Applies To: Microsoft Dynamics CRM 2011, Microsoft Dynamics CRM 2013

After enabling claims-based authentication, the next step is to add and configure the claims provider and relying party trusts in AD FS.

You need to add a claims rule to retrieve the user principal name (UPN) attribute from Active Directory and send it to Microsoft Dynamics CRM as a UPN.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.

  3. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

  4. In the Rules Editor, click Add Rule.

  5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

  6. Create the following rule:

    • Claim rule name: UPN Claim Rule (or something descriptive)
    • Add the following mapping:
      1. Attribute store: Active Directory
      2. LDAP Attribute: User Principal Name
      3. Outgoing Claim Type: UPN
  7. Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Microsoft Dynamics CRM Server as a relying party to consume claims from AD FS for authenticating internal claims access.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Relying Party Trusts.

  3. On the Actions menu located in the right column, click Add Relying Party Trust.

  4. In the Add Relying Party Trust Wizard, click Start.

  5. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.

    This federation metadata is created during claims setup. Use the URL listed on the last page of the Configure Claims-Based Authentication Wizard (before you click Finish), for example, https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear.

  6. Click Next.

  7. On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

  8. On the Configure Multi-factor Authentication Now page, make your selection and click Next.

  9. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

  10. On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has a single identifier such as the following:

    • https://internalcrm.contoso.com

    If your identifier differs from the above example, click Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.

  11. Click Next, and then click Close.

  12. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

    Important
    Be sure the Issuance Transform Rules tab is selected.

  13. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  14. Create the following rule:

    • Claim rule name: Pass Through UPN (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: UPN
      2. Pass through all claim values
  15. Click Finish.

  16. In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  17. Create the following rule:

    • Claim rule name: Pass Through Primary SID (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: Primary SID
      2. Pass through all claim values
  18. Click Finish.

  19. In the Rules Editor, click Add Rule.

  20. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

  21. Create the following rule:

    • Claim rule name: Transform Windows Account Name to Name (or something descriptive)
    • Add the following mapping:
      1. Incoming claim type: Windows account name
      2. Outgoing claim type: Name or * Name
      3. Pass through all claim values
  22. Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

    This illustration shows the three relying party trust rules you create.

The relying party trust you created defines how AD FS Federation Service recognizes the Microsoft Dynamics CRM relying party and issues claims to it.
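The three issuance transform rules from steps 13 through 22, written in the AD FS claim rule language and applied with the AD FS PowerShell cmdlets. This is an added example, not part of the original article; it assumes the trust uses the display name from step 7 and that a backup file in the TEMP folder is acceptable.

```powershell
# Added example: rule text equivalent to the wizard templates in steps 13-22.
# Assumption: the trust was created with the display name from step 7.
$rpName = 'CRM Claims Relying Party'

$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

# Keep a copy of the current rules: the Set- call below replaces the whole
# rule set on the trust, it does not append to it.
$rp.IssuanceTransformRules | Set-Content -Path "$env:TEMP\crm-rp-rules-backup.txt"

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read the rules back to confirm that AD FS parsed and stored all three.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```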

In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

  1. Log on to the AD FS server as an administrator.

  2. Open the AD FS management console and click Authentication Policies.

  3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

  4. Under Intranet, enable (check) Forms Authentication.
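A read-only check of the three procedures above, run on the AD FS server. This is an added example, not part of the original article; the trust name and expected identifier are the sample values from steps 7 and 10 and must be replaced with your own.

```powershell
# Added example (read-only): verifies the configuration described on this page.
# Assumptions: display name from step 7 and identifier from step 10.
$rpName     = 'CRM Claims Relying Party'
$expectedId = 'https://internalcrm.contoso.com'
$findings   = @()

$claimTypes = [ordered]@{
    'UPN'         = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    'Primary SID' = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
    'Name'        = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
}

# Claims provider trust: the LDAP rule must issue UPN from userPrincipalName.
$cp     = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
$accept = [string]$cp.AcceptanceTransformRules
if (-not ($accept.Contains('userPrincipalName') -and
          $accept.Contains($claimTypes['UPN'] + '"'))) {
    $findings += 'Active Directory claims provider trust has no UPN LDAP rule.'
}

# Relying party trust: a single identifier that matches the CRM URL.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
$ids = @($rp.Identifier)
if ($ids.Count -ne 1 -or $ids[0].TrimEnd('/') -ne $expectedId) {
    $findings += "Unexpected relying party identifiers: $($ids -join ', ')"
}

# Issuance transform rules: each required claim type must be referenced.
# The trailing quote keeps ".../name" from matching ".../nameidentifier".
$issuance = [string]$rp.IssuanceTransformRules
foreach ($label in $claimTypes.Keys) {
    if (-not $issuance.Contains($claimTypes[$label] + '"')) {
        $findings += "No issuance transform rule references the $label claim type."
    }
}

# Global authentication policy: forms authentication enabled for the intranet.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (@($policy.PrimaryIntranetAuthenticationProvider) -notcontains 'FormsAuthentication') {
    $findings += 'Forms Authentication is not enabled for the intranet.'
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings }
```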


© 2014 Microsoft Corporation. All rights reserved.
