CRM URLs

  • Question

  • Hi All

    We are trying to use a custom URL to access a CRM organisation by publishing it via ISA. Basically we point the custom URL to the ISA server's external interface, where it terminates SSL and makes a connection to the CRM server over HTTP. The ISA Server is configured to forward the host header of the actual CRM org (crmorg.ourdomain.com), as opposed to the custom URL, to the CRM server. This doesn't seem to work and the login form is just returned again. It seems to accept the credentials, as when we purposely get the password wrong it states as such. We have configured IFD fine and we can access externally no probs using the standard crmorg.ourdomain.com URL behind ISA server.

    Can anyone offer any assistance on getting this to work?

    Thanks

    Adam

     

    Friday, July 16, 2010 6:27 PM

Answers

  • IFD always changes the FQDN of the URL.  It issues a redirect to the client, while establishing a session that runs with the Anonymous Logon account impersonating the user for CRM operations.  If the redirect does not get properly applied by ISA for further communication back to the CRM server, then the logon is effectively aborted.  I don't know if ISA is capable of catching and rewriting redirects, but CRM will redirect the browser to <Organization Name>.crmorg1.internaldomain.com .  (This assumes that the FQDN for the server is actually crmorg1.internaldomain.com .)  If ISA doesn't rewrite that to represent <Organization Name>.crm.theirdomain.com , or if it does, and instead does not translate <Organization Name>.crm.theirdomain.com to <Organization Name>.crmorg1.internaldomain.com ; the user will never be properly directed to the IFD session.

    I personally have no experience with ISA, so I'm afraid I've reached the bounds of my experience.  I am rather familiar with IFD, and I read the documentation around using ISA in conjunction with IFD.  That said, I do indeed think the IFD redirect is the cause of the problem.


    Dave Berry - MVP Dynamics CRM - http:\\crmentropy.blogspot.com
    Friday, July 30, 2010 5:58 PM
    Moderator

All replies

  • Adam,

    Here are a few troubleshooting steps to try and figure out what is going on.

    1) Navigate to your custom URL.

    2) You should get directed to https://customurl/signin.aspx?targeturl=https%3a%2f%2fORGNAME.DOMAIN.COM%3aPORTNUMBER%2fdefault.aspx. The "%3aPORTNUMBER" might or might not show, depending on how you've configured SSL.

    3) Replace the ORGNAME.DOMAIN.COM with your custom URL before you enter your credentials.

    4) Try to log in. Does behavior change?

    5) If it doesn't, try navigating to https://customerurl/signin.aspx (by including signin.aspx, you bypass some of the weird forwarding/routing the signin page does over IFD).

    Also, make sure you've got your custom url in your trusted sites in IE.


    Phil Edry – Altriva Solutions – Solution Developer
    Friday, July 16, 2010 6:52 PM
  • Hi Phil

    Thanks for your response.

    When I changed the orgname.domain.com with the custom URL and then entered credentials, the same thing happens. Also, the URL just redirects back to the URL mentioned in step 2 above.

    When I try accessing with https://customerurl/signin.aspx I just get the login form again and the URL changes back.

    The custom URL is in trusted sites.

    I guess ISA is just redirecting the URL back and doing what I am essentially asking it to do. I'm puzzled as to why I cannot logon though.

    Thanks

    Adam

    Saturday, July 17, 2010 9:51 PM
  • Hi Adam,

    I'm not sure I can give more advice without getting my hands dirty with your ISA configuration. Perhaps someone else in the forums can help -- I would suggest starting a case with Microsoft since you'll be able to provide full environment details confidentially.


    Phil Edry – Altriva Solutions – Solution Developer
    Monday, July 19, 2010 7:37 PM
  • Have you read this article thoroughly? http://blogs.msdn.com/b/crm/archive/2008/07/24/publishing-microsoft-crm-4-0-through-isa-server-2006.aspx
    Dave Berry - MVP Dynamics CRM - http:\\crmentropy.blogspot.com
    Monday, July 19, 2010 8:36 PM
    Moderator
  • Hi Dave

    Yes we have, that article is just really standard ISA stuff and doesn't cover custom URLs. We have no issues with using the standard URL in the format of crmorg1.ourdomain.com, crmorg2.ourdomain.com etc etc. The issue is trying to front end that with a custom URL using ISA. It doesn't appear to work even if we get ISA to forward the host name defined in the publishing rule (Which would be the crmorg1.ourdomain.com URL).

    Thanks to both of you guys for your input

    Adam 

    Wednesday, July 21, 2010 7:19 PM
  • Do you have any trace logs from either ISA or CRM that might indicate what's going on?  It doesn't sound like you're receiving an error message, so you may need to enable tracing specifically for each app to figure out what actions it is taking.  Question:  what is the server's base URL in relation to the IFD "orgname" destination, and are both resolvable on either side of the ISA appliance?  I wasn't quite sure if "crmorg1" and "crmorg1" represented server names, or CRM Organization names, because for me, the DNS inside my Active Directory network resolves basedomain.com to my Domain Controller, and not a web-server.

    What I mean to say is that, the login page/IFD mechanisms prepend the orgname to whatever URL you used to connect with, so if you're connecting to it from ISA on "crmorgname.domain.com", the IFD page will redirect to "crmorgname.crmorgname.domain.com".

    That means ISA will need to be able to resolve crmorgname.crmorgname.domain.com to the CRM server as well, and that the URL remains intact when connecting to IIS on the CRM server.

    This could explain the recurrent "login page" issue, since you're going precisely where ISA is saying to go, so there is no error as far as the server is concerned.


    Dave Berry - MVP Dynamics CRM - http:\\crmentropy.blogspot.com
    • Marked as answer by Don Chang (Moderator) Tuesday, July 27, 2010 8:06 PM
    • Unmarked as answer by Adam42 Friday, July 30, 2010 8:32 AM
    Friday, July 23, 2010 8:34 PM
    Moderator
  • Hi Dave

    Interesting, your last paragraph might just be the issue. I was unaware that is what IFD did. I will test this when I get 5 minutes and report back.

    Thanks

    Adam 

    Monday, July 26, 2010 6:43 PM
  • Hi David

    Thinking about this some more, I'm not sure I'm following. crmorg represents the actual CRM organisation name. The ISA Server will attempt to connect to the CRM server using crmorg1.internaldomain.com. The external user will actually use a vanity URL such as crm.theirdomain.com. Link translation is enabled on ISA so there should be no issues with links being sent back to the client as crmorg1.internaldomain.com and these not being resolved correctly.

    I thought that the CRM server would just see that the URL is crmorg1.internaldomain.com from the host header and serve up the correct app to the user, or is that not the case?

    Thanks

    Adam

    Friday, July 30, 2010 8:43 AM
  • Hi Adam,

    IFD and ISA are very strict. You cannot have any redirect because of the SSL certificate and security. IFD and ISA is a STRICT pass thru. Any redirect will cause it to fail.

    That is a limitation of CRM 4.0 IFD. CRM 2011 will have new features; I am not privileged to say what they are, as it is still pre-beta and things may change.

     


    Best regards,

    Don Chang
    Online Technical Community
    Monday, August 2, 2010 8:58 PM
    Moderator
  • Hi Don

    Thanks for your reply. Can you point me to an article that describes this behaviour?

    Many thanks

    Adam

    Monday, August 2, 2010 10:18 PM