Configure claims-based authentication


Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016

The claims-based security model extends traditional authentication models to include other directory sources that contain information about users. This identity federation lets users from various sources—such as Active Directory Domain Services, customers through the Internet, or business partners—use Microsoft Dynamics 365.


Claims-based authentication is required for Microsoft Dynamics 365 Internet-facing deployment (IFD) access. However, claims-based authentication isn’t required for intranet Microsoft Dynamics 365 access if Microsoft Dynamics 365 is deployed in the same domain where all Microsoft Dynamics 365 users are located, or users are in a trusted domain.

Before you run the Configure Claims-Based Authentication Wizard, a security token service (STS), such as Active Directory Federation Services (AD FS) must be available. For more information about Active Directory Federation Services (AD FS), see Identity and Access Management.

Configure claims-based authentication

  1. Start the Deployment Manager.

  2. Set the Binding Type to HTTPS, as follows:

    • In the Actions pane, click Properties.

    • Click the Web Address tab.

    • Under Binding Type, select HTTPS.

    • Click OK.


    The Binding Type  must be set to HTTPS to use claims-based authentication.

    Verify that the web addresses are valid for your TLS/SSL certificate and the TLS/SSL port bound to the Microsoft Dynamics 365 website.

    If Dynamics 365 for Outlook clients were configured using the old binding values, these clients will need to be configured with the new values.

  3. Open the Configure Claims-Based Authentication Wizard in one of two ways:

    • In the Actions pane, click Configure Claims-Based Authentication.

    • In the Deployment Manager console tree, right-click Microsoft Dynamics 365, and then click Configure Claims-Based Authentication.

  4. Click Next.

  5. On the Specify the security token service page, enter the Federation metadata URL, such as

    This data is typically located on the website where the Active Directory Federation Services (AD FS) is running. To verify the correct URL, open an Internet browser by using the URL to view the federation metadata. Verify that no certificate-related warnings appear.

  6. Click Next.

  7. On the Specify the encryption certificate page, specify the encryption certificate in one of two ways:

    • In the Certificate box, type the name of the certificate. Type the complete common name (CN) of the certificate by using the format CN=certificate_subject_name.

    • Under Certificate, click Select, and then select a certificate.

    This certificate is used to encrypt authentication security tokens that are sent to the Active Directory Federation Services (AD FS) security token service (STS).


    The Microsoft Dynamics 365 service account must have Read permissions for the private key of the encryption certificate. See the following section The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate.

  8. Click Next.

    The Configure Claims-Based Authentication Wizard verifies the token and certificate you specified.

  9. On the System Checks page, review the results, fix any problems, and then click Next.

  10. On the Review your selections and then click Apply page, verify your selections, and then click Apply.

  11. Note the URL you must use to add the relying party to the security token service. View and save the log file for later reference.

  12. Note the information on the page, and then click Finish.

  13. Configure relying parties for claims-based authentication.


    Claims-based authentication won’t work until you create the relying parties in STS. For more information, see Configure the AD FS server for claims-based authentication.

The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate

Claims data sent from Microsoft Dynamics 365 to Active Directory Federation Services (AD FS) is encrypted using a certificate you specify in the Configure Claims-Based Authentication Wizard. The CRMAppPool account of each Microsoft Dynamics 365 web application must have Read permissions to the private key of the encryption certificate.

  1. On the Microsoft Dynamics 365 Server, create a Microsoft Management Console (MMC) with the Certificates snap-in console that targets the Local computer certificate store.

  2. In the console tree, expand the Certificates (Local Computer) node, expand the Personal store, and then click Certificates.

  3. In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to All Tasks, and then click Manage Private Keys.

  4. Click Add, (or select the Network Service account if that is the account you used during setup) add the CRMAppPool account, and then grant Read permissions.


    You can use IIS Manager to determine what account was used during setup for the CRMAppPool account. In the Connections pane, click Application Pools, and then check the Identity value for CRMAppPool.

  5. Click OK.

See Also

Disable claims-based authentication
Configure an Internet-facing deployment

© 2016 Microsoft. All rights reserved. Copyright