Question Status

Verified
Pradeep Pawar asked a question on 9 Oct 2013 7:17 AM

Configure an Internet Facing Deployment for CRM 2011 Server in a more secure way, with an ADFS Proxy:

After reading the white papers, blogs and YouTube videos on the topic, I figured I would need notes for myself as much as anything. This is mostly because I am yet to find one single example that covered the setup I was after, that being a separate CRM Server, DB Server, ADFS Server and ADFS Proxy (in the DMZ).

Present Setup:

This is a staging environment setup, with fully patched versions of:

Windows Server 2008 R2 Enterprise SP1

SQL Server 2008 R2 Enterprise SP1

CRM 2011 Server

I set up CRM 2011 on the default website, as ADFS is on a separate box.

Test that CRM is working on the CRM Server first.

The configurations below were already made ready:

  • Certificate

SAN certificate used with the entries below:

1) Organization Name – ifdcrm.domain.com

2) Internal CRM – internalcrm.domain.com

3) ADFS Server – adfs.domain.com

4) External Domain – authifd.domain.com

  • DNS Entries

We need to have some subdomains pointing to the following:

CRM Server:

1) ifdcrm.domain.com

2) authifd.domain.com

3) devifd.domain.com

4) internalcrm.domain.com

ADFS Server:

1) adfs.domain.com

  • IIS Bindings on CRM Server

HTTP is working on 80.

Add a new binding with HTTPS on 443 and select the SAN certificate.

  • IIS Binding on ADFS Server

HTTPS on 443 with the SAN certificate.

 

 

  • Firewall configurations:

Please follow this guide and allow ports as needed. In my configuration I have allowed the firewall rules below:

To Domain: TCP domain, UDP domain, TCP 1688, TCP ldap, UDP 389, TCP 88, TCP 135, TCP netbios-ssn, TCP 445, UDP 445, UDP NTP, UDP NETBIOS-NS, UDP NETBIOS-DGM, UDP 1025, TCP 808, TCP LDAPS, TCP 3268, TCP 3269, TCP 49156, TCP 49158.

To Exchange: SMTP, 995.

To SQL: TCP 1433, TCP www, TCP https, TCP 135, UDP 1025, TCP netbios-ssn, TCP 445, UDP ntp, UDP 445, UDP netbios-ns, UDP netbios-dgm.

To ADFS Proxy: TCP https.

To ADFS: TCP https.

To Internet: TCP https.

 

Configuring claims-based authentication for internal access

1) Install and configure AD FS 2.0.

2) Claims-based authentication configuration on the CRM 2011 server.

3) Claims-based authentication configuration on the AD FS 2.0 server.

4) Test claims-based authentication inside the network.

 

 

1) Install and configure AD FS 2.0

Download AD FS 2.0 from the following link:

Active Directory Federation Services

http://go.microsoft.com/fwlink/?LinkID=204237

Start the installation wizard.

Install the prerequisites from the wizard itself.

After installation, it will automatically open ADFS Management for the first time.

Start the ADFS Configuration Wizard.

Click on Create a new Federation Service.

On the next page, select Stand-alone federation server.

On the next page you have to choose your SSL certificate and provide the federation service name.

On the Summary page click Next.

Click Close.

Verify the ADFS installation by checking the federation metadata URL in IE. Ensure that no certificate-related warning appears.

URL format:

https://<FederationServiceName>/federationmetadata/2007-06/federationmetadata.xml

After configuring ADFS you will need to configure claims-based authentication on the CRM server.

 

Configure claims-based authentication

Configure CRM 2011 binding to HTTPS

Go to Deployment Manager on the CRM Server, right-click Microsoft Dynamics CRM and choose Properties. On the second tab, ‘Web Address’, select HTTPS and provide the root domain. In my case I have the root domain entry ‘internalcrm.domain.com’ pointing to the CRM server, and my CRM website HTTPS binding was on port 443.

Click OK.

Give the CRMAppPool user read access on the SAN certificate kept in the private store, through MMC.

Configure claims-based authentication

Click Next on the first page.

Provide the federation metadata URL.

Select the certificate. Click Next.

Ensure the system checks pass successfully; if not, check that the federation metadata URL is accessible without any certificate error in IE.

On the next screen, review your selections and click Apply.

On the final Finish screen, note down the URL, and if you are able to browse to it, then you are done here.

 

 

 

Claims-based authentication configuration on the ADFS Server

On the AD FS 2.0 server, open AD FS 2.0 Management.

In the navigation pane, expand Trust Relationships, and then click Claims Provider Trusts.

Under Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

Click on Add Rule.

In the Claim rule template list, select the Send LDAP Attributes as Claims template, then click Next.

Create the rule:

Claim rule name: UPN Claim Rule, or any descriptive name

Add the following mapping:

Attribute Store: Active Directory

LDAP Attribute: User Principal Name

Outgoing Claim Type: UPN

Click Finish, then click OK to close the Rules Editor.

 

 

Configuring relying party trusts

Open AD FS 2.0 Management.

Under Trust Relationships, right-click and choose Add Relying Party Trust.

In the Add Relying Party Trust Wizard, click Start.

On the Select Data Source page, enter the FederationMetadata.xml file URL noted in the CBA wizard.

Click Next.

On the Specify Display Name page, enter a display name, such as CRM Claims Relying Party, and then click Next.

On the Choose Issuance Authorization Rules page, choose Permit all users to access this relying party, and then click Next.

On the Ready to Add Trust page, click Next, then click Close.

When the Rule Editor appears, click Add Rule. Otherwise, in the Relying Party Trusts list, right-click the relying party object you created, click Edit Claim Rules, and then click Add Rule.

 

  

In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Create the following rule:

· Claim rule name: Pass Through UPN (or another descriptive name)

· Add the following mapping:

Incoming claim type: UPN

Pass through all claim values

Click Finish.

In the Rule Editor, click Add Rule; in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:

· Claim rule name: Pass Through Primary SID (or another descriptive name)

· Add the following mapping:

  Incoming claim type: Primary SID

  Pass through all claim values

Click Finish.

In the Rule Editor, click Add Rule.

In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Create the following rule:

Claim rule name: Transform Windows Account Name to Name (or any descriptive name)

Incoming claim type: Windows account name

Outgoing claim type: Name

Pass through all claim values

Click Finish, then click OK to close the Rule Editor.

 

Test claims-based authentication within the intranet

You should now be able to use claims-based authentication for internal access to CRM 2011.

Open the Deployment Manager.

Under Deployment Manager click on Organizations.

Right-click your organization, and then click Browse.

If you face any issue opening CRM, reset IIS.

 

 

Configuring claims-based authentication for external access

You need to do the following steps:

  • Complete the contents of the previous section: Configuring claims-based authentication for internal access.
  • IFD configuration on the CRM 2011 server.
  • IFD configuration on the AD FS 2.0 server.
  • Test claims-based authentication for external access.

 

IFD Configuration on CRM Server

Open the Deployment Manager.

Right-click Microsoft Dynamics CRM, and then click Configure Internet-Facing Deployment.

Click Next.

Fill in the correct domain information for the Web Application, Organization, and Discovery web services. Remember here that in our case *.interactivewebs.com was the name of the wildcard certificate used, and that port 444 was the port we configured for the CRM web instance in the IIS bindings.

Thus we use:

Web Application Server Domain: interactivewebs.com:444

Organization Web Service Domain: interactivewebs.com:444

Web Service Discovery Domain: dev.interactivewebs.com:444

Note – Enter the domain name, rather than the server name.

The Web Service Discovery Domain must be a subdomain of the Web Application Server Domain, like the “dev.” that we set up in DNS earlier.

The domain name must be on the SSL certificate.

Domain examples:

Web Application Server Domain: contoso.com

Organization Web Service Domain: contoso.com

Web Service Discovery Domain: dev.contoso.com

You must specify a sub-domain of the Web Application Server Domain specified in the previous step. By default, “auth.” is prepended to the Web Application Server Domain.

Domain examples:

External Domain: auth.contoso.com

On the System Checks page, if there are no problems, click Next.

On the Review your selections and then click Apply page, confirm your input, and then click Apply.

Click Finish.

Open a command prompt and run: iisreset

 

IFD configuration on the AD FS 2.0 server

To open CRM 2011 through the IFD, you need to add a relying party trust for the IFD endpoints on the AD FS 2.0 server.

Follow these steps:

Open AD FS 2.0 Management.

In the Actions menu, click Add Relying Party Trust.

In the Add Relying Party Trust Wizard, click Start.

On the Select Data Source page, click Import data about the relying party published online or on a local network, and enter the FederationMetadata.xml file URL.

Note – This is almost the same URL as we used previously, but has the “auth.” sub-domain that we used in the point above. The federation metadata for the IFD is configured when the IFD is created.

In this case https://auth.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

Check the URL in your browser to ensure that no certificate-related warnings appear.

Click Next.

Click Next.

 

On the Specify Display Name page, enter the display name, such as CRM IFD Relying Party, and then click Next.

On the Choose Issuance Authorization Rules page, select the Permit all users to access this relying party option, and then click Next.

On the Ready to Add Trust page, click Next, then click Close.

If the Rule Editor appears, click Add Rule. Otherwise right-click the relying party object you created, click Edit Claim Rules, and then click Add Rule.

In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next.

Create the following rule:

· Claim rule name: Pass Through UPN (or another descriptive name)

· Add the following mapping:

    Incoming claim type: UPN

    Pass through all claim values

Click OK.

In the Rule Editor, click Add Rule; in the Claim rule template list, select the Pass Through or Filter an Incoming Claim template, and then click Next:

Claim rule name: Pass Through Primary SID (or another descriptive name)

Add the following mapping:

    Incoming claim type: Primary SID

    Pass through all claim values

Click OK.

In the Rules Editor, click Add Rule.

In the Claim rule template list, select the Transform an Incoming Claim template, and then click Next.

Create the following rule:

Claim rule name: Transform Windows Account Name to Name (or any descriptive name)

    Incoming claim type: Windows account name

    Outgoing claim type: Name

    Pass through all claim values

Click OK. Having created the three rules, click OK to close the Rule Editor.

 

Test claims-based authentication for external access

Now you should be able to use claims-based authentication for external access to CRM 2011. In IE, browse to the CRM 2011 external address (for example https://org.contoso.com); you will see the following pages:

Enter the user name and password to log in to CRM 2011.

 

 

Configure the ADFS Proxy Server to redirect all traffic coming from the outside network, i.e. the Internet

Your AD FS proxy and your ADFS servers will resolve to the same Federation Service Name, so the same SAN certificate will work here.

Import the certificate into both certificate stores, i.e. Trusted Root and Personal.

Add host entries for the internal ADFS server, for example sts.contoso.com pointing to the internal ADFS, and for the CRM server URLs like org1.contoso.com, auth.contoso.com, dev.contoso.com pointing to the CRM server, which is in the DMZ.

Install ADFS Proxy:

Run the executable that you downloaded from Microsoft’s website, “ADFSSetup.exe”.

When the “Welcome to ADFS 2.0 Setup” screen appears, click “Next”.

Accept the EULA and click “Next”.

Choose the “Federation Proxy” role on the “Server Role” screen and click “Next”.

On the “Install Prerequisite Software” screen click “Next” to install the required prerequisites for ADFS 2.0.

The prerequisites and ADFS 2.0 will now begin to install, as shown in the image below. Depending on the prerequisites needed, the time for the installation will vary.

Once the install is completed you will receive a completion screen for the ADFS 2.0 Setup Wizard. You can choose to start the “ADFS 2.0 Management Snap-in” when the wizard closes.

Running the AD FS 2.0 Federation Server Proxy Configuration Wizard:

Open the “AD FS 2.0 Federation Server Proxy Configuration Wizard” from the Start Menu.

Click “Next” on the “Welcome” screen.

On the “Specify Federation Service Name” screen, enter the federation service name and click the “Test Connection” button. If all goes well you will see a successful connection as shown below. Click “OK” and then click “Next”.

When you click “Next” on the “Specify Federation Service Name” screen you will be prompted for the ADFS service account name that you used when configuring your internal ADFS server farm, as shown below; enter it and click “OK”.

On the “Ready To Apply Settings” screen click “Next”.

When everything is complete on the “Configuration Settings” screen, click “Close”.

 

Support Websites:

http://www.microsoft.com/en-in/download/details.aspx?id=27569

Thanks,

Pradeep Pawar

Cybage Software Pvt Ltd

Reply
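The post's prerequisites (every host name resolving, every name present on the SAN certificate, the CRMAppPool identity able to read the private key, and the federation metadata URL loading without a certificate warning) are the things the Deployment Manager wizards' system checks trip over. The script below checks all four from a PowerShell prompt before the wizards are run. It is an added example, not the poster's own script: the host names are the ones listed in the post, the metadata URL is assumed to be the AD FS server's, and the certificate is picked as the newest one in the machine store with a private key, which is an assumption to adjust on a box that holds several.

```powershell
# Pre-flight checks for the post's DNS / certificate / metadata prerequisites.
# Added example, not part of the original post. Run it in an elevated
# PowerShell (2.0 is enough) on the CRM server, then again on the AD FS server
# and the AD FS proxy: with split-brain DNS the answers should differ per box.
# Host names are the post's; the metadata URL and certificate choice are assumptions.

$HostNames   = @('ifdcrm.domain.com', 'authifd.domain.com', 'devifd.domain.com',
                 'internalcrm.domain.com', 'adfs.domain.com')
$MetadataUrl = 'https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'

# 1. Every name must resolve. Unresolved names or answers from the wrong DNS
#    view are the usual reason the CBA / IFD wizard system checks fail.
foreach ($h in $HostNames) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        '{0,-26} -> {1}' -f $h, ($ips -join ', ')
    } catch {
        '{0,-26} -> UNRESOLVED: {1}' -f $h, $_.Exception.Message
    }
}

# 2. The SAN certificate bound on 443 must carry every name. Exact matches only;
#    a wildcard entry is deliberately not expanded here.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
'Using certificate {0} (thumbprint {1}, expires {2})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
$sanText  = if ($sanExt) { $sanExt.Format($true) } else { '' }                 # one "DNS Name=host" per line
$sanNames = [regex]::Matches($sanText, 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($h in $HostNames) {
    '{0,-26} SAN: {1}' -f $h, $(if ($sanNames -contains $h) { 'ok' } else { 'MISSING' })
}

# 3. The account running CRMAppPool needs Read on the private key file (the
#    step the post does through MMC). CSP keys live under MachineKeys;
#    $cert.PrivateKey is $null for CNG keys, which this check does not cover.
if ($cert.PrivateKey) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    (Get-Acl $keyPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# 4. Fetch the federation metadata with the default, strict chain validation.
#    A WebException about the "trust relationship for the SSL/TLS secure channel"
#    is the same certificate warning the post tells you to clear in IE first.
try {
    $req  = [System.Net.HttpWebRequest]::Create($MetadataUrl)
    $resp = $req.GetResponse()
    $xml  = New-Object System.Xml.XmlDocument
    $xml.Load($resp.GetResponseStream())
    $resp.Close()
    'Metadata OK, entityID = {0}' -f $xml.DocumentElement.GetAttribute('entityID')
} catch [System.Net.WebException] {
    'Metadata FAILED: {0}' -f $_.Exception.Message
}
```

Nothing in the script bypasses certificate validation: if step 4 fails, fix the chain (the SAN certificate's issuer must be trusted on the calling box and the name in the URL must be on the certificate) rather than installing a callback that ignores the error, because the CRM wizard and the AD FS trust import use the same validation.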
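The AD FS 2.0 side of the procedure above (the UPN rule on the Active Directory claims provider trust, the two relying party trusts, and the three issuance rules each of them gets) can be scripted with the AD FS 2.0 PowerShell snap-in instead of clicking through the MMC wizards; the claim rule text is what the Send LDAP Attributes, Pass Through and Transform templates generate. This is an added example, not the poster's own script: the host names are the ones listed in the post, the display names are the ones the post suggests, and it assumes the CRM-side Deployment Manager wizards have already been run so that both metadata URLs load from the AD FS server without a certificate error.

```powershell
# AD FS 2.0 configuration for the post's two CRM relying parties.
# Added example, not part of the original post. Run on the AD FS server as an
# administrator after the CRM claims / IFD wizards have published their metadata.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# --- Claims provider trust: issue UPN from the userPrincipalName attribute ---
# Set-ADFSClaimsProviderTrust -AcceptanceTransformRules REPLACES the whole rule
# set, so append to the existing rules (they pass through windowsaccountname
# and primarysid, which the relying party rules below depend on).
$upnRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN Claim Rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
$ad = Get-ADFSClaimsProviderTrust -Name 'Active Directory'
if ($ad.AcceptanceTransformRules -notmatch 'UPN Claim Rule') {
    Set-ADFSClaimsProviderTrust -TargetName 'Active Directory' `
        -AcceptanceTransformRules ($ad.AcceptanceTransformRules + "`r`n" + $upnRule)
}

# --- Issuance rules: identical for the internal and the IFD relying party ----
$crmRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# "Permit all users to access this relying party", as chosen in the wizard.
# Every domain account can then obtain a token for CRM; CRM still enforces its
# own user and role checks, but an AD group rule here is the tighter choice.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# --- Relying party trusts: internal claims URL and the IFD "auth" URL ---------
$trusts = @{
    'CRM Claims Relying Party' = 'https://internalcrm.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'
    'CRM IFD Relying Party'    = 'https://authifd.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'
}
foreach ($name in $trusts.Keys) {
    if (-not (Get-ADFSRelyingPartyTrust -Name $name)) {
        # -MetadataUrl imports identifiers, endpoints and CRM's encryption
        # certificate, like "Import data ... published online" in the wizard.
        Add-ADFSRelyingPartyTrust -Name $name -MetadataUrl $trusts[$name]
    }
    Set-ADFSRelyingPartyTrust -TargetName $name `
        -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $crmRules
}
Get-ADFSRelyingPartyTrust | Format-Table Name, Identifier, MetadataUrl -AutoSize
```

Re-running the script is safe: the claims provider rule is only appended once, existing trusts are left in place, and Set-ADFSRelyingPartyTrust overwrites the rule sets with the same text. Keep the two trusts separate as the post does; the internal and IFD metadata carry different identifiers and endpoints, and AD FS matches a token request to a trust by identifier.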
Suggested Answer
DEVENDRA VISHWAKARMA responded on 10 Oct 2013 12:13 AM

Excellent post. Thanks for sharing.

Reply
Pramod Kale responded on 10 Oct 2013 5:52 AM

Great.... very much helpful.

Reply
Aditya_Patil responded on 10 Oct 2013 6:01 AM

Very Informative..

Reply
Verified Answer
Pradeep Pawar responded on 12 Nov 2013 1:48 AM

Thanks!

Reply
ManLung responded on 6 Feb 2014 3:05 AM

Hi, I would like to know, does your CRM application server sit in the DMZ?

I understand I need to have 2 public IP addresses, for the CRM server entry point and the ADFS proxy server.

If I put my CRM server on the internal network, how does it work when an external user enters the CRM server URL?

Thanks

Reply
Pradeep Pawar responded on 6 Feb 2014 3:13 AM

Hi,

Yes, the CRM Server and ADFS Proxy Server reside in the DMZ.

The CRM Server should be public, as when an external user enters the CRM URL it first goes to the CRM Server. We can put ADFS in the DMZ, but it may be a security threat for the organization's environment, so the ADFS Proxy is there, which redirects (sends / receives) requests from the CRM Server (DMZ) to ADFS (internal network).

Let me know for any query.

Pradeep P

Reply
ManLung responded on 6 Feb 2014 8:03 AM

Dear Pradeep,

For security reasons, I can't put the CRM server in the DMZ. The deployment mode will be like

crmbook.powerobjects.com/.../ser51.png

Should external access in IFD mode still be valid?

My doubt is, when an external party inputs the URL, e.g. https://crm.contonso.com, how can the internal CRM server receive the request and return the data back?

Thanks,

ManLung

Reply
Pradeep Pawar responded on 6 Feb 2014 9:35 PM

I got your point; yes, it is a supported case from an ADFS deployment standpoint. I was not able to test all scenarios for ADFS deployment due to our internal restrictions, but you can try it.

Maybe the below can help you. In the scenario I explained I have opted for Option 3 in the diagram below:


Let me know about that, which will be an added advantage for my knowledge as well. :)

Pradeep P.

Cybage Software Pvt. Ltd.

Reply
ManLung responded on 6 Feb 2014 11:14 PM

Dear Pradeep,

I think it would be option 2 for my case. May I know, do I need to assign a public IP address to the internal CRM server? Once I do that, it will expose my internal CRM to the Internet, which would cause a network security concern.

ManLung

Reply