码迷,mamicode.com
首页 > 其他好文 > 详细

Configure the AD FS server for claims-based authentication -zhai zi wangluo

时间:2014-09-18 18:39:24      阅读:186      评论:0      收藏:0      [点我收藏+]

标签:des   http   io   os   java   ar   strong   for   2014   

Applies To: Microsoft Dynamics CRM 2011, Microsoft Dynamics CRM 2013

After enabling claims-based authentication, the next step is to add and configure the claims provider and relying party trusts in AD FS.

You need to add a claims rule to retrieve the user principal name (UPN) attribute from Active Directory and send it to Microsoft Dynamics CRM as a UPN.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.

  3. Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

  4. In the Rules Editor, click Add Rule.

  5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

  6. Create the following rule:

    • Claim rule name: UPN Claim Rule (or something descriptive)

    • Add the following mapping:

      1. Attribute store: Active Directory

      2. LDAP Attribute: User Principal Name

      3. Outgoing Claim Type: UPN

  7. Click Finish, and then click OK to close the Rules Editor.

After you enable claims-based authentication, you must configure Microsoft Dynamics CRM Server as a relying party to consume claims from AD FS for authenticating internal claims access.

  1. On the server running AD FS, start AD FS Management.

  2. In the Navigation Pane, expand Trust Relationships, and then click Relying Party Trusts.

  3. On the Actions menu located in the right column, click Add Relying Party Trust.

  4. In the Add Relying Party Trust Wizard, click Start.

  5. On the Select Data Source page, click Import data about the relying party published online or on a local network, and then type the URL to locate the federationmetadata.xml file.

    This federation metadata is created during claims setup. Use the URL listed on the last page of the Configure Claims-Based Authentication Wizard (before you click Finish), for example, https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml. Verify that no certificate-related warnings appear.

  6. Click Next.

  7. On the Specify Display Name page, type a display name, such as CRM Claims Relying Party, and then click Next.

  8. On the Configure Multi-factor Authentication Now page, make your selection and click Next.

  9. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

  10. On the Ready to Add Trust page, on the Identifiers tab, verify that Relying party identifiers has a single identifier such as the following:

    • https://internalcrm.contoso.com

    If your identifier differs from the above example, click Previous in the Add Relying Party Trust Wizard and check the Federation metadata address.

  11. Click Next, and then click Close.

  12. If the Rules Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object that you created, click Edit Claims Rules, and then click Add Rule.

    bubuko.com,布布扣Important
    Be sure the Issuance Transform Rules tab is selected.

     

     

  13. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  14. Create the following rule:

    • Claim rule name: Pass Through UPN (or something descriptive)

    • Add the following mapping:

      1. Incoming claim type: UPN

      2. Pass through all claim values

  15. Click Finish.

  16. In the Rules Editor, click Add Rule, in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

  17. Create the following rule:

    • Claim rule name: Pass Through Primary SID (or something descriptive)

    • Add the following mapping:

      1. Incoming claim type: Primary SID

      2. Pass through all claim values

  18. Click Finish.

  19. In the Rules Editor, click Add Rule.

  20. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

  21. Create the following rule:

    • Claim rule name: Transform Windows Account Name to Name (or something descriptive)

    • Add the following mapping:

      1. Incoming claiming type: Windows account name

      2. Outgoing claim type: Name or * Name

      3. Pass through all claim values

  22. Click Finish, and when you have created all three rules, click OK to close the Rules Editor.

    bubuko.com,布布扣

    This illustration shows the three relying party trust rules you create.

The relying party trust you created defines how AD FS Federation Service recognizes the Microsoft Dynamics CRM relying party and issues claims to it.

In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

  1. Log on to the AD FS server as an administrator.

  2. Open the AD FS management console and click Authentication Policies.

  3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

  4. Under Intranet, enable (check) Forms Authentication.

bubuko.com,布布扣

 

See Also

 

Send comments about this article to Microsoft.

© 2014 Microsoft Corporation. All rights reserved.

Configure the AD FS server for claims-based authentication -zhai zi wangluo

标签:des   http   io   os   java   ar   strong   for   2014   

原文地址:http://www.cnblogs.com/haoliansheng/p/3979669.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!