Recently, I had the opportunity to do an ADFS migration from ADFS 2.0 (Windows 2008 R2) to ADFS 3.0 (Windows Server 2012 R2). During the process, I realized that there were wild differences between the two versions – and there are a few extra steps you need to do in order to get CRM 2011’s Internet-Facing Deployment (IFD) working…

1.)   The first thing you need to do, of course, is install and configure the ADFS role on Windows Server 2012 R2, then set up CRM’s Claims-Based Authentication and IFD. Those procedures are documented on TechNet, and honestly, they haven’t changed from prior versions of ADFS.

However, once that’s done….

2.)   I found out the hard way that, for some reason, ADFS 3.0 does not enable Forms-Based Authentication by default. You’ll have to do the following:

  • In the ADFS console, click “Authentication Policies” in the left pane
  • In the center pane, under the Primary Authentication section, click Edit


  • In the Edit Global Authentication Policy window, make sure that Forms Authentication is checked for both Extranet and Intranet.

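The same setting from step 2 can be checked and applied from PowerShell instead of the console. This is an added example, not part of the original post; it assumes an elevated session on the primary ADFS server with the ADFS module available, and it keeps whatever providers are already enabled rather than overwriting them.

```powershell
# Added example: enable Forms Authentication in the global primary
# authentication policy (intranet and extranet) on ADFS 3.0.
# Assumption: run elevated on the primary ADFS server (Windows Server 2012 R2).
Import-Module ADFS

$required = 'FormsAuthentication'
$policy   = Get-AdfsGlobalAuthenticationPolicy

# Read the providers currently enabled, dropping empty entries, so that
# existing ones (for example WindowsAuthentication) are preserved.
$intranet = @($policy.PrimaryIntranetAuthenticationProvider | Where-Object { $_ })
$extranet = @($policy.PrimaryExtranetAuthenticationProvider | Where-Object { $_ })

Write-Host "Intranet providers before: $($intranet -join ', ')"
Write-Host "Extranet providers before: $($extranet -join ', ')"

# Build the parameter set only for the zones that are missing the provider,
# which makes the script safe to re-run.
$changes = @{}
if ($intranet -notcontains $required) {
    $changes['PrimaryIntranetAuthenticationProvider'] = $intranet + $required
}
if ($extranet -notcontains $required) {
    $changes['PrimaryExtranetAuthenticationProvider'] = $extranet + $required
}

if ($changes.Count -gt 0) {
    Set-AdfsGlobalAuthenticationPolicy @changes
    Write-Host "Updated: $($changes.Keys -join ', ')"
} else {
    Write-Host 'Forms Authentication is already enabled for both zones.'
}

# Confirm the resulting policy.
Get-AdfsGlobalAuthenticationPolicy |
    Format-List PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
```

Recording the "before" output gives you the previous provider list if the change needs to be rolled back.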

3.)   This got me a step closer!!! But, there is one more step. ADFS on Windows Server 2012 and 2012 R2 has a known issue publishing metadata for MEX endpoints. Fortunately, there is a Microsoft TechNet article on how to fix it here.

Once I completed those 3 steps, I could log into CRM via the new ADFS interface!

Next up: How to customize your ADFS 3.0 Logon Page!
