Tuesday, May 28, 2013

CRM 2011 - Pre-Install checklist for IFD/ ADFS setup

While there is a lot of good documentation on the web about the IFD setup for CRM 2011, it is still a bit daunting for a newbie to wade through the deluge. In this post, I will document a few items that need to be in place before the actual ADFS install and configuration can happen. This checklist is especially important if you do not have complete access/control and are dependent on an external team's assistance.

Many thanks to my colleagues Ash Dupree and Rakaesh Navaneethan for validating the data!
The first place to look would be the CRM 2011 IFD/ ADFS TechNet article which lays out pretty much everything you could need.

1. ADFS is to be installed on a separate server.
2. Domain is contoso.com

Firewall rules:
If the ADFS server is in the same VLAN/network segment as the AD servers and CRM servers, then open 443 (default SSL port) inbound/outbound from the internet.

Additional ports that are needed for the other CRM/ SQL Servers:

User Accounts:
Have a user with local admin/install rights on the ADFS Server.
Have a user who is assigned the Deployment Administrator role on the CRM server.

External A Records

Internal DNS Records

Internal addresses should all point to the web server on port 80/443, except Sts.Contoso.com, which will point to the ADFS Server:port.
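
A pre-flight check for the internal DNS and port prerequisites above, as an added example that is not from the original post or from Microsoft's documentation. The IP addresses, the second host name and the ADFS port of 443 are constructed placeholders; replace them with the records from your own deployment.

```powershell
# Pre-flight check: does each internal name resolve to the expected server,
# and does that server accept TCP connections on the expected port?
# Uses only .NET classes so it also runs on older PowerShell versions.

$WebServerIp  = '10.0.0.10'   # constructed placeholder: CRM front-end address
$AdfsServerIp = '10.0.0.20'   # constructed placeholder: ADFS server address

# Name -> expected target. Only sts.contoso.com comes from the checklist;
# the second name is a placeholder for your own CRM records.
$Expected = @{
    'sts.contoso.com'             = @{ Ip = $AdfsServerIp; Port = 443 }  # port assumed
    'placeholder-org.contoso.com' = @{ Ip = $WebServerIp;  Port = 443 }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # Give up after the timeout instead of waiting on a filtered port.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in $Expected.Keys) {
    $target   = $Expected[$name]
    $resolved = @()
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($name) |
                      ForEach-Object { $_.IPAddressToString })
    } catch { }   # name does not resolve: leave $resolved empty

    $dnsOk  = $resolved -contains $target.Ip
    # Only probe the port when DNS points at the server we expect.
    $portOk = $false
    if ($dnsOk) { $portOk = Test-TcpPort -HostName $name -Port $target.Port }

    New-Object PSObject -Property @{
        Name = $name; ExpectedIp = $target.Ip; ResolvedIp = ($resolved -join ',')
        DnsOk = $dnsOk; Port = $target.Port; PortOpen = $portOk
    } | Select-Object Name, ExpectedIp, ResolvedIp, DnsOk, Port, PortOpen
}
```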

If there is more than one front-end server, you can load balance using either Windows Network Load Balancing or hardware load balancing. If you are using a hardware load balancer, consider offloading SSL onto the load balancer.

If you are using a wildcard certificate: *.Contoso.com

Else here is a list of SAN Certificate Names:


ADFS Proxy Certificate Name:


Here are a couple of screenshots of the IFD architecture for both internal and external access:

Internal Access:

External Access:

Here are some additional links around IFD setup that might be useful:

1. Microsoft CRM 2011 How to Configure IFD Hosted Setup

2. MSDN - Configuring IFD with Microsoft Dynamics CRM 2011

3. CRM 2011 and Claims Based Authentication with Internet Facing Deployment
