Question about IP/DNS configuration for IFD and Claims Based Auth

Question
-
Hi,
I currently need to configure IFD and have also read the whitepaper from Microsoft regarding IFD/CBA configuration. There's one paragraph which bugs me a bit:
"The following are example DNS settings for a two-server deployment. Two public IP addresses are required for external access to Microsoft Dynamics CRM – one for the Microsoft Dynamics CRM server and one for the AD FS server. Two internally hosted DNS zones are required: contoso.local and contoso.com"
Why wouldn't IFD work with one public IP address forwarded in the firewall settings? E.g. public IP 1.2.3.4:443 to adfs.company.local and 1.2.3.4:444 to crmhost.company.local?
If all DNS records resolve correctly, no matter where the traffic is being routed, shouldn't the IP address be "irrelevant"? Or could this really cause issues with FederationData.xml responses and other endpoints/service descriptions like '/XRMServices/2011/Organization.svc?wsdl'?
In my configuration only external access will be needed, no internal access via claims-based auth. Can I skip creating the second DNS zone for company.com (company.local exists) as long as the DNS records auth/org/.company.com are created and reachable from the Internet? How do I handle "internalcrm.company.com" in this case?
Thanks in advance, any small hints are appreciated!
Monday, March 11, 2013 3:47 PM
Answers
-
I set up a demo server with the following:
A single VM that has ADFS, CRM 2011, SQL Server 2008 R2, Purchased Security Certificate for a .com address
CRM is set up as IFD
On IIS ADFS Port=443 CRM Port=444
One public IP address pointed to our router which is set up with 1:1 NAT with the demo CRM server
External DNS for the domain name that is configured for each CRM org. (e.g. CRMOrgName.Example.com)
That is the simple overview to get connected externally.
The internal connection uses the exact same URL. The trick is to set up your router to realize that the "public" URL is located internally and route it there. I am not a networking guy, but Cisco support was a great help in getting the router configured correctly. So now we can use one URL for CRM IFD and it works on the LAN and outside the office.
For a production install, I would think you would create three separate servers. One for ADFS/Domain and one for CRM, and a SQL server.
Figuring this out took days and required reading lots of CRM partner blogs about IFD deployment. The MS docs were not really helpful. Rather than giving specific step-by-step instructions for a given situation, they seem to assume that you have a busload of technology consultants to call on. Not fun. :(
Maybe this will be of help to you.
-Art
- Marked as answer by Matzer J Friday, March 15, 2013 8:47 AM
Friday, March 15, 2013 12:51 AM
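The question's plan (one public address, 443 forwarded to AD FS, 444 to CRM) and Art's working layout above stand or fall on the same three things: every IFD host name resolves to that one address, the firewall actually forwards both ports, and the purchased certificate covers every name a client will connect to. The script below is an added example, not code from the thread or from Microsoft; it models those checks offline so they can be run before touching the Outlook client. The domain, the IP addresses, the AD FS host name "adfs" and the organisation names are constructed placeholders, and dev.<domain> follows the naming in Microsoft's IFD guide rather than anything named on this page.

```python
"""Added example (not from the thread): sanity-check a single-public-IP
CRM 2011 IFD layout: AD FS on 443, CRM on 444, one address behind 1:1 NAT.
All names, addresses and organisation names below are constructed."""
from urllib.parse import urlsplit

PUBLIC_IP = "203.0.113.10"      # assumption: documentation (TEST-NET-3) address
PRIVATE_IP = "10.0.0.5"          # assumption: the CRM/AD FS box on the LAN
DOMAIN = "company.com"
ADFS_HOST = "adfs"               # assumption: AD FS federation service name
ADFS_PORT, CRM_PORT = 443, 444   # Art's port split
ORGS = ["orgname", "sales"]      # constructed organisation names


def required_hostnames(domain=DOMAIN, adfs_host=ADFS_HOST, orgs=ORGS):
    """Public A records the layout needs. auth, internalcrm and the per-org
    names are the ones the question lists; dev.<domain> is the discovery
    name from Microsoft's IFD guide. Every one of them points at the same
    public address; only the port distinguishes AD FS from CRM."""
    names = [f"{adfs_host}.{domain}", f"auth.{domain}", f"dev.{domain}",
             f"internalcrm.{domain}"]
    return names + [f"{org}.{domain}" for org in orgs]


def endpoint_urls(domain=DOMAIN, adfs_host=ADFS_HOST, orgs=ORGS,
                  adfs_port=ADFS_PORT, crm_port=CRM_PORT):
    """What a client really fetches: AD FS metadata on 443 and the
    Organization.svc WSDL (the URL in the Outlook error) on 444."""
    urls = [f"https://{adfs_host}.{domain}:{adfs_port}"
            "/FederationMetadata/2007-06/FederationMetadata.xml"]
    return urls + [f"https://{org}.{domain}:{crm_port}"
                   "/XRMServices/2011/Organization.svc?wsdl" for org in orgs]


def san_covers(san, host):
    """RFC 6125 style match: a wildcard may only be the whole leftmost label
    and matches exactly one label, so *.company.com covers
    orgname.company.com but neither company.com nor a.b.company.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*."):
        return False
    suffix = san[1:]                      # ".company.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_hostnames(sans, hostnames):
    """Names the certificate does not cover; TLS to these fails before any
    claims exchange can start."""
    return [h for h in hostnames if not any(san_covers(s, h) for s in sans)]


def unforwarded_endpoints(urls, external_dns, forwards):
    """external_dns: name -> IP as answered to the Internet.
    forwards: set of (public_ip, port) pairs the firewall passes inward.
    Returns the URLs whose address:port has no rule, i.e. DNS is fine but
    the connection is still dropped from outside."""
    bad = []
    for url in urls:
        parts = urlsplit(url)
        ip = external_dns.get(parts.hostname)
        if ip is None or (ip, parts.port or 443) not in forwards:
            bad.append(url)
    return bad


def internal_resolution(hostnames, internal_dns, private_ip, public_ip):
    """Art's 'same URL from the LAN': inside, each name must either resolve
    to the server's private address (split DNS, the second zone in the
    whitepaper) or the router must hairpin traffic aimed at the public IP.
    Returns which names need which, plus names that do not resolve at all."""
    report = {"split_dns": [], "needs_hairpin": [], "unresolvable": []}
    for host in hostnames:
        ip = internal_dns.get(host)
        if ip == private_ip:
            report["split_dns"].append(host)
        elif ip == public_ip:
            report["needs_hairpin"].append(host)
        else:
            report["unresolvable"].append(host)
    return report


if __name__ == "__main__":
    hosts = required_hostnames()
    ext_dns = {h: PUBLIC_IP for h in hosts}                  # all on one address
    rules = {(PUBLIC_IP, ADFS_PORT), (PUBLIC_IP, CRM_PORT)}  # two port forwards
    print("uncovered by *.company.com:", uncovered_hostnames(["*.company.com"], hosts))
    print("uncovered by single-name cert:", uncovered_hostnames([f"adfs.{DOMAIN}"], hosts))
    print("unforwarded:", unforwarded_endpoints(endpoint_urls(), ext_dns, rules))
    print("LAN view, no split DNS:", internal_resolution(hosts, ext_dns, PRIVATE_IP, PUBLIC_IP))
```

Run as-is it reports nothing uncovered for a wildcard certificate, every CRM name uncovered by a certificate issued only to the AD FS name, no unforwarded endpoints once both 443 and 444 have rules, and every name flagged "needs_hairpin" when the LAN resolves the public zone, which is exactly the case Art's Cisco configuration handles. Drop the 444 rule from `rules` and the Organization.svc URLs show up as unforwarded while DNS still resolves, which matches the symptom of "correct DNS, client still cannot reach the WSDL".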
All replies
-
Hi,
I've succeeded in installing CRM and ADFS 2.0 on the same server following this guide: http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/
It might need a bit of tweaking regarding the legacy web services, but if you don't have to use those I'd say just follow the instructions. You might have to do it two or three times, and remember to keep a goat nearby to sacrifice when you need an extra push :)
Regards
Rickard Norström Developer CRM-Konsulterna
http://www.crmkonsulterna.se
Swedish Dynamics CRM Forum: http://www.crmforum.se
My Blog: http://rickardnorstrom.blogspot.se
Monday, March 11, 2013 5:04 PM -
Hi Rickard,
I already read InteractiveWebs' blog post and it was a big help. My post above was a general question regarding IP/DNS with IFD.
I managed to set up IFD/CBA so far and external access via browser is working. My problem is the configuration of the Outlook client. When adding an organization, this error message pops up:
[Window Title]
Microsoft Dynamics CRM for Outlook
[Content]
The server address (URL) is invalid.
[Expanded Information]
Metadata contains a reference that cannot be resolved: "https://orgname.company.com:444/XRMServices/2011/Organization.svc?wsdl".
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.ResolveNext(ResolveCallState resolveCallState)
at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(MetadataRetriever retriever)
at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(Uri address, MetadataExchangeClientMode mode)
And Organization.svc returns this:
Fault xmlns="http://schemas.microsoft.com/ws/2005/05/envelope/none"><Value>Receiver</Value><Value xmlns:a="http://schemas.microsoft.com/net/2005/12/windowscommunicationfoundation/dispatcher">a:InternalServiceFault</Value></Subcode></Code><Text xml:lang="da-DK">The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.</Text></Reason></Fault>
No more messages in event or trace log.
Any ideas?
There's no goat nearby and all co-workers already left, so I guess I'm stuck ;)
- Edited by Matzer J Monday, March 11, 2013 5:28 PM
Monday, March 11, 2013 5:26 PM -
Can you browse to the webservice endpoint, or do you get an error when doing that?
Rickard Norström Developer CRM-Konsulterna
http://www.crmkonsulterna.se
Swedish Dynamics CRM Forum: http://www.crmforum.se
My Blog: http://rickardnorstrom.blogspot.se
Monday, March 11, 2013 10:25 PM -
Thanks for your effort, guys!
I finally managed to set IFD up correctly, but I was not able to find out what caused the endpoint error. I just installed a new CRM instance directly on the ADFS server and moved the organization (including "funny" errors in the CRM setup routine when connecting to an existing environment ;) ).
So regarding my original question, Art's setup and hints are correct; IFD can be set up with only a single public IP address.
Friday, March 15, 2013 8:47 AM