Preparation
You need a Dynamics 365 server, an ADFS server and an SSL certificate whose name covers the host names used below.
Configure claims-based authentication
First, install the SSL certificate on both the Dynamics 365 server and the ADFS server. In the import wizard choose "Local Machine" as the store location and click Next.
Select "Automatically select the certificate store based on the type of certificate".
Because later steps need read access to the certificate's private key, open the MMC console on the ADFS server and on the Dynamics server and set the private key permissions as follows.
Click File, select "Add/Remove Snap-in", add the "Certificates" snap-in, choose "Computer account" and click Next.
Select "Local computer" and click Finish.
Under Personal > Certificates, find the certificate you just imported, right-click it, choose All Tasks and then "Manage Private Keys".
Add Full Control permissions for Everyone.
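The step above grants Full Control to Everyone on the key, which is far broader than the read access the earlier step says is needed. The following PowerShell is an added example, not part of the original guide: it locates the key file behind a certificate in LocalMachine\My, shows who can currently read it, and grants Read only to named accounts (the CRM application pool identity on the Dynamics server, the ADFS service account on the ADFS server). The certificate subject and the account names are placeholders; an RSA key is assumed. Run it elevated on each server.

```powershell
# Added example (not from the original guide): least-privilege alternative to
# "Full Control for Everyone" on the SSL certificate's private key.
# Assumptions: RSA certificate in Cert:\LocalMachine\My; $CertSubject and the
# account names are placeholders to replace with your own.

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    # CNG (KSP) keys are stored under ...\Crypto\Keys, legacy CAPI keys under ...\Crypto\RSA\MachineKeys
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $unique = $rsa.Key.UniqueName
    } else {
        $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $candidates = @(
        (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$unique")
        (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$unique")
    )
    foreach ($p in $candidates) { if (Test-Path $p) { return $p } }
    throw "Private key file '$unique' not found under $env:ProgramData\Microsoft\Crypto"
}

function Show-PrivateKeyAccess {
    # Lists the ACL on the key file so you can see which identities can read it
    param([string]$KeyPath)
    (Get-Acl -Path $KeyPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Grant-PrivateKeyRead {
    # Adds an Allow/Read ACE for each account; nothing else on the ACL is changed
    param([string]$KeyPath, [string[]]$Accounts)
    $acl = Get-Acl -Path $KeyPath
    foreach ($account in $Accounts) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Revoke-PrivateKeyAccess {
    # Removes every Allow ACE for the given identity (e.g. 'Everyone' added earlier)
    param([string]$KeyPath, [string]$Account)
    $acl = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'FullControl', 'Allow')
    [void]$acl.RemoveAccessRuleAll($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# --- usage (placeholders) ---
$CertSubject = 'CN=*.domain.com'   # placeholder: subject of your SSL certificate
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$keyPath = Get-PrivateKeyFilePath -Cert $cert

# Placeholder accounts: CRM application pool identity on the Dynamics server,
# ADFS service account on the ADFS server.
Grant-PrivateKeyRead -KeyPath $keyPath -Accounts @('DOMAIN\svc-crmapppool', 'DOMAIN\svc-adfs')
Show-PrivateKeyAccess -KeyPath $keyPath
```

Show-PrivateKeyAccess is worth running before and after: the "after" listing should contain only SYSTEM, Administrators and the service accounts you added. If Everyone was already granted Full Control by the step above, Revoke-PrivateKeyAccess -Account 'Everyone' removes it once the service accounts have been verified to work.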
Open Deployment Manager on the Dynamics 365 server and click "Properties".
Select the "Web Address" tab, set the binding type to HTTPS, and set all of the addresses to:
internalcrm.domain.com
Set the port according to your needs; I use the default, 443.
The domain name here must match the SSL certificate.
Open IIS Manager, click Bindings, set the type to https, select the SSL certificate, and make sure the port matches the one set in Deployment Manager above.
Back in the deployment manager, click on "Configure claims-based authentication".
Click Next.
Here you enter the federation metadata URL of ADFS, which has the format:
https://<ADFS domain name>/federationmetadata/2007-06/federationmetadata.xml
Open it in a browser to verify that it is reachable. If it is not, check whether the DNS or hosts file has an entry for the name, and whether a firewall or network rule is blocking access.
Select the certificate and click Next.
Go ahead and click Next.
Click Apply.
Click to view the log file.
Find the last line, which reads:
Metadata URL: https://internalcrm.domainname.com/FederationMetadata/2007-06/FederationMetadata.xml
Verify that this URL can be opened in a browser on the ADFS server. If it cannot, check whether the DNS or hosts file has an entry for the name, and whether a firewall or network rule is blocking access.
Now open the AD FS Management console on the ADFS server.
Click the "Claims Provider Trusts" folder, right-click "Active Directory" and select "Edit Claim Rules".
Click "Add Rule".
Select "Send LDAP Attributes as Claims" and click Next.
Enter LDAP UPN Claim Rule as the claim rule name, select Active Directory as the attribute store, and, as shown in the figure, map the LDAP attribute User-Principal-Name to the outgoing claim type UPN, then click Finish.
Click Apply and OK.
Right-click "Relying Party Trusts" and choose "Add Relying Party Trust".
Select "Claims aware" and click "Start".
Enter the Metadata URL that Deployment Manager just generated as the federation metadata address:
https://internalcrm.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
and click Next.
Enter the display name CRM Claims Relying Party and click Next.
Leave the next step at its default and do not check the option.
Continue to the next step.
Click Close.
Right-click the newly added relying party trust and click "Edit Claim Issuance Policy".
Click "Add Rule".
Select "Pass Through or Filter an Incoming Claim" and click Next.
Enter the claim rule name Pass Through UPN, select "UPN" as the incoming claim type, and click Finish.
To add the second rule, again select "Pass Through or Filter an Incoming Claim" and click Next.
Enter the claim rule name Pass Through Primary SID, select "Primary SID" as the incoming claim type, and click Finish.
Add the third rule: select "Transform an Incoming Claim" and click Next.
Enter the claim rule name Transform Windows Account Name To Name, select "Windows account name" as the incoming claim type and "Name" as the outgoing claim type, and click Finish.
Click Apply and OK.
Under "Authentication Methods", click Edit for the primary authentication method.
Make sure Forms Authentication is checked.
Verify that you can log in at
https://internalcrm.domainname.com
successfully. This completes the claims-based authentication configuration.
Configure an Internet-facing deployment
Open the Dynamics Deployment Manager and click "Configure Internet-Facing Deployment".
Click Next.
For the Web Application Server Domain and the Organization Web Service Domain enter: domain name.com.
For the Discovery Web Service Domain enter: transfer.domain name.com.
The domain name must still match the SSL certificate.
Add an entry to the DNS or hosts file that resolves the name to the corresponding IP, for example transfer.domain.com, then click Next.
Enter the external domain where the Internet-facing server is located. In the next step,
add an entry to the DNS or hosts file that resolves auth.domain.com to the corresponding IP as well.
You now have entries like: transfer.domain.com, auth.domain.com, internalcrm.domain.com.
All three resolve to the IP of the CRM application server.
Click Next.
Click Apply, and the deployment configuration is done.
Finally, verify that the address https://auth.domain.com/FederationMetadata/2007-06/FederationMetadata.xml can be opened successfully on the ADFS server.
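The guide asks three times for the same manual check: that a name resolves (DNS or hosts file) and that its FederationMetadata URL opens in a browser, for the ADFS metadata URL, for internalcrm.domain.com, and here for auth.domain.com. The PowerShell below is an added example, not part of the original guide, that automates that check for all of the guide's host names at once and adds the two things a browser hides: whether the served certificate actually matches the host name (the guide requires the name and the SSL certificate to agree) and whether the certificate chain is trusted. The IP address and host names are placeholders.

```powershell
# Added example (not from the original guide): automated version of the guide's
# "can the name resolve / can the metadata URL be opened" checks.
# Placeholders: $crmIp and the host names in $checks.

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # The callback accepts any certificate only so that it can be inspected;
    # trust is evaluated separately with Verify() below.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

function Test-FederationHost {
    param(
        [string]$HostName,
        [string]$ExpectedIp,
        [int]$Port = 443,
        [switch]$CheckMetadata   # only for hosts that publish FederationMetadata.xml
    )
    $r = [ordered]@{ Host = $HostName }

    # 1. Name resolution (Resolve-DnsName also honours the hosts file)
    $a = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $r.ResolvedIp = if ($a) { $a.IPAddress } else { $null }
    $r.DnsOk = ($r.ResolvedIp -eq $ExpectedIp)

    # 2. TLS on the configured port: certificate name must cover the host, chain must be trusted
    try {
        $cert = Get-ServedCertificate -HostName $HostName -Port $Port
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $r.CertName    = $dnsName
        $r.CertNameOk  = ($HostName -like $dnsName)   # -like handles a wildcard name such as *.domain.com
        $r.CertChainOk = $cert.Verify()
        $r.CertExpires = $cert.NotAfter
    } catch {
        $r.CertNameOk = $false; $r.CertChainOk = $false; $r.TlsError = $_.Exception.Message
    }

    # 3. Federation metadata document, if this host is expected to serve one
    if ($CheckMetadata) {
        $url = "https://${HostName}:$Port/FederationMetadata/2007-06/FederationMetadata.xml"
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
            [xml]$md = $resp.Content
            $r.EntityId   = $md.EntityDescriptor.entityID
            $r.MetadataOk = ($resp.StatusCode -eq 200) -and [bool]$r.EntityId
        } catch {
            $r.MetadataOk = $false; $r.MetadataError = $_.Exception.Message
        }
    }
    [pscustomobject]$r
}

# --- usage (placeholders) ---
$crmIp  = '10.0.0.10'   # placeholder: IP of the CRM application server
$checks = @(
    @{ HostName = 'internalcrm.domain.com'; CheckMetadata = $true  }
    @{ HostName = 'auth.domain.com';        CheckMetadata = $true  }
    @{ HostName = 'transfer.domain.com';    CheckMetadata = $false }
)
$checks | ForEach-Object { Test-FederationHost -ExpectedIp $crmIp @_ } | Format-Table -AutoSize
```

A row with DnsOk false is the hosts-file or DNS problem the guide mentions; CertNameOk false means the Deployment Manager address and the certificate disagree; CertChainOk false means the ADFS server does not trust the issuing CA, which makes the relying party trust wizard fail to fetch metadata even when a browser (with a warning) can show the page. Invoke-WebRequest itself rejects an untrusted certificate, so MetadataError will say so rather than hiding it.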
Go back to the ADFS server, right-click the "Relying Party Trusts" folder and choose "Add Relying Party Trust".
Keep the default "Claims aware" and click Start.
Enter the federation metadata address
https://auth.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
and click Next.
Enter the display name CRM IFD Relying Party and click Next.
Click Next, leaving the options unchecked.
Continue clicking Next.
Click Close.
Right-click the newly added relying party trust and click "Edit Claim Issuance Policy".
Click "Add Rule".
Select "Pass Through or Filter an Incoming Claim" and click Next.
Enter the claim rule name Pass Through UPN, select "UPN" as the incoming claim type, and click Finish.
To add the second rule, again select "Pass Through or Filter an Incoming Claim" and click Next.
Enter the claim rule name Pass Through Primary SID, select "Primary SID" as the incoming claim type, and click Finish.
Add the third rule: select "Transform an Incoming Claim" and click Next.
Enter the claim rule name Transform Windows Account Name To Name, select "Windows account name" as the incoming claim type and "Name" as the outgoing claim type, and click Finish.
Click Apply and OK.
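The LDAP rule on the Active Directory claims provider trust and the three issuance rules are created twice through the wizards (once for CRM Claims Relying Party, once for CRM IFD Relying Party), which is where typos between the two trusts creep in. The PowerShell below is an added example, not the guide's own steps: it expresses the same rules in the AD FS claim rule language and applies them with the ADFS module so both trusts get an identical, reviewable rule set, and it prints the primary authentication providers for the Forms Authentication check. The display names and metadata URLs are the guide's placeholders; the "permit everyone" issuance authorization rule is an assumption that mirrors the wizard's default, which the guide leaves unchanged. Run it on the ADFS server as an administrator.

```powershell
# Added example (not the guide's own steps): the guide's claim rules as
# claim rule language, applied with the ADFS PowerShell module.
# Assumptions: trust names and metadata URLs are the guide's placeholders;
# the permit-everyone authorization rule mirrors the wizard default.

Import-Module ADFS

# Standard AD FS claim type URIs used by the rules
$UpnType        = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$NameType       = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$PrimarySidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
$WinAcctType    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Claims provider trust rule: "Send LDAP Attributes as Claims", User-Principal-Name -> UPN
$LdapUpnRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP UPN Claim Rule"
c:[Type == "$WinAcctType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UpnType"), query = ";userPrincipalName;{0}", param = c.Value);
"@

# Relying party rules: pass through UPN, pass through Primary SID, Windows account name -> Name
$RelyingPartyRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "$UpnType"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "$PrimarySidType"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name To Name"
c:[Type == "$WinAcctType"]
 => issue(Type = "$NameType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Assumed wizard default: every authenticated user may access the relying party
$PermitEveryoneRule = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

function Add-UpnRuleToActiveDirectoryTrust {
    # Append to the existing acceptance rules; replacing them would drop the defaults
    $trust = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
    if ($trust.AcceptanceTransformRules -match '@RuleName = "LDAP UPN Claim Rule"') { return }
    $rules = $trust.AcceptanceTransformRules + "`n" + $LdapUpnRule
    Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' -AcceptanceTransformRules $rules
}

function Add-CrmRelyingPartyTrust {
    param([string]$DisplayName, [string]$MetadataUrl)
    if (Get-AdfsRelyingPartyTrust -Name $DisplayName) {
        # Trust already exists (e.g. created by the wizard): only make its rules match
        Set-AdfsRelyingPartyTrust -TargetName $DisplayName -IssuanceTransformRules $RelyingPartyRules
        return
    }
    Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataUrl $MetadataUrl `
        -IssuanceTransformRules $RelyingPartyRules `
        -IssuanceAuthorizationRules $PermitEveryoneRule `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

Add-UpnRuleToActiveDirectoryTrust
Add-CrmRelyingPartyTrust -DisplayName 'CRM Claims Relying Party' `
    -MetadataUrl 'https://internalcrm.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'
Add-CrmRelyingPartyTrust -DisplayName 'CRM IFD Relying Party' `
    -MetadataUrl 'https://auth.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Review the result: identifiers pulled from metadata and the rule text on each trust
Get-AdfsRelyingPartyTrust | Where-Object Name -like 'CRM *' |
    Select-Object Name, Identifier, IssuanceTransformRules | Format-List

# The guide's "Make sure Forms Authentication is checked" step, read back from the policy
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```

Keeping the rules in one string and applying it to both trusts is the point: when a login later fails with a missing UPN or Name claim, diffing the two trusts' IssuanceTransformRules output against this file shows immediately whether a wizard-created rule was typed differently. MonitoringEnabled and AutoUpdateEnabled let ADFS re-read the Dynamics metadata when its signing certificate is renewed.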
Add an entry for: dynamics organization name.domain name.com
to the DNS or hosts file so that it resolves, then test whether the site can be accessed successfully. At this point, all configuration is complete.