Active Directory Authentication while Claims and IFD is enabled.

  • Question

  • We have developed a custom application that integrates with CRM2011 using Integrated Active Directory Authentication and the Organization Service endpoint. We have enabled Claims Based Authentication with the IFD. Claims and IFD are working without errors and people can authenticate to the orgs. The custom application now fails to authenticate to the CRM server using the internal endpoint and the new IFD endpoint. When I try to access CRM through the following URLs:

    • https://myOrg.myDomain.com, I get forwarded to Claims to authenticate and this works.
    • https://orgInternal.myDomain.com/myOrg - I get prompted for Windows Authentication and can never successfully authenticate.

    The CRM IG says that CRM2010 supports 3 different configuration scenarios: 1) Internal Users Only, 2) Internal Users and IFD access, 3) IFD Only.

    Questions

    1. Is there a way of properly authenticating using Active Directory Authentication to the internal URL while both Claims and IFD are enabled? Is it Claims-based or Active Directory Authentication, not both?
    2. Based on this, will I have to update my custom application to use the Claims Based Authentication security model?
    3. Any possible workarounds? 

    Endpoints:

    • Before Claims and IFD - https://orgInternal.myDomain.com/myOrg/XRMServices/2011/Organization.svc
    • After Claims and IFD - https://myOrg.myDomain.com/XRMServices/2011/Organization.svc

    Thanks for the help.


    C.

    Monday, September 19, 2011 8:51 PM

Answers

  • Hi Colin,

    1. Yes, you can only have claims or Windows Integrated auth. Not both simultaneously. There are actually four configurations: internal only via Windows Integrated auth (1 Internal Users Only), internal only via claims auth (1 Internal Users Only), external only via claims auth (3 IFD Only), and both internal and external via claims auth (2 Internal Users and IFD access). It is not possible to have IFD without also having your internal folks using the claims auth pipeline.

    2. Yes.

    3. Not that I know of off the top of my head.

    Hope this helps,
    Michael

    Monday, September 19, 2011 11:28 PM

All replies

  • Thank you Michael for the clarification. 
    Tuesday, September 20, 2011 12:22 AM