Windows Identity Foundation and Windows Authentication on MSCRM 2011

Written by Stéphane Dorrekens
Tuesday, 26 June 2012 08:51

I had a query the other day to validate whether WIF (Windows Identity Foundation) was actively used in an MSCRM 2011 implementation configured with Windows authentication (i.e. Kerberos).

Now, WIF is a required component of the server installation, of the Outlook add-in installation and of the SDK (see this article), but that does not mean it is actively used in a non-claims-based mode.
Looking in the Claims authentication white paper, I found this little note:

"Microsoft Dynamics CRM 4.0 uses Integrated Windows authentication to authenticate internal users and forms authentication to enable Internet access for external users not using VPN.
Microsoft Dynamics CRM Server 2011 replaces forms authentication with claims-based authentication, an identity access solution designed to provide simplified user access and single sign-on access to Microsoft Dynamics CRM data.
Claims-based authentication is built on Windows Identity Foundation (WIF), a framework for building claims-aware applications and security token service (STS) that is standards-based and interoperable.
Interoperability is provided through reliance on industry standard protocols such as WS-Federation, WS-Trust, and Security Assertion Markup Language 1.1 (SAML)."
Read this way, CRM 2011 has two modes, Windows Authentication and Claims Based Authentication, and only Claims Based Authentication uses WIF.
Actually, the data flow for Windows authentication in the white paper is exactly the same as for MSCRM 4.0 (or any standard ASP.NET Windows authentication, by the way), so there is no need to involve another technology.