CRM 2011: Internal users login via IFD prompts. Change it and make them Happy!

I have run into several customers having internally users loginning each time using the companies external crm address. This can cause a bit of anger with your CRM users.

Each ADFS system has an internal URL. This URL can be found by openning up the ADFS Management Console or Using the CRM deployment manager. Using the CRM deployment manager, right click on CRM and hit properties, and navigate to the web tab. This is the internal URL.

The internal URL will pass the domain credentials (Kerboros) and not force the user to login each time. The CRM users will love you!

CRM 2011: Setting the ADFS Timeout for IFD

Once you deploy ADFS in a functional environment, the users will generally receive timeout requests, or requests to log back in, which can quickly become an issue within an 8 hour shift (480 minutes).

The solution is to set the ADFS Timeout. The ADFS timeout determines how long the claims token will live in the system before requiring a re-authentication or signin from the user. This can be set on the internal and external sides of ADFS. You will need to know the names of your ADFS relying party trusts.

To begin, open the ADFS Management Console:










Open the left hand navigation, expand relying parting trusts to find the display names:

 Now, run the Windows Powershell from the machine with ADFS installed.











Now from the powershell, start the PSSnapin for ADFS:





Using the internal relying party trust name from the ADFS wizard above, enter this command where the is the name of your internalcrm ADFS relying party trust.


 The last line of the results specific TokenLifetime will say how long the current time out is set.















Set the timeout to 480 for 8 hours ( minute increments). Example below is (240).

Now, set the timeout is set. You can follow the same steps to review or set your external timeout as well. It’s not a good security practice to set your external lifetime greater than 1 hour, as somebody who logins in remotely and forgets to logout, the session will be active until that timeout period is reached.

CRM 2011 Rollup 5: Issues Reported After Installs

Several customers are reporting issues since installing rollup 5 which is not uninstallable:

  • Workflow based Organizations (many levels deep)
  • ADFS / IFD Deployments
  • CRM Email Router and Outlook Clients ( Cannot access the webservices)

A hotfix was originally released but now has been disgarded. Micorosft has now released UR6 to fix some of the issue(s) introduced with UR 5.

Best Practices for Implementing CRM 2011 Claims Based Authentication

Presentation from the CRM UG Summit 2011 in Las Vegas, November 11, 2011

Configuring ADFS/IFD for CRM2011 can be challenging. During this session we will explore the technology, focus on key configuration points, and discuss best practices and tips. The information presented during the session is based on lessons learned from working in the trenches on more than 40 real-world implementation of CRM 2011 since Feb 2011.


CRM 2011: Reinstallation of ADFS fails after installation removal.

When installing ADFS to support your CRM 2011 IFD installation, if you have any errors or stop the install, the install will leave directories under the default website that need to be deleted.

You can run this from the command prompt:

appcmd delete app “Default Web Site/adfs/ls

This will delete the website. You can also view the application pool in IIS to see all applications still associated to the application pool as shown:

CRM 2011 ADFS/IFD Installation Tip: Using the BackConnectionHostNames Registry Key

During the CRM 2011 installation process for ADFS/IFD, you will notice issues when resolving external non matching internal domain references ( to crm.go.local) especially when using the SSL certficates. This can take hours of tracing and troubleshooting to realize its related to a new lookback feature introduced with Windows 2003 Server SP1.

The solution is to add to key BackConnectionHostNames to the registry, with the DNS, most likely your ADFS and internalcrm webserver FQDN (fully qualified domain names ie

Click Start, click Run, type regedit, and then click OK.

In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_04.Right-click MSV1_0, point to New, and then click Multi-String Value.

Type BackConnectionHostNames, and then press ENTER.

Right-click BackConnectionHostNames, and then click Modify.

In the Value data box, type the host name or the host names ( the external address for the ADFS system) for the sites that are on the local computer, and then click OK.

Quit Registry Editor, and then restart the IISAdmin service from the command prompt using IISRestart