CRM 2015 with ADFS on Server 2012 for internal and external users

  • Question

  • Hi,

     I'm looking at deploying ADFS with CRM 2015. I have an internal CRM environment which I would like to use as follows:

    - Internal CRM accessed by internal users with SSO. Some internal users will be using iPads.
    - I have a DMZ environment with a separate DC and ADFS servers. I would like my DMZ users to be able to use my internal CRM via ADFS (being authenticated against the DMZ DCs)

    I've had a look at the online guides for ADFS configuration with CRM; typically they'll focus on internal ADFS SSO or external, but not both. What's the best way to achieve what I'm after?

    In addition, from the various blog posts I've seen it's advised to use a wildcard certificate for the IFD configuration of CRM and the same certificate is used on the CRM server itself - is this a requirement?

    I was planning on using a cert with:

    sts.contoso.com
    enterpriseregistration.contoso.com

    For my ADFS server, but will use a wildcard cert if needed - please advise.

    In addition, the top link from Microsoft says that if the CRM and ADFS servers are two SEPARATE servers, do not use 443 for Web Application Server, Organization Web Service, or Discovery Web Service in the CRM configuration - should this be: if the ADFS server and the CRM server are installed on the SAME server, do not use 443? The bottom link has the roles installed on the same server using different ports (as I would expect).


    https://technet.microsoft.com/en-us/library/gg188575.aspx#BKMK_server_binding
    http://www.interactivewebs.com/blog/index.php/crm/how-to-set-up-crm-2015-ifd-on-windows-2012-and-adfs-3-0/


    thanks in advance
    Friday, October 16, 2015 4:45 PM

Answers

  • A few pointers:

    1. If you want ADFS and CRM on the same server, you must install ADFS first.
    2. You are correct in that CRM should not use 443 if they're on the SAME server.
    3. Full ADFS/IFD configuration generally requires that everyone, internal and external, use the full URL and IFD. If you're using apps for iPad (or any apps, really), you will HAVE to fully implement IFD. Apps won't work any other way, and they're really finicky about the configuration.
    4. Wildcard is really the way to go. It will make your life easier with the certs.

    The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.

    Friday, October 16, 2015 4:52 PM

All replies

  • Couple of clarifications:

    1. If CRM and ADFS are on the same server, they will need to be on different ports. The most common configuration is to have ADFS on port 443 and CRM on a different port, but it can work the other way around.
    2. The order in which CRM and ADFS are installed doesn't matter
    3. If using Windows 2008 for ADFS, ADFS has to be on the default website, and so CRM has to be on a different website. This doesn't mean that ADFS has to be on port 443, as you can change the port for the default website

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Saturday, October 17, 2015 2:17 PM
    Moderator
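  • The two practical points raised above (does the certificate cover every host name the ADFS service and the CRM IFD endpoints will present, and is more than one IIS site trying to own port 443 on a shared CRM/ADFS box) can be checked before running the IFD wizard. The PowerShell below is an added example, not code from this thread or from Microsoft. The host names auth.contoso.com, dev.contoso.com and crmorg.contoso.com, the thumbprint placeholder, and the use of the WebAdministration module are assumptions; sts.contoso.com and enterpriseregistration.contoso.com come from the question. Run it in an elevated prompt on the server that holds the certificate.

```powershell
# Added example (not from the thread): pre-flight checks for a CRM IFD + ADFS plan.
# Host names, the thumbprint placeholder and the WebAdministration module are assumptions.
Import-Module WebAdministration -ErrorAction Stop

# Every DNS name the certificate must cover. sts/enterpriseregistration are from the
# question; auth (IFD sign-in), dev (discovery) and crmorg (the organization) are assumed.
$requiredNames = @(
    'sts.contoso.com',
    'enterpriseregistration.contoso.com',
    'auth.contoso.com',
    'dev.contoso.com',
    'crmorg.contoso.com'
)
$Thumbprint = '<thumbprint of the certificate under test>'   # placeholder, replace

function Get-CertificateDnsNames {
    # Returns the DNS names in the SAN extension (OID 2.5.29.17), falling back to the CN.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=*.contoso.com"
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    if ($names.Count -eq 0) {
        $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    }
    return $names
}

function Test-NameCovered {
    # True when $Name equals one of $CertNames, or a wildcard entry covers it. A wildcard
    # matches exactly one label: *.contoso.com covers auth.contoso.com, not a.b.contoso.com.
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -ieq $Name) { return $true }
        if ($c.StartsWith('*.') -and $Name.Length -gt ($c.Length - 1)) {
            $suffix = $c.Substring(1)                                  # ".contoso.com"
            if ($Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $left = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($left -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# --- 1. Certificate coverage -------------------------------------------------
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
$certNames = Get-CertificateDnsNames -Cert $cert
"Certificate names: $($certNames -join ', ')"
foreach ($n in $requiredNames) {
    if (Test-NameCovered -Name $n -CertNames $certNames) { "  OK       $n" }
    else { Write-Warning "MISSING  $n is not covered by this certificate" }
}

# --- 2. Port ownership on a shared CRM/ADFS server ---------------------------
# ADFS 2.x on Server 2012 runs as an IIS site, so a clash with the CRM site shows up here.
# ADFS 3.0 on 2012 R2 listens through HTTP.SYS instead; use "netsh http show sslcert" there.
$httpsBindings = Get-Website | ForEach-Object {
    $site = $_.Name
    $_.bindings.Collection | Where-Object { $_.protocol -eq 'https' } | ForEach-Object {
        [pscustomobject]@{ Site = $site; Port = ($_.bindingInformation -split ':')[1] }
    }
}
$httpsBindings | Format-Table -AutoSize
$httpsBindings | Group-Object Port | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Port $($_.Name) is bound by more than one site: $($_.Group.Site -join ', ')"
}
```

    The name check is why the wildcard advice in the answer works: *.contoso.com covers sts, auth, dev and the organization name in one certificate, but only at that single label depth, so a name with an extra label would still show as MISSING. The port check lists every HTTPS binding per IIS site and warns when two sites share a port, which is the same-server conflict the answer and the clarification describe.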
  • Thanks
    Monday, October 19, 2015 2:23 PM