Internet-facing Deployment of CRM

In Microsoft Dynamics CRM Server 2011, configuring an internet-facing deployment (IFD) depends on claims-based authentication instead of the forms-based approach used in CRM 4.0. This means that a security token service (such as Active Directory Federation Services 2.0) must be installed. Certificate management is also important for service providers to understand.

Microsoft Dynamics CRM supports claims-based authentication through federated identity technology such as Active Directory Federation Services (AD FS) 2.0. This technology uses an open and interoperable claims-based model to provide simplified user access and single sign-on to applications on-premises, in the cloud, and even across organizations.

Configuring claims-based authentication and configuring the settings for an internet-facing deployment now take place as post-installation tasks. The steps to accomplish both tasks have been built into the Deployment Manager. Administrators who would prefer to script IFD configuration can do so using our new Dynamics CRM Windows PowerShell™ cmdlets.

Use of a wildcard certificate is recommended for Microsoft Dynamics CRM Server 2011 for hosting because each organization will be accessed using a unique host name in a common domain for the deployment. This should be a certificate provided by a known and trusted third-party certificate authority (CA). Although not required, you may simplify certificate management by reusing the CRM wildcard certificate as the encryption certificate for the AD FS platform. However, this may not be appropriate when authenticating users from partner domains.
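The following added example (not taken from the Microsoft documentation) checks which per-organization host names a wildcard certificate actually covers, since a wildcard matches exactly one left-most label. The function name `Test-WildcardCoverage` and the `contoso.com` names are constructed for illustration.

```powershell
# Added example. Requires Windows PowerShell 3.0 or later ([pscustomobject]).
# Reports whether each host name is covered by one of the certificate's DNS names.
# A wildcard is honoured only as the entire left-most label and matches one label.
function Test-WildcardCoverage {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CertDnsNames,  # DNS names on the certificate
        [Parameter(Mandatory = $true)] [string[]] $HostNames      # host names clients will request
    )
    foreach ($hostName in $HostNames) {
        $hostLabels = $hostName.ToLowerInvariant().Split('.')
        $match = $null
        foreach ($pattern in $CertDnsNames) {
            $patLabels = $pattern.ToLowerInvariant().Split('.')
            # Different label counts can never match: "*" does not span dots.
            if ($patLabels.Count -ne $hostLabels.Count) { continue }
            $ok = $true
            for ($i = 0; $i -lt $patLabels.Count; $i++) {
                $isWildcard = ($i -eq 0 -and $patLabels[$i] -eq '*')
                if (-not $isWildcard -and $patLabels[$i] -ne $hostLabels[$i]) {
                    $ok = $false
                    break
                }
            }
            if ($ok) { $match = $pattern; break }
        }
        [pscustomobject]@{
            HostName  = $hostName
            Covered   = [bool]$match
            MatchedBy = $match
        }
    }
}

# Constructed sample input: one wildcard name and four candidate host names.
$certNames = @('*.contoso.com')
$ifdHosts  = @(
    'org1.contoso.com',      # organization host in the common domain: covered
    'org2.contoso.com',      # second organization: covered
    'contoso.com',           # bare domain: not covered by the wildcard
    'org1.crm.contoso.com'   # two labels below the domain: not covered
)
Test-WildcardCoverage -CertDnsNames $certNames -HostNames $ifdHosts |
    Format-Table -AutoSize
```

Any host reported as not covered needs either a different naming scheme for the deployment or an additional name on the certificate.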

For more information, see "Certificate selection and requirements" in the Microsoft Dynamics CRM 2011 Configuring Claims-based Authentication white paper, available for download at