Applies To: Microsoft Dynamics CRM 2011, Microsoft Dynamics CRM 2013

After enabling claims-based authentication, the next step is to add and configure the claims provider and relying party trusts in AD FS.

You need to add a claims rule to retrieve the user principal name (UPN) attribute from Active Directory and send it to Microsoft Dynamics CRM as a UPN.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.

  3. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

  4. In the Rules Editor, click Add Rule.

  5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

  6. Create the following rule:

    • Claim rule name: UPN Claim Rule (or something descriptive)
    • Add the following mapping:
      1. Attribute store: Active Directory
      2. LDAP Attribute: User Principal Name
      3. Outgoing Claim Type: UPN
  7. Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Microsoft Dynamics CRM Server as a relying party to consume claims from AD FS for authenticating internal claims access.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Relying Party Trusts.

  3. On the Actions menu located in the right column, click Add Relying Party Trust.

  4. In the Add Relying Party Trust Wizard, click Start.

  5. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.

    This federation metadata is created during claims setup. Use the URL listed on the last page of the Configure Claims-Based Authentication Wizard (before you click Finish), for example, https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear.

  6. Click Next.

  7. On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

  8. On the Configure Multi-factor Authentication Now page, make your selection and click Next.

  9. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

  10. On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has a single identifier such as the following:

    • https://internalcrm.contoso.com

    If your identifier differs from the above example, click Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.

  11. Click Next, and then click Close.

  12. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

    Important
    Be sure the Issuance Transform Rules tab is selected.

  13. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  14. Create the following rule:

    • Claim rule name: Pass Through UPN (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: UPN
      2. Pass through all claim values
  15. Click Finish.

  16. In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  17. Create the following rule:

    • Claim rule name: Pass Through Primary SID (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: Primary SID
      2. Pass through all claim values
  18. Click Finish.

  19. In the Rules Editor, click Add Rule.

  20. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

  21. Create the following rule:

    • Claim rule name: Transform Windows Account Name to Name (or something descriptive)
    • Add the following mapping:
      1. Incoming claiming type: Windows account name
      2. Outgoing claim type: Name or * Name
      3. Pass through all claim values
  22. Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

    This illustration shows the three relying party trust rules you create.

The relying party trust you created defines how AD FS Federation Service recognizes the Microsoft Dynamics CRM relying party and issues claims to it.

In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

  1. Log on to the AD FS server as an administrator.

  2. Open the AD FS management console and click Authentication Policies.

  3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

  4. Under Intranet, enable (check) Forms Authentication.

See Also

Send comments about this article to Microsoft.

© 2014 Microsoft Corporation. All rights reserved.

Configure the AD FS server for claims-based authentication -zhai zi wangluo的更多相关文章

  1. Claims Based Authentication and Token Based Authentication和WIF

    基于声明的认证方式,其最大特性是可传递(一方面是由授信的Issuer,即claims持有方,发送到你的应用上,注意信任是单向的.例如QQ集成登录,登录成功后,QQ会向你的应用发送claims.另一方面 ...

  2. Windows Server 2008 R2 配置AD(Active Directory)域控制器 -zhai zi wangluo

    http://files.cnblogs.com/zhongweiv/Windows_Server_2008_R2_%E9%85%8D%E7%BD%AEActive_Directory%E5%9F%9 ...

  3. Developing a Custom Membership Provider from the scratch, and using it in the FBA (Form Based Authentication) in SharePoint 2010

    //http://blog.sharedove.com/adisjugo/index.php/2011/01/05/writing-a-custom-membership-provider-and-u ...

  4. Office 365实现单点登录系列(4)—安装AD FS

    单一登录 (Single Sign-On)简而言之,就是让用户使用一套ID和密码,就可以登录一个或多个系统的授权机制.用户只需要通过其中一个应用的安全认证之后,再访问同一服务器其他应用的资源时不需要再 ...

  5. 做了面向互联网部署的Dynamics 365 CE更改AD FS的登录页面

    摘要: 微软动态CRM专家罗勇 ,回复306或者20190307可方便获取本文,同时可以在第一间得到我发布的最新博文信息,follow me!我的网站是 www.luoyong.me . 默认情况下A ...

  6. How to Install and Configure Bind 9 (DNS Server) on Ubuntu / Debian System

    by Pradeep Kumar · Published November 19, 2017 · Updated November 19, 2017 DNS or Domain Name System ...

  7. ADFS3.0 Customizing the AD FS Sign-in Pages

    Windows Server2012R2自带的adfs是3.0的版本,不同于以前的版本的是3.0中登陆页面的定制化全部是通过powershell指令实现,官方的介绍链接如下:http://techne ...

  8. 修改AD FS

    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/ad-fs-user-sign-in ...

  9. 解决dotnet错误 System.InvalidOperationException Message=Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.

    开始=>设置=>manage user certificats  (管理用户证书),里面所有的.net core的全部删除 然后控制台执行: dotnet dev-certs https ...

随机推荐

  1. qt 5 小练习 创建无边框界面

    我们大家都知道QT5 自带的界面不是那么美观,并且每个软件我们都发现他们的边框是自定义的,所以我决定写一篇这样的博文,也许已经有许许多多篇大牛写的论文了,但我还是想写一篇记录自己的学习QT的历程 首先 ...

  2. SDC(1)–Hold Time

    从以下两个论点触发可能会使Hold Time的计算理解起来更加容易: (1) H = SU – 1 ; (2) Hold Check的目的是确保Source Clock在某个边沿打出数据时,该数据不会 ...

  3. 浅谈HTTP响应拆分攻击

    在本文中,我们将探讨何谓HTTP响应拆分以及攻击行为是怎样进行的.一旦彻底理解了其发生原理(该原理往往被人所误解),我们就可以探究如何利用响应拆分执行跨站点脚本(简称XSS).接下来自然就是讨论如果目 ...

  4. UVA 11733 Airports

    最小生成树,然后看他有多少个连通分量,每个连通分量有个飞机场,最后看所有剩下的边是否有大于飞机场的费用,有的话,改成飞机场: 比赛的时候一直没想明白,╮(╯▽╰)╭: #include<cstd ...

  5. WAF 与 RASP 的安装使用大比拼!

    什么是WAF和RASP? WAF全称是Web application firewall,即 Web 应用防火墙.RASP 全称是 Runtime Application Self-protect,即应 ...

  6. Fast CGI 工作原理

    http://www.cppblog.com/woaidongmao/archive/2011/06/21/149092.html 一.FastCGI是什么? FastCGI是语言无关的.可伸缩架构的 ...

  7. php smarty section使用

    文件:section.tpl <html> <head> <title></title> </head> <body> {sec ...

  8. 找不到mysql服务或mysql服务名无效

    问题原因:mysql服务没有安装. 解决办法: 在 mysql bin目录下 以管理员的权限 执行 mysqld -install命令 出现:Service successfully installe ...

  9. SPRING IN ACTION 第4版笔记-第四章ASPECT-ORIENTED SPRING-003-Spring对AOP支持情况的介绍

    一. 不同的Aop框架在支持aspect何时.如何织入到目标中是不一样的.如AspectJ和Jboss支持在构造函数和field被修改时织入,但spring不支持,spring只支持一般method的 ...

  10. ruby oop学习

    class Man def initialize(name,age) @name=name @age=age end def sayName puts @name end def sayAge put ...