Microsoft Dynamics CRM (Archived)

Second front end CRM 2011 server in DMZ (different domain) without ADFS?


We have CRM 2011 set up internally and it will only be used internally by users, but we need to allow a 3rd party marketing add-in to access the system from externally. Due to the strict policies in place a second CRM front end server has been added within the DMZ and will just have the Web Services installed to allow the external add-in to communicate with CRM.

Due to the server in the DMZ being on a different domain and the trust only being one way (Internal to DMZ and not the other way around) we are having issues. CRM needs an account to be used that is on the DMZ domain otherwise it gives errors during installation, but an account on that domain cannot be added to the CRM AD groups on the internal domain, so fails authentication to SQL during install.

I don't think we'll be allowed to install ADFS between the two domains, so are there any other options on how we can get this to work?

Thanks

  • AaronRic

    You would need to have a two way trust between the domains in order to get authentication to work properly.

  • Rich101

    Thanks for the response.

    We seem to have got around the issue by installing CRM whilst the server is on the internal domain and then migrating the server back to the DMZ domain.

    We can then use an internal domain account which can authenticate correctly.

  • MaKeer

    Can you provide some more details as to how the App was configured on the DMZ?

    1. What was the App Pool Identity?

    2. If there was a one way trust, then how was the CRM DB Server authenticating the App Server?

    As I understand, the App Pool identity gets db_owner access on the CRM DB and that's how the SQL connection is established between the App Server and the backend. So in your case how was it working?

  • Rich101

    Hi,

    Whilst we have got this working I don't really recommend this as a solution but if, like us, you have no other option, then it is possible.

    Our setup was to have a full CRM setup internally, with service accounts on the internal domain. We then added an additional CRM front end server, initially on the internal domain, with just the CRM Web role and none of the additional services (Async, Sandbox etc). This allowed us to install CRM, and we then migrated this server onto the DMZ domain.

    We used the same (internal) service account for both CRM App Pools, so this had access to the CRM DB. A proxy server handled the traffic and whether it was sent to the internal or the DMZ CRM server based on whether it originated internally or externally.

    As the only time the DMZ server was used was by a 3rd party service via web services I wouldn't like to say if this set up would work properly for external users accessing CRM via the actual CRM website.

    We also had issues due to the 3rd party add-in having a plug-in that needs to communicate to their external servers. As this runs on the sandbox service (internal), it was failing, so we ended up having to allow communication with a limited number of IP addresses from an internal server (not ideal).

    We tried installing the sandbox service on the DMZ server initially but due to CRM using the ID values of Active Directory groups, rather than fully qualified names including domain, it was looking on the wrong domain and so this wouldn't work.
