Steps to build a Microsoft Dynamics CRM 2011 Internet-facing deployment (IFD) with ADFS in a virtual machine environment (CRM is installed on the same server as ADFS), reposted from the Internet

Source: Internet
Author: User
Tags domain server ssl certificate microsoft dynamics

1: Install Windows Server R2 Chinese version (details omitted)

After installation, set the machine name and IP address. Here the machine name is crm5dev and DNS points to the local machine.

Administrator/[email protected]

2: Configure the domain server: add the domain service through Server Manager and set the domain name to crm5.lab.

Note: Use advanced mode to install.

Description: if the server is Windows Server 2003, select Windows Server 2003.

If the server is Windows Server R2, Windows Server R2 is the best choice.

Another option here is Windows Server 2003, which can be upgraded to Windows Server 2008 after installation, or left as it is.

Select a DNS server

Choose Yes

password [email protected]

3: Add the Certificate Services and IIS roles through Server Manager.

Select a certification authority

Enter a common name for the CA:

4: Add the role service for the Certificate Services role:

(You need to install the Certificate Services role itself before you can install its other role services.)

After the installation is completed, enter http://crm5dev/certsrv/ in the browser address bar and enter the user name and password; the certificate enrollment page appears:

5: Request a wildcard certificate for ADFS:

1) In IIS Manager, select the server, and in the right-hand pane select Server Certificates:

Select "Open Features":

Select Create Certificate Request:

Here the name entered is *.crm5.lab, which makes this a wildcard certificate; crm5.lab is the domain name of the servers that use the certificate.

Save the certificate request to a file (the file's contents are used later).

Back to Internet Explorer, enter http://crm5dev/certsrv/

Select Request Certificate:

Select Advanced Certificate Request:


Submit a certificate request using a Base64 encoded CMC or PKCS #10 file, or renew the certificate request using a Base64 encoded PKCS #7 file.

Copy the text from the previously saved file (Crm5cert.txt, opened with Notepad) into the multiline Saved Request text box:

For Certificate Template, select Web Server:

Then submit

Click Download Certificate:

Save the certificate locally.

Go back to IIS Manager and select "Complete Certificate Request" in the Server Certificates actions:

Select the certificate you just downloaded and give it a name (General.crm5.lab, including the domain name):

Then change the certificate on the HTTPS binding of the Default Web Site to the certificate you just completed:

Select Default Web Site, right-click and choose Edit Bindings, select HTTPS, click Edit, and select the SSL certificate (this certificate is used when ADFS is installed):

Note: configuring Certificate Services is not essential. If you already have a certificate, you can import it directly through IIS and skip steps 3, 4 and 5, but binding the certificate to the site is still required.
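Because one wildcard certificate serves every HTTPS name in this setup, it helps to check which names *.crm5.lab actually covers. The following is an added example, not part of the original article; the function names are hypothetical and a.b.crm5.lab is a constructed name, while the other hosts are the ones this page uses.

```powershell
# Added example (not from the original article). A wildcard stands for exactly
# one left-most DNS label, so not every name in the domain is covered.
function Test-WildcardMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant().TrimEnd('.').Split('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    # Same number of labels is required: '*' never spans a dot.
    if ($p.Length -ne $h.Length) { return $false }
    for ($i = 0; $i -lt $p.Length; $i++) {
        if ($h[$i].Length -eq 0) { return $false }        # empty label, e.g. "a..lab"
        if ($i -eq 0 -and $p[0] -eq '*') { continue }     # wildcard only as the first label
        if ($p[$i] -ne $h[$i]) { return $false }
    }
    return $true
}

function Get-CertificateCoverage {
    param([string]$Pattern, [string[]]$Endpoints)
    foreach ($e in $Endpoints) {
        # Strip scheme, port and path: "https://internal.crm5.lab:8081/" -> "internal.crm5.lab"
        $name = ($e -replace '^[a-z]+://', '') -replace '[:/].*$', ''
        New-Object PSObject -Property @{
            Endpoint = $e
            HostName = $name
            Covered  = (Test-WildcardMatch -Pattern $Pattern -HostName $name)
        }
    }
}

$endpoints = @(
    'https://sts1.crm5.lab/federationmetadata/2007-06/federationmetadata.xml',
    'https://internal.crm5.lab:8081/',
    'https://neu.crm5.lab:8081',
    'dev.crm5.lab',
    'crm5dev',        # short machine name, as in http://crm5dev/certsrv/
    'crm5.lab',       # the bare domain
    'a.b.crm5.lab'    # constructed: two labels below the domain
)
Get-CertificateCoverage -Pattern '*.crm5.lab' -Endpoints $endpoints |
    Select-Object Endpoint, HostName, Covered | Format-Table -AutoSize
```

The sts1, internal, neu and dev names are covered; the short machine name crm5dev, the bare domain crm5.lab and the two-label name are not, so HTTPS requests to those names would fail certificate name validation.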

6: Download and install ADFS:

(It should be possible to add the federation service through Server Manager, but the ADFS manager was not found after adding the role.)

Select "Federation server".

Reboot after the installation is complete.

Configure the ADFS server (through Administrative Tools > ADFS 2.0 Management):

Configuration Wizard:

Create a new Federation Service:

Select a stand-alone federation server:

Enter the Federation Service name sts1.crm5.lab. The host name sts1 must not be the same as the machine name of the CRM server.

Complete the installation.

Add the host sts1 in DNS: Administrative Tools > DNS > crm5.lab > New Host:

In the browser address bar, enter:

https://sts1.crm5.lab/federationmetadata/2007-06/federationmetadata.xml (if this address does not load, you can use the machine name + domain name instead)

See the following results:

7: Install SQL Server, mscrm2011 Chinese version

1) Install sqlserver2008


The verification step raises a firewall warning; turn off the firewall through Control Panel > Windows Firewall.

Select all when selecting components:

Use the same account (Domain Admins) password: [email protected]

Additional notes:

SQL Server Reporting Services: Network Service is the best choice.

For the other services, crm5\administrator can be used.

Or you can choose Network Service.

Mixed mode, adding the current user

Add Current User

Select Install but do not configure the report server

Configure the report server after installing the patch. If you choose to install the native mode default configuration at this point, the CRM 2011 installation check reports that ReportServer does not pass, probably because of a SQL Server version issue: when the report server is configured here, the report server database stores a report server version that is lower than the patched version.

2) Install sqlserver2008 patch (SQL Server Service Pack 1) Download:

3) Configure the report server database;

Report Services Configuration Manager

To test the report server:

Note: with SQL Server R2, no additional report server configuration is required; choosing the defaults during installation is fine.

8: Install crm2011 Chinese version

1) Preparation before installation:

Installing Dotnetfx40_full_x86_x64

Installation: ReportViewer

Installation: WINDOWSAZUREAPPFABRICSDK (this version may be a problem: the CRM 2011 installer still reports it as not installed and needs to download updates from the network)

2) Install crm2011

During installation, make sure the virtual machine can access the Internet directly so that setup can check for and download updates.



Installation Complete

Installing reporting Extensions

Installation Complete

9: Configure internal claims-based authentication mode

1: Configure CRM Server

1) Set the HTTPS binding

Through the CRM Deployment Manager:

Select the Microsoft Dynamics CRM site, right-click and choose Properties, and select Web Address:

Select a binding type of HTTPS.

In each service field enter internal.crm5.lab:8081 (note: preferably use the domain name). Do not use the default HTTPS port as the port number.

Also, add an HTTPS binding for the CRM site through IIS Manager:

For the certificate, select the previously requested wildcard certificate Generalca.crm5.lab.

Note: you need to add the host internal in DNS:

2) Configure claims-based authentication

In the CRM Deployment Manager, on the Actions menu select Configure Claims-Based Authentication:

In the Federation metadata field, enter:

https://sts1.crm5.lab/federationmetadata/2007-06/federationmetadata.xml (note: https://sts1.crm5.lab/ is the ADFS server name)

Select Certificate:

Select Generalca.crm5.lab (the same certificate as the ADFS HTTPS certificate)
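A scripted check of the federation metadata entered above, as an added example that is not part of the original article: it confirms that the entity ID and the passive sign-in endpoint use the federation service name sts1.crm5.lab and that the endpoint is HTTPS. The sample XML is constructed and heavily trimmed, and the function name is hypothetical.

```powershell
# Added example (not from the original article). Constructed, trimmed stand-in for
# the metadata document; real metadata also carries signatures and certificates.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    entityID="http://sts1.crm5.lab/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference>
        <wsa:Address>https://sts1.crm5.lab/adfs/ls/</wsa:Address>
      </wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
'@

function Test-FederationMetadata {
    param([string]$Xml, [string]$ExpectedHost)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
    $ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')
    $problems = @()
    # The entity ID must name the federation service, not the machine (crm5dev).
    $entity = [Uri]$doc.DocumentElement.GetAttribute('entityID')
    if ($entity.Host -ne $ExpectedHost) { $problems += "entityID host is $($entity.Host)" }
    # Browser sign-in goes to the passive requestor endpoint; it must be HTTPS on the same name.
    $nodes = $doc.SelectNodes('//fed:PassiveRequestorEndpoint//wsa:Address', $ns)
    if ($nodes.Count -eq 0) { $problems += 'no passive requestor endpoint' }
    foreach ($n in $nodes) {
        $u = [Uri]$n.InnerText.Trim()
        if ($u.Scheme -ne 'https')     { $problems += "endpoint not HTTPS: $u" }
        if ($u.Host -ne $ExpectedHost) { $problems += "endpoint host is $($u.Host)" }
    }
    return ,$problems
}

# Against a live server, pass in the downloaded document instead of the sample:
#   (New-Object System.Net.WebClient).DownloadString('<federation metadata URL>')
$result = Test-FederationMetadata -Xml $sampleMetadata -ExpectedHost 'sts1.crm5.lab'
if ($result.Count -eq 0) { 'metadata OK' } else { $result }
```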



2: Configure ADFS

1) Configure the relying party for ADFS

Through AD FS 2.0 Management:

Select Relying Party Trusts, right-click and choose Add Relying Party Trust:

Add the transform rules:

After completion there are three rules:

2) Configure the claims provider trust:

Select Active Directory, right-click and choose Edit Claim Rules:

Click Add Rule:

Enter a name, select the attribute store, and map the attribute to the outgoing claim type:

3) Register ADFS as an SPN

You need to register the AD FS 2.0 server as a servicePrincipalName (SPN):

setspn -a http/sts1.crm5.lab crm5\crm5dev (this step cannot be skipped)

Here sts1.crm5.lab is the ADFS service name, crm5 is the domain name, and crm5dev is the CRM server name.


3: Verify

Enter the address https://internal.crm5.lab:8081/

A user name and password dialog box pops up (it is not clear why this dialog box still appears here):

Enter the administrator user's password; the CRM interface appears.

This tests intranet access using claims-based authentication.

10: Configure external claims-based authentication mode

The external claims-based authentication mode can be configured only after the internal claims-based authentication mode is configured.

1: Configure CRM Server

In the CRM Deployment Manager, on the Actions menu select Configure Internet-Facing Deployment:




Here crm5.lab is the domain name and 8081 is the port of the HTTPS binding.

Enter neu.crm5.lab:8081, where neu is the organization name configured during CRM installation, that is, the sub-path used for internal access:

Add the hosts dev and neu in DNS.

2: Configure the ADFS relying party

This process is basically the same as for the internal claims-based authentication mode, except that the relying party metadata should correspond to the URL that is accessed externally.

1) Configure the relying party for ADFS

Through AD FS 2.0 Management:

Select Relying Party Trusts, right-click and choose Add Relying Party Trust:

Add the transform rules:

After completion there are three rules:

3: Verify

In the browser address bar enter https://neu.crm5.lab:8081; the following login screen appears:

Enter the domain administrator user name and password to enter the CRM interface.

OK, the setup is successful.

Description: setting up the environment on a virtual machine tends to run into various problems, and there are fewer problems when installing directly on a server. Before configuring the IFD environment, the claims-based authentication mode must be configured first.

The key to configuring IFD is to install the ADFS 2.0 software.

Extension: here CRM and ADFS are installed on the same server. You can also consider installing them on separate servers, for example CRM on one server and ADFS on another; distributing the work this way reduces the pressure (load) on each server.
