CRM 2016 ADFS Configuration for Internal Access


We had a unique Dynamics CRM implementation with a requirement that external Active Directory users, connected to the CRM environment through a VPN tunnel, authenticate with CRM without CRM being exposed over the internet. This led us to use the "claims-based authentication for internal access" CRM configuration together with configuring IFD. Below are some hints and hard lessons learned in meeting such authentication requirements:

  • Host the CRM web services on a port other than 443, as per Microsoft guidelines for claims-based authentication for internal access; port 443 can still be used for the web application normally.
  • We hosted the CRM web services on port 444 while the CRM web client stayed on a different port, 443, and CRM worked normally.
  • Ensure that any client accessing the CRM web interface or the CRM web services has network access to the CRM front-end servers and to the ADFS servers as well, because authentication happens through a redirection to the ADFS sign-in page.
  • For any custom web services or SSIS synchronization packages integrating with Dynamics CRM, make sure they have the appropriate access to the ADFS servers.
  • In the Plugin Registration Tool you may need to use a special format for the username, depending on the UPN claim format configured in ADFS when CRM was added as a relying party.
  • The default session timeout period is very short and is controlled from ADFS; it is advisable to increase the token lifetime for a better user experience, because when the session times out the client must close all open browser sessions and open them again to re-authenticate.
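As an added example (not code from the original post), the following PowerShell script covers two of the hints above: the connectivity part is run from a VPN-connected client and checks that the CRM front end (web client on 443, web services on 444) and the ADFS sign-in endpoint are reachable; the second part is run on an ADFS server and inspects, then raises, the token lifetime on the CRM relying party trust. The hostnames, the relying party display name and the 480-minute value are assumed placeholders to be replaced with your own.

```powershell
# Added example, not part of the original post.
# Placeholders (assumed, replace with your own values):
$crmFrontEnd = 'crm.contoso.local'     # CRM front-end server
$adfsServer  = 'adfs.contoso.local'    # ADFS server or farm name
$crmRptName  = 'CRM Internal Claims'   # relying party trust display name in ADFS
$newLifetime = 480                     # minutes; long enough that a workday fits in one token

# --- Client-side check: run from the VPN-connected client ---
# Web client on 443 and web services on 444 as described in the post; ADFS on 443.
$targets = @(
    @{ Host = $crmFrontEnd; Port = 443; Role = 'CRM web client' },
    @{ Host = $crmFrontEnd; Port = 444; Role = 'CRM web services' },
    @{ Host = $adfsServer;  Port = 443; Role = 'ADFS sign-in endpoint' }
)
foreach ($t in $targets) {
    $result = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $state  = if ($result.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED' }
    '{0,-22} {1}:{2,-4} {3}' -f $t.Role, $t.Host, $t.Port, $state
}

# --- Server-side change: run on an ADFS server as an ADFS administrator ---
Import-Module ADFS
$rpt = Get-AdfsRelyingPartyTrust -Name $crmRptName
if (-not $rpt) { throw "Relying party trust '$crmRptName' not found" }

# TokenLifetime is in minutes; a value of 0 means the trust inherits the farm default.
"Current token lifetime on '$crmRptName': $($rpt.TokenLifetime) minutes"
if ($rpt.TokenLifetime -lt $newLifetime) {
    Set-AdfsRelyingPartyTrust -TargetName $crmRptName -TokenLifetime $newLifetime
    "Token lifetime raised to $newLifetime minutes"
}
```

A blocked line in the first part points at exactly the symptom described above: the browser is redirected to ADFS and the redirect target is unreachable from that client. The lifetime change affects only the CRM relying party, so other applications federated with the same ADFS farm keep their own settings.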

I will try to update this post with any new hints that I missed.
