I would like to configure an on-premise deployment of CRM 2011 as an IFD, but I would like external users to be able to authenticate to the service using a user certificate.
Certainly, with CRM installed "out of the box," and not configured for claims-based authentication, it was straightforward to reconfigure IIS to require a user certificate for authentication. I was able to configure this and get it working in a test environment without too much trouble.
But, when I configure CRM for claims-based authentication (or IFD), I cannot get ADFS to accept a certificate when attempting to connect to the CRM URL. Regardless of changes I have made in ADFS (including reconfiguring its web.config file to prefer SSL authentication), I am always prompted with a username/password box to connect to the CRM page. Almost as if to taunt me, when I click on "Log Off" within CRM, before ADFS will show me the "you have been logged off" page, it asks for the client certificate.
I have ensured that Claims/IFD was configured correctly before embarking on my attempt to make it take a certificate. I was able to log on to CRM with a "normal" claims-based authentication attempt or as an IFD using the forms-based sign-on page, as you would expect.
There must be something within the federation metadata coming from CRM that makes ADFS always prompt the user for a username and password, but I can't figure out how to reconfigure it to accept a certificate. If anyone has any experience with this configuration, it would be greatly appreciated.