CRM 2011 IFD on port 443

Question
Hi,
Can I configure CRM 2011 IFD on port 443 if I have ADFS 2.0 on the same server?
Wednesday, March 16, 2011 12:13 PM
Answers
Hey, I have been going through the documentation, trial and error, and using MSFT Product Services to get the full picture of configuring the IFD for CRM 2011; perhaps I can lend some of my knowledge. Presumably you can have both on the same server (though the path I took was to have AD FS 2.0 and CRM 2011 on separate servers) IF you did not install Dynamics CRM 2011 on the Default Web Site. If that is the case, it will not work, and you'll need to install AD FS on a different server, since it installs on the Default Web Site. If you have CRM on a new website, you can install AD FS 2.0 and configure it to use the default HTTPS port, then configure CRM's HTTPS binding to use another port (444 or whatever). This may be the better option, since you won't have to make an extra DNS record for the AD FS server. HTH, --MD
--Dodd
Marked as answer by Jamie Miley (Moderator), Tuesday, May 28, 2013 5:35 PM
Wednesday, March 16, 2011 2:43 PM
All replies
You should be able to use it. ADFS uses HTTPS, but your applications should also work just fine since they are on different sites, etc.
I would install it and give it a shot. You can always remove the role or feature from the server and stand it up somewhere else.
Jamie Miley
http://mileyja.blogspot.com
LinkedIn Profile
Wednesday, March 16, 2011 1:25 PM (Moderator)
I have tried with two IP addresses.
One is for ADFS 2.0 on port 443 on the Default Web Site; the other is for CRM on a separate site on port 443. The wildcard certificate is the same.
sts1.xxxxx.xx is on one address
---------------------------------
dev.xxxxx.xx is on the other address
auth.xxxxx.xx
crm.xxxxx.xx
------------------------------------
I have tried to set auth.xxxxx.xx on the first address, but with no help.
This configuration doesn't work. ADFS is showing these errors in the event log:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://crm.xxxxxx.xx/default.aspx' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
Thursday, March 17, 2011 10:07 AM
As Dodd said, you have to configure your CRM on another port than 443 if you install the two products on the same server!
The best thing to do is to install CRM on the default port 443 and ADFS on another server that does not need port 443.
HTH,
Olivier
Currently blogging @ www.furnemont.eu
Currently twittering @bugsoli
Currently restoring my Mustang @www.mustangpassion.com
Thursday, March 17, 2011 10:50 AM
I understand that CRM IFD works on another port. I have configured it on 444 and CRM IFD works. I don't have two servers. I am trying to find a solution for IFD on a single server, so that users can authenticate on the default HTTPS port, not 444. If someone managed to make it work, please share.
Thursday, March 17, 2011 11:09 AM
Did you get the answer you needed here? You haven't marked one yet.
Jamie Miley
http://mileyja.blogspot.com
Linked-In Profile
Follow Me on Twitter!
Thursday, May 26, 2011 12:37 AM (Moderator)
No, I didn't get it....
Thursday, May 26, 2011 7:59 AM
Maybe try reviewing this video from the IFD team.
Jamie Miley
http://mileyja.blogspot.com
Linked-In Profile
Follow Me on Twitter!
Thursday, May 26, 2011 1:59 PM (Moderator)
Did you get this figured out?
Jamie Miley
Check out my about.me profile!
http://mileyja.blogspot.com
Linked-In Profile
Follow Me on Twitter!
Thursday, February 16, 2012 2:40 AM (Moderator)
According to the CRM claims-based authentication configuration guide, it is a requirement to have CRM and ADFS on different ports if both services are installed on the same server (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3621). I have tried various ways of making this work, but you have to have CRM and ADFS on different ports or on different servers.
You can configure IIS to accept requests on the same port with different host headers to different IIS sites, but ADFS does not honor this. Based on what I have seen, the federation URLs are mapped before IIS gets to decide which site the request goes to. When you install both on the same server and port, open the FederationMetadata.xml on both the sts and crm URLs. Specifically, look at the entityID: it will show the sts URL for both, and these should be different. Using the configuration example URLs, this XML file should have the entityID contain the following: sts1.contoso.com (for sts1.contoso.com), auth.contoso.com (for auth.contoso.com, crm.contoso.com and dev.contoso.com) and internalcrm.contoso.com (for internalcrm.contoso.com). I use this to check if the configuration has been done correctly.
Patrick Verbeeten
www.patrickverbeeten.com
www.wavextend.com
Thursday, February 16, 2012 2:16 PM
In the previous post by Patrick, can you clarify what the following means: "When you install both on the same server and port open the FederationMetadata.xml on both the sts and crm urls."
Patrick then continues, saying "Specifically look at the entityId this will both shows the sts url, these should be different." Where do I see the entityId?
It seems I have an issue with using the same URL (sts...) both for internal and external, but I understand that for a single-server deployment I need to have different ones (but I don't know where to make those changes).
Friday, March 2, 2012 8:01 AM
During the setup you will have several different URLs for FederationMetadata.xml, each using a different DNS name, for example (when following the MS claims-based authentication guide):
https://sts1.contoso.com/federationmetadata/2007-06/federationmetadata.xml
https://internalcrm.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml
https://auth.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml
You can open each of these files in your browser.
The first line in this file is something similar to:
<EntityDescriptor ID="_df4f6a1e-a3de-4895-ab2a-96c9e475e871" entityID="https://auth.contoso.com:444/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
The ID will be different each time you retrieve the file, but the entityID property identifies the source of the file. The URL in it should match the start of the URL used to request it.
If you have installed CRM and ADFS on the same server, both using port 443, the URL for CRM (https://auth.contoso.com) will return sts1.contoso.com in the entityID. This is more a diagnostic aid which can be used to check if the federation configuration is correct, because neither CRM nor ADFS will report an error if the incorrect data (entityID) is selected in one of the configuration steps; the login will simply fail to work.
Patrick Verbeeten
www.patrickverbeeten.com
www.wavextend.com
Friday, March 2, 2012 9:31 AM
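The entityID check Patrick describes above can be scripted instead of done by hand in a browser. The script below is an added example, not code from the thread or from Microsoft: it fetches each FederationMetadata.xml, reads the entityID attribute on the root EntityDescriptor, and reports whether it names the host (and, for CRM, the port) that was actually requested. The contoso.com host names and port 444 are the sample values from the configuration guide and are assumed here; replace them with your own. The XmlResolver is cleared so that a metadata document can never pull in external entities.

```powershell
# Added diagnostic (not code from the thread): request each FederationMetadata.xml
# the claims-based authentication guide has you enter, read the entityID on the
# root <EntityDescriptor>, and check that it names the host you asked for. If AD FS
# and CRM share a port, the CRM URLs come back carrying the AD FS entityID instead.
# The contoso.com names and port 444 are the guide's sample values, assumed here.
param(
    [string[]] $MetadataUrls = @(
        'https://sts1.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml',
        'https://internalcrm.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml',
        'https://auth.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml'
    )
)

function Get-FederationEntityId {
    # Downloads the metadata document and returns its entityID attribute.
    # WebClient is used so this also runs on PowerShell 2.0 (Windows Server 2008 R2).
    param([string] $Url)
    $client = New-Object System.Net.WebClient
    try {
        $bytes = $client.DownloadData($Url)
    } finally {
        $client.Dispose()
    }
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null      # never resolve DTDs or external entities from fetched XML
    $doc.Load((New-Object System.IO.MemoryStream -ArgumentList (,$bytes)))
    return $doc.DocumentElement.GetAttribute('entityID')
}

function Test-MetadataSource {
    # Compares the entityID with the URL that was requested. CRM publishes
    # https://<host>[:port]/ and must match on host and port; AD FS publishes
    # http://<sts>/adfs/services/trust, which carries no port, so for an http
    # entityID only the host is compared.
    param([string] $Url)
    $requested = [System.Uri] $Url
    $entityId  = Get-FederationEntityId -Url $Url
    $owner     = [System.Uri] $entityId
    $hostOk = ($requested.Host -eq $owner.Host)
    $portOk = ($owner.Scheme -ne 'https') -or ($requested.Port -eq $owner.Port)
    New-Object PSObject -Property @{
        Requested = $Url
        EntityId  = $entityId
        Matches   = ($hostOk -and $portOk)
        Error     = $null
    }
}

$MetadataUrls | ForEach-Object {
    $u = $_
    try {
        Test-MetadataSource -Url $u
    } catch {
        # certificate name mismatch, nothing listening on that port, or a non-XML answer
        New-Object PSObject -Property @{ Requested = $u; EntityId = $null; Matches = $false; Error = $_.Exception.Message }
    }
} | Format-Table Requested, EntityId, Matches, Error -AutoSize
```

Run it from a machine that trusts the wildcard certificate and can resolve all three names. A row with Matches = False for a CRM URL whose EntityId shows the sts host is exactly the same-port symptom described in the post above; a row with an Error is a TLS or binding problem to fix before the federation configuration is even worth checking.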
Thanks Patrick. If I check my settings during the installs I have the following:
- ADFS Config --> sts.[domain].com
- Claims-based Auth Wizard --> https://sts.[domain].com:444/federationmetadata/2007-06/federationmetadata.xml (putting it into IE shows entityID = http://sts.[domain].com/adfs/services/trust)
- ADFS Relying Party Trust --> https://internalcrm.[domain].com:444/FederationMetadata/2007-06/FederationMetadata.xml (putting it into IE shows entityID = http://sts.[domain].com/adfs/services/trust -> same as above)
I don't have auth.[domain].com yet because I did not set up IFD yet. Otherwise the above seems to match what you have listed.
ADFS is on the Default Web Site bound to port 444. CRM is bound to port 443.
Is it OK that both of the above show the same entityID, or should they be different?
Note that in "ADFS -> Trust Relationships -> Relying Party Trusts" the identifier says "http://sts.[domain].com/adfs/services/trust". Could the missing :444 be the issue? Note that when I go to the properties of the trust I see https://sts.[domain].com:444/adfs/ls/ as the Endpoint. The federation metadata URL https://internalcrm.[domain].com:444/Fed.... tests out OK.
Friday, March 2, 2012 3:44 PM
The entityID for the https://internalcrm... URL is incorrect. In a proper configuration this should show https://internalcrm... In the URLs you have listed above, both ADFS and CRM use the same port; from experience I can tell you it is not possible to get this to work. In this setup the CRM URL (internalcrm) returns the federationmetadata.xml file for the STS service. Using this file to set up the ADFS relying party trust will not work, as it does not contain the required information about CRM.
While I was installing ADFS I did figure out that the FederationMetadata file does not 'look' at the IIS configuration. Try running the following on the command line:
netsh http show urlacl
This will give you a listing of URLs, including some URLs related to ADFS. What I have noticed is that even if you change the port numbers in IIS, the port numbers in that listing do not change. Based on this, it would appear that changing the port used by ADFS requires an additional step.
Patrick Verbeeten
www.patrickverbeeten.com
www.wavextend.com
Saturday, March 3, 2012 10:07 AM
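The netsh listing Patrick points at is where the same-port problem becomes visible: AD FS 2.0 reserves its paths in HTTP.sys with the wildcard host '+', so the reservation is keyed on port and path alone and is not affected by IIS host-header bindings. The script below is an added example, not code from the thread, that parses the text of netsh http show urlacl, picks out the AD FS reservations, and reports the port each one uses, whether it is wildcard-hosted, whether its reserving account resolved, and whether it collides with the port you intend CRM to use. The embedded sample listing is constructed from the reservations shown later in this thread so the script runs offline; on a real server feed it the live netsh output as shown in the comment.

```powershell
# Added diagnostic (not code from the thread): parse the output of
#   netsh http show urlacl
# and report the HTTP.sys reservations AD FS 2.0 holds. The sample listing below is
# constructed from the entries posted in this thread; on a real server replace it with
# the live command output (see the comment near the bottom).
param([int] $CrmHttpsPort = 443)

$sampleListing = @'
URL Reservations:
-----------------

    Reserved URL            : http://+:80/adfs/services/
        Can't lookup sid, Error: 1332
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

    Reserved URL            : https://+:444/adfs/services/
        Can't lookup sid, Error: 1332
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

    Reserved URL            : https://+:444/FederationMetadata/2007-06/
        Can't lookup sid, Error: 1332
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

    Reserved URL            : https://+:444/adfs/fs/federationserverservice.asmx/
        Can't lookup sid, Error: 1332
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
'@

function ConvertFrom-UrlAcl {
    # Turns the netsh text into one object per reservation (scheme, host part, port, path).
    param([string[]] $Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }
            $current = $null
            $url = $Matches[1]
            $m = [regex]::Match($url, '^(?<scheme>https?)://(?<host>[^/:]+):(?<port>\d+)(?<path>/.*)$')
            if (-not $m.Success) { continue }   # no explicit port: not an AD FS reservation
            $current = New-Object PSObject -Property @{
                Url         = $url
                Scheme      = $m.Groups['scheme'].Value
                HostPart    = $m.Groups['host'].Value
                Port        = [int] $m.Groups['port'].Value
                Path        = $m.Groups['path'].Value
                Account     = $null
                SidResolved = $true
            }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.Account = $Matches[1].Trim()
        }
        elseif ($current -and $line -match "Can't lookup sid") {
            $current.SidResolved = $false
        }
    }
    if ($current) { $current }
}

function Find-AdfsReservations {
    # Keeps only the AD FS paths and flags wildcard-host https reservations on the CRM port.
    param([object[]] $Reservations, [int] $CrmPort)
    foreach ($r in $Reservations) {
        if ($r.Path -notmatch '^/(adfs|FederationMetadata)/') { continue }
        $wildcard = ($r.HostPart -eq '+') -or ($r.HostPart -eq '*')
        New-Object PSObject -Property @{
            Url             = $r.Url
            Port            = $r.Port
            WildcardHost    = $wildcard
            CollidesWithCrm = ($wildcard -and $r.Scheme -eq 'https' -and $r.Port -eq $CrmPort)
            SidResolved     = $r.SidResolved
        }
    }
}

$reservations = ConvertFrom-UrlAcl -Lines ($sampleListing -split "`r?`n")
# Live server:  $reservations = ConvertFrom-UrlAcl -Lines (netsh http show urlacl)
$report = @(Find-AdfsReservations -Reservations $reservations -CrmPort $CrmHttpsPort)
$report | Format-Table Url, Port, WildcardHost, CollidesWithCrm, SidResolved -AutoSize

if ($report | Where-Object { $_.CollidesWithCrm }) {
    Write-Warning "AD FS holds wildcard-host ('+') reservations on port $CrmHttpsPort; HTTP.sys hands /adfs/ and /FederationMetadata/ requests on that port to the AD FS service before IIS host-header bindings are consulted, which matches what this thread observed."
}
if ($report | Where-Object { -not $_.SidResolved }) {
    Write-Warning "Some reservations show 'Can't lookup sid'; the reserving account could not be resolved."
}
```

With the defaults the sample reproduces the poster's situation (AD FS on 444, CRM on 443) and reports no port collision, only the unresolved SIDs; run it with -CrmHttpsPort 444 to see the collision case that the earlier answers warn about. Run it elevated, since netsh http show urlacl resolves service SIDs through the local SAM.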
Patrick, thanks for your response. I actually have CRM on 443 and ADFS on 444 (I changed the binding of the default site to 444 before installing ADFS). So it seems I got the URLs wrong. I followed the instructions about claims-based authentication multiple times but seem to miss something. Any input is appreciated.
Also, I used the command you gave to list URLs and found some errors. Note, under ADFS -> Trust Relationships -> Relying Party Trusts I have an "Issuance Transform Rule" with Incoming claim type = Primary SID and "Pass through all claim values". On a side note, in case it's relevant, I have another rule with incoming type Windows account name and outgoing claim type *Name. I am not sure why there is a *. The first time I did it (before reinstalling everything again so many times) it did not have the *.
Reserved URL : http://+:80/adfs/services/
    Can't lookup sid, Error: 1332
    SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Reserved URL : https://+:444/adfs/services/
    Can't lookup sid, Error: 1332
    SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Reserved URL : https://+:444/FederationMetadata/2007-06/
    Can't lookup sid, Error: 1332
    SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Reserved URL : https://+:444/adfs/fs/federationserverservice.asmx/
    Can't lookup sid, Error: 1332
    SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
Some other URLs are:
http://+:80/wsman/
http://+:80/Temporary_Listen_Addresses/
https://+:443/sra_{BA19...}/
http://+:80/ReportServer/
http://+:80/Reports/
https://[computername].[domain].local:443/ReportServer/
https://[computername].[domain].local:443/Reports/
Saturday, March 3, 2012 6:27 PM
The *Name etc. should not be a problem. I don't know why this happens, but in most installations I have done I had the same, and my environments are working.
I see no obvious errors in any of this. To avoid problems I usually put the ADFS installation on a different server, but I have seen enough examples of people running everything on one server. However, they all used port 443 for ADFS. I do understand your reasoning for wanting to have CRM on port 443, but I cannot offer any more input on what is the cause of the problem you are experiencing.
Patrick Verbeeten
www.patrickverbeeten.com
www.wavextend.com
Monday, March 5, 2012 12:38 PM
Your reserved URL ACLs have errors in the SIDs. You need to delete these and probably uninstall/reinstall ADFS to reinstate them correctly. If they are correct and show no errors, then this post may help you configure ADFS and CRM to both use port 443 on the same server:
Configure CRM 2011 and ADFS 2.0 on a single server on port 443
Hope this helps. Adam Vero, MCT
Friday, June 22, 2012 8:33 AM
Thanks Adam. I tried "Install CRM and ADFS on the same server but on different ports". I set the Default Web Site to 444 before installing ADFS. Then I installed CRM using "Select Web Site" = "Default Web Site", which seems to have overwritten ADFS. So how do you do this? Do you use "Create new Web site", choose some arbitrary port, and then after the installation bind it to 443?
Sunday, June 24, 2012 7:34 AM