CRM 2011 IFD + ADFS 2.0 + TMG

  • Question

  • Hi all,

    We are trying to set up a CRM 2011 IFD deployment. We have 4 servers: CRM App Server, Database, ADFS and TMG.

    We are using company.local as AD domain and company.com as external Domain. The goal is to publish CRM 2011 IFD with TMG.

    I ran into a few issues regarding the "split domain config (company.local/company.com)" regarding ADFS.
    - How do we have to configure the ADFS identifier and URL?
    - Should we publish the /federationmetadata/ with the TMG?
    - Which ADFS URL should be used within the CRM 2011 Federation Metadata service (external or internal)?
    - Is that setup recommended, or is there a better way?

    Thanks,
    Tobias
    Tuesday, June 7, 2011 4:45 PM

All replies

  • Good luck with that, we have been trying to set up a similar configuration for the past two months.

    We keep getting ADFS errors and opened a ticket with Microsoft support.

    No luck still..

    Tuesday, June 14, 2011 7:35 AM
  • Hi,

     

    I ran into a few issues regarding the "split domain config (company.local/company.com)" regarding ADFS.

              You need to pick a Federation Service Name for AD FS and stick with it. I would suggest SSO.company.com. This needs to resolve internally and externally in DNS.


    - How do we have to configure the ADFS identifier and URL?

              No need to change the ID if you have already selected a Federation Service Name. The URLs do not need to be changed either. If you need to change your Federation Service Name, see this: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-change-the-federation-service-name.aspx


    - Should we publish the /federationmetadata/ with the TMG?

              Yes, you may also need to publish your WS-Trust endpoints as well. At a minimum for web clients, you'll need /adfs/ls/ and /federationmetadata/2007-06/federationmetadata.xml


    - Which ADFS URL should be used within the CRM 2011 Federation Metadata service (external or internal)?

              There is only 1 AD FS hostname: the Federation Service Name. The client resolves this in DNS depending on whether the client is sitting internal or external. Again, there are NO internal vs. external names for your Federation Service.


    - Is that setup recommended, or is there a better way?

              If you have TMG, by all means, utilize it. Be aware that there is an AD FS 2.0 Federation Server Proxy role that serves the specific purpose of proxying AD FS 2.0.

     

    Be careful with Link Translation in TMG when dealing with claims, WS-Federation, SAML 2.0, and XML data. It tends to break the message digest. I recommend disabling it.

     

    Good luck,

    Adam Conkle

    Tuesday, June 14, 2011 7:00 PM
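    Adam's warning about link translation is easy to demonstrate. The following is an added example, not code from the thread or from Microsoft: an HMAC digest stands in for the XML signature AD FS puts on a WS-Federation token (the real signature is XML DSig with an RSA key, so this is a deliberate simplification), and `link_translate` mimics what TMG does when it rewrites an internal host name in a payload. The host names, key and token fragment are constructed.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed demo key; stands in for the AD FS token-signing key (assumption).
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed WS-Federation-style token fragment; not captured from a real AD FS.
SIGNED_BODY = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<wsp:AppliesTo><wsa:EndpointReference>'
    '<wsa:Address>https://adfs01.domain.local/adfs/ls/</wsa:Address>'
    '</wsa:EndpointReference></wsp:AppliesTo>'
    '</t:RequestSecurityTokenResponse>'
)


def sign(body: str) -> str:
    """Digest over the exact bytes the issuer sent (HMAC stands in for XML DSig)."""
    return hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(body: str, digest: str) -> bool:
    """The relying party recomputes the digest over the bytes it actually received."""
    return hmac.compare_digest(sign(body), digest)


def link_translate(body: str, internal_host: str, external_host: str) -> str:
    """Mimic TMG link translation: rewrite internal host names inside the payload."""
    return body.replace(internal_host, external_host)


def relay(body: str, digest: str, translate: bool,
          internal_host: str = "adfs01.domain.local",
          external_host: str = "adfs01.domain.com") -> tuple[bool, str]:
    """Pass a signed message through the proxy; return (digest still verifies, delivered body)."""
    delivered = link_translate(body, internal_host, external_host) if translate else body
    return verify(delivered, digest), delivered


def demo() -> dict[str, bool]:
    """Same signed token, with link translation off and on."""
    digest = sign(SIGNED_BODY)
    ok_plain, _ = relay(SIGNED_BODY, digest, translate=False)
    ok_translated, changed = relay(SIGNED_BODY, digest, translate=True)
    return {
        "link_translation_off": ok_plain,        # digest verifies
        "link_translation_on": ok_translated,    # digest no longer matches
        "body_was_rewritten": changed != SIGNED_BODY,
    }


if __name__ == "__main__":
    print(demo())
```

    The point the example makes is that a proxy which changes even one byte of a signed XML message invalidates the signature the relying party checks, which is why the recommendation is to leave link translation off for the AD FS and CRM publishing rules rather than to try to tune it.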
  • Hi Adam,

     

    Thanks for the info. I configured ADFS + CRM + TMG successfully.

    There is one problem left: if I put the CRM site into the Trusted Sites zone in IE, I get a 404 error after login to the CRM. The authentication settings are configured to the default settings.


    Do you have any hints?
    Thanks
    Tobias

    Friday, June 24, 2011 11:34 AM
  • Hi Tobi,

    Can you tell me how you created the Web Listeners and Web Site Publishing rules for CRM?

     

    regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Friday, June 24, 2011 12:05 PM
  • Hi Adam,

     

    I am new to this CRM. I am implementing it for my organization, and I want to know about the splitting of domains as you wrote in your post (companyname.local and companyname.com). Please let me know how to configure the split domain for my organization's domain.

     

    Regards,

    Mohan

     

    Monday, June 27, 2011 5:51 AM
  • Hi Mohana,

    You have to create a forward lookup zone (companyname.com) in your internal DNS server.

    And create all the CNAMEs in the new forward lookup zone and configure IFD.

     

    regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Monday, June 27, 2011 8:00 PM
  • Hi Tobi,

    Can you tell me how you created the Web Listeners and Web Site Publishing rules for CRM?

     

    regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/


    Hi Khaja, hi all,

    I think it could be helpful to describe the infrastructure:

    CRM-Server:  internalcrm01.domain.local
    ADFS-Server: adfs01.domain.local
    TMG:         tmg01.domain.local

    All are single server setups.

    I created the following rules in TMG:

    1. Publishing Rule for ADFS:

    a) HTTPS-Listener with HTTP-Redirect to HTTPS and certificate for adfs01.domain.com and no auth
    b) Web Server Publishing rule with following options:
         i. Bridging: redirect requests to SSL Port 443
         ii. Link translation disabled
         iii. paths: /federationmetadata/* and /adfs/*
         iv. Auth delegation: No delegation, but client may auth directly
         v. To: adfs01.domain.local, forward host header, requests appear to come from client directly

     

    2. Publishing rule for crm server:

    a) HTTPS-Listener with HTTP-Redirect to HTTPS and certificate for crm-server.domain.com and no auth
    b) Web Server Publishing rule with following options:
         i. Bridging: redirect requests to SSL Port 443
         ii. Link translation disabled
         iii. paths: /*
         iv. Auth delegation: No delegation, but client may auth directly
         v. To: internalcrm01.domain.local, forward host header, requests appear to come from client directly

     

    3. Publishing rule for organization (Org name: CRM)

    a) HTTPS-Listener with HTTP-Redirect to HTTPS and certificate for crm.domain.com and no auth
    b) Web Server Publishing rule with following options:
         i. Bridging: redirect requests to SSL Port 443
         ii. Link translation disabled
         iii. paths: /*
         iv. Auth delegation: No delegation, but client may auth directly
         v. To: internalcrm01.domain.local, forward host header, requests appear to come from client directly

    Clients connect via https://crm.domain.com to CRM. The Outlook client is working perfectly, and access via IE has no problems either when the site is in the Internet zone.

    Do you have any idea why we get the 404 error when the client puts the CRM site in the Trusted Sites zone in IE9?

    Thanks,
    Tobias
    Thursday, June 30, 2011 3:54 PM
  • Hi Tobi,

    You also have to create publishing rules for DEV and AUTH as well.

    Or you can also add both these entries in the CRM Publishing rule -> Public names -> Add -> dev.domain.com and auth.domain.com

    If it won't work, then create individual publishing rules for AUTH and DEV with the existing CRM Web Listener.

    And the DNS also has to be resolvable externally.

     

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Thursday, June 30, 2011 7:38 PM
  • Hi Khaja,

    thanks for your help.

    The "AUTH" publishing rule is the first one I posted: "adfs01.domain.com". Why do I need to publish the DEV site, and what is that for?


    Thanks,

    Tobi

    Friday, July 1, 2011 10:45 AM
    DEV.domain.com is the CRM Discovery service endpoint.

    When you configure IFD for CRM 2011, you can see the endpoints.

     

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Monday, July 4, 2011 10:52 AM
  • Good afternoon!

    Regarding the publishing I have some updates. I just posted a summary of findings from today!

    Hopefully we get a fix from Microsoft soon, as this topic is turning into a bad performance issue with no real workaround.

    http://dynamics-crm2011.blogspot.com/2012/01/tmg-2010-or-isa-or-ans-kind-of-reverse.html

     

    We have taken some network traces and found out the following!

    It is a BUG in Dynamics CRM 2011. Every time the CRM Web server receives a request including a "reverse proxy header" it answers with

    Cache-Control: public
    Vary: *

    in the response header. This "Vary: *" is causing the behavior that some CRM page elements are not served out of the Internet Explorer cache.

    We fixed this for one customer by creating a new ISA/TMG rule "Server publishing on port 443" instead of using a Web publishing rule. But this can't be the real solution due to security reasons!

    Cheers

    Christian

     

     

    Thursday, January 19, 2012 8:20 PM
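    A way to confirm the symptom Christian describes from the client side is to compare the response headers CRM returns with and without a reverse-proxy style request header and apply the HTTP caching rule for `Vary: *`. The script below is an added example, not code from the thread: the two responses are constructed to match the headers quoted in the post, `X-Forwarded-For` is an assumption about which header TMG adds (the post does not name it), and `fetch_headers` is a live probe that is only called when you point it at your own server.

```python
from __future__ import annotations

import http.client

# Constructed responses modelled on the headers quoted in the post; not real CRM captures.
DIRECT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-javascript\r\n"
    "Cache-Control: private, max-age=3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

PROXIED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-javascript\r\n"
    "Cache-Control: public\r\n"
    "Vary: *\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 response head into (status, {lower-name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, list[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def _tokens(headers: dict[str, list[str]], name: str) -> list[str]:
    """Comma-separated header values flattened into lower-case tokens."""
    return [t.strip().lower() for v in headers.get(name, []) for t in v.split(",")]


def browser_can_reuse_cached_copy(headers: dict[str, list[str]]) -> bool:
    """Vary: * (RFC 7234 section 4.1) means no stored response may be reused without
    going back to the origin, regardless of Cache-Control: public."""
    if "*" in _tokens(headers, "vary"):
        return False
    cc = _tokens(headers, "cache-control")
    return "no-store" not in cc and "no-cache" not in cc


def diagnose(direct: dict[str, list[str]], proxied: dict[str, list[str]]) -> dict[str, bool]:
    """Compare the two header sets and report whether the proxy path lost cacheability."""
    return {
        "direct_cacheable": browser_can_reuse_cached_copy(direct),
        "proxied_cacheable": browser_can_reuse_cached_copy(proxied),
        "vary_star_only_behind_proxy": (
            "*" in _tokens(proxied, "vary") and "*" not in _tokens(direct, "vary")
        ),
    }


def fetch_headers(host: str, path: str = "/",
                  extra: dict[str, str] | None = None) -> dict[str, list[str]]:
    """Live probe against your own server (not run here); returns the same shape as parse_headers."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path, headers=extra or {})
    resp = conn.getresponse()
    out: dict[str, list[str]] = {}
    for name, value in resp.getheaders():
        out.setdefault(name.lower(), []).append(value)
    conn.close()
    return out


def demo() -> dict[str, bool]:
    """Run the diagnosis over the constructed samples."""
    _, direct = parse_headers(DIRECT_RESPONSE)
    _, proxied = parse_headers(PROXIED_RESPONSE)
    return diagnose(direct, proxied)


if __name__ == "__main__":
    print(demo())
    # Against a real deployment (assumed header name):
    # print(diagnose(fetch_headers("crm.domain.com", "/_static/somefile.js"),
    #                fetch_headers("crm.domain.com", "/_static/somefile.js",
    #                              {"X-Forwarded-For": "203.0.113.10"})))
```

    If the proxied request alone yields `Vary: *`, the cache misses are explained by the response headers and not by the TMG rule itself, which is why switching to server publishing (which no longer adds the proxy header) masked the problem for Christian's customer at the cost of losing the web-publishing inspection.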
  • Hi Tobi,

    Did you configure everything without any issues?

    Or did you find any issues?

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/

    Monday, February 20, 2012 7:34 PM
    Tobi, with regard to your IE "Trusted Site" HTTP 404 error, I can reproduce this as well. If the organization URL is in IE's Trusted Sites, then the "auth" URL must be listed as well (e.g. https://auth.contoso.com). There is an issue transferring zones when redirected with AD FS where one URL is trusted and the other is not.

    -Ben

    Friday, March 23, 2012 8:10 PM