Configure Claims-Based Authentication
Below, we use the Configure Claims-Based Authentication Wizard to configure Claims-Based Authentication. To learn how to configure Claims-Based Authentication with PowerShell instead, refer to the English original.
1) Open the Deployment Manager.
2) In the left navigation pane, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.
3) Click Next.
4) On the Specify the security token service page, enter the Federation metadata URL.
Note: This metadata is usually published by the AD FS 2.0 website. Paste the URL into Internet Explorer to view the federation metadata and confirm that it is the correct URL. Accessing the URL in IE must not produce any certificate-related warnings.
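The browser check in the note above can also be scripted. The following PowerShell is an added example, not code from the original page; the metadata URL is a placeholder to be replaced with the one published by your AD FS 2.0 server. Because Invoke-WebRequest validates the server certificate chain, a successful download is equivalent to IE showing the metadata without a certificate warning.

```powershell
# Added example (not from the original page): fetch and sanity-check the
# AD FS 2.0 federation metadata before entering the URL in the wizard.
# Assumption: the host name below is a placeholder; replace it with your own.
$FederationMetadataUrl = 'https://ADFS-SERVER-PLACEHOLDER/FederationMetadata/2007-06/FederationMetadata.xml'

try {
    # Invoke-WebRequest rejects untrusted, expired or name-mismatched server
    # certificates, so a failure here corresponds to the certificate warning
    # the wizard note tells you IE must not show.
    $response = Invoke-WebRequest -Uri $FederationMetadataUrl -UseBasicParsing -ErrorAction Stop
}
catch {
    Write-Error "Federation metadata could not be retrieved cleanly: $($_.Exception.Message)"
    return
}

# Parse the document and confirm it really is SAML/WS-Federation metadata.
[xml]$metadata = $response.Content
if ($null -eq $metadata.EntityDescriptor) {
    Write-Error 'The URL returned a document, but it is not an EntityDescriptor (wrong URL?).'
    return
}

# The entityID is the identifier the CRM wizard will trust as the STS.
Write-Output ("Federation metadata OK. entityID: {0}" -f $metadata.EntityDescriptor.entityID)

# KeyDescriptor elements carry the STS signing/encryption certificates; AD FS
# metadata normally contains at least one.
$keyCount = $metadata.GetElementsByTagName('KeyDescriptor').Count
Write-Output ("KeyDescriptor elements found: {0}" -f $keyCount)
```

Run this from the CRM server itself, not from an administrator workstation, because it is the CRM server's trust store and name resolution that the wizard will rely on.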
5) Click Next.
6) On the Specify the encryption certificate page, click Select…
7) Select a certificate; here we choose *.interactivewebs.com.
8) This certificate is used to encrypt the security tokens issued by the AD FS 2.0 security token service.
Note: The Microsoft Dynamics CRM service account must have Read permission on the private key of the encryption certificate.
10) Click Next. The Claims-Based Authentication Configuration Wizard validates the token service and certificate you specified.
11) On the System Checks page, if the checks pass, click Next.
12) On the Review your selections and then click Apply page, confirm your input, and then click Apply.
13) On this page, note the URL shown, because you will later use it to add a relying party to the security token service.
14) IMPORTANT: Click View Log File.
15) Scroll to the end and copy the URL from the bottom of the file.
This URL will be used in the next configuration step. Note that it is different from the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this).
16) Click Finish.
17) Validate that you can browse to the URL above. If you cannot view it in a browser, check again the permissions on the certificate for the account used by the CRM application pool in IIS. See above: Claims-based authentication configuration for CRM 2011 server.
18) Once you can browse to this URL, you are done here.
If you get the following error: The encryption certificate “…..” does not exist in the local computer certificate store, here is how to fix it.
When attempting to set up Claims-Based Authentication for CRM 2011 against a client-side AD FS server, you encounter the error: The encryption certificate “…..” does not exist in the local computer certificate store.
In this case, the error appears right after you have renewed your wildcard SSL certificate. After a few moments of head-scratching and chin-rubbing, you go back and double-check that, on the CRM server, the new SSL certificate is stored in the correct places in the Microsoft Management Console.
To check, go to Start, Run, MMC.exe and load the Certificates snap-in: File, Add or Remove Snap-ins, Certificates, Computer Account, Local Computer.
Check both the Personal and the Trusted Root Certification Authorities stores under Certificates. The new wildcard SSL certificate is in both stores. At this point you also notice that the old wildcard SSL certificate is still in the Personal store. Once you have removed the old certificate from that store (and verified that it is not in the Trusted Root Certification Authorities store either), the error goes away and you can complete the Claims-Based Authentication setup.
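Both the private-key permission note under step 8 (and the step 17 troubleshooting hint) and the duplicate-certificate problem described just above can be checked in one pass from PowerShell on the CRM server. The script below is an added example, not code from the original page; the certificate subject and the service account name are placeholders, and the private-key ACL lookup assumes a CAPI (RSA machine-key) certificate, which is what the CRM 2011 and AD FS 2.0 era typically used.

```powershell
# Added example (not from the original page): list every copy of the wildcard
# certificate in the Personal and Trusted Root stores, flag duplicates, and
# check the CRM service account's Read access to the private key.
# Assumptions (placeholders): replace the subject and account with your own.
$CertSubject       = 'CN=*.example.com'          # placeholder subject
$CrmServiceAccount = 'DOMAIN\CrmAppPoolAccount'  # placeholder IIS app pool account

# 1) Enumerate matching certificates in both stores the MMC walkthrough uses.
#    Two matches in Personal usually means the old and the renewed certificate
#    are both installed, which is the situation that triggers the wizard error.
$personal = @()
foreach ($store in 'My', 'Root') {
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match [regex]::Escape($CertSubject) }

    Write-Output ("Store {0}: {1} matching certificate(s)" -f $store, @($found).Count)
    foreach ($c in $found) {
        Write-Output ("  {0}  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}  privateKey={3}" -f
            $c.Thumbprint, $c.NotBefore, $c.NotAfter, $c.HasPrivateKey)
    }
    if ($store -eq 'My') { $personal = @($found) }
}

if ($personal.Count -gt 1) {
    Write-Warning 'More than one certificate with this subject is in the Personal store; remove the superseded one.'
}

# 2) Pick the newest certificate that has a private key and check who can
#    read the key file. CAPI machine keys live under ProgramData; this step
#    does not apply to CNG keys, where PrivateKey is $null in Windows PowerShell.
$cert = $personal | Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $cert) {
    Write-Error 'No certificate with a private key found in the Personal store.'
    return
}

$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyPath = Join-Path $keyDir $keyName

if (-not (Test-Path $keyPath)) {
    Write-Error "Private key file not found at $keyPath (CNG key, or no CAPI container)."
    return
}

$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$entry = (Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $CrmServiceAccount -and
                   $_.AccessControlType -eq 'Allow' -and
                   (($_.FileSystemRights -band $readRight) -eq $readRight) }

if ($entry) {
    Write-Output ("{0} has Read access to the private key of {1}" -f $CrmServiceAccount, $cert.Thumbprint)
} else {
    Write-Warning ("{0} has NO Read access to the private key of {1}; grant it via Manage Private Keys in MMC." -f
        $CrmServiceAccount, $cert.Thumbprint)
}
```

Run it in an elevated PowerShell session on the CRM server. Removing the superseded certificate is still done in the MMC as described above; the script only tells you which thumbprint is the old one.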