CRM 2011 IFD - using the same internal and external URLs

  • Question

  • Hello,

    We are working on a test upgrade to CRM 2011 (CRM\SQL on one server, ADFS on another) and have run into an issue after enabling IFD.  In CRM 4.0 (single CRM web server, separate SQL server), our users can hit https://productionorg.mydomain.com both internally and externally; the internal users are automatically authenticated while the external users get the IFD login screen.

    Is this same behavior possible in CRM 2011? We would like our users to be able to use the same URL whether they are inside the building or not.  After running through the Claims and IFD setup, our users can access https://crm2011Org1.mydomain.com both internally and externally successfully.  However, they always get the AD FS logon, even if they are inside our office.  If they enter their credentials at the ADFS login, CRM pulls up successfully.  Ideally, we would like it to automatically authenticate our internal users.

    Is this possible with CRM 2011? 

    Any help is greatly appreciated.

    Thanks,

    Nick

    Wednesday, March 2, 2011 3:34 PM

Answers

  • Hi Nick

    Unfortunately, when using https://crm2011org1.mydomain.com, ADFS doesn't know where you are, so it assumes that you need to be authenticated; hence you are always prompted for credentials.

    You can set a second relying party that points to an internal URL such as https://crmserver/org.  When you go to https://crmserver, ADFS will see that you are already authenticated and issue you a token and, in a word, you should be able to connect without being prompted.

    So to answer your question, you will always be prompted when using the external URL, whether you are internal or external.

    You can download the white paper from here and it has a chapter on configuring IFD for internal use.


    Marc Collins www.QGate.co.uk
    Tuesday, March 8, 2011 4:43 PM

All replies

  • 2 things

    1. Check the IFD tool to make sure you put the network IP and not the server IP in the setup.  For instance, if my server is at 192.168.1.7 and my subnet is 255.255.255.0 then I should put the network IP in the IFD tool (192.168.1.0), not the server IP.

    2. This is a non-standard setup, as you would normally use myorg.myserverordomain.com on the IFD side but use your crmserver/orgname internally.

    Sometimes depending on your DNS setup you cannot resolve the IFD address internally.  Your network admins will have to do some DNS handiwork to make this happen correctly.

     


    Jamie Miley
    Wednesday, March 2, 2011 3:42 PM
    Moderator
  • For internal users, try to add https://crm2011Org1.mydomain.com as an intranet site, from the Security tab in IE Internet Options.


    Islam Eldemery
    http://idemery.net
    idemery
    Wednesday, March 2, 2011 4:16 PM
  • Jamie,

    As far as I know, the IFD tool has gone away with CRM 2011.  You do not get to specify local IP ranges in the new CRM 2011 IFD setup.  DNS is resolving correctly everywhere; it just requires you to log in at the ADFS screen even if you are internal.

    Wednesday, March 2, 2011 4:24 PM
  • Try this:

    1. In IE, go to tools, Internet Options, security, trusted sites, add the site to trusted sites.

    2. Now go to Custom Level on the same security tab for the trusted sites zone and scroll down to the bottom under logon.  Pick anonymous login and try that, and if that doesn't help try automatic login with current user.

    See if either of those helps.


    Jamie Miley
    Wednesday, March 2, 2011 6:52 PM
    Moderator
  • Adding it to my trusted sites and changing the login options did not make a difference; we still get stopped at the ADFS login page.  We are going to keep trying things, but are resigning ourselves to the fact that the URLs will probably have to be different in CRM 2011 for internal vs external access.
    Wednesday, March 2, 2011 8:07 PM
  • Maybe thinking way too basic here, but in the IIS properties for the new website, what directory security > authentication do you have set? Are you using windows integrated?
    Thursday, March 3, 2011 2:25 PM
  • Hmm, good point, I think it is supposed to be set as anonymous, isn't it?
    Jamie Miley
    Thursday, March 3, 2011 3:00 PM
    Moderator
  • Marc,

    We came to the same conclusion.  It is unfortunate, but we are just going to have all of our users use the IFD URL.  They will have to sign in inside the building as well, but it will reduce confusion as we are constantly in and out of the building.

    Thanks for everyone's input.

    Thursday, March 10, 2011 3:55 PM
  • Hello,

    The only way to achieve that would be with URL rewrite. Check this URL, it explains well how to achieve that:

    http://www.sidesofmarch.com/index.php/archive/2012/01/15/url-rewriting-for-user-friendly-urls-with-dynamics-crm-2011

    Regards,

    Christian Rivard

    • Proposed as answer by Crowdak Wednesday, June 26, 2013 6:06 PM
    Wednesday, June 26, 2013 5:45 PM