Deployment scenarios in this document

The placement of the AD FS security token service is an important decision when planning your claims-based authentication. This document focuses on the two most common AD FS deployment scenarios: single server or separate servers.

AD FS and Microsoft Dynamics CRM on the same server
[Figure: One server scenario - CRM + AD FS 2.0]

AD FS and Microsoft Dynamics CRM on separate servers
[Figure: Two server scenario - CRM and AD FS 2.0]

A single-server deployment is suitable for small offices with a limited number of users. Because AD FS 2.0 must be installed in the default website, the URL used for claims-based access to Microsoft Dynamics CRM will require a port number such as 444.

Placing AD FS on a second server means Microsoft Dynamics CRM can be installed on the default website of the Microsoft Dynamics CRM server, so no port number is required in the URL used for claims-based access. The HTTPS binding is assumed to use port 443.

The second server for AD FS must have a public IP address and be an endpoint for external connections – unless you use an AD FS proxy server.


Most example Microsoft Dynamics CRM website URLs in this document include a port number (for example, 444). A port number must be appended on a single-server installation, where Microsoft Dynamics CRM uses a non-default website bound to a port other than the standard port 443.

© 2012 Microsoft Corporation. All rights reserved.