Dynamics 365 Internal/External, ADFS, IFD etc.

  • Question

  • Hello,
    I am a bit confused about Dynamics 365 (on-premise), ADFS 4.0, internal URL, external URL, IFD, Single Sign-On etc. I had already configured this with CRM 2011 and ADFS 2.0, but maybe not the proper way.
    Now I started from scratch with Dynamics 365 and ADFS 4.0. It basically works, but we have some issues on some computers, depending on whether they connect from the LAN or the WAN and whether they access the external URL or the internal one...
    Let's assume the following:
    - Internal URL is https://hostname.domain.com/Orgname
    - External URL is https://orgname.domain.com
    - We use a GoDaddy-signed wildcard certificate for *.domain.com on both servers, CRM and ADFS
    - The CRM server and the ADFS server (STS) are both added to the IE security settings under Local Intranet (that's why SSO works when accessing https://hostname.domain.com/Orgname; is this how it is supposed to be?)
    - In many cases https://hostname.domain.com/Orgname, accessed by domain users who are connected to the Internet only (no VPN), also works with SSO, but not for everyone, and I tend to believe it has something to do with the respective PC and not the user, because while it does not work on one PC, it does on another one. More details about this issue later on.
    - https://orgname.domain.com always redirects to the STS login page. If one enters credentials accordingly, username@domain.intra, he can log in, no matter whether the user comes from the LAN or the WAN. Here we also have some issues: some users (this time it is bound to the user) cannot log in; they repeatedly get the login screen from ADFS (STS) again and again, while on the very same PC another user can log in the same way.

    Now to my questions/issues:
    - What's the main idea with ADFS (we need it because of some third-party solution)? Is it correct that the external URL is https://orgname.domain.com and the internal URL is https://hostname.domain.com/orgname? And if yes, what's the idea, how should users work? We only have our own domain users, no third parties whatsoever. Shall users use the external URL if on the WAN and the internal one if on the LAN? Do these two URLs necessarily have to be different? Can't they be the same, possibly masked by a reverse proxy when coming from the WAN? I am asking because it would be inconvenient if users had to pay attention to whether they are currently connected internally or from the Internet.
    - Is it a good approach to have the internal URL reachable (DNS- and firewall-wise) from the Internet? We do this in order to allow users to access CRM with SSO, without the requirement to always type uid/pwd. And does anyone have a clue why this access works on about 75% of the PCs (with IE or Edge browser), but not on the other 25%? The failing ones do, for whatever reason, not log in via SSO, but also don't prompt for credentials and deliver a 401 instead. If I "destroy" SSO by removing the CRM and STS server URLs from Security --> Local Intranet, it works, because it is no longer SSO and the login dialog shows up. The same is true for Chrome or Firefox, which are possibly not configured for SSO; in that case it works too, because the login dialog is shown.
    - Any idea what the reason can be that some users cannot log in via the external URL and ADFS, getting the login dialog again and again? The credentials are validated, because if they enter a wrong password, the error message says so.
    - Is it always intended that the external URL never works with SSO, but that the ADFS login dialog always comes first and the user needs to authenticate?

    Lots of questions; I hope someone takes the time to go through this.

    Kind regards,

    Thursday, November 23, 2017 5:39 PM
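A small diagnostic that fits the symptoms described in the post, added here as an example and not part of the original post or an answer to it: it fetches the internal and external URLs without credentials and without following redirects, then classifies the first-hop response as an integrated Windows authentication challenge (401 with a Negotiate/NTLM WWW-Authenticate header), a passive federation redirect to the ADFS sign-in endpoint (302 to /adfs/ls), a 401 with no challenge at all, or something else. The hostnames are the placeholders from the post; the STS hostname sts.domain.com and the embedded sample responses are assumptions so the classifier runs offline. Comparing the output of a PC where SSO works with one where it silently returns 401 tells you which hop differs before touching the ADFS configuration.

```python
"""Classify first-hop HTTP responses from a Dynamics 365 on-premise
front end or its ADFS STS. Added example, not the forum post's own code.
Hostnames are the post's placeholders; sts.domain.com and the SAMPLES
responses are constructed assumptions so the script runs offline."""
import urllib.request
import urllib.error


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects so the STS redirect itself is observed.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _flatten(msg):
    # Join repeated headers (e.g. several WWW-Authenticate lines) into one.
    return {name: ", ".join(msg.get_all(name)) for name in set(msg.keys())}


def probe(url, timeout=10):
    """Fetch one URL anonymously, no redirects; return (status, headers)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, _flatten(resp.headers)
    except urllib.error.HTTPError as e:
        # 302 and 401 both arrive here because redirects are not followed.
        return e.code, _flatten(e.headers)


def classify(status, headers):
    """Name what the first hop is asking the client to do."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307):
        if "/adfs/ls" in h.get("location", "").lower():
            return "federation-redirect"      # WS-Fed passive sign-in
        return "other-redirect"
    if status == 401:
        challenge = h.get("www-authenticate", "")
        if "Negotiate" in challenge or "NTLM" in challenge:
            return "integrated-auth-challenge"  # IE/Edge answer silently only in Local Intranet zone
        return "401-no-challenge"               # nothing the browser can answer or prompt for
    if status == 200:
        return "ok"
    return f"http-{status}"


EXPLAIN = {
    "integrated-auth-challenge": "server offers Windows integrated auth; "
        "browser answers silently only for sites in its Local Intranet zone",
    "federation-redirect": "passive redirect to the ADFS sign-in page; "
        "no integrated auth is attempted at this hop",
    "401-no-challenge": "refused without a WWW-Authenticate header; "
        "compare a capture from a client where SSO works",
    "other-redirect": "redirect somewhere other than the ADFS endpoint",
    "ok": "content returned anonymously; no authentication demanded",
}

# Constructed sample responses (assumption): what the two URLs in the post
# would plausibly return on a client with no Windows credentials attached.
SAMPLES = {
    "https://hostname.domain.com/Orgname":
        (401, {"WWW-Authenticate": "Negotiate, NTLM"}),
    "https://orgname.domain.com/":
        (302, {"Location": "https://sts.domain.com/adfs/ls/?wa=wsignin1.0"
                           "&wtrealm=https%3a%2f%2forgname.domain.com%2f"}),
}


def classify_samples(samples=SAMPLES):
    """Classify embedded samples; returns {url: category}."""
    return {url: classify(status, headers)
            for url, (status, headers) in samples.items()}


def report(urls, live=False):
    """Print a one-line verdict per URL, probing the network only if live."""
    results = {}
    for url in urls:
        status, headers = probe(url) if live else SAMPLES[url]
        cat = classify(status, headers)
        results[url] = cat
        print(f"{url}\n  HTTP {status} -> {cat}: {EXPLAIN.get(cat, '')}")
    return results


if __name__ == "__main__":
    # Set live=True on a domain-joined PC (and on a failing one) to compare.
    report(SAMPLES.keys(), live=False)
```

Run it once from a PC where SSO works and once from one that returns a bare 401; the category that differs between the two captures is the hop to investigate. The script sends no credentials, so on a real deployment the internal URL is expected to come back as integrated-auth-challenge and the external URL as federation-redirect.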