ADFS redirects does not redirect to the same URL

  • Question

  • Hello,

    I'm trying to configure Microsoft Dynamics CRM 2016 (on-premises) IFD with ADFS, but I'm seeing strange behavior.

    If the user is in the internal network, there is no problem: he accesses CRM with <organization>.<rootdomain>, is then redirected to ADFS and, after being authenticated, is redirected back to <organization>.<rootdomain>.

    If the user is in an external network, the user types the CRM URL <organization>.<rootdomain>, is redirected to ADFS, and after being authenticated is redirected to the external URL defined in the CRM IFD (example: auth.<domain>). This opens the wrong CRM organization, but if the user types the correct URL <organization>.<rootdomain> again, he has access and everything works fine.

    Can anyone help?

    Am I missing something? Is it an IFD problem or an ADFS problem?

    Thanks

    Tuesday, January 10, 2017 5:15 PM

Answers

  • Hi,

    The cause of the error was Microsoft Forefront TMG. I don't know the details (I'm not responsible for this TMG), but it looks like it was replacing the URLs <organization>.<domain> with auth.<domain>.

    The solution was to create a tunnel for this specific server in TMG.

    Thanks for the help.

    Friday, January 27, 2017 12:58 PM

All replies

  • Are all the organisations on the same CRM instance, or do you have more than one CRM instance?

    If you have more than one CRM instance, then do they have separate auth.<domain> URLs? If you had 2 separate CRM instances that tried to have the same auth.<domain> URL, then this could explain the behaviour, though I would have expected ADFS (assuming they use the same ADFS farm) to have thrown an error when setting up the trusts.

    If it is just the one CRM instance, then I think the error is either with the IFD configuration, or it is more likely that network components (e.g. firewalls or load balancers) cause the HTTP headers from the client request to be removed or changed. CRM uses the HTTP headers to determine the original URL (e.g. <organization>.<rootdomain>) used from the client request, and if this is missing, the user may get directed to their default organisation.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Wednesday, January 11, 2017 11:54 AM
    Moderator
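To check whether an intermediary is changing the host name, as the reply above suggests, compare the host the browser requested with the return address in the redirect that sends it to ADFS. This is an added example, not code from the thread; it assumes the redirect is a WS-Federation passive sign-in request whose `wreply` parameter carries the return URL, and every host name in it is constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

def host_of(url):
    """Lower-cased host name of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower()

def check_signin_redirect(requested_url, location):
    """Compare the host the browser requested with the wreply host.

    `location` is the Location header of the redirect that sends the
    browser to ADFS. Returns a list of findings; an empty list means the
    organization host name survived the intermediaries.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
    if params.get("wa") != "wsignin1.0":
        return ["not a WS-Federation sign-in request"]
    wreply = params.get("wreply")
    if not wreply:
        return ["sign-in request carries no wreply parameter"]
    requested, reply = host_of(requested_url), host_of(wreply)
    if reply == requested:
        return []
    finding = f"wreply host {reply!r} differs from requested host {requested!r}"
    if reply == host_of(params.get("wtrealm", "")):
        finding += " and equals the wtrealm host"
    return [finding]

# Constructed sample data (hypothetical host names, not from the thread).
REQUESTED = "https://org1.crm.example/default.aspx"

def sample_location(wreply):
    """Build a constructed sign-in redirect with the given return address."""
    query = urlencode({"wa": "wsignin1.0",
                       "wtrealm": "https://auth.crm.example/",
                       "wreply": wreply})
    return "https://sts.crm.example/adfs/ls/?" + query

INTERNAL = sample_location("https://org1.crm.example/default.aspx")  # host kept
EXTERNAL = sample_location("https://auth.crm.example/default.aspx")  # host replaced

if __name__ == "__main__":
    for name, loc in (("internal", INTERNAL), ("external", EXTERNAL)):
        print(name, check_signin_redirect(REQUESTED, loc) or "ok")
```

Capturing the same redirect once from the internal network and once from outside, then running both through the check, shows whether the difference is introduced before the request reaches CRM.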
  • Hi David

    I have just one CRM instance.

    I'm trying to troubleshoot the problem, and analyzing the requests made by the browser, I notice that after authentication from ADFS, there is a request to the auth.<domain> and this should respond with the <organization>.<domain> URL. How does CRM determine the URL (organization URL) to which the user should be redirected?

    Thanks.

    Friday, January 20, 2017 12:50 PM