Configure the Microsoft Dynamics CRM Server for IFD


Applies To: Dynamics CRM 2013

With internal claims authentication access enabled on Microsoft Dynamics CRM Server, you can now enable external claims access through IFD.

Configure an Internet-facing deployment using the Configure Internet-Facing Deployment Wizard

  1. Start the Deployment Manager.

  2. In the Deployment Manager console tree, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment.

  3. Click Next.

  4. On the Make Microsoft Dynamics CRM available to users who connect through the Internet page, type the domains for the specified Microsoft Dynamics CRM Server roles, and then click Next.


    • Specify domains, not servers.

    • If your deployment is on a single server or on servers that are in the same domain, the Web Application Server domain and Organization Web Service domain will be identical.

    • The Discovery Web Service domain must be a resolvable host name and not a root domain. For example:

    • The Discovery Web Service domain must not match an organization's Fully Qualified Domain Name (FQDN). For example, the Discovery Web Service domain should not be:

    • The domains must be valid for the SSL certificate's common name or names.

    • The domains must be set to resolve correctly in DNS to your Microsoft Dynamics CRM servers holding the server roles.

    • The domains can be in a different domain than the domain which the Microsoft Dynamics CRM servers reside.

    Example domains:

    • Web Application Server domain:

    • Organization Web Service domain:

    • Discovery Web Service domain:

    With the example settings above, if your organization name was "orgname", clients would access your Microsoft Dynamics CRM website with the following URL:

    Configure IFD server role domains

    For more information about web addresses on multiple servers, see Install Microsoft Dynamics CRM Server 2013 on multiple computers in the Microsoft Dynamics CRM Installing Guide.

  5. In the Enter the external domain where your Internet-facing servers are located box, type the external domain information where your Internet-facing Microsoft Dynamics CRM Server servers are located, and then click Next.

    The domain you specify must be a sub-domain of the Web Application Server domain specified in the previous step. By default, "auth." is pre-pended to the Web Application Server domain.


    • The external domain is used by the AD FS server when retrieving the Microsoft Dynamics CRM IFD federationmetadata.xml file.

    • The external domain must not contain an organization name.

    • The external domain must not contain an underscore character (“_”).

    • The external domain must be valid for the SSL certificate's common name or names.

    • The external domain must be set to resolve correctly in DNS to your Microsoft Dynamics CRM server holding the Web Application Server role.

    Example domain:

    • External domain:

    Configure IFD external domain

  6. On the System Checks page, review the results, fix any problems, and then click Next.

  7. On the Review your selections and then click Apply page, verify your selections, and then click Apply.

  8. Click Finish.

  9. Run the following command at a command prompt: iisreset

  10. If you have not already done so, add host records in DNS for the IFD endpoints (for example:,,

To Configure an Internet-facing deployment using Windows PowerShell

  1. Open a Windows PowerShell prompt.

  2. Add the Microsoft Dynamics CRM Windows PowerShell snap-in:

    PS > Add-PSSnapin Microsoft.Crm.PowerShell 
  3. Get the IFD settings:

    PS > $ifd = Get-CrmSetting -SettingType "IfdSettings"
  4. Configure the IFD object:

    PS > $ifd.Enabled = 1 (or $true) PS > $ifd.DiscoveryWebServiceRootDomain = Discovery_Web_Service_DomainPS > $ifd.ExternalDomain = External_Server_DomainPS > $ifd.OrganizationWebServiceRootDomain= Organization_Web_Service_DomainPS > $ifd.WebApplicationRootDomain = Web_Application_Server_Domain


    • 1 = "true".

    • Discovery_Web_Service_Domain is the Discovery Web Service domain.

    • External_Server_Domain is the external server domain.

    • Organization_Web_Service_Domain is the Organization Web Service domain.

    • Web_Application_Server_Domain is the Web Application Server domain.

    For the domain paths, the values for the paths must be in the form:





    • server is the computer name

    • domain is the complete sub domain path where the computer is located

    • tld is the top level domain, such as com or org

    • The :port designation is required if you are not using the standard http port (80) or https port (443).

    Typically, in a Full Server or Front-end Server role deployment, the path values are the same. However, if you deploy Microsoft Dynamics CRM on multiple servers with separate server roles, that is, where the Web Application Server, Organization Web Service, or Discovery Web Service server roles are located on different servers, these path values will be different:

    • Web Application Server. WebApplicationServerName.domain.tld:port

    • Organization Web Service. OrganizationWebServiceServerName.domain.tld:port

    • Discovery Web Service. DiscoveryWebServiceServerName.domain.tld:port

  5. Set the Internet-facing deployment object.

    PS > Set-CrmSetting $ifd

See Also

Implement claims-based authentication: external access