Thursday, June 29, 2017

microsoft office 365 - Dynamics CRM with Windows Essentials AD + Azure AD

I'm trying to configure a new Dynamics CRM 2016 on-premises installation with claims-based authentication for SharePoint Online (Office 365) and Internet-facing access.

We currently have a Windows 2012 R2 Essentials domain controller synchronizing with Office 365. I'm aware we should not change passwords on any online services but should instead use the local account so it syncs up the new password.

At the time we wanted to be as lean as possible in terms of setup in the office, so Essentials was the obvious choice, but I now think it's a bit too essential when you want to add on other services! Is that correct?

I've seen this article, http://blog.kloud.com.au/2014/06/06/claims-based-federation-service-using-microsoft-azure/, that explains how to leverage ACS for the CRM's claims federation, which would sort the CRM login.

But I am slightly concerned about rolling this out without having single sign-on configured across the directory, e.g. syncing the password down from Azure to the on-prem AD, and apparently that's not possible with this setup; see https://social.technet.microsoft.com/Forums/windowsserver/en-US/97cdba31-afda-49a0-bd71-cdd408b22fe6/windows-server-2012-r2-essentials-and-azure-active-directory-sync-tool?forum=winserveressentials

Before I commit to using ACS (available in Azure Premium only), I want to ensure we'll also be able to roll out single sign-on across the directory as it is, or whether we need to migrate to a new DC (not on Essentials) and use AADConnect instead. See https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/, which includes ADFS and thus doesn't need ACS.

Am I just mixing concepts? Is my concern unfounded?

Has anyone been able to do this kind of setup before?

Any help on this would be greatly appreciated.
