Why does Dynamics CRM Require IFD (ADFS)?

Question

Why does Dynamics CRM require IFD for the tablet app and why do some ISV's - PowerObjects for one - require IFD, more specifically why do they require ADFS?

Even if AD DS is accessible to CRM and only a single AD is used it still seems to require ADFS for the above situations; all web services are externally accessible without ADFS, so why do some ISV solutions and the tablet app even care if the deployment is not using ADFS?

Answer 1

I talked to PowerObjects about this, and it seems that they require that their applications ping their servers to check that you have a valid license. Hence they need to be able to reach their servers from your CRM server.

Answer 2

Various parts to this, I think: 1) It gives a single common end-point for apps to work with regardless of devices being able to talk to AD directly or not. 2) Apps don't have to be able to reach AD, you can put STS in DMZ 3) You don't have to use AD, technically. You can use other identity providers. Again, app does not want or need to care what you use 4) Consistent approach for online / on-premises

Answer 3

I would think because it's generally considered bad practice to open up a website (in this case Dynamics CRM) externally using AD authentication (windows authentication). For these scenarios claims based authentication such as ADFS is recommended.

Even though you can use tablet apps within your internal AD domain, the main use case for these apps is to use outside your corporate network, thus externally available.