Configure IFD in Front End server without impact for Users

  • Question

  • Hi,

       I have installed CRM 2013 in Full Server Roles with a separate SQL Server. Now I would like to configure IFD. So I have placed 2 different servers (NLB) in the DMZ with the Front End server & Deployment Manager roles (connecting to the same DB) installed. Now I have 1 Full Server, 1 DB Server and 2 FE servers in the DMZ. I would like to configure IFD in the Front End server Deployment Manager. But I would like to configure this without disturbing the current internal CRM users accessing the CRM. How do I configure this IFD in FE without having any impact on the current internal CRM users?

    Tuesday, November 10, 2015 4:30 PM

Answers

  • What URL do the internal users use to access CRM currently? Once you have installed IFD, the URL will have to be a FQDN over https, so for minimal disturbance you should ensure the internal users already access CRM via a URL that meets these criteria. You should also ensure this URL, and the URL you intend to use for ADFS, are in the local intranet zone on each client - this will avoid prompts for login credentials.

    In reality you need to allow a certain amount of downtime to run the Claims and IFD wizards, and to configure the relying party trusts in ADFS - if I'm confident there are not likely to be any issues, I would allow a minimum of an hour for this, during which time users will probably not be able to access CRM.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    • Marked as answer by Vinoth Thiru Monday, November 16, 2015 12:00 PM
    Tuesday, November 10, 2015 5:19 PM
    Moderator
  • The internal users will need to make a slight change.  When IFD and ADFS are configured, you will create an internal DNS record for internalcrm that will resolve to the CRM server.  So the URL that the internal users will use is something like https://internalcrm.domain.com/orgname instead of the NetBIOS name of the CRM server or NLB.

    I'm not 100% certain, but I think you may see an issue with configuring things.  In the Deployment Manager properties, you will need to indicate that you are using a NLB.  Which should be the single source of traffic for the 2 CRM servers in the NLB.  But you also have the full server sitting inside the network as sort of a third wheel.  So I'm not sure how the deployment will react to this.

    What may have been a better option would be to place all 3 CRM servers into the NLB.  Then publish the ADFS URL and the NLB URL through a web access proxy in Windows Server 2012 R2.  Now all 3 CRM servers would be listening to traffic from the NLB inside your domain.  Internal users use the internalcrm URL and outside users use the IFD URL.


    Jason Peterson

    • Marked as answer by Vinoth Thiru Monday, November 16, 2015 12:00 PM
    Tuesday, November 10, 2015 11:34 PM

All replies

  • Hi,

     Thanks for the response. The internal users are using this URL: "http://servername/Orgname/main.aspx".

    Will there be a certain downtime even in the DMZ Front End server - Claims-based and IFD config?

    Thanks 

    Tuesday, November 10, 2015 5:34 PM
  • Thanks Jason,

    1. I tried to configure IFD. But after configuring Claims-Based Authentication, my existing CRM Full Server (servername/orgname) URL is not working and has completely stopped, showing a Page 404 error. On the FE server, when I tried to browse (crminternal.domain.com), it opens up the CRM but doesn't open any entities/records. The sitemaps are not proper, and "page cannot be displayed" is shown when I click on any of the entities.

    2. For internal users: after I configure IFD on the CRM Front End server, will the internal users need to pass the authentication through ADFS only? Or is there any other way to use it without ADFS authentication?

    Thanks

    Wednesday, November 11, 2015 8:28 PM
  • Hi,

    If you get this up and running, please let me know how because as of yet I've been struggling with internal/external address, maybe because of a weird setup :)

    Another thing that is worth mentioning is that if the users are working in the Outlook client and are sometimes on the inside and sometimes on the outside you should probably set that up to the external address only.

    Regards


    Rickard Norström Developer CRM-Konsulterna
    http://www.crmkonsulterna.se
    Swedish Dynamics CRM Forum: http://www.crmforum.se
    My Blog: http://rickardnorstrom.blogspot.se

    Thursday, November 12, 2015 6:57 AM
  • Hi Richard,

      Thanks David , Jason and Richard

       I have done the IFD configuration on the Front End server. As I said in my earlier reply, I configured IFD and was facing issues on the Front End server.

         Issue 1: "There was no endpoint listening at net.tcp://crmname/CrmSandboxHost that could accept the message"

       Resolution: I reinstalled CRM, selecting the Front End server roles, the Deployment role AND ONLY THE SANDBOX SERVICES (check box) role. After that I reconfigured IFD as well. Then the issue was resolved. Now it is working with the IFD URL and all the data is shown without issues.

       Issue 2: The old URL (the existing internal CRM URL from before the IFD configuration) was not working, showing that the Relying Party certificate is not found.


        Exception type: CrmSecurityException 
        Exception message: GetServiceConfiguration - Initialization:
    Host: servername
    Request Url: http://localhost/
    Relying Party Certificate was not found

     Resolution: On the old Full Server CRM, I added the certificate (used on the IFD Front End server) into the Personal and Trusted Root Certification Authorities stores, and in mmc -> Certificates -> right-click the certificate -> All Tasks -> Manage Private Keys -> added the account (the account should be the App pool service account). Do an IIS reset on the Full CRM Server. This issue has nothing to do with the Front End server except providing the certificate to the CRM Full Server.

    Now both the old internal URL and IFD are working.

    Thanks again for all the inputs

    • Edited by Vinoth Thiru Monday, November 16, 2015 12:06 PM
    Monday, November 16, 2015 12:00 PM
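
The following check is an added example, not part of any post in this thread. It verifies the state the last resolution depends on: the certificate is in the server's Personal store with a private key, and the app pool account has Read on that key. The thumbprint and account name are placeholders to replace, and the function names are hypothetical.

```powershell
# Added example. Placeholder values below are assumptions, not from the thread.
$Thumbprint     = '<CERT-THUMBPRINT>'      # certificate used for claims/IFD
$AppPoolAccount = 'DOMAIN\crm-apppool'     # hypothetical CRM app pool identity

function Get-PrivateKeyFile {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $name = $null
    # Legacy CSP keys expose the container name through PrivateKey.
    try { $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
    if (-not $name) {
        # CNG keys: resolve the key through the .NET 4.6+ extension method.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        $name = $rsa.Key.UniqueName
    }
    if (-not $name) { return $null }
    $root = Join-Path $env:ProgramData 'Microsoft\Crypto'
    'RSA\MachineKeys', 'Keys' |
        ForEach-Object { Join-Path (Join-Path $root $_) $name } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
}

function Test-CrmCertificateAccess {
    param([string]$Thumbprint, [string]$Account)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return 'Certificate is not in LocalMachine\My (Personal).' }
    if (-not $cert.HasPrivateKey) { return 'Certificate has no private key on this server.' }
    if ($cert.NotAfter -lt (Get-Date)) { return "Certificate expired on $($cert.NotAfter)." }

    $keyFile = Get-PrivateKeyFile -Cert $cert
    if (-not $keyFile) { return 'Private key file could not be located.' }

    # Look for an explicit Allow entry that includes Read for the account.
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if (-not $rules) { return "$Account has no Read access to the private key." }
    if ($rules | Where-Object { $_.FileSystemRights -match 'FullControl' }) {
        return "$Account has Full Control on the private key; Read is sufficient."
    }
    "$Account can read the private key."
}

Test-CrmCertificateAccess -Thumbprint $Thumbprint -Account $AppPoolAccount
```

Run it in an elevated session on each CRM server that serves the site; it only inspects ACL entries naming the account directly, so access granted through a group is not reported.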