule Name: Pass Primary SID
    • Incoming Claim Type: Primary SID

    e. Add rule:

    • Template: Transform an Incoming Claim
    • Claim Rule Name: Transform Windows Account Name
    • Incoming Claim Type: Windows Account Name
    • Outgoing Claim Type: Name

    25. Perform an IISRESET.

    Firewall and External DNS Provisioning:

    26. Identify the external IP addresses to be used for external access to ADFSServer and CRMServer. (Contact your ISP for available addresses and/or your network admin for 2 that are not currently being used.)

    27. Configure your WAN-facing firewall for external access to your CRMServer and ADFSServer (your firewall may have a wizard to do this):

    • Add rules to allow HTTPS traffic from the WAN to the ADFSServer and CRMServer.
    • Add inbound, outbound and loopback NAT policies associating the external IP address of each server to its corresponding internal IP address.

    28. Using the domain tools provided by the ISP hosting your domain, create your DNS records. The aliases named crmorg(x) are named after the organizations you initially created in Deployment Manager.

      Type    Name                   Points To

    • Host    auth.contoso.com       CRMServer’s external IP address
    • Host    sts1.contoso.com       ADFSServer’s external IP address
    • Alias   dev.contoso.com        auth.contoso.com
    • Alias   crmorg1.contoso.com    auth.contoso.com
    • Alias   crmorg2.contoso.com    auth.contoso.com

    29. Open Internet Explorer and attempt to login to your organizations at:



    You should see the URL redirect to https://sts.contoso.com/... and present you with the Federation Services login page.

    Good luck!

    Val Vorisek

    • Edited by VorisekTech Friday, February 10, 2012 1:34 PM
    Thursday, February 9, 2012 10:53 PM
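The claim rules from steps 13 and 24 above, scripted with the AD FS 2.0 cmdlets as an added example (not part of the original post). It assumes AD FS 2.0 on Windows Server 2008 R2 run by an AD FS administrator; the CRM federation metadata URL (step 24a) is a placeholder, and the permit-all authorization rule is an assumption, since a trust created from PowerShell has no authorization rules by default.

```powershell
# Added example: scripts steps 13 and 24 of the walkthrough with the AD FS 2.0 snap-in.
# Assumptions: AD FS 2.0 on Windows Server 2008 R2, run as an AD FS administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$upn  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$sid  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
$wan  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$name = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Step 13: "Send LDAP Attributes as Claims" rule (UPN) on the Active Directory claims provider trust.
$adRules = (Get-ADFSClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
$adRules += @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $adRules

# Steps 24c-e: the three issuance rules for the CRM relying party trust.
$rpRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass UPN"
c:[Type == "$upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Primary SID"
c:[Type == "$sid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name"
c:[Type == "$wan"]
 => issue(Type = "$name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Step 24a: build the trust from CRM's federation metadata. PLACEHOLDER: use the URL from step 24a.
$crmMetadataUrl = "https://PLACEHOLDER-CRM-FEDERATION-METADATA-URL"
# Assumed permit-all authorization rule; without it the trust issues no tokens at all.
Add-ADFSRelyingPartyTrust -Name "CRM IFD" -MetadataUrl $crmMetadataUrl `
    -IssuanceTransformRules $rpRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Step 24b check: the identifiers pulled from metadata must cover every external host name.
$expected = "https://auth.contoso.com", "https://dev.contoso.com", "https://crmorg1.contoso.com", "https://crmorg2.contoso.com"
$found = (Get-ADFSRelyingPartyTrust -Name "CRM IFD").Identifier
foreach ($id in $expected) {
    if (($found -notcontains $id) -and ($found -notcontains "$id/")) { Write-Warning "Missing identifier: $id" }
}
```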