Authentication Models


Knowing the security requirements of all of the accounts and services involved will help you build an effective solution and troubleshoot issues more easily. Microsoft Dynamics CRM offers a variety of authentication models and capabilities that allow users to access the application from inside and outside their network, so network administrators need to make the necessary configurations to ensure Microsoft Dynamics CRM runs securely.

Microsoft Dynamics CRM 2011 currently supports the following authentication models.

On Premises Intranet Only

  • Integrated Windows Authentication with NTLM or Kerberos
  • CRM users authenticated on the internal domain are granted access to CRM
  • Clients may use HTTP or HTTPS

On Premises Claims Based Authentication – Internal Access

  • CRM requests are redirected to ADFS Server
  • Credentials verified against Active Directory
  • ADFS Server uses Kerberos ticket from Active Directory, issues token
  • CRM session begins with ADFS issued token
  • HTTPS is required with Claims Authentication

On Premises Claims Based Authentication – External Access (Internet Facing Deployment)

  • CRM requests are redirected to ADFS Server
  • ADFS server prompts user for credentials, user logs in
  • Credentials verified against identity store (like Active Directory)
  • ADFS Server issues a token
  • CRM session begins with ADFS issued token
  • HTTPS is required with Claims Authentication
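The two claims-based flows above (internal and external access) share the same passive redirect pattern: CRM sends the unauthenticated browser to ADFS, ADFS authenticates the user (Kerberos internally, a login prompt on the proxy externally) and issues a token for the CRM realm, and CRM starts a session only after checking that token. The following is an added illustration, not code from the page or from Microsoft; it models that exchange in Python with constructed URLs and an HMAC in place of the ADFS token-signing certificate, and it enforces the HTTPS requirement the page states.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values (assumptions for this illustration, not from the page)
ADFS_URL = "https://adfs.contoso.example/adfs/ls/"
CRM_REALM = "https://crm.contoso.example/"
STS_KEY = b"constructed-shared-secret"  # stand-in for the ADFS token-signing certificate


def crm_redirect_to_adfs(request_url):
    """Relying party (CRM) step: an unauthenticated request is redirected to ADFS
    with WS-Federation sign-in parameters. Returns None if the request is not HTTPS,
    since claims authentication requires HTTPS."""
    if urlparse(request_url).scheme != "https":
        return None
    params = {"wa": "wsignin1.0", "wtrealm": CRM_REALM, "wctx": request_url}
    return ADFS_URL + "?" + urlencode(params)


def adfs_issue_token(redirect_url, user, authenticated, now=None):
    """STS (ADFS) step: once the user has authenticated, issue a signed token
    scoped to the realm that asked for it, with a short lifetime."""
    if not authenticated:
        return None
    query = parse_qs(urlparse(redirect_url).query)
    now = now or int(time.time())
    claims = {"iss": ADFS_URL, "aud": query["wtrealm"][0], "upn": user, "exp": now + 600}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def crm_accept_token(token, now=None):
    """Relying party step: CRM starts a session only if the token carries a valid
    signature from the trusted issuer, is addressed to CRM's realm and is unexpired.
    Returns the user principal name on success, None otherwise."""
    body, sig = token.split(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = now or int(time.time())
    if claims["iss"] != ADFS_URL or claims["aud"] != CRM_REALM or claims["exp"] <= now:
        return None
    return claims["upn"]


if __name__ == "__main__":
    redirect = crm_redirect_to_adfs("https://crm.contoso.example/main.aspx")
    token = adfs_issue_token(redirect, "alice@contoso.example", authenticated=True)
    print(crm_accept_token(token))  # alice@contoso.example
```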

ADFS 2.0 Deployment Models – On-Premises

  • Stand-alone server: A single ADFS 2.0 server using a local database, with or without an ADFS Proxy, that runs under a local server account. It provides neither fault tolerance nor load balancing.
  • Farm Server: Typically a group of servers configured with a local database or, ideally, using SQL Server for the ADFS database. This configuration provides load balancing and fault tolerance.
  • ADFS Proxy: ADFS Proxies reside in perimeter (DMZ) networks. They present the user with the authentication page and then pass the request to internal ADFS servers over HTTPS. The token is passed back to the client via the Proxy.

Note: A stand-alone ADFS server cannot be “switched” to a farm server. If there are plans to scale, or fault tolerance and load balancing might be required in the future, it is best to take the time now to configure a single farm server when ADFS is being deployed.