Configure claims-based authentication

The claims-based security model extends traditional authentication models to include other directory sources that contain information about users. This identity federation lets users from various sources—such as Active Directory Domain Services, customers through the internet, or business partners—use Dynamics 365 for Customer Engagement.

Important

Claims-based authentication is required for Dynamics 365 for Customer Engagement Internet-facing deployment (IFD) access. However, claims-based authentication isn’t required for intranet Dynamics 365 for Customer Engagement access if Dynamics 365 for Customer Engagement is deployed in the same domain where all Dynamics 365 for Customer Engagement users are located, or users are in a trusted domain.

Before you run the Configure Claims-Based Authentication Wizard, a security token service (STS), such as Active Directory Federation Services (AD FS) must be available. For more information about Active Directory Federation Services (AD FS), see Identity and Access Management.

Configure claims-based authentication

  1. Start the Deployment Manager.

  2. Set the Binding Type to HTTPS, as follows:

    • In the Actions pane, select Properties.

    • Select the Web Address tab.

    • Under Binding Type, select HTTPS.

    • Select OK.

    Important

    The Binding Type must be set to HTTPS to use claims-based authentication.

    Verify that the web addresses are valid for your TLS/SSL certificate and the TLS/SSL port bound to the Dynamics 365 for Customer Engagement website.

    If Dynamics 365 for Outlook clients were configured using the old binding values, these clients will need to be configured with the new values.

  3. Open the Configure Claims-Based Authentication Wizard in one of two ways:

    • In the Actions pane, select Configure Claims-Based Authentication.

    • In the Deployment Manager console tree, right-click Dynamics 365 for Customer Engagement, and then select Configure Claims-Based Authentication.

  4. Select Next.

  5. On the Specify the security token service page, enter the Federation metadata URL, such as https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml.

    This data is typically located on the website where the Active Directory Federation Services (AD FS) is running. To verify the correct URL, open an internet browser by using the URL to view the federation metadata. Verify that no certificate-related warnings appear.

  6. Select Next.

  7. On the Specify the encryption certificate page, specify the encryption certificate in one of two ways:

    • In the Certificate box, type the name of the certificate. Type the complete common name (CN) of the certificate by using the format CN=certificate_subject_name.

    • Under Certificate, select Select, and then select a certificate.

    This certificate is used to encrypt authentication security tokens that are sent to the Active Directory Federation Services (AD FS) security token service (STS).

    Note

    The Dynamics 365 for Customer Engagement service account must have Read permissions for the private key of the encryption certificate. See The CRMAppPool account and the Microsoft Dynamics 365 Customer Engagement (on-premises) encryption certificate.

  8. Select Next.

    The Configure Claims-Based Authentication Wizard verifies the token and certificate you specified.

  9. On the System Checks page, review the results, fix any problems, and then select Next.

  10. On the Review your selections and then click Apply page, verify your selections, and then select Apply.

  11. Note the URL you must use to add the relying party to the security token service. View and save the log file for later reference.

  12. Note the information on the page, and then select Finish.

  13. Configure relying parties for claims-based authentication.

    Important

    Claims-based authentication won’t work until you create the relying parties in STS. For more information, see Configure the AD FS server for claims-based authentication.

The CRMAppPool account and the Microsoft Dynamics 365 Customer Engagement (on-premises) encryption certificate

Claims data sent from Dynamics 365 for Customer Engagement to Active Directory Federation Services (AD FS) is encrypted using a certificate you specify in the Configure Claims-Based Authentication Wizard. The CRMAppPool account of each Dynamics 365 for Customer Engagement web application must have Read permissions to the private key of the encryption certificate.

  1. On the Dynamics 365 Server, create a Microsoft Management Console (MMC) with the Certificates snap-in console that targets the Local computer certificate store.

  2. In the console tree, expand the Certificates (Local Computer) node, expand the Personal store, and then select Certificates.

  3. In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to All Tasks, and then select Manage Private Keys.

  4. Select Add (or select the Network Service account if that is the account you used during setup), add the CRMAppPool account, and then grant Read permissions.

    Tip

    You can use IIS Manager to determine what account was used during setup for the CRMAppPool account. In the Connections pane, select Application Pools, and then check the Identity value for CRMAppPool.

  5. Select OK.

See also

Disable claims-based authentication
Configure an Internet-facing deployment