Applies To: Microsoft Dynamics CRM 2011, Microsoft Dynamics CRM 2013

After enabling claims-based authentication, the next step is to add and configure the claims provider and relying party trusts in AD FS.

You need to add a claims rule to retrieve the user principal name (UPN) attribute from Active Directory and send it to Microsoft Dynamics CRM as a UPN.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.

  3. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

  4. In the Rules Editor, click Add Rule.

  5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

  6. Create the following rule:

    • Claim rule name: UPN Claim Rule (or something descriptive)
    • Add the following mapping:
      1. Attribute store: Active Directory
      2. LDAP Attribute: User Principal Name
      3. Outgoing Claim Type: UPN
  7. Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Microsoft Dynamics CRM Server as a relying party to consume claims from AD FS for authenticating internal claims access.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Relying Party Trusts.

  3. On the Actions menu located in the right column, click Add Relying Party Trust.

  4. In the Add Relying Party Trust Wizard, click Start.

  5. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.

    This federation metadata is created during claims setup. Use the URL listed on the last page of the Configure Claims-Based Authentication Wizard (before you click Finish), for example, https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear.

  6. Click Next.

  7. On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

  8. On the Configure Multi-factor Authentication Now page, make your selection and click Next.

  9. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

  10. On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has a single identifier such as the following:

    • https://internalcrm.contoso.com

    If your identifier differs from the above example, click Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.

  11. Click Next, and then click Close.

  12. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

    Important
    Be sure the Issuance Transform Rules tab is selected.

  13. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  14. Create the following rule:

    • Claim rule name: Pass Through UPN (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: UPN
      2. Pass through all claim values
  15. Click Finish.

  16. In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  17. Create the following rule:

    • Claim rule name: Pass Through Primary SID (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: Primary SID
      2. Pass through all claim values
  18. Click Finish.

  19. In the Rules Editor, click Add Rule.

  20. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

  21. Create the following rule:

    • Claim rule name: Transform Windows Account Name to Name (or something descriptive)
    • Add the following mapping:
      1. Incoming claiming type: Windows account name
      2. Outgoing claim type: Name or * Name
      3. Pass through all claim values
  22. Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

    This illustration shows the three relying party trust rules you create.

The relying party trust you created defines how AD FS Federation Service recognizes the Microsoft Dynamics CRM relying party and issues claims to it.

In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

  1. Log on to the AD FS server as an administrator.

  2. Open the AD FS management console and click Authentication Policies.

  3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

  4. Under Intranet, enable (check) Forms Authentication.

See Also

Send comments about this article to Microsoft.

© 2014 Microsoft Corporation. All rights reserved.

Configure the AD FS server for claims-based authentication -zhai zi wangluo的更多相关文章

  1. Claims Based Authentication and Token Based Authentication和WIF

    基于声明的认证方式,其最大特性是可传递(一方面是由授信的Issuer,即claims持有方,发送到你的应用上,注意信任是单向的.例如QQ集成登录,登录成功后,QQ会向你的应用发送claims.另一方面 ...

  2. Windows Server 2008 R2 配置AD(Active Directory)域控制器 -zhai zi wangluo

    http://files.cnblogs.com/zhongweiv/Windows_Server_2008_R2_%E9%85%8D%E7%BD%AEActive_Directory%E5%9F%9 ...

  3. Developing a Custom Membership Provider from the scratch, and using it in the FBA (Form Based Authentication) in SharePoint 2010

    //http://blog.sharedove.com/adisjugo/index.php/2011/01/05/writing-a-custom-membership-provider-and-u ...

  4. Office 365实现单点登录系列(4)—安装AD FS

    单一登录 (Single Sign-On)简而言之,就是让用户使用一套ID和密码,就可以登录一个或多个系统的授权机制.用户只需要通过其中一个应用的安全认证之后,再访问同一服务器其他应用的资源时不需要再 ...

  5. 做了面向互联网部署的Dynamics 365 CE更改AD FS的登录页面

    摘要: 微软动态CRM专家罗勇 ,回复306或者20190307可方便获取本文,同时可以在第一间得到我发布的最新博文信息,follow me!我的网站是 www.luoyong.me . 默认情况下A ...

  6. How to Install and Configure Bind 9 (DNS Server) on Ubuntu / Debian System

    by Pradeep Kumar · Published November 19, 2017 · Updated November 19, 2017 DNS or Domain Name System ...

  7. ADFS3.0 Customizing the AD FS Sign-in Pages

    Windows Server2012R2自带的adfs是3.0的版本,不同于以前的版本的是3.0中登陆页面的定制化全部是通过powershell指令实现,官方的介绍链接如下:http://techne ...

  8. 修改AD FS

    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/ad-fs-user-sign-in ...

  9. 解决dotnet错误 System.InvalidOperationException Message=Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.

    开始=>设置=>manage user certificats  (管理用户证书),里面所有的.net core的全部删除 然后控制台执行: dotnet dev-certs https ...

随机推荐

  1. FontDialog组件设置字体

    1.设置字体 private void button3_Click(object sender, EventArgs e) { this.fontDialog1.ShowDialog(); this. ...

  2. Eclipse启动Tomcat错误:Several ports (8080, 8009) required by Tomcat v6.0 Server at localhost are already(转载)

    转载自:http://blog.csdn.net/aigochina/article/details/7891107 Eclipse启动Tomcat错误: Several ports (8080, 8 ...

  3. 制作第一个UI字体

    为什么要制作UI字体 一般来说,会有系统默认字体共我们使用,但是出于以下两个原因我们经常会需要制作独特的字体. 1.系统字体的风格和美观程度等无法满足需求. 一般来说,系统字体都比较死板.生硬,风格单 ...

  4. <七> jQuery 设置内容和属性

    设置内容 text() - 设置或返回所选元素的文本内容 html() - 设置或返回所选元素的内容(包括 HTML 标记) val() - 设置或返回表单字段的值 设置属性 jQuery attr( ...

  5. Searching for Approximate Nearest Neighbours

    Searching for Approximate Nearest Neighbours Nearest neighbour search is a common task: given a quer ...

  6. location.hash && location.href

    hash:设置或获取 href 属性中在井号“#”后面的分段. href:设置或获取整个URL为字符串. 通过下面的测试你会发现区别,将代码放到你的HTML中,然后用浏览器打开,测试步骤: 点击“超链 ...

  7. 盘点六大在中国复制失败的O2O案例

    O2O概念自2010年11月被引入中国以来被各方迅速炒热,各种分类信息网站.点评类网站.团购类网站.订餐类网站等都开始宣称自己为O2O模式.O2O最基本的解释是通过线上引导流量去线下体验和消费,从这个 ...

  8. 严重: The web application [] registered the JDBC driver 错误

    近日发现启动tomcat的时候报如下警告: -- :: org.apache.catalina.loader.WebappClassLoader clearReferencesJdbc 严重: The ...

  9. yii 验证器和验证码

    http://www.yiiframework.com/doc/api/1.1/CCaptcha http://www.cnblogs.com/analyzer/articles/1673015.ht ...

  10. WPF手写代码配置文件——单例

    public class SettingHelper { //WPF下配置文件路径 public static readonly string SettingFilePath = AppDomain. ...