Configure Microsoft Dynamics 365 for Outlook to use claims-based authentication
Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016
In an environment that supports claims-based authentication, a client (such as Dynamics 365 for Outlook) can use federated AD FS to connect to the Microsoft Dynamics 365 Server. The client obtains credentials through federated AD FS and uses these credentials to be authenticated on the same or a different Active Directory domain to connect to the Microsoft Dynamics 365 Server.
You can connect Dynamics 365 for Outlook on one Active Directory domain to a Microsoft Dynamics 365 server in a different Active Directory domain. You can do this when the credentials that Dynamics 365 for Outlook uses on its own domain are authenticated by a server on the other domain. To make this work, use AD FS.
After federation is established, the client can use either its current domain credentials or different domain credentials when attempting to connect to the Microsoft Dynamics 365 Server. You specify which domain and which Active Directory to use through the home realm - an identity provider that authenticates the user.
For external claims-based authentication deployments, use the Microsoft Dynamics 365 Server website's external address (for example: https://orgname.contoso.com) for the Server URL connection setting.
Set up a client for claims-based authentication
In the following procedure, you create a registry key on a single client computer. You may also want to consider using group policy so that you can make this registry change on multiple client computers.
Make sure that a web browser on the client can reach the Microsoft Dynamics 365 Server URL with no certificate errors. If you use a self-signed certificate, you will need to import it to avoid certificate errors. After you import any needed certificates, you should be able to connect to the organization by using non-federated credentials.
To use federated credentials, specify HomeRealmUrl in the Windows registry, as shown here:
This registry key is only needed if the claims provider server is different from the claims provider server used by Microsoft Dynamics 365 Server; for example, the Microsoft Dynamics 365 client authenticates across realms to a different domain.
With Administrator privileges, open the Registry Editor.
Open the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MSCRMClient.
Create the registry string HomeRealmUrl.
Enter the value data of the federated AD FS. This URL will end in /adfs/services/trust/mex. For example, https://adfs.contoso.com/adfs/services/trust/mex.
Close the Registry Editor.
Configure Dynamics 365 for Outlook. More information: Set up Dynamics 365 for Outlook
You should now be able to connect Dynamics 365 for Outlook to Microsoft Dynamics 365 Server by using claims-based authentication.
Use an administrative template (.adm) file
Modify the following sample data to create an .adm file to use group policy to publish the HomeRealmUrl registry setting.
CLASS MACHINECATEGORY "Microsoft CRM" KEYNAME "Software\Policies\Microsoft\MSCRMClient" POLICY "Home Realm URL" EXPLAIN "Allow Administrator to specify the Home Realm URL for federated domains." PART "Specify Home Realm URL (example: https://adfs.contoso.com/adfs/services/trust/mex" EDITTEXT REQUIREDVALUENAME "HomeRealmUrl" END PART END POLICYEND CATEGORY
For more information, see Administrative Template File Format.
© 2016 Microsoft. All rights reserved. Copyright