Applies To: Microsoft Dynamics CRM 2011, Microsoft Dynamics CRM 2013

After enabling claims-based authentication, the next step is to add and configure the claims provider and relying party trusts in AD FS.

You need to add a claims rule to retrieve the user principal name (UPN) attribute from Active Directory and send it to Microsoft Dynamics CRM as a UPN.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.

  3. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

  4. In the Rules Editor, click Add Rule.

  5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

  6. Create the following rule:

    • Claim rule name: UPN Claim Rule (or something descriptive)
    • Add the following mapping:
      1. Attribute store: Active Directory
      2. LDAP Attribute: User Principal Name
      3. Outgoing Claim Type: UPN

  7. Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Microsoft Dynamics CRM Server as a relying party to consume claims from AD FS for authenticating internal claims access.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Relying Party Trusts.

  3. On the Actions menu located in the right column, click Add Relying Party Trust.

  4. In the Add Relying Party Trust Wizard, click Start.

  5. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.

    This federation metadata is created during claims setup. Use the URL listed on the last page of the Configure Claims-Based Authentication Wizard (before you click Finish), for example, https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear.

  6. Click Next.

  7. On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

  8. On the Configure Multi-factor Authentication Now page, make your selection and click Next.

  9. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

  10. On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has a single identifier such as the following:

    • https://internalcrm.contoso.com

    If your identifier differs from the above example, click Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.

  11. Click Next, and then click Close.

  12. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

    Important
    Be sure the Issuance Transform Rules tab is selected.

  13. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  14. Create the following rule:

    • Claim rule name: Pass Through UPN (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: UPN
      2. Pass through all claim values

  15. Click Finish.

  16. In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  17. Create the following rule:

    • Claim rule name: Pass Through Primary SID (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: Primary SID
      2. Pass through all claim values

  18. Click Finish.

  19. In the Rules Editor, click Add Rule.

  20. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

  21. Create the following rule:

    • Claim rule name: Transform Windows Account Name to Name (or something descriptive)
    • Add the following mapping:
      1. Incoming claiming type: Windows account name
      2. Outgoing claim type: Name or * Name
      3. Pass through all claim values

  22. Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

    This illustration shows the three relying party trust rules you create.

The relying party trust you created defines how AD FS Federation Service recognizes the Microsoft Dynamics CRM relying party and issues claims to it.

In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

  1. Log on to the AD FS server as an administrator.

  2. Open the AD FS management console and click Authentication Policies.

  3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

  4. Under Intranet, enable (check) Forms Authentication.

See Also

Send comments about this article to Microsoft.

© 2014 Microsoft Corporation. All rights reserved.

Configure the AD FS server for claims-based authentication -zhai zi wangluo的更多相关文章

  1. Claims Based Authentication and Token Based Authentication和WIF

    基于声明的认证方式,其最大特性是可传递(一方面是由授信的Issuer,即claims持有方,发送到你的应用上,注意信任是单向的.例如QQ集成登录,登录成功后,QQ会向你的应用发送claims.另一方面 ...

  2. Windows Server 2008 R2 配置AD(Active Directory)域控制器 -zhai zi wangluo

    http://files.cnblogs.com/zhongweiv/Windows_Server_2008_R2_%E9%85%8D%E7%BD%AEActive_Directory%E5%9F%9 ...

  3. Developing a Custom Membership Provider from the scratch, and using it in the FBA (Form Based Authentication) in SharePoint 2010

    //http://blog.sharedove.com/adisjugo/index.php/2011/01/05/writing-a-custom-membership-provider-and-u ...

  4. Office 365实现单点登录系列(4)—安装AD FS

    单一登录 (Single Sign-On)简而言之,就是让用户使用一套ID和密码,就可以登录一个或多个系统的授权机制.用户只需要通过其中一个应用的安全认证之后,再访问同一服务器其他应用的资源时不需要再 ...

  5. 做了面向互联网部署的Dynamics 365 CE更改AD FS的登录页面

    摘要: 微软动态CRM专家罗勇 ,回复306或者20190307可方便获取本文,同时可以在第一间得到我发布的最新博文信息,follow me!我的网站是 www.luoyong.me . 默认情况下A ...

  6. How to Install and Configure Bind 9 (DNS Server) on Ubuntu / Debian System

    by Pradeep Kumar · Published November 19, 2017 · Updated November 19, 2017 DNS or Domain Name System ...

  7. ADFS3.0 Customizing the AD FS Sign-in Pages

    Windows Server2012R2自带的adfs是3.0的版本,不同于以前的版本的是3.0中登陆页面的定制化全部是通过powershell指令实现,官方的介绍链接如下:http://techne ...

  8. 修改AD FS

    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/ad-fs-user-sign-in ...

  9. 解决dotnet错误 System.InvalidOperationException Message=Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.

    开始=>设置=>manage user certificats  (管理用户证书),里面所有的.net core的全部删除 然后控制台执行: dotnet dev-certs https ...

随机推荐

  1. strstr函数与strcmp函数

    1.strstr函数主要完成在一个字串中寻找另外一个字串 函数实现工程如下:摘自http://baike.baidu.com/link?url=RwrzOxs0w68j02J2uQs5u1A56bEN ...

  2. C#变成数据导入Excel和导出Excel

    excel 基础 •整个excel 表格叫工作表:workbook:工作表包含的叫页:sheet:行:row:单元格:cell. •excel 中的电话号码问题,看起来像数字的字符串以半角单引号开头就 ...

  3. hex(x) 将整数x转换为16进制字符串

    >>> a = 122 >>> b = 344 >>> c = hex(a) >>> d = hex(b) >>&g ...

  4. top 10 js mvc

    http://codebrief.com/2012/01/the-top-10-javascript-mvc-frameworks-reviewed/ http://www.iteye.com/new ...

  5. HTTP Header 入门详解

    什么是HTTP Headers HTTP是"Hypertext Transfer Protocol"的所写,整个www都在使用这种协定,几乎你在流览器里看到的大部分内容都是通过ht ...

  6. [jobdu]二维数组中的查找

    http://ac.jobdu.com/problem.php?pid=1384 基本思路很简单,从最右上角找起. 九度的OJ做得还是不太行啊.必须要int main()才行,这道题时间卡得太紧,用c ...

  7. Android:Fragment+ViewPager实现Tab滑动

    public class FragAdapter extends FragmentPagerAdapter { private List<Fragment> fragments ; pub ...

  8. 测试ODBC与OLE

    using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Data. ...

  9. 【POJ】1505 Copying Books

    此题主要采用DP思路,难点是求解"/",需要考虑划分数量不够的情况,先采用DP求解最优解,然后采用贪心求解slash.防止中间结果出错,使用了unsigned int. #incl ...

  10. C#程序中访问配置文件

    在C#编程中,有时候会用到配置文件,那么该如何在程序中获取或修改配置文件中的相关数据呢?下面采用一个简单的C#控制台程序来说明. 新建一个C#控制台程序,打开“解决方案资源管理器”,如下图: 可以看到 ...