web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / What is meant bei Clai...
Microsoft Dynamics CRM (Archived)

What is meant bei Claim-Based for external access but keeping Ad-integrated for internal access?

(0) ShareShare
ReportReport
Posted on by Dieter Tontsch 25

I am about to setup ADFS + claim-based and IDF for CRM2011, I have to do this for PowerMailChimp to work withour CRM. But I do not like to push my users to use claim-based aouthentication. We have no need for trusts between domains etc, it's a simple straight-forward single domain environment. Because I do not know of any side-effects with claim-based aouthenticatoin I like to keep the authenticatoin mode as it is, additionally provide claims-based for PowerMailChimp and eventually others who need it. Because I also want to keep ssl on 443 I decided to install ADFS 2.0 on a different server. I already managed to have ADFS/Claims-Based and IDF working in a test-envornment, but there was everything on the same server and only claims-based did work, no Active-Directory integrated in parallel.

The first thing which I don't feel confident with is that once I setup claim-based authentication no "normal" login is possible anymore (domain\uid) from that moment on. I wonder where the difference which url to be claim-based and which one to be not is made in the configuration. Does this just mean like domain.intra is considered to be internal and domain.com should be external = claim-based? But not even this is logical to me. I have to specify Web Address in CRM Deployment Manager and this is either/or - and from what I specifiy in my Web Addresses area in CRM Deploament Manager the claim-based url is created of.  However, in my scenario once I turn on claim-based authentication on CRM no login is possible anymore (ADFS is not et configured correctly) no matter what url I use in order ot access my CRM server. I did this all only in a test environment so far, I am affraid to set this up on the live server as long I can't control which URL to be claim-based and which one not.

Also, I didn't really find yet realy helpfull docuemntaotin which describes how to setup adfs on one server and the rest on the CRM server. It is all about setting up everyting on the same server, sticking for 444 port for the CRM SSL etc.... In these docs everything is mixed up. any url works at any time since it's always the same. No idea when to use auth. or dev, or sts.....

But I read somewhere that all this stuff is meant to be setup both ways, claim-based for exterla users and keeping Ad-integrated for the internal uses. But no idea how to set this up.

Thanks

*This post is locked for comments

I have the same question (0)
  • Verified answer
    Pradeep Pawar Profile Picture
    Pradeep Pawar 2,930 on at

    You can check from my below post in forum:

    community.dynamics.com/.../113817.aspx

    You will surely get some idea.

    Although I summarized your queries in below point. Please find probable answers inline below.

    1) once I setup claim-based authentication no "normal" login is possible anymore (domain\uid) from that moment on

    Once you will configure claims based authentication and IFD, two URLs will be generated One for Internal Users (users who will be accessing CRM from IntraNet) and the other is External (users who will be accessing CRM over the internet) So Internal users do not need to provide credentials, as it will be SSO.

    2) I wonder where the difference which url to be claim-based and which one to be not is made in the configuration. Does this just mean like domain.intra is considered to be internal and domain.com should be external = claim-based?

    Once you will configure claims based authentication and IFD, two URLs will be generated One for Internal Users (users who will be accessing CRM from IntraNet) and the other is External (users who will be accessing CRM over the internet)

    for example:

    Internal URL would be in format : https://<internalcrmaccess>.domain.com(:Port)/<Org_name>

    External URL would be like:  https://<Org_name>.domain.com(:Port)/

    3) But not even this is logical to me. I have to specify Web Address in CRM Deployment Manager and this is either/or - and from what I specifiy in my Web Addresses area in CRM Deploament Manager the claim-based url is created of

    Please refer Configure  Claims based authentication and IFD from : www.microsoft.com/.../details.aspx

    4)  I am affraid to set this up on the live server as long I can't control which URL to be claim-based and which one not.

    You may refer above answers for this as well.

    I hope this will work for you.

    Regards,

    Pradeep P

  • Dieter Tontsch Profile Picture
    Dieter Tontsch 25 on at

    Hi Pradeep, thanks for your answer, it helped me somehow to get the big picture. But unfortnatelly I have now mi IFD urls working with ADFS, but not my internal-access. Based on this guide I did the according configuration with 2 IP's and dedicated domains + DNS etc. See www.crmcodex.com/.../configuring-mscrm-2011-ifd-externally-and-internally-for-a-single-virtual-environment

    IFD urls now work, and thanks to your explanations I now can also browse all my orgs accordingly. But unfortunatelly SSO (internal access) still doesn't workl. It redirects me to a login screen of sts.domain.com (sts is my adsf server) and than it does not accept any login.

    My configuration is like:

    claim-based url: crmtest.domain.com

    ifd url's: auth.ifd.domain.com, dev.ifd.domain.com, org1.ifd.domain.com, org2.ifd.domain.com....

    In addition https://crmtest.domain.com or crmtest.domain.com/org1 do not work. I expected these to still accept SSO. The *.ifd.domain.com ones do via ADFS. 

    What is wrong here?

  • Pradeep Pawar Profile Picture
    Pradeep Pawar 2,930 on at

    ifd url's: auth.ifd.domain.com, dev.ifd.domain.com, org1.ifd.domain.com, org2.ifd.domain.com....

    Here, could you please try making these URLs like:

    ifd url's: authifd.domain.com, devifd.domain.com, org1ifd.domain.com, org2ifd.domain.com

    ?

    Also, I am not sure it will resolve this  but try adding both websites in Trusted site AND keeping IE's User authentication setting to Automatic Logon with current user on CLIENT system.

    Pradeep P

  • Dieter Tontsch Profile Picture
    Dieter Tontsch 25 on at

    but the ifd URLs are the ones which are working? Do you think this format might mess up my internal url?

  • Pradeep Pawar Profile Picture
    Pradeep Pawar 2,930 on at

    Not sure, I am just asking giving a single try on that.

    You must be using Wildcard certificate right? So you may add couple of more entries to your DNS as I said, and all the above entries should point to CRM Web server.

    See if you can try it out once.

    Before making any changes like I said, please note down all your current setup somewhere... :)

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans