Question Status

Suggested Answer
Jennifer Wheeler asked a question on 15 Nov 2011 9:30 AM

From what I have read it sounds like if you need to have an IFD site in CRM 2011 you have to use claims based authentication for both the IFD site and your internal site.  Is that true?  I am currently testing the upgrade to CRM 2011 and got claims based authentication working both internally and externally.  when I upgrade the internal users Oultook client I would prefer they use windows authentication instead of the claims based authentication.  If I use Internet Explorer I can get to the internal CRM site using windows authentication but if I try to configure the Outlook client it will only configure if I use the claims based URL.  So, I was just wondering if there was a way to not use claims based for the internal site.

Thanks
Jennifer

Reply
Suggested Answer
Mohammad Atif responded on 8 Feb 2012 2:47 PM

Hi Jennifer,

Thank you for asking this question.

Please see my answers in line:

Question: From what I have read it sounds like if you need to have an IFD site in CRM 2011 you have to use claims based authentication for both the IFD site and your internal site.  Is that true?

Answer: Yes claims based authentication is required for IFD and internal site.

And got claims based authentication working both internally and externally.  When I upgrade the internal users Outlook client I would prefer they use windows authentication instead of the claims based authentication.  If I use Internet Explorer I can get to the internal CRM site using windows authentication but if I try to configure the Outlook client it will only configure if I use the claims based URL-->

Answer: If you only need windows authentication and want to configure CRM 2011 outlook client from the client machines within the domain as your CRM server or from another domain with a transitive trust relation between the two domains then instead of using the claims based internal URL you can use your default CRM 2011 URL. However if you want IFD URL so that the users outside the domain can configure CRM 2011 Outlook client  then you have to enable the claims based authentication first and then Internet Facing Deployment. Once it is configured successfully you can use External URL (IFD URL) to configure the CRM 2011 Outlook client from any machine (need not to be in the same domain as CRM server) but that system should have internet access.

Moreover, you always have an option to only configure Claims based Authentication for your internal access and also you can use Internal URL to configure the CRM 2011 Outlook client from client machines which are in the same domain as CRM server or from a different domain with a transitive trust relationship between the two domains.

Please let me know if that answers your questions and also let me know if this is not clear to you yet. I will be happy to give more information on this.

For more information you may refer: Microsoft Dynamics CRM 2011 and Claims-based Authentication.doc available at www.microsoft.com/.../details.aspx

Thanks,

Mohammad

Reply
Jens Froherz responded on 15 Feb 2012 7:11 AM

But with IFD configured successful and also successful login in IE, the Outlook  Client Configuration Wizard has problems, if configuring Outlook Client with external Url from external Domain.

Even though the discovery service Url resolves in Ie without problems, the Outlook Client wizard has authentication plroblems, or is there a trick, not mentioned in any Microsoft documentation.....  

Reply
Jennifer Wheeler responded on 15 Feb 2012 9:14 AM

We had that same problem and there is a hotfix for it.  Here is a link to it - support.microsoft.com/.../2645912.  

Jennifer

Reply
Suggested Answer
Mohammad Atif responded on 15 Feb 2012 10:20 AM

Hi Jens,

Thanks for the clarification and thank you Jennifer for sharing this Kb article.

Regards,

Mohammad

Reply
Jens Froherz responded on 15 Feb 2012 12:49 PM

Hi Jennifer,

Hi Mohammad,

I had seen this KB article before, but this Hotfix is not available for my system, so the App told me on Install. In my case I can connect with Outlook Client on Internal Url, but if I insert the HomeRealmUrl in registry, there is no authentication on external Url available. It would be nice to have a possibility,  fixing all the things manually. Have you heard about anything like this?

Thanks Jens

Reply
Jennifer Wheeler responded on 15 Feb 2012 1:01 PM

Hi Jens

Do you have the latest CRM rollup installed?  UR 6 is the latest for CRM 2011.  I believe the hotfix came out after UR 5 so it might be included in UR 6.

Jennifer

Reply
Suggested Answer
Mohammad Atif responded on 15 Feb 2012 2:42 PM

Yes I aggree with Jennifir. Please install UR6 and check the behviorwww.microsoft.com/.../details.aspx

Reply
Jens Froherz responded on 17 Feb 2012 1:18 AM

I checked my Laptop again and found the Update always installed. I had overseen it in the update-list before... Despite of this, only the internal Url and not the external Url is authenticated well.....

Reply
Mohammad Atif responded on 17 Feb 2012 7:35 AM

Hi Jens,

When you are trying to configure CRM 2011 Outlook client using IFD URL are you getting any error message? Is yes please let me know what error message you are getting? Could you please share the Configuration log error details that would be helpful to give more information.

Thanks,

Mohammad

Reply
Jens Froherz responded on 19 Feb 2012 9:49 AM

Hi Mohammad,

thanks for your feedback, but it seems, I have found a possible solution for my problem.

I had tested again - outside of our company network and there - the external Url is working, but not the internal Url. In IE both URL available outside the network.

So outside the company network the things have changed in an invers way. So I suppose, an complete external Connection by Outlook Client is blocked by our Router in our company network. This behavior seems to be different to an IE authentication. I do not have an clear explanation for me now, but if I'm back in my company network tomorrow, I will configure the internal Url too and I hope to have a working system inside and outside in this way.

Many thanks Jens

Reply
Gustavo Rosa responded on 10 Oct 2012 12:41 PM

Hi All

I just installed CRM 2011 and I'm trying to install Claims-Based Authentication, but I'm problem when calling the internal page that is redirected to the page adsf.dominio and shows me an error asking to talk with the administrator.

Anyone ever seen this error?

Reply
Suggested Answer
Mohammad Atif responded on 8 Feb 2012 2:47 PM

Hi Jennifer,

Thank you for asking this question.

Please see my answers in line:

Question: From what I have read it sounds like if you need to have an IFD site in CRM 2011 you have to use claims based authentication for both the IFD site and your internal site.  Is that true?

Answer: Yes claims based authentication is required for IFD and internal site.

And got claims based authentication working both internally and externally.  When I upgrade the internal users Outlook client I would prefer they use windows authentication instead of the claims based authentication.  If I use Internet Explorer I can get to the internal CRM site using windows authentication but if I try to configure the Outlook client it will only configure if I use the claims based URL-->

Answer: If you only need windows authentication and want to configure CRM 2011 outlook client from the client machines within the domain as your CRM server or from another domain with a transitive trust relation between the two domains then instead of using the claims based internal URL you can use your default CRM 2011 URL. However if you want IFD URL so that the users outside the domain can configure CRM 2011 Outlook client  then you have to enable the claims based authentication first and then Internet Facing Deployment. Once it is configured successfully you can use External URL (IFD URL) to configure the CRM 2011 Outlook client from any machine (need not to be in the same domain as CRM server) but that system should have internet access.

Moreover, you always have an option to only configure Claims based Authentication for your internal access and also you can use Internal URL to configure the CRM 2011 Outlook client from client machines which are in the same domain as CRM server or from a different domain with a transitive trust relationship between the two domains.

Please let me know if that answers your questions and also let me know if this is not clear to you yet. I will be happy to give more information on this.

For more information you may refer: Microsoft Dynamics CRM 2011 and Claims-based Authentication.doc available at www.microsoft.com/.../details.aspx

Thanks,

Mohammad

Reply
Suggested Answer
Mohammad Atif responded on 15 Feb 2012 10:20 AM

Hi Jens,

Thanks for the clarification and thank you Jennifer for sharing this Kb article.

Regards,

Mohammad

Reply
Suggested Answer
Mohammad Atif responded on 15 Feb 2012 2:42 PM

Yes I aggree with Jennifir. Please install UR6 and check the behviorwww.microsoft.com/.../details.aspx

Reply