404 Error CRM 2011 IFD CBA and ADFS 2.0

(0) Share

Report

Posted on by Community Member

I'm having an issue with a setup for a client where we're getting a 404 when accessing CRM IFD externally from the network. When accessed internally everything looks ok. We're not even getting to the sign in page externally the 404 looks like it's happening on the ADFS page before sign in.

We have all CRM roles (w/ Rollup 8) on one server and ADFS 2.0 on a separate server. Used a wildcard cert for both sites sitting on 443. Internal DNS is setup for all URL's and external DNS is setup for the IFD and ADFS URL's. The URL's resolve the correct IP when pinged internal and external, and tested the firewall using telnet to port 443 for ADFS without issue.

I've tried setting the IE options as I know the cache and IE settings can cause a 404 but something else appears to be the culprit here. I've read some others suggest making multiple SPN changes but if this was the issue I wouldn't think it would work internally? I also verified the FS URL's are setup correctly and the RP Trusts look right with the correct identifiers, again everything works internally which is baffling why it won't work externally.

Any ideas are greatly appreciated!

Thanks,

Brian

*This post is locked for comments

I have the same question (0)

All responses (26)

Answers (1)

Arpita Saini on at

Like (0)

Report

Usually when you get 404 from external environment following can be the issues:-

1) Public DNS entries for following URLs:-

· ADFS service name : e.g sts.namma.com

· CRM website’s external URL : https://org.namma.com i.e. mycrm.namma.com as org name is mycrm.

· CRM discovery URL : https://dev.namma.com

· CRM IFD URL : https://auth.namma.com i.e. CRM IFD Federation endpoint

Make sure these are A(Hostnames) records in DNS or at least ADFs URL and external CRM URL.

2) Secondly, Firewall. Can you please give the details of the firewall that you have. Is it TMG ?

3)

Can you please browse following ADFS URL externally :-

https://<sts.domain.com>/adfs/ls/idpinitiatedsignon.aspx

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I'm not able to browse to that URL externally, getting the same 404 error.

I believe the external DNS is setup correctly, there is even a rule that anything resolving to the *.domain will resolve to the correct IP. All of the CRM and ADFS url except the CRM internal url are registered externally and resolve.

The servers are setup in a virtual environment and I'm not totally clear on their firewall. I do not believe they are using a TMG. What I understand is the external IP we're using points to a virtual router that then forwards the request to the correct internal IP using the internal DNS, which is also setup with the all of the CRM urls including ADFS.

I'm having the client double check the DNS setup and verify the requests for ADFS are routing to the correct server.

I'm also looking at disabling the loopback check and need to setup a SPN for ADFS for the CRM server. I don't know that either of these will resolve the issue because I agree it looks like a DNS/Firewall issue.

Thanks,

Brian

Was this reply helpful? Yes No
Verified answer

Arpita Saini on at

Like (0)

Report

Hi Brian,

Thanks for the update.

We really need to be sure that the firewall is not TMG as we have few specific settings and rule to set in that so make it work properly with adfs and CRM or else you will surely get 404 errors.

If you heck and give me confirmation that is TMG I can send you the settings that we need.

Also with regards to DNS sometimes I have seen customers by mistake pointing ADFS URL to CRM server public IP address instead of public IP address of ADFS server resulting in 404 error.

Please me posted with current status.

Regards,

Arpita

Was this reply helpful? Yes No
Arpita Saini on at

Like (0)

Report

Also, this cannot be an SPN issue as you said internally everything works fine (internal and external URL for CRM). SPNs are required for Kerberos authentication only in internal environment they have nothing to do with external environment.

You can also do a small test that from the external client machine from where you are testing all these URLs external CRM URL and ADFs URL to trusted sites.

Last option we have is collect Fiddler Trace and see where it fails :)

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Thank you for your assistance with this. After going back through the setup of external DNS we in fact found that ADFS was not exposed properly and were able to correct the issue. They were using the same public IP for CRM and IFD which was not routing internally to the correct server.

I didn't think it was SPN or loopback but when everything else was "believed" to be setup I was grasping at any possibilities.

Regards,

Brian

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Hello Arpita,

I am currently configuring CRM 2013 with AD FS 3.0 for the IFD external access. I get the webform for the credentials, i access it then i am facing the famous "404 - File or Directory not Found" Error page. if i change the url 2 times then CRM Page is opening.

I have a TMG firewall.

Please advise, i couldn't find any solution online and i am facing this problem since 2 weeks

Was this reply helpful? Yes No
Suggested answer

Arpita Saini on at

Like (0)

Report

Hi Ali,

First if you have TMG firewall, please make sure you create separate rules for all URLs like auth.domain.com, dev.domain.com, crmexternalurl.domain.com URLs in it and not club these CRM rules together and point to crm server. This can be one of the biggest reason to get 404.

Please see below setting we need for CRM and TMG to work together:-

For CRM 2011 IFD URL to work through ISA/TMG we need following CRM and ADFS URLs to be allowed through ISA/TMG.

1) <OrganizationName.domainname.com> - This will be the IFD URL which need to be used from internet to access CRM organization. Traffic from this URL should be directed to CRM server.

2) <adfs.domainname.com> - This will be the URL which will give you form based authentication page which request for user name and password. Traffic from this URL should be directed to ADFS server.

3) <auth.domainname.com> - This will be the URL which redirect authentication information from ADFS to CRM server. Traffic from this URL should be directed to CRM server.

Note: All the above URL can be different according to each environment configuration.

While you create web publishing rules for above 3 URLs you have remember the following,

1) Disable "Link translation"

2) Disable "Verify normalization" and "Block high-bit characters" under HTTP filter setting

3) Listener for the web publishing rule should be configured with "No Autentication"

4) Authentication delegation setting for the rules should be as follows

"No delegation, but client may authenticate directly"

After all the rules are created test the rules and publish it if all the test are successful.

Once this is done please test and let me know , I can give you next steps.

Also confirm if IFD URL orgname.domain.com is working fine internally i.e when you access this external URL in internal machine attached to domain you get IFD page and can access without issues. If no , then this is not TMG issu4e but something else.

Was this reply helpful? Yes No

Community Member on at

Like (0)

Report

Hello Arpita,

I have the below 2 URLs:

Internal Access: https://orgname.domain.com and it is working just fine

External Access: https://crm.domain.com and it is not working properly, it is giving the 404 not found error (even by internal access using the external link).

All configurations were made as documented by Microsoft, can you help me trace the issue from the beginning because i honestly tried a lot of things now and i am kind of lost.

Can you clarify please..

Thank you for understanding Arpita :)

Was this reply helpful? Yes No
Suggested answer

Arpita Saini on at

Like (1)

Report

Your internal URL cannot be <orgname.domain.com> as it is reserved for external URL that's how code determines it is external. Please go to deployment manager --> organization ---> see the name of the org and that must be your external URL as <orgname>.domain.com. I guess you are getting this issue because of this.

Please make sure in deployment manager -->web address tab the URL you mention becomes your internal URL and give any name like crminternal.domain.com but not <orgname.domain.com>

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

Hello Arpita,

in my deployment manager --> Actions --> Properties --> Web Address i am using HTTPS Bindings and all URLs are: internalcrm.domain.com

However when i am accessing the internal crm (by going to deployment manager --> organizations --> right click on the organization and browse...the URL opening in the browser is the following: https://orgname.domain.com

any ideas?

Was this reply helpful? Yes No