Microsoft CRM 2011 How to Configure IFD Hosted Setup

Like many, we have struggled to configure Microsoft CRM 2011 as an Internet Facing Deployment. There is quite a bit of disjointed and somewhat typical Microsoft “junk” on how to set this up.

So after reading the White Papers, blogs and YouTube videos on the topic, I figured I would need notes for myself as much as anything. This is mostly because I am yet to find one single example that covered the setup I was after. That being:

Single Server

On an existing domain

Running true IFD ready for customer access.

The last point is telling, as all the Microsoft examples use a self-generated SSL cert, which really is an example of a DEV environment only. We want to test the “real deal”, and don’t mind spending a few $ on a real certificate to see this in a true working environment.

If you need support upgrading Microsoft CRM 4.0 to CRM 2011 or CRM 2013, then contact InteractiveWebs CRM team.

The Existing Setup

Because this is a test environment, we are running the server on a Hyper V server. A single VM machine, that is running a fully patched version of:

  • Windows 2008 R2 SP1 64 Bit
  • SQL 2008 R2 64 Bit
  • Microsoft CRM 2011 64 Bit

Interestingly enough, something that always takes me 15 min is ensuring I download the correct version of the ISO files from MSDN. I get it that I am somewhat lame, but if you get a wrong version you can waste a load of time and energy later.


With a list looking like this it can be painful. Anyway, these are the files we used for install:


For those who care, the VM was set to run with 6000 MB ram, and fold out to use more.



When we set up CRM, we selected the option to NOT use the default website, but to configure a new one with the default settings of port 5555. This is necessary, as you will see later.


Backup First

In all things Microsoft, it is vital that you establish a working point to avoid unnecessarily installing things all over again. To get things working we have started fresh over 4 times.

Hyper V is great for this, as we just stopped the server, and made a copy of the VHD file. Then when it is time to start all over, it is just a matter of restoring from copy/backup.


Test First

Test that your CRM setup is working. Go to the local computer name (ours is VSERVER08) on the correct port: http://vserver08:5555

We called our Deployment of CRM – “CRM2011” So the URL redirects to: http://vserver08:5555/CRM2011/main.aspx

and after being prompted for login, we are in and testing.


Apply a Wildcard SSL Certificate

In CRM, the accessing of deployments is handled by the sub domains. So if we call a deployment “business1” we will access that as:

For testing, we purchased a standard Wildcard SSL certificate and applied that to the IIS7 server.

We will let you work out that bundle of joy, but a few tips.

1. Godaddy was about as cheap as you find on the net.

2. Setup involves creating a certificate request from within IIS, then pasting that text into the online provider’s order system. They then generate the certificates, which you import back into IIS and the server.


Application for a certificate

Here I use a wildcard certificate as the example to describe how to create a certificate:

1) Open IIS Manager.

2) Click the server name, then in the main screen double-click Server Certificates.

3) In the right panel, click Create Certificate Request…

4) Fill in each field, then click Next.

5) On the Cryptographic Service Provider Properties page, keep the defaults and click Next.

6) On the File Name page, enter C:\req.txt, and then click Finish.

7) Run cmd, then run:

certreq -submit -attrib "CertificateTemplate:WebServer" C:\req.txt

8) Select the CA and click OK.

9) Save the certificate as C:\Wildcard.cer. (Steps 7-9 can also be completed on the CA.)

10) Back in IIS Manager, on the same screen as step 3, click Complete Certificate Request…

11) Select C:\Wildcard.cer and give it the Friendly name *. (you can of course choose a different name).

12) Click OK.

13) That completes the wildcard certificate request.


Additional SSL Certificate Imports

1) Run MMC from Start / Search.

2) Select File / Add/Remove Snap-in, select Certificates, and click Add.

Select Computer Account, then Next / Finish.

3) Expand the first two folders, right-click the Certificates folder and select All Tasks / Import.

4) Browse to your wildcard SSL certificate file, and import it into the Personal and Trusted Root Certification Authorities folders.



Ensure that you


Binding site for the default SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click Default Web Site.

3) In the Actions pane, click Bindings.


4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created (*.), and then click OK.

Ours is

7) Click Close.

8) Repeat for the Personal certificate folder.


For the CRM 2011 binding site SSL certificate

1) Open IIS Manager.

2) In the Connections panel, expand Sites , click CRM Web Site.

3) In the Actions pane, click Bindings.

4) In the Site Bindings dialog box, click Add.

5) For Type, select HTTPS.

6) For SSL Certificate, select the certificate you just created (*.).

7) For Port, choose a port number other than 443 (e.g. 444), and then click OK.

8) Click Close.


DNS configuration

To configure claims-based authentication for MS CRM 2011, you need to add some DNS records so that each CRM 2011 endpoint can be resolved correctly.

There are two ways you can achieve the desired result. But first let’s understand the desired result.

  1. We make the assumption that your server is running at least one static IP address.
  2. Because this is Internet Facing, that IP needs to be accessible to the world.
  3. That same IP can be used for access to your server both internally on the machine we are playing with, and externally from anyone on the net.

Let’s Get Basic

Start a Command Prompt, and work out what your IP address of the server is.


Type IPCONFIG – Enter

Under the name: IPv4 Address is a number that looks like:


That is Your IP Address of the Server.

The DNS Goal

Make sure that when you PING that it points to that IP address. Both for the world and for you when you do that on your server.

(xxx is the sub domain that we are about to configure.)

To configure CRM, we need some sub domains to point to the server IP.

  4. Your ORG name. (Where ORG is the CRM deployment name of your organization or organizations), e.g.


We have two setup here: CRM and CRM2011. So we need to configure and

Hosting Your Own DNS

If you host your own Domain Name Server (DNS) and you host the domain name that you are using to set up IFD, then configuring an A record for the above mentioned sub domains is easy.

START > Administrative Tools > DNS

Find your Domain Name

Right Click and select NEW HOST A



Add an A record that points to your server’s IP address.

Repeat this process for all of the above mentioned sub domains: auth, sts1, dev, and your own organization names.

Test DNS

You must be able to ping all of those names and get the correct server IP address. Both from computers on the internet, and from the server.

Note: If you have added the DNS records but still encounter name resolution problems, try running ipconfig /flushdns on the client to clean up its cache. You can also click the DNS server root and click CLEAR CACHE so that the server is responding with the latest updates.


Note: Don’t bother proceeding past this step if you cannot ping your sub domains internally and externally correctly.


Firewall configuration

You need to set the firewall to allow incoming traffic on the ports used by CRM 2011 and AD FS 2.0. The default port for HTTPS (SSL) is 443.

For initial setup testing etc., we recommend just turning the thing off. Better to start from a place where it does not muck you around, then turn it all back on after you are successful.



Configure claims-based authentication for internal access

Configuring claims-based authentication for internal access requires the following steps:

  • Install and configure AD FS 2.0.
  • Configure claims-based authentication on the CRM 2011 server.
  • Configure claims-based authentication on the AD FS 2.0 server.
  • Test internal access with claims-based authentication.

Install and configure AD FS 2.0

CRM 2011 works with a variety of STS providers. This article uses Active Directory Federation Services (AD FS) 2.0 to provide the security token service (STS).

Note: AD FS 2.0 will be installed to the default site, so before you install AD FS 2.0 you must have CRM 2011 installed in a new site. (Remember we said that earlier.)

IIS looks like this if it is correctly installed:

If you only see the default website with CRM installed in that, start AGAIN!


Download the AD FS 2.0

Download AD FS 2.0 from the following link:

Active Directory Federation Services 2.0 RTW( ).


Install AD FS 2.0

In the installation wizard, select the federation server role. For more information refer to

Install the AD FS 2.0 Software( ).

Configure AD FS 2.0

1 On the AD FS 2.0 server, click Start, then click AD FS 2.0 Management.

2 On the AD FS 2.0 Management page, click AD FS 2.0 Federation Server Configuration Wizard.

3 On the Welcome page, select Create a new Federation Service, and then click Next.

4 On the Select Deployment Type page, select Stand-alone Federation Server, and then click Next.

5 Choose your SSL certificate (the *. certificate you created), add a Federation Service name (for example ), and then click Next.

Note: You only need to add the Federation Service name when the AD FS 2.0 site uses a wildcard certificate.

6 On the Summary page, click Next.

7 Click Close to close the AD FS 2.0 Configuration Wizard.

Note: If you have not yet added the DNS record for ( ), then do it now.


Verify the AD FS 2.0 is working

Follow the steps below to verify that AD FS 2.0 is working:

1 Open Internet Explorer.

2 Enter the URL of the federation metadata, for example:

3. Ensure that no certificate-related warning appears.



Claims-based authentication configuration CRM 2011 server

After you install and configure AD FS 2.0, we need to set the CRM 2011 binding type and root domains before configuring claims-based authentication.

Follow these steps to set the CRM 2011 binding to HTTPS and configure the root domain web addresses:

1 Open the CRM Deployment Manager.

2 In the Actions pane, click Properties.

3 Click the Web Address page.

4 In Binding Type, select HTTPS.

5. Ensure that the web addresses are valid for the SSL certificate and SSL port bound to the CRM 2011 site. Because you are configuring claims-based authentication for internal access, use the host name for the root domain web addresses. The port number must be the same as the port set for the CRM 2011 site in IIS.

6 For example, with a *. wildcard certificate, you can use 444 as the web address.

7 Click OK.

Note: If the CRM Outlook client was configured using the old binding value, it needs to be updated to use the new value. Also make sure you have a DNS entry for: internalcrm.

The claims data passed from CRM 2011 to AD FS 2.0 is encrypted using the certificate you specify in the Claims-Based Authentication Configuration Wizard (described below). Therefore, the CRMAppPool account of the CRM web application must have Read permission on the private key of that encryption certificate. Follow these steps to grant this permission:

1 On the CRM 2011 server, run the Microsoft Management Console (Start => Run MMC).

2 Click File => Add/Remove Snap-in…

3 In the left panel, select Certificates, then click Add to add it to the right panel.

4 In the pop-up window, select Computer account.

5 On the next page, select Local Computer, then click Finish.

6 Click OK.

7 Expand Certificates (Local Computer) => Personal, and select Certificates.

8. In the middle panel, right-click the encryption certificate that you will specify in the Claims-Based Authentication Configuration Wizard (in this case *.), then click All Tasks => Manage Private Keys.

9 Click Add, add the CRMAppPool account (if you are using Network Service, select that account directly), and then grant Read permission.

Note: You can use IIS Manager to see which account CRMAppPool uses. In the Connections panel, click Application Pools, and then look at Identity for CRMAppPool.


10 Click OK .
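To check the result of the steps above, the following added example (not part of the original post) lists every account that can read the certificate's private key file and marks the ones you did not expect. The function name, the thumbprint placeholder and the expected-account list are assumptions; it also assumes a CSP-backed RSA key in the LocalMachine\My store.

```powershell
# Added example: audit read access to a certificate's private key (PowerShell 2.0 compatible).
# Assumptions: the certificate is in Cert:\LocalMachine\My and its key is CSP-backed (RSA).

function Get-PrivateKeyReaders {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # Accounts expected to hold access. If CRMAppPool runs as a domain account,
        # pass that account here instead of NETWORK SERVICE.
        [string[]]$Expected = @('NT AUTHORITY\SYSTEM',
                                'BUILTIN\Administrators',
                                'NT AUTHORITY\NETWORK SERVICE')
    )

    $cert = Get-Item -Path ("Cert:\LocalMachine\My\" + $Thumbprint) -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this machine."
    }

    $key = $cert.PrivateKey
    if ($key -eq $null -or $key.CspKeyContainerInfo -eq $null) {
        throw "Private key is not CSP-backed; this check only handles CSP keys."
    }

    # Machine keys created through a CSP are stored as files under MachineKeys;
    # "Manage Private Keys" in the Certificates snap-in edits the ACL of this file.
    $keyFile = Join-Path $env:ProgramData `
        ("Microsoft\Crypto\RSA\MachineKeys\" + $key.CspKeyContainerInfo.UniqueKeyContainerName)

    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($ace in (Get-Acl -Path $keyFile).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $readData) -eq 0) { continue }

        $id = $ace.IdentityReference.Value
        New-Object PSObject -Property @{
            Identity   = $id
            Rights     = $ace.FileSystemRights
            Unexpected = ($Expected -notcontains $id)
        }
    }
}

# Usage (replace the placeholder with the wildcard certificate's thumbprint):
# Get-PrivateKeyReaders -Thumbprint '<THUMBPRINT>' | Where-Object { $_.Unexpected }
```

Any row marked Unexpected is an account that can read the key used to protect the security tokens and is worth removing if CRM does not need it.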


Configure Claims-Based Authentication

Below, we use the Configure Claims-Based Authentication Wizard to configure claims-based authentication. To learn how to configure claims-based authentication with PowerShell, refer to the English original.

1) Open the Deployment Manager.

2) In the left navigation panel, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

3) Click Next.

4) On the Specify the security token service page, enter the Federation metadata URL, such as

Note: This data is usually on the AD FS 2.0 website. Copy this URL into IE to view the federation metadata and confirm that it is the correct URL. Accessing the URL in IE must not produce any certificate-related warnings (Ignore that crap!)


5) Click Next .

6) On the Specify the encryption certificate page, click Select…

7) Select a certificate; here we choose *

8) This certificate is used to encrypt the authentication security tokens sent to the AD FS 2.0 security token service.

Note: The Microsoft Dynamics CRM service account must have Read permission on the private key of the encryption certificate.

10 Click Next. The Claims-Based Authentication Configuration Wizard validates the token and certificate you specified.

11 On the System Checks page, if the checks pass, click Next.

12 On the Review your selections and then click Apply page, confirm your input, and then click Apply.

13. On this page, note the URL shown, because you will use this URL later to add a relying party to the security token service.



14 IMPORTANT – Click View Log File

15 Scroll to the end, and Copy the URL from the bottom of the file.

This will be used in the next configuration. Note that this is different to the URL used in step 4 above, as it represents the internal URL. Subtle but vital (and the cause of frustration the first 10 times we tried this).

16 Click Finish.

17 Validate that you can browse to the URL above. If you cannot view this in a browser, then have a look again at your permissions on the certificate in relation to the account on the application pool in IIS for CRM. Read above: Claims-based authentication configuration CRM 2011 server.

18. Once you can browse this URL, you are done here.


Claims-based authentication configuration AD FS 2.0 server

After completing the previous step, we next need to add and configure the claims provider trust and the relying party trust in AD FS 2.0.

Configure claims provider trusts

You need to add a claims rule that retrieves the user’s UPN (user principal name) from Active Directory and delivers it to MS CRM as a UPN claim. Follow these steps to configure AD FS 2.0 to send the UPN LDAP attribute as a claim to the relying party:

1 On the server where AD FS 2.0 is installed, open AD FS 2.0 Management.

2 In the Navigation Pane, expand Trust Relationships, and then click Claims Provider Trusts.

3 Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claims Rules.

4 In the Rules Editor, click Add Rule.

5. In the Claim rule template list, select the Send LDAP Attributes as Claims template, and then click Next.

6 Create the following rule:

  • Claim rule name: UPN Claim Rule (or other descriptive name)

· Add the following mapping:

  • Attribute Store: Active Directory
  • LDAP Attribute: User Principal Name
  • Outgoing Claim Type: UPN

7 Click Finish, then click OK to close the Rules Editor.


Configure relying party trusts

After you enable claims-based authentication, you must configure the CRM 2011 server as a relying party so that it can use claims from AD FS 2.0 to authenticate internal access.

1 Open AD FS 2.0 Management.

2 In the Actions menu, click Add Relying Party Trust.

3 In the Add Relying Party Trust Wizard, click Start.

4 On the Select Data Source page, click Import data about the relying party published online or on a local network, and enter the URL that locates the federationmetadata.xml file.

The federation metadata is created when you set up claims with the Claims-Based Authentication Configuration Wizard. The URL used here is IMPORTANT – read point 14 in the above section. It is the URL retrieved from VIEW LOG FILE when we configured Claims-Based Authentication. In this case

Note: Ensure that no certificate-related warnings appear when hitting the URL.

5 Click Next.

6 On the Specify Display Name page, enter a display name, such as CRM Claims Relying Party, and then click Next.

7 On the Choose Issuance Authorization Rules page, choose Permit all users to access this relying party, and then click Next.

8 On the Ready to Add Trust page, click Next, then click Close.

9. When the Rule Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object you created, click Edit Claims Rules, and then click Add Rule.

10. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

11 Create the following rule:

· Claim rule name: Pass Through UPN (or other descriptive name)

· Add the following mapping:

  • Incoming claim type: UPN
  • Pass through All claim values

12 Click Finish.

13 In the Rule Editor, click Add Rule. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:

· Claim rule name: Pass Through Primary SID (or other descriptive name)

· Add the following mapping:

  • Incoming claim type: Primary SID
  • Pass through All claim values

14 Click Finish.

15 In the Rule Editor, click Add Rule.

16. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

17 Create the following rule:

· Claim rule name: Transform Windows Account Name to Name (or other descriptive name)

  • Incoming claim type: Windows account name
  • Outgoing claim type: Name
  • Pass through All claim values

18 Click Finish. Once you have created the three rules, click OK to close the Rule Editor.




Test claims-based authentication for internal access

You should now be able to access CRM 2011 internally using claims authentication.

1 Open the Deployment Manager.

2 Expand the Deployment Manager node, and then click Organizations.

3 Right-click your organization, and then click Browse, so you can open the CRM web page (for example: ).


Trouble Shooting

If the CRM web page cannot be displayed, run iisreset and then try again.

If the CRM web page still does not show, you may need to set up an SPN (Service Principal Name) for the AD FS 2.0 server. Re-run the Claims-Based Authentication Wizard, browse to the Specify the security token service page, and note the AD FS 2.0 server name in the Federation metadata URL. (In this case )

1 Open a command line tool.

2 Enter the following commands, substituting the names from your own environment:

c:\> setspn -a http/ fserver4\VSERVER08$

fserver4\VSERVER08 = the domain and machine name of the server.

c:\> iisreset

3 Then re-access the Microsoft Dynamics CRM Server 2011 site; you should now be able to access the CRM 2011 web page successfully.

If you receive ADFS – sts1 errors.

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: xxx

And/or if you look in your log files under AD FS 2.0, you will see errors like this.

In our case, this was because we used the external Metadata URL and not the Internal URL that we should have copied from the “View Log File” when configuring the Claims Based Authentication. Step 14 in the section above.



Note the difference between this:

and the original meta data check we did with:

We incorrectly figured it would be pulling the same XML data. It does NOT!
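The mix-up described above can be caught before a URL is pasted into the Add Relying Party Trust wizard. The following added example (not from the original post) summarises a federation metadata document so you can see whether it describes a token service or a relying party and which host it belongs to. The XML documents, the example.com host names and the function names are constructed for illustration, and it assumes the WS-Federation metadata layout in which a token service declares a SecurityTokenServiceType role and a relying party only an ApplicationServiceType role.

```powershell
# Added example (PowerShell 2.0 compatible). All XML and host names below are constructed.
$NsFed = 'http://docs.oasis-open.org/wsfed/federation/200706'
$NsWsa = 'http://www.w3.org/2005/08/addressing'
$NsXsi = 'http://www.w3.org/2001/XMLSchema-instance'

function Get-FederationMetadataSummary {
    param([Parameter(Mandatory = $true)][xml]$Metadata)

    $root = $Metadata.DocumentElement
    if ($root.LocalName -ne 'EntityDescriptor') {
        throw "Not a federation metadata document (root element is $($root.LocalName))."
    }

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $Metadata.NameTable
    $ns.AddNamespace('fed', $NsFed)
    $ns.AddNamespace('wsa', $NsWsa)

    $roles = @()
    $endpoints = @()
    foreach ($node in $root.ChildNodes) {
        if ($node.LocalName -ne 'RoleDescriptor') { continue }
        # xsi:type looks like "fed:SecurityTokenServiceType"; keep the part after the prefix.
        $roles += ($node.GetAttribute('type', $NsXsi) -replace '^.*:', '')
        $xpath = 'fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address'
        foreach ($address in $node.SelectNodes($xpath, $ns)) {
            $endpoints += $address.InnerText.Trim()
        }
    }

    if ($roles -contains 'SecurityTokenServiceType') { $kind = 'TokenService' }
    elseif ($roles -contains 'ApplicationServiceType') { $kind = 'RelyingParty' }
    else { $kind = 'Unknown' }

    New-Object PSObject -Property @{
        EntityId  = $root.GetAttribute('entityID')
        Kind      = $kind
        Endpoints = @($endpoints | Select-Object -Unique)
    }
}

# True only when the document describes a relying party served from the expected host.
function Test-RelyingPartyMetadata {
    param([Parameter(Mandatory = $true)][xml]$Metadata,
          [Parameter(Mandatory = $true)][string]$ExpectedHost)

    $summary = Get-FederationMetadataSummary -Metadata $Metadata
    $endpointHosts = @($summary.Endpoints | ForEach-Object { ([uri]$_).Host })
    ($summary.Kind -eq 'RelyingParty') -and ($endpointHosts -contains $ExpectedHost)
}

# Constructed sample documents, reduced to the elements the summary reads.
$template = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{0}">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:{1}">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>{2}</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
'@
$samples = @(
    ($template -f 'http://sts1.example.com/adfs/services/trust',
                  'SecurityTokenServiceType', 'https://sts1.example.com/adfs/ls/'),
    ($template -f 'https://internalcrm.example.com:444/',
                  'ApplicationServiceType', 'https://internalcrm.example.com:444/'),
    ($template -f 'https://auth.example.com:444/',
                  'ApplicationServiceType', 'https://auth.example.com:444/')
)

# Summarise each document, then test it against the host expected for the
# internal relying party trust (internalcrm) and for the IFD trust (auth).
foreach ($doc in $samples) {
    $summary = Get-FederationMetadataSummary -Metadata $doc
    New-Object PSObject -Property @{
        EntityId      = $summary.EntityId
        Kind          = $summary.Kind
        OkForInternal = (Test-RelyingPartyMetadata $doc 'internalcrm.example.com')
        OkForIfd      = (Test-RelyingPartyMetadata $doc 'auth.example.com')
    }
}

# Against a live server, download the document first, for example:
# $doc = (New-Object System.Net.WebClient).DownloadString('<metadata URL from the log file>')
```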


Configure claims-based authentication for external access

To enable claims-based authentication for external access to CRM 2011 data, you need to do the following steps:

1 Complete the previous section: Configure claims-based authentication for internal access.

2 Configure the CRM 2011 server for IFD.

3 Configure the AD FS 2.0 server for IFD.

4 Test external access with claims-based authentication.

Configure the CRM 2011 server for IFD

Once claims authentication is enabled for internal access, you can enable external claims access through IFD. The following describes using the IFD Configuration Wizard; if you want to learn how to configure it with PowerShell, refer to the English original.

1 Open the Deployment Manager.

2 In the tree structure, right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment.

3 Click Next.

4 Fill in the correct domain information for the Web Application, Org, and Discovery Web services. Remember that in our case * was the name of the wildcard certificate used, and that port 444 was the port we configured for the CRM Web Instance in the bindings for IIS.

Thus we use:

  • Web Application Server Domain:
  • Organization Web Service Domain:
  • Web Service Discovery Domain:

Note – Enter the domain name, rather than the server name.

  • If CRM is installed on a single server, or on servers in the same domain, then the Web Application Server Domain and Organization Web Service Domain should be the same.
  • The Web Service Discovery Domain must be a subdomain of the Web Application Server Domain, like the “dev.” that we set up in DNS earlier.
  • The domain name must be on the SSL certificate name.

Domain examples :

  • Web Application Server Domain: 444
  • Organization Web Service Domain: 444
  • Web Service Discovery Domain: 444

For more information on the website, please refer to Install Microsoft Dynamics CRM Server 2011 on multiple computers( )

5 In the Enter the external domain where your Internet-facing servers are located box, enter the external domain information for your Internet-facing CRM 2011 servers, and then click Next.

The domain you specify must be a sub domain of the Web Application Server Domain specified in the previous step. By default, “auth.” is prepended to the Web Application Server Domain.

Domain examples :

  • External Domain: 444

6 In the System Checks page , if there is no problem, click Next.


7 In Review your selections and then click Apply page , confirm your input , and then click Apply.


8 Click Finish .


9. Open a command line tool, run: iisreset


Configure the AD FS 2.0 server for IFD

To enable IFD for CRM 2011, you need to create a relying party trust for the IFD endpoint on the AD FS 2.0 server. Follow these steps:

1 Open AD FS 2.0 Management.

2 In the Actions menu, click Add Relying Party Trust.

3 In the Add Relying Party Trust Wizard, click Start.

4 On the Select Data Source page, click Import data about the relying party published online or on a local network, and enter the URL that locates the federationmetadata.xml file.

Note – This is almost the same URL as we used previously, but it has the auth sub domain that we used in point 4 above. The federation metadata used here is created when IFD is configured. In this case .

Check the URL in your browser to ensure that no certificate-related warnings appear.

5 Click Next.

6 On the Specify Display Name page, enter a display name, such as CRM IFD Relying Party, and then click Next.

7 On the Choose Issuance Authorization Rules page, select the Permit all users to access this relying party option, and then click Next.

8 On the Ready to Add Trust page, click Next, then click Close.

9. If the Rule Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object you created, click Edit Claims Rules, and then click Add Rule.

10. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

11 Create the following rule:

· Claim rule name: Pass Through UPN (or other descriptive name)

· Add the following mapping:

  • Incoming claim type: UPN
  • Pass through All claim values

12 Click Finish.

13 In the Rule Editor, click Add Rule. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:

· Claim rule name: Pass Through Primary SID (or other descriptive name)

· Add the following mapping:

  • Incoming claim type: Primary SID
  • Pass through All claim values

14 Click Finish.

15 In the Rule Editor, click Add Rule.

16. In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

17 Create the following rule:

· Claim rule name: Transform Windows Account Name to Name (or other descriptive name)

  • Incoming claim type: Windows account name
  • Outgoing claim type: Name
  • Pass through All claim values

18 Click Finish. Once you have created the three rules, click OK to close the Rule Editor.
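Both relying party trusts, the internal one created earlier and the IFD one created here, receive the same three rules. The following added example (not from the original post) parses rule text written in AD FS claim rule language and reports rules that are missing or extra compared with this guide. The sample rule text is constructed to match what the three templates produce, and the function names are hypothetical; on a server the text would come from the IssuanceTransformRules property returned by Get-ADFSRelyingPartyTrust.

```powershell
# Added example (PowerShell 2.0 compatible). The rule text below is a constructed sample.
$Claims   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$MsClaims = 'http://schemas.microsoft.com/ws/2008/06/identity/claims'

# "incoming -> outgoing" claim types for the three rules in this guide.
$ExpectedRules = @(
    "$Claims/upn -> $Claims/upn",
    "$MsClaims/primarysid -> $MsClaims/primarysid",
    "$MsClaims/windowsaccountname -> $Claims/name"
)

# Returns one "incoming -> outgoing" string per issue() rule found in the text.
function Get-ClaimRuleMappings {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$RuleText)

    $rulePattern = '(?s)\[(?<cond>[^\]]*)\]\s*=>\s*issue\s*\((?<body>.*?)\)\s*;'
    foreach ($m in [regex]::Matches($RuleText, $rulePattern)) {
        $incoming = [regex]::Match($m.Groups['cond'].Value,
                                   'Type\s*==\s*"([^"]+)"').Groups[1].Value
        $body = $m.Groups['body'].Value
        if ($body -match '^\s*claim\s*=\s*\w+\s*$') {
            $outgoing = $incoming            # pass-through: the claim is issued unchanged
        } else {
            # Transform: take the literal Type = "..." (not ValueType = c.ValueType).
            $outgoing = [regex]::Match($body,
                '(?<![A-Za-z])Type\s*=\s*"([^"]+)"').Groups[1].Value
        }
        "$incoming -> $outgoing"
    }
}

# Compares a trust's rules with the expected set.
function Test-CrmRelyingPartyRules {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$RuleText)

    $found = @(Get-ClaimRuleMappings -RuleText $RuleText)
    New-Object PSObject -Property @{
        Missing = @($ExpectedRules | Where-Object { $found -notcontains $_ })
        Extra   = @($found | Where-Object { $ExpectedRules -notcontains $_ })
    }
}

# Constructed sample: the three rules as the GUI templates write them.
$sample = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);
'@

# Constructed variant: Primary SID rule replaced by a group SID pass-through,
# so one expected rule is missing and one additional claim is released.
$drifted = $sample -replace 'primarysid', 'groupsid'

Test-CrmRelyingPartyRules -RuleText $sample
Test-CrmRelyingPartyRules -RuleText $drifted

# On the AD FS 2.0 server:
# Add-PSSnapin Microsoft.Adfs.PowerShell
# Get-ADFSRelyingPartyTrust |
#     ForEach-Object { Test-CrmRelyingPartyRules -RuleText $_.IssuanceTransformRules }
```

An entry under Extra means the trust releases a claim this guide does not call for, which is worth reviewing on an Internet-facing relying party.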

Test claims-based authentication for external access

Now you should be able to access CRM 2011 externally using claims authentication. In IE, browse to the CRM 2011 external address (for example: ), and you will see the following page:

Enter the user name and password to log in to CRM 2011.


Final Notes

An additional log cleanup step here.

Like anything Microsoft, this was not easy. It took us over 10 attempts, drawing on over a dozen resources, to get this worked out. For us, the main tripping points related to the metadata URLs used in configuring the endpoints. Our fault, but it also appears to be a common error among other administrators on the net.

To Microsoft – your documentation sucks badly! If I never read another White Paper it will be too soon!

Thanks to – Jackie Chen (Chen Pan) Your blog was GOLD!

Also Look at these Updates

Look for our other posts on Email Router Configurations. “is a fickle bitch!”

AD FS certificate rollover CRM 2011

CRM 2011 Rollup 10 Invalid Argument Error

Posted by InteractiveWebs

This blog is the combined blog work of the InteractiveWebs Dev Team. Together we work on a range of DotNetNuke (DNN) applications, modules, Silverlight, and Microsoft CRM Portal integration products. Our Business is website design and hosting, with a strong focus on DotNetNuke, Microsoft Dynamics CRM, Silverlight and iPhone iPad development.



We have deployed MSCRM for IFD. The instance is working fine. But the custom applications added to it are not opening up. Say, we have a custom import tool in the ribbon. The tool could not be opened from Public access of MSCRM. Showing up . Error details as below:
InvalidOperationException was unhandled by user code
Message=The user authentication failed!
at Microsoft.Xrm.Sdk.ClientExceptionHelper.Assert(Boolean condition, String message)
at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.AuthenticateCore()
at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.Authenticate()
at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.ValidateAuthentication()
at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.get_ServiceChannel()
at Microsoft.Xrm.Sdk.Client.ServiceContextInitializer`1.Initialize(ServiceProxy`1 proxy)
at Microsoft.Xrm.Sdk.Client.ServiceContextInitializer`1..ctor(ServiceProxy`1 proxy)
at Microsoft.Xrm.Sdk.Client.OrganizationServiceContextInitializer..ctor(OrganizationServiceProxy proxy)
at Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy.ExecuteCore(OrganizationRequest request)
at Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy.Execute(OrganizationRequest request)
at _Default.PopulateStatusList(IOrganizationService service) in D:\—–\Default.aspx.vb:line 110
at _Default.form1_Init(Object sender, EventArgs e) in D:\—-\Default.aspx.vb:line 334
at System.Web.UI.Control.OnInit(EventArgs e)
at System.Web.UI.HtmlControls.HtmlForm.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Please help us in identifying the issue.


Don’t know about this one. Perhaps someone else who reads this can assist. If you find a solution, please post it.

Tomasz Olędzki

ADFS Proxy config is missing. Publishing MSCRM and ADFS directly to the internet is extreme security threat.


Thanks Tomasz. We are saying how to get things working, not a security best practice. We would always recommend a security layer.

I have configured the same way, however my report records are having internal CRM link, and they are not accessible via Public Domain Machine. Please let me know how I can use the External Link under Web address and what all changes I need to make for working Internally and Externally. My current setup is having 2 Applications server. 1 internal and 1 external (in DMZ).


I think we would need to take a look at the setup to comment. Sorry, we cannot be more assistance here.

The Setup is Simple
1. First Application Server – Internal IP Address
2. Second App Server – External IP Address (IN DMZ)
3. SQL Server (Internal – having access to External and Internal all required ports are opened)
4. IFD site is running Fine.
5. We have just noticed that the Report data is having IFD machine name as link, which in a way is not accessible via Public IP they are not connected to VPN.
6. WebResource Links are having IFD Machine name as mentioned above in setup help from you.

My question does changing WebResource links in Deployment Manager would work fine. or Do we need to make any other changes.


Michael Rodríguez

Thank you for having taken the time to create this article. I was tasked with creating a new deployment for my company to use in house and, as you well know, this was a b*tch to set up. Many thanks and take care. I followed all the steps and now I have a functional CRM deployment…now, I gotta learn how to use it, haha.


Not a problem.

Hi, first of all thanks for your guide. I just have 2 question if help me :
1.I want to test IFD then Buy Certificate, there is anyway to do that?
2.i don’t have Static Ip (dedicated Ip),as I said before I want to test this way and then bought certificate and Ip .so any way existed to did it without having Static IP?!
Thank you so much


1. Use a class 1 certificate from They are almost free.
2. Setup a virtual machine, and give the virtual machine 2 NIC’s. You will need static IP addresses, but you can at least access them internally.

If the goal is to go public, you will have a lot less trouble to just jump into it. Modifying the guide to do a locally hosted static IP Virtual environment is tricky for IFD, and defeats the purpose. Internet Facing Deployment as the name suggests is not for internal facing systems.

I was having troubles with MSIS7012/MSIS3127 error messages. In the end I found that this was to do with the “Relying Party Trusts” – “Issuance Transform Rules” number 3 “Transform Windows Account Name to Name”.

The guide says to set up with the following on both claims:
Incoming Claim Type = Windows Account Name
Outgoing Claim Type = Name

Name isn’t an option but the screen allows you to directly type in here. I followed the guide exactly and I suspect that there was an update that puts it in now as “* Name”.

Hi, does anyone know how to revert the configuration from ADFS to not use ADFS anymore in CRM 2011? We configured ADFS with CRM, but now we need to remove it. Any type of instructions on how to do it? I have not been able to find anything like that.


It should be easy enough to remove the entries you put in place as per this article, then restart IIS.

Thank you so much for the best guide ever, I finally did it. But I have one small problem. Before that I have to say I created the certificate with Makecert (wildcard certificate) and everything works fine for the test environment (VMware). Domain controller, CRM and ADFS are all installed on one virtual machine running Windows Server 2008 R2. Other clients can connect without problems to but I can’t log in to CRM from the server itself. I mean, when I enter the user and password to log in to CRM, it doesn’t accept them and gives me the error “HTTP Error 401.1 – Unauthorized”
“You do not have permission to view this directory or page using the credentials that you supplied”

But the same user and password work perfectly on another computer in the network.
I hope someone here can help me to fix it so I can log in to internalcrm from the server computer.

I am getting the same error “HTTP Error 401.1 – Unauthorized”

Not able to help, please help.



Sounds like the IIS Application pool may not be running on NetworkService and/or the files in the folder chosen for the directories used for the website / sites may not have NetworkService permissions set correctly.

Do you happen to know if CRM 2011 is compatible with ADFS 3.0? I’m trying to configure claims based authentication. With 2.0, it works. With 3.0, I get redirected to the ADFS page and get the following error when logging in.

An error occurred
An error occurred. Contact your administrator for more information.
Error details
Activity ID: 00000000-0000-0000-e402-0080000000d1
Error time: Thu, 02 Jul 2015 16:11:27 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3


It is not.

This is awesome. Can you expand this to include an ADFS Proxy Server in the DMZ? ADFS and CRM are inside the company net.


Not with CRM 2011. But with CRM 2013 and 2015 you could.

Thomas Kammerlander

Hi JVR, well we have that kind of setup and it works just fine. What fu..ed with me a bit was the fact that after setting up IFD access everything seemed to work just fine. Except when you try to “Download” the Organization Service WSDL when you are connected to the CRM Organization via IFD. Did anyone encounter these problems too? Or maybe you never realised that it doesn’t work. I can give you a hint if you stumble upon it. Regards, Thomas


No, it should work if you have it set up correctly. This will allow remote programming on that URL.

Hi JVR and Interactive Webs

Firstly let me say that this is probably the best step by step guide out there, but I am STUCK!

JVR Did you ever come right with your setup? I am trying to do the same as you, with ADFS 3.0 and CRM 2015 servers on the inside, as two separate servers and a DFS Proxy server in the DMZ. Our CRM has been up and running a while now and I have to make it available on the internet for our internal staff.

I already have an ADFS Proxy server up and running in the DMZ – (it was set up for a SharePoint site). I now need the steps to do the same for our CRM. I can access my sts URL from the DMZ. The Certificate is fine there. Here I already had a standard SSL certificate in place.

When I run the CRM claims based wizard on the CRM server, I get a certificate error. In the wizard I choose the wildcard certificate I used on the CRM website and it is in the personal store and the wizard tells me that it cannot find the certificate in the personal store on the local machine!? What now?

Another thing – With the sub domains that have to be entered into DNS – I presume that these are on the external DNS server. Do these hostnames have to appear on the internal DNS as well? How does one handle an external CRM URL differently to the internal address? For example, if you use as the external URL and as the internal URL (which is the URL accessed by Dynamics CRM for Outlook)?

Can someone please tell me what Auth, dev, and orgname DNS entries are for? Why all these DNS entries? Do they all point to our external public IP address and then do they all route to our internal CRM server? or which servers do each route to? I need clarification here please.

Also, can someone tell me WHY you cannot use a self signed wildcard certificate if the site is for internal staff only?

Sorry for all the questions, but I really do need assistance. Any help will be greatly appreciated before I tear my hair out! 🙂


Hard to say exactly how we may be able to assist you. Ordinarily when you get the server certificate error it is because you have not installed the certificate correctly to be visible to the server. Double-check your work in the server certificate installation area.

With regard to the DNS settings, it is always best if your internal DNS is hitting your external DNS and returning the appropriate IP address. In a simple configuration like this, where you’re not using firewalls and software to work on internal facing IP addresses and external facing IP addresses, it is best that they resolve internally and externally.

The different DNS entries are there to help you segregate by name the different calls that are made for the CRM setup. We are just following the recommended names that are suggested in one of the Microsoft set up documents. They could in effect be anything at all. AUTH, for example, is used for your authentication URL, whereas dev is used for your development URL. But these could be anything.

Hi. Thank you for your reply. I have now been able to go right through to the end of Configuring Claims-based authentication without certificate errors! Everything went smoothly until I finished entering the rules and did an iisreset. I enter the internal URL and I see it going via sts, but then I get HTTP 400 Bad Request and the webpage cannot be found. I have checked the Internal Relying Party Properties and the URL test validates successfully. Up until this point I could access the CRM with the internal URL! The only difference I have between your setup and my setup is that the Certificate on ADFS has a SSL Server certificate and does not use the same wildcard certificate that the CRM site uses because the ADFS server was set up a long time ago for a SharePoint site.
I do not, however, get certificate errors.
I have set a service principal name as you suggested above and that did not help either.

I have turned AD FS Tracking (Debug) on and it shows no errors – only information event IDs 54 and 155.

I don’t know where else to look and now no-one can work on the CRM!!! Please help!

In the Event Viewer of CRM Server I get Event ID 18732 errors. I have googled this and tried changing order of Providers as one person suggested – didn’t help.

Trying to set up a new Application Server (have access to one new server and would like to migrate). Is there any way I can run both servers till I’m happy with the new one to replace the old (live server)?

Sorry I’m running CRM 2011 Rollup 18.
The current server is Windows Server 2008 R2 and the New Server is Windows Server 2012 R2 Datacenter.


Don’t understand the question.


Using a new domain is the easy way to do this. We have a new domain for each instance of CRM we run on.
