ADFS Installation Document
Microsoft documentation: http://www.microsoft.com/en-au/download/details.aspx?id=41701
Interactive Web, step-by-step instructions: http://www.interactivewebs.com/blog/index.php/crm-2013/crm-2013-ifd-setup-with-adfs-3-0-on-windows-2012-r2-hosted-setup/
Missing Steps from Documentation
- SPNs. If CRM and ADFS run on the same server, SPNs are most likely not needed. If they run on separate servers, you will need to register these two SPNs:
- setspn -s http/adfs.XXXXX.com Domain\ADFSServiceAccountName
- setspn -s http/internalcrm.XXXXX.com Domain\CRMApplicationPoolAccount
- On the CRM server, set the IIS flag useAppPoolCredentials=True so that Kerberos tickets for the CRM site are decrypted with the application pool account that holds the SPN rather than the machine account.
- Do not use setspn -a; use setspn -s instead, which checks for duplicates before adding the SPN.
- To check for duplicate SPNs, run setspn -x.
- To verify that ADFS is working, browse to https://adfs.XXXXXX.com/adfs/ls/IdpInitiatedSignon.aspx
ADFS Certificate Timeout
Typically we set the internal timeout to 9 hours and the external timeout to 2 hours. Consult with the client for specific requirements.
ADFS Certificate Expiration
Assuming that you are using ADFS to generate the new token-signing certificate, you can use the Set-ADFSProperties cmdlet to modify the CertificateDuration property and then create a new token-signing certificate. In the example below, new certificates won't expire for 36500 days (100 years):
Set-ADFSProperties -CertificateDuration 36500
Note that this needs to be run on the ADFS server. If you aren't familiar with using the ADFS PowerShell cmdlets, I suggest running "Windows PowerShell Modules" as administrator to get started.
If you are the cautious type, you can run Get-ADFSProperties to check the current certificate duration before changing it. You will probably find that your ADFS server is set to the default value of 365 days, but in this case I have already changed the value to 36500 using the command above:
We can now create new token-signing and token-decrypting certificates that will be valid for the new duration:
Update-ADFSCertificate -CertificateType Token-Decrypting -Urgent
Update-ADFSCertificate -CertificateType Token-Signing -Urgent
By including the -Urgent parameter, we are triggering immediate certificate rollover, meaning that any relying parties will need to be updated with the new certificate before authentication via ADFS can occur. In other words, the cmdlets above will break authentication for every relying party configured against ADFS (for example, all SharePoint Web Application zones using ADFS) until we have imported the new certificate. Remember, this needs to be run on the ADFS server.
We now turn off automatic certificate rollover so that ADFS does not roll the certificate over again:
Set-ADFSProperties -AutoCertificateRollover $false
After doing that, the certificate will be good for 100 years. Because automatic rollover is now disabled, ADFS will never rotate these certificates on its own; any future rotation must be done manually with Update-ADFSCertificate and re-imported into every relying party.
For the above changes to take effect:
- On the CRM server, open Deployment Manager and disable Claims-Based Authentication.
- Run iisreset on the CRM server.
- Re-configure Claims-Based Authentication from Deployment Manager, keeping all the settings the same.
- Re-configure IFD through Deployment Manager.
- Run iisreset again on the CRM server.
- In the ADFS management console on the ADFS server, update the corresponding Federation Metadata URLs.
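The following script is an added check for the certificate procedure above; it is not part of the original document. It assumes it is run as administrator on the ADFS server with the ADFS PowerShell module available, and the 60-day warning window is an assumed value.

```powershell
# Added example (not from the original document): report the ADFS certificate
# settings this procedure changes and flag token certificates close to expiry.
# Assumes: run as administrator on the ADFS server; ADFS module installed.
Import-Module ADFS

$warnDays = 60   # assumption: flag certificates expiring within this many days

# CertificateDuration and AutoCertificateRollover are the two properties
# the procedure above modifies with Set-ADFSProperties.
$props = Get-AdfsProperties
"CertificateDuration (days): {0}" -f $props.CertificateDuration
"AutoCertificateRollover   : {0}" -f $props.AutoCertificateRollover

# List each token certificate with its primary flag, thumbprint and expiry.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-AdfsCertificate -CertificateType $type) {
        $daysLeft = [int]($c.Certificate.NotAfter - (Get-Date)).TotalDays
        $state = if ($daysLeft -le $warnDays) { 'EXPIRING' } else { 'ok' }
        "{0,-16} primary={1,-5} thumbprint={2} expires={3:yyyy-MM-dd} ({4} days) {5}" -f `
            $type, $c.IsPrimary, $c.Thumbprint, $c.Certificate.NotAfter, $daysLeft, $state
    }
}

# With rollover disabled, an expiring certificate will not be replaced by ADFS.
if (-not $props.AutoCertificateRollover) {
    "AutoCertificateRollover is off: rotate manually with Update-AdfsCertificate and re-import into each relying party."
}
```

Run it before Set-ADFSProperties to record the starting values and again after Update-ADFSCertificate to confirm the new expiry dates and that the new certificates are primary.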