Problem with authentication from internal URL on IFD deployment

  • Question

  • Hello,

    I configured IFD on CRM 2011. The external URL works fine and I can authenticate on ADFS with the ADFS form for username and password. But when I go to the internal URL, CRM redirects me to ADFS, but in the query string I see that the auth method is username, not windows, and ADFS shows me the form for username and password.

    External URL is orgname.company.cz, auth.company.cz, sts.company.cz, dev.company.cz

    Internal URL is crm.company.cz

    IFD domain is company.cz

    When I add to ADFS a relying party with the NetBIOS name of the CRM server instead of crm.company.cz, then when I go to the NetBIOS name I get Windows auth. When I check the white paper for setting up claims-based auth, it uses IFD domain contoso.com and orgname.contoso.com for external and internalcrm.contoso.com for external access. But I think it can't work. When I use the workaround with the NetBIOS name it works, but I must use a wildcard certificate with SAN.

    Is there another way?



    Thursday, March 17, 2011 1:28 PM

All replies

  • Did you solve this problem?
    Monday, April 4, 2011 5:23 AM
  • ADFS is identifying your internal URL as external.

    The external relying party uses auth.company.cz, so it looks for organisations that are *.company.cz, and as your internal URL falls into this category, it treats it as external.

    You should change the internal URL to something like crm.company.local or just use the CRM server name. You will need to create a new relying party for your internal URL.

    Marc Collins www.QGate.co.uk
    Monday, April 4, 2011 8:06 AM
  • Not ADFS, but CRM does. Identification is done on the CRM side and then the user is redirected to the ADFS site with an indication of how to authenticate the user. You can see it in the query string: at the end, windows for internal or password for external. As I said before, I use the computer name, but I cannot use a simple wildcard certificate; I must use a certificate with the SAN attribute set to the computer name. And this is the main problem: the white paper says to use a simple wildcard certificate.

    Thursday, April 21, 2011 1:46 PM
  • You can use a SAN certificate that contains a wildcard as a subject as well as the server name as a subject.

    For example, your SAN cert would have a subject of "CN=*.company.cz, CN=Server_Name". 

    Marc Collins www.QGate.co.uk
    Thursday, April 21, 2011 1:58 PM
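The two checks discussed in the replies above (which hostnames fall under the IFD domain and are therefore treated as external, and which of them a wildcard certificate actually covers) can be modelled in a few lines. This is an added example, not code from the thread or from CRM/ADFS: the IFD domain and the URLs are the ones from the original post, the NetBIOS name CRMSRV01 is an assumption, and the certificate is modelled as its list of subjectAltName DNS names, which is what TLS clients match against (a wildcard covers exactly one label, so `*.company.cz` matches crm.company.cz but never a bare server name or crm.company.local).

```python
# Added example (not from the thread): hostname classification against the IFD
# domain and certificate-name coverage. CRMSRV01 and crm.company.local are
# assumed names; the rest come from the original post.

IFD_DOMAIN = "company.cz"  # IFD domain as stated in the original post

# Constructed hostname list: the external URLs and internal URL from the post,
# plus an assumed NetBIOS name and the crm.company.local suggestion.
HOSTS = [
    "orgname.company.cz",
    "auth.company.cz",
    "sts.company.cz",
    "dev.company.cz",
    "crm.company.cz",
    "CRMSRV01",
    "crm.company.local",
]

# Two constructed certificates, expressed as their subjectAltName DNS entries.
WILDCARD_ONLY = ["*.company.cz"]
WILDCARD_PLUS_SAN = ["*.company.cz", "CRMSRV01"]


def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and whitespace."""
    return name.strip().lower().rstrip(".")


def is_external(hostname: str, ifd_domain: str = IFD_DOMAIN) -> bool:
    """A host under the IFD domain (*.company.cz) is treated as an external
    organisation URL; anything else (bare NetBIOS name, .local) is internal."""
    return _norm(hostname).endswith("." + _norm(ifd_domain))


def san_matches(entry: str, hostname: str) -> bool:
    """Match a certificate DNS name the way TLS clients do (RFC 6125): a
    leading '*' covers exactly one label, so *.company.cz covers
    crm.company.cz but not a.b.company.cz, company.cz itself, or a bare
    NetBIOS name. Non-wildcard entries must match exactly."""
    e, h = _norm(entry), _norm(hostname)
    if not e.startswith("*."):
        return e == h
    suffix = e[1:]  # ".company.cz"
    if not h.endswith(suffix):
        return False
    label = h[: -len(suffix)]
    return bool(label) and "." not in label


def matching_entries(san_entries, hostname):
    """All certificate names that cover the given hostname."""
    return [e for e in san_entries if san_matches(e, hostname)]


def uncovered(hostnames, san_entries):
    """Hostnames the certificate would fail name validation for."""
    return [h for h in hostnames if not matching_entries(san_entries, h)]


def plan(hostnames, san_entries, ifd_domain=IFD_DOMAIN):
    """Per host: is it classified external, and which cert names cover it."""
    return {
        h: {"external": is_external(h, ifd_domain),
            "matched_by": matching_entries(san_entries, h)}
        for h in hostnames
    }


if __name__ == "__main__":
    for cert_name, entries in (("wildcard only", WILDCARD_ONLY),
                               ("wildcard + SAN", WILDCARD_PLUS_SAN)):
        print(f"--- certificate: {cert_name} ({', '.join(entries)})")
        for host, info in plan(HOSTS, entries).items():
            kind = "external" if info["external"] else "internal"
            cover = ", ".join(info["matched_by"]) or "NOT COVERED"
            print(f"{host:22} {kind:9} {cover}")
```

Running it shows the trade-off the thread circles around: every name under company.cz is classified external, so the only hostnames that come out internal (the NetBIOS name or a .local name) are exactly the ones a `*.company.cz` wildcard does not cover, which is why the server name has to be added as an explicit SAN entry.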
  • Hi,

    Did you add an SPN record for ADFS?

    I was having the same issue; then I created an SPN record for ADFS and it's working fine.



    Khaja Mohiddin
    Friday, April 29, 2011 12:31 PM