CRM2013 IFD redirects to internal ADFS for login

  • Question

  • Hello,

    I am currently deploying CRM2013 in my org. Everything works, except IFD that is doing the redirect to the internal ADFS for user/pass auth and can't find it.

    More Info:

    Let's say my internal domain is xx.ro and my external one is xyxy.ro.

    My AD FS server is fs (so: fs.xx.ro and fs.xyxy.ro)

    My CRM 2013 server is crm2013 (so: crm2013.xx.ro and crm2013.xyxy.ro)

    My SQL server is sql2013, only sql2013.xx.ro

    IFD config:

    Web Application Server Domain: xyxy.ro
    Organization Web Service Domain: xx.ro
    Discovery Web Service Domain: dev.xyxy.ro
    External domain where IF servers are located: auth.xyxy.ro

    To sum it up:

    - I am connected with RDP on an external network w/o VPN.

    - Type in browser crm2013.xyxy.ro

    - Server not found error and URL is: https://fs.xx.ro/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm2013.xyxy.ro%2f&wctx=rm%3d1%26id%3d0303ac9a-4d4e-4fc9-b2d0-cbc4b6a41b0c%26ru%3dhttps%253a%252f%252fcrm2013.xyxy.ro%252fdefault.aspx&wct=2014-06-11T08%3a02%3a12Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword

    - If I copy this link into my internal web browser it redirects me to the AD FS login screen (domain\user & pass)

    - If I manually resolve the URL (replace xx with xyxy) it brings me to a different error page: Service Unavailable - HTTP Error 503. The service is unavailable but the URL does not change and there are no errors in event viewer.

    So, please help... give me pointers where I should look more closely or how it has to be on a working IFD. I lost so much time trying to figure it out and only managed to almost get fired and I'm 2 months overdue on live release (I don't have a team, just me working on everything).


    Wednesday, June 11, 2014 8:17 AM

All replies

  • The Web Application Server, Organization Web Service and Discovery Web Service domains should be the internal domains - i.e.

    Web Application Server Domain: xx.ro
    Organization Web Service Domain: xx.ro
    Discovery Web Service Domain: dev.xx.ro


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Wednesday, June 11, 2014 9:22 AM
    Moderator
  • I've changed the IFD domains; now I get a different URL generated: https://fs.xx.ro/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm2013.xx.ro%2f&wctx=rm%3d1%26id%3d58b99d46-8d69-4ae9-a58f-aab8884ebb5d%26ru%3d%252fdefault.aspx&wct=2014-06-12T08%3a45%3a37Z&wauth=urn%3afederation%3aauthentication%3awindows

    So, now it will redirect to the internal site: crm2013.xx.ro and requires Windows auth... is this right? (AD FS is v2.0 on WIN Server 2012, w/o Proxy)

    Also, topic related, in ADFS IIS, on the adfs site (under default website) I have this error (can't post screenshot yet):

    Challenge-based and login redirect-based authentication cannot be used simultaneously.

    With:

    Anonymous Auth = Enabled

    ASP.NET Impersonation = Disabled

    Forms Auth = Enabled (HTTP 302 Login/Redirect)

    Windows Auth = Enabled (HTTP 401 Challenge)

    I don't think this is normal...  In the IFD guide it says to enable forms auth but when I did the error appeared.

    Any pointers?

    Thanks,

    Rares


    • Edited by Rares Lupan Thursday, June 12, 2014 9:02 AM
    Thursday, June 12, 2014 8:59 AM
  • I still have the error described above. Any advice?
    Thursday, June 19, 2014 6:08 AM
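
Added example, not part of any post in this thread: a small decoder for the two WS-Federation sign-in URLs quoted above, showing which host serves the sign-in page, which realm it was requested for, the return URL packed inside `wctx`, and the authentication type asked for in `wauth`. The names `decode_signin`, `zone` and the result keys are chosen here for illustration, and `zone` assumes two-label DNS zones such as the thread's xx.ro and xyxy.ro.

```python
from urllib.parse import urlsplit, parse_qs

# The two redirect URLs, copied verbatim from the question and the follow-up post.
URL_FIRST = ("https://fs.xx.ro/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm2013.xyxy.ro%2f"
             "&wctx=rm%3d1%26id%3d0303ac9a-4d4e-4fc9-b2d0-cbc4b6a41b0c"
             "%26ru%3dhttps%253a%252f%252fcrm2013.xyxy.ro%252fdefault.aspx"
             "&wct=2014-06-11T08%3a02%3a12Z"
             "&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword")
URL_SECOND = ("https://fs.xx.ro/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm2013.xx.ro%2f"
              "&wctx=rm%3d1%26id%3d58b99d46-8d69-4ae9-a58f-aab8884ebb5d%26ru%3d%252fdefault.aspx"
              "&wct=2014-06-12T08%3a45%3a37Z"
              "&wauth=urn%3afederation%3aauthentication%3awindows")


def zone(host):
    """Last two DNS labels (assumption: not public-suffix aware)."""
    return ".".join(host.lower().split(".")[-2:])


def decode_signin(url):
    """Break a WS-Federation passive sign-in request into its parts."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if query.get("wa") != "wsignin1.0":
        raise ValueError("not a WS-Federation sign-in request")
    # wctx is itself a URL-encoded query string (rm, id, ru): decode a second time.
    ctx = {k: v[0] for k, v in parse_qs(query.get("wctx", "")).items()}
    realm_host = urlsplit(query["wtrealm"]).hostname
    return {
        "sts_host": parts.hostname,        # host the browser must be able to resolve
        "realm": query["wtrealm"],         # relying party the token is requested for
        "return_url": ctx.get("ru"),       # where CRM sends the user after sign-in
        "wauth": query.get("wauth"),       # requested authentication type
        "issued": query.get("wct"),        # request timestamp
        "sts_in_realm_zone": zone(parts.hostname) == zone(realm_host),
    }


if __name__ == "__main__":
    for label, url in (("first URL", URL_FIRST), ("second URL", URL_SECOND)):
        print(label)
        for key, value in decode_signin(url).items():
            print(f"  {key:18} {value}")
```

For the first URL the sign-in host (fs.xx.ro) and the realm (crm2013.xyxy.ro) sit in different zones and `wauth` asks for password authentication; for the second both are in xx.ro and `wauth` asks for Windows authentication.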