A Study: Authentication options for Dynamics CRM (2016 - 365) with multiple domains and external providers (Google, Hotmail etc.)

Hello,

I want to share the configuration details for using multiple identity providers (two separate Active Directory domains plus external SAML 2.0 providers) for Dynamics CRM authentication.

Fortunately, Dynamics CRM allows us to use federation services to authenticate users from multiple sources.

Note: Authorization is still handled by Dynamics CRM itself; federation only authenticates the user. Dynamics CRM matches the UPN claim in the token against its own user records, so a federated user still needs a CRM user whose UPN equals that claim value.



High Level Architecture:

Dynamics CRM itself depends on only one domain. Users from every other source are brought in through federation: AD FS acts as the Security Token Service (STS), issues security tokens, and Dynamics CRM uses claims-based authentication instead of Windows authentication. So Dynamics CRM is installed into a single domain, an Internet Facing Deployment (IFD) is configured for it, and the other identity providers are then integrated with the AD FS of the domain that Dynamics CRM uses.

In my lab work, the scenario was:

Any user in one of two separate internal domains, or at an external provider (Hotmail, Gmail etc.), must be able to log in to Dynamics CRM successfully.

I took Domain A as the main domain, installed Dynamics CRM into Domain A and then applied IFD to the deployment.

In line with the scenario, I added Domain B as a secondary internal domain and installed AD FS for Domain B (an AD FS server authenticates against the Active Directory of the domain it is joined to, so each domain gets its own AD FS).

Configure "ADFS for A" and "ADFS for B" to trust each other so that Domain B accounts can authenticate.

Finally, I used the Auth0.com service to see how Facebook and Gmail accounts work with Dynamics CRM. I configured "ADFS for A" for this and changed some settings on the Auth0 side through its website (Auth0.com; you need an account, and they provide a 30-day trial for testing).

Environment:
There were 5 servers for this work:
o   A domain controller for Domain A
o   A domain controller for Domain B
o   ADFS server for Domain A
o   ADFS server for Domain B
o   Dynamics CRM Full Server + SQL Server

Operations:

·        Install two Active Directory domains
·        Install one AD FS server for each domain
·        Configure the relying party trusts and claims provider trusts in AD FS
·        Install Dynamics CRM
·        Configure IFD for Dynamics CRM
·        Perform a smoke test: log in to CRM with an account from AD A, an account from AD B and my personal Gmail account

Here is the log of my study:


  • Active Directory 1
  1. Set up the Active Directory Domain Services, DHCP and DNS roles on the first Windows Server
  2. Create "Domain A" -> check the "Create DNS delegation" box
  • Active Directory 2
  1. Set up the Active Directory Domain Services, DHCP and DNS roles on the second Windows Server
  2. Create "Domain B" -> check the "Create DNS delegation" box

  • Active Directory Federation Services (ADFS) for Domain A
  1. Join a Windows Server to Domain A; this becomes "ADFS for Domain A"
  2. Point the server's DNS at Domain A's DNS server in Network Settings
  3. Add the AD FS server role to the server

  • Active Directory Federation Services (ADFS) for Domain B
  1. Join a Windows Server to Domain B; this becomes "ADFS for Domain B"
  2. Point the server's DNS at Domain B's DNS server in Network Settings
  3. Add the AD FS server role to the server
  • Dynamics CRM Installation
  1. Join the Dynamics CRM Windows Server to Domain A
  2. Point the server's DNS at Domain A's DNS server in Network Settings
  3. Install SQL Server
  4. Install SQL Server Reporting Services
  5. Configure Reporting Services (change the service account from "Local System" to "Network Service")
  6. Install Dynamics CRM with all server roles (Full Server)
  7. Apply IFD to the Dynamics CRM deployment
  • Configure "ADFS for Domain B" to integrate with "ADFS for Domain A", so that Domain B accounts can be used by Dynamics CRM in Domain A.
  Note on direction: in AD FS a claims provider trust means "accept tokens issued by this partner" and a relying party trust means "issue tokens to this partner". In the steps below the claims provider trust is created on "ADFS for Domain B" and the relying party trust on "ADFS for Domain A", so "ADFS for Domain B" is the server that accepts logins from both domains and is the one the CRM claims-based configuration must point to. If CRM is configured against "ADFS for Domain A" instead, create the trusts the other way round: the AD FS that CRM points to holds the claims provider trust, the other AD FS holds the relying party trust.
  1. Connect to the "ADFS for Domain B" server and open AD FS Management.
  2. Add a Claims Provider Trust
     1.     In the console tree, under AD FS, right-click Claims Provider Trusts and select Add Claims Provider Trust.
     2.     Click "Start" to start the wizard.
     3.     Select the option "Import data about the claims provider published online or on a local network" and enter the URI of the "Domain A" federation metadata endpoint:
     https://auth.<DNS record in Domain A>.testloc.lan/FederationMetadata/2007-06/FederationMetadata.xml
     4.     Complete the wizard using the default options.
  3. Edit Claim Rules
     1.     Right-click the newly added claims provider trust and select Edit Claim Rules.
     2.     Click Add Rule.
     3.     Select "Pass Through or Filter an Incoming Claim" and click Next.
     4.     Enter a name for the rule: UPN.
     5.     Under "Incoming claim type", select UPN.
     6.     Select "Pass through all claim values".
     7.     Click Finish.
     8.     Click "Yes" on the warning message, if one is displayed.
     9.     Repeat steps 2 - 7 with "Anchor Claim Type" as the incoming claim type.
     10.    Click Apply, then OK, to complete the wizard.
  4. Enable home-realm discovery.

     Run the following PowerShell command on the server. -TargetName is the display name of the claims provider trust just created; the suffix is the UPN suffix of Domain A users, so that a user who types user@<suffix> on the sign-in page is sent straight to "ADFS for Domain A" instead of being shown the realm selection page:

     Set-AdfsClaimsProviderTrust -TargetName "auth.<DNS record in Domain A>.testloc.lan" -OrganizationalAccountSuffix @("<DNS record in Domain A>.testloc.lan")

  • Configure "ADFS for Domain A" to integrate with "ADFS for Domain B", so that Domain B accounts can be used by Dynamics CRM in Domain A.
  1. In Server Manager of "ADFS for Domain A", click Tools and then select AD FS Management.
  2. In the console tree, under AD FS, right-click Relying Party Trusts and select Add Relying Party Trust.
  3. Select Claims Aware and click Start.
  4. On the Select Data Source page, select the option "Import data about the relying party published online or on a local network" and enter the URI:
     https://auth.<DNS record in Domain B>.testloc.lan/FederationMetadata/2007-06/FederationMetadata.xml
     then click "Next".
  5. On the Specify Display Name page, enter any name, then click Next.
  6. On the Choose Access Control Policy page, choose "Permit everyone" as the policy and click Next.
     (You could also permit everyone in the organization or choose a specific security group; for anything beyond a lab, a specific security group is the safer choice.)
  7. Click Next, leave the defaults selected and finally click Close to complete the wizard.
  8. Add Claim Rules
     A.     Right-click the newly added relying party trust and select Edit Claim Issuance Policy.
     B.     Click Add Rule.
     C.     Select "Send LDAP Attributes as Claims" and click Next.
     D.     Enter a name for the rule, such as "UPN". Under Attribute store, select Active Directory, then in the Mapping of LDAP attributes section:
            Under LDAP Attribute, select User-Principal-Name.
            Under Outgoing Claim Type, select UPN.
     E.     Click Finish.
     F.     Click "Add Rule" again.
     G.     Select "Send Claims Using a Custom Rule" and click Next.
     H.     Enter a name for the rule, such as "Anchor Claim Type", and paste the following statement under Custom rule:
            EXISTS([Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"])
             => issue(Type = "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype",
                      Value = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn");
  9. Click Finish, Apply and OK respectively to close the wizard.
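The two wizard walkthroughs above, as an added example in PowerShell (this script is mine, not the original post's, and not a Microsoft-provided script). It assumes Windows Server 2016 AD FS (the ADFS module and the -OrganizationalAccountSuffix parameter), the placeholder host names auth.domaina.testloc.lan / auth.domainb.testloc.lan and UPN suffix domaina.testloc.lan, and the default federation service identifier http://<host>/adfs/services/trust. It adds the check I would run before trusting a partner's metadata and the listing I would use afterwards to see what was actually trusted:

```powershell
# Added example (not from the original post): the two wizard walkthroughs
# above as an ADFS PowerShell script, plus a pre-check and a post-check.
# Assumptions: Windows Server 2016 AD FS; host names, UPN suffix and the
# default federation service identifier (http://<host>/adfs/services/trust)
# are placeholders for the lab. Run each section on the server named in its
# comment, in an elevated session on the AD FS server.

$adfsA   = "auth.domaina.testloc.lan"    # assumed name of "ADFS for Domain A"
$adfsB   = "auth.domainb.testloc.lan"    # assumed name of "ADFS for Domain B"
$suffixA = "domaina.testloc.lan"         # assumed UPN suffix of Domain A users

$upn    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$anchor = "http://schemas.microsoft.com/ws/2014/01/identity/claims/anchorclaimtype"
$wan    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Fetch a partner's federation metadata over TLS and refuse to continue if its
# entityID is not the federation service we expect. A wrong DNS record or a
# stale metadata file would otherwise silently become a trusted token issuer.
function Test-FederationMetadata {
    param([string]$HostName)
    $url = "https://$HostName/FederationMetadata/2007-06/FederationMetadata.xml"
    $xml = [xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    $expected = "http://$HostName/adfs/services/trust"
    if ($xml.EntityDescriptor.entityID -ne $expected) {
        throw "Unexpected entityID '$($xml.EntityDescriptor.entityID)' in $url"
    }
    return $url
}

# ---- Section 1: run on "ADFS for Domain B" ---------------------------------
# Claims provider trust = "accept tokens issued by ADFS for Domain A".
$metadataA = Test-FederationMetadata -HostName $adfsA

# Pass through only the two claims CRM needs; anything else the partner sends
# is dropped at the trust boundary.
$acceptanceRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "UPN"
c:[Type == "$upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Anchor Claim Type"
c:[Type == "$anchor"]
 => issue(claim = c);
"@

Add-AdfsClaimsProviderTrust -Name "ADFS for Domain A" -MetadataUrl $metadataA `
    -AcceptanceTransformRules $acceptanceRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Home-realm discovery: a user who types a Domain A UPN suffix is sent straight
# to ADFS for Domain A instead of being shown the realm-selection page.
Set-AdfsClaimsProviderTrust -TargetName "ADFS for Domain A" `
    -OrganizationalAccountSuffix @($suffixA)

# ---- Section 2: run on "ADFS for Domain A" ---------------------------------
# Relying party trust = "issue tokens to ADFS for Domain B".
$metadataB = Test-FederationMetadata -HostName $adfsB

# "Send LDAP Attributes as Claims" (UPN) and the custom anchor-claim rule from
# the walkthrough, written in claim rule language.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "$wan", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Anchor Claim Type"
EXISTS([Type == "$anchor"])
 => issue(Type = "$anchor", Value = "$upn");
"@

Add-AdfsRelyingPartyTrust -Name "ADFS for Domain B" -MetadataUrl $metadataB `
    -IssuanceTransformRules $issuanceRules `
    -AccessControlPolicyName "Permit everyone" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# ---- Post-check (run on either server): what do we actually trust now? ------
Get-AdfsClaimsProviderTrust | Select-Object Name, Identifier, Enabled,
    OrganizationalAccountSuffix,
    @{ n = "SigningCertExpires"; e = { $_.TokenSigningCertificates[0].NotAfter } }
Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, Enabled, MetadataUrl, LastMonitoredTime
```

The script keeps the direction of the walkthrough (claims provider trust on ADFS for Domain B, relying party trust on ADFS for Domain A); if CRM is configured against ADFS for Domain A, swap the two sections between the servers. "Permit everyone" mirrors the lab; for a production relying party trust replace it with a policy or security group that lists who may federate.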
  • Install Dynamics CRM (standard procedure)
  • Configure Internet Facing Deployment (standard procedure)
  • Configure AD FS for Dynamics CRM (standard procedure; see the Microsoft documentation for claims-based authentication and IFD)
  The environment is now ready for the multiple-AD test in Dynamics CRM.

Do you want to integrate Dynamics CRM with Hotmail, Facebook or Gmail accounts?

The trick is simple: find a federation service that speaks SAML 2.0 and define it in AD FS as a claims provider trust.
I used Auth0.com in my lab study, so I just created a free (trial) account at Auth0.com and connected it to "ADFS for Domain A":
1- Open the AD FS Management console
2- Go to "Claims Provider Trusts" under the AD FS root
3- Click "Add Claims Provider Trust..." in the Actions pane
4- Configure the "Claims provider's federation metadata URL"; it is provided by the vendor (Auth0.com here, which brokers the Gmail and Facebook logins). Set a display name such as Gmail or Facebook, and make sure the signing certificate matches the one already uploaded on the vendor's side.
5- That's all...
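Step 4 above is where an external party becomes a trusted token issuer for CRM, so here is the same step as an added PowerShell example (mine, not the post's or Auth0's) that pins the provider's signing certificate to the thumbprint shown in the vendor dashboard and accepts exactly one claim from it. The metadata URL, display name and thumbprint are placeholders; the claim type the provider sends for the e-mail address (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) is an assumption to check against the vendor's claim mapping; the gmail.com home-realm suffix is optional:

```powershell
# Added example (not from the original post): register an external SAML 2.0
# identity provider on "ADFS for Domain A" with its signing certificate pinned
# and only one claim accepted. Placeholders/assumptions: metadata URL, display
# name, thumbprint, the e-mail claim type the provider sends, Windows Server
# 2016 AD FS. Run in an elevated session on the AD FS server.

$idpName          = "Auth0"                                                  # placeholder display name
$metadataUrl      = "https://example-tenant.auth0.com/samlp/metadata/EXAMPLE" # placeholder, from the vendor dashboard
$pinnedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"               # placeholder, from the vendor dashboard

$email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" # assumed claim type
$upn   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Download the metadata and pull out the signing certificate it advertises,
# so we can compare it with what the vendor shows out-of-band before trusting it.
function Get-MetadataSigningCertificate {
    param([string]$Url)
    $xml  = [xml](Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $keys = @($xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) |
        Where-Object { -not $_.use -or $_.use -eq "signing" }
    if (-not $keys) { throw "No signing KeyDescriptor in $Url" }
    $b64 = ($keys[0].KeyInfo.X509Data.X509Certificate -replace "\s", "")
    $raw = [Convert]::FromBase64String($b64)
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
}

$cert = Get-MetadataSigningCertificate -Url $metadataUrl
if ($cert.Thumbprint -ne $pinnedThumbprint.ToUpperInvariant()) {
    throw "Signing certificate $($cert.Thumbprint) does not match the pinned thumbprint; not creating the trust"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Provider signing certificate expires $($cert.NotAfter); plan the rotation"
}

# Accept exactly one thing from the external provider: its e-mail claim,
# re-issued as UPN because CRM matches the UPN claim against its own user
# records. Groups, roles, names or anything else it sends are not passed through.
$rules = @"
@RuleName = "$idpName e-mail as UPN"
c:[Type == "$email"]
 => issue(Type = "$upn", Value = c.Value);
"@

Add-AdfsClaimsProviderTrust -Name $idpName -MetadataUrl $metadataUrl `
    -AcceptanceTransformRules $rules `
    -MonitoringEnabled $false -AutoUpdateEnabled $false   # pinned: rotate by hand

# Optional: send users who type a gmail.com address straight to this provider.
Set-AdfsClaimsProviderTrust -TargetName $idpName -OrganizationalAccountSuffix @("gmail.com")

# Confirm the trust ended up with the certificate we verified, not something else.
$trust = Get-AdfsClaimsProviderTrust -Name $idpName
if ($trust.TokenSigningCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw "Trust $idpName is not using the pinned signing certificate"
}
```

Two consequences of this design are worth spelling out. With automatic metadata update off, a certificate rotation on the vendor side breaks logins until the new thumbprint is verified and the trust updated by hand; that is the price of not letting a URL decide who may sign tokens for CRM. And because the e-mail claim becomes the UPN, whoever the external provider authenticates as that address is the CRM user with that UPN, so the CRM user record must carry the e-mail as its UPN and the provider must actually verify ownership of the address.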


enjoy...