ADFS Installation Document

Microsoft documentation:

Interactive web, step-by-step instructions:

Missing Steps from Documentation

  1. SPNs. If CRM and ADFS run on the same server, SPNs are most likely not needed. If they run on separate servers, you will need to issue these two commands (the host name after http/ is the federation service host name for the ADFS service account, and the CRM web site host name for the CRM application pool account):
    1. setspn -s http/ Domain\ADFSServiceAccountName
    2. setspn -s http/ Domain\CRMApplicationPoolAccount
  2. On the CRM server, set useAppPoolCredentials=True on the windowsAuthentication element of the CRM web site (in applicationHost.config or the site's web.config) so IIS decrypts Kerberos tickets with the application pool identity that owns the SPN.
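The checks below are an added example, not part of the original document: they look for duplicate SPNs, confirm the two SPNs are registered on the expected accounts, and read (and if needed set) useAppPoolCredentials on the CRM site. The domain, account names, host names and the IIS site name "Microsoft Dynamics CRM" are assumptions to replace for the environment.

```powershell
# Added example (not from the original document). All values below are assumed
# placeholders: domain CONTOSO, ADFS service account svc_adfs, CRM app pool account
# svc_crmpool, ADFS host sts.contoso.com, CRM host crm.contoso.com.
$domain      = 'CONTOSO'
$adfsAccount = 'svc_adfs'
$crmAccount  = 'svc_crmpool'
$adfsHost    = 'sts.contoso.com'
$crmHost     = 'crm.contoso.com'

# 1. Duplicate SPNs make Kerberos fail silently (clients fall back to NTLM or
#    get a KRB_AP_ERR_MODIFIED); -X scans the forest for duplicates.
Write-Host '== Duplicate SPN scan (setspn -X) =='
setspn -X

# 2. Confirm each SPN exists; print the registration command if it is missing.
$expected = @{ "http/$adfsHost" = $adfsAccount; "http/$crmHost" = $crmAccount }
foreach ($spn in $expected.GetEnumerator()) {
    Write-Host "== $($spn.Key) =="
    $result = setspn -Q $spn.Key
    if ($result -match 'No such SPN found') {
        Write-Warning "$($spn.Key) is not registered; run: setspn -s $($spn.Key) $domain\$($spn.Value)"
    } else {
        $result
    }
}

# 3. List everything registered on the two service accounts.
setspn -L "$domain\$adfsAccount"
setspn -L "$domain\$crmAccount"

# 4. On the CRM server: useAppPoolCredentials must be True so IIS uses the
#    application pool identity (which owns the SPN) to decrypt Kerberos tickets.
Import-Module WebAdministration
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$site   = 'IIS:\Sites\Microsoft Dynamics CRM'   # assumed default CRM site name
$current = Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name useAppPoolCredentials
Write-Host "useAppPoolCredentials currently: $($current.Value)"
if (-not $current.Value) {
    Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name useAppPoolCredentials -Value $true
    Write-Host 'useAppPoolCredentials set to True; run iisreset for it to take effect.'
}
```

Run steps 1 to 3 from any domain-joined machine with setspn.exe available, and step 4 on the CRM server itself as an administrator.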

Troubleshooting steps:

ADFS Certificate Timeout

Typically we set the internal timeout to 9 hours and the external timeout to 2 hours. Consult with the client for specific requirements.
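The script below is an added example, not part of the original document. It assumes that the internal and external timeouts are the TokenLifetime values (in minutes) of the CRM claims relying party trust and the CRM IFD relying party trust; the two trust names are assumptions, so list the real names with Get-ADFSRelyingPartyTrust first.

```powershell
# Added example (not from the original document). Run on the ADFS server.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

# Assumed trust names: check them with Get-ADFSRelyingPartyTrust before running.
$lifetimes = @{
    'CRM Claims Relying Party' = 9 * 60   # internal (claims) trust: 9 hours
    'CRM IFD Relying Party'    = 2 * 60   # external (IFD) trust: 2 hours
}

# Show the current value on every trust first (0 means the ADFS default applies).
Get-ADFSRelyingPartyTrust | Select-Object Name, TokenLifetime | Format-Table -AutoSize

foreach ($entry in $lifetimes.GetEnumerator()) {
    $trust = Get-ADFSRelyingPartyTrust -Name $entry.Key
    if (-not $trust) {
        Write-Warning "Relying party trust '$($entry.Key)' not found; skipping"
        continue
    }
    Set-ADFSRelyingPartyTrust -TargetName $entry.Key -TokenLifetime $entry.Value
    Write-Host "$($entry.Key): TokenLifetime set to $($entry.Value) minutes"
}
```

The shorter external lifetime limits how long a token captured from an internet-facing session stays usable; keep the two values documented with the client so later changes can be audited.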

ADFS Certificate Expiration

Assuming that you are using ADFS to generate the new token signing certificate, you can use the Set-ADFSProperties cmdlet to modify the CertificateDuration property, then create a new token signing certificate. In the example below, new certificates won't expire for 36500 days (100 years):

Add-PSSnapin Microsoft.Adfs.Powershell

Set-ADFSProperties -CertificateDuration 36500

Note that this needs to be run on the ADFS server. If you aren't familiar with using the ADFS PowerShell cmdlets, I suggest running "Windows PowerShell Modules" as administrator to get started.

If you are the cautious type, you can run Get-ADFSProperties to check the current certificate duration before changing it. You will probably find that your ADFS server is set to the default value of 365 days, but in this case I have already changed the value to 36500 using the script above:

We can now create a new Token Signing certificate that will be valid for the new duration:

Update-ADFSCertificate -CertificateType Token-Decrypting -Urgent

Update-ADFSCertificate -CertificateType Token-Signing -Urgent

By including the -Urgent parameter, we are triggering immediate certificate rollover, meaning that any relying parties will need to be updated with the new certificate before authentication via ADFS can occur. In other words, the cmdlet above will break authentication for all SharePoint Web Application zones using ADFS until we have imported the new certificate. Remember, this needs to be run on the ADFS server.

We now turn off automatic certificate rollover so ADFS does not roll the certificate over again:

Set-ADFSProperties -AutoCertificateRollover $false

After doing that, the certificate will be good for 100 years.
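The following script is an added example, not part of the original document. It wraps the commands above in a before/after report of CertificateDuration, AutoCertificateRollover and the expiry dates of the token signing and decrypting certificates, so the rollover is performed with the current state on record. It uses only the ADFS 2.0 snap-in cmdlets already named in the text plus Get-ADFSCertificate; the 36500-day value is the one from the text.

```powershell
# Added example (not from the original document). Run on the ADFS server as an
# administrator; the snap-in name matches the text above.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

function Show-AdfsCertState {
    $p = Get-ADFSProperties
    Write-Host "CertificateDuration (days): $($p.CertificateDuration)"
    Write-Host "AutoCertificateRollover   : $($p.AutoCertificateRollover)"
    Get-ADFSCertificate |
        Where-Object { 'Token-Signing', 'Token-Decrypting' -contains $_.CertificateType } |
        Select-Object CertificateType, IsPrimary, Thumbprint,
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
            @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } } |
        Format-Table -AutoSize
}

Write-Host '--- Before ---'
Show-AdfsCertState

# Duration from the text above (36500 days); adjust to what the client agreed.
$newDuration = 36500
Set-ADFSProperties -CertificateDuration $newDuration

# -Urgent rolls over immediately: every relying party (the CRM claims and IFD
# trusts) rejects tokens until it has re-imported the federation metadata.
Update-ADFSCertificate -CertificateType Token-Decrypting -Urgent
Update-ADFSCertificate -CertificateType Token-Signing    -Urgent

# Stop ADFS from rolling the certificates over again on its own schedule.
Set-ADFSProperties -AutoCertificateRollover $false

Write-Host '--- After ---'
Show-AdfsCertState
```

Record the new thumbprints from the "After" table: with automatic rollover disabled and a 100-year duration, the signing key is never rotated by ADFS, so any future rollover (for example after a suspected key compromise) is a manual Update-ADFSCertificate followed by re-importing the metadata on every relying party, exactly as described above.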

For the above changes to take effect:

  1. On the CRM server, go to Deployment Manager and disable Claims-Based Authentication.
  2. Run iisreset on the CRM server.
  3. Re-configure Claims-Based Authentication from Deployment Manager, keeping all the settings the same.
  4. Re-configure IFD through Deployment Manager.
  5. Run iisreset again on the CRM server.
  6. In the ADFS management console on the ADFS server, update the corresponding Federation Metadata URLs.