Hi,
We are implementing an on-premise D365 CRM solution for one of our clients where the requirement is as follows: there are going to be users on two completely different domains (these domains are not sub-domains), i.e. they are completely different domains on different infrastructure setups.
CRM would be installed on Domain A with the following URL to access it: https://crm.domaina.com or crm.domaina.local, which is fine.
What is Required:
Now from what we have read, there can be two options; Option 2 has some confusion for me:
For Point 1 above, I think it is understood. I would like to know how Point 2(a) works (if that works), or did I misunderstand something from the following links, as the articles and the verified answer suggest that you don't need to have ADFS/IFD set up to be able to authenticate users from two different domains:
Looking forward to your suggestions and clarifications. Thanks
Hi Phil,
1. What is the relationship between domain A and domain B, same organisation/corp e.g. like a branch office?
They are partner organizations. One indirectly reports to the other, but not parent/child; they are partner organizations.
2. The current network configuration: how and if domain A and B are connected network-wise, same LAN, linked e.g. by a fixed VPN tunnel or such, or nothing at all, just internet between (I'm not thinking of the domain setup here, as I already understand they currently are two different domains (forests)).
They are not on the same LAN, different ISPs most probably, internet in between. A fixed VPN tunnel is what I was thinking they could go with if they don't want to go for an ADFS setup; otherwise currently it won't have anything, and they are, simply put, two different domains on different networks with the internet separating them.
What do you think about the VPN tunnel approach?
And for the ADFS option, shouldn't ADFS be set up on both sides with a federation trust instead of only one ADFS and asking Domain B to use Domain A credentials to sign in to CRM deployed on Domain A? Is it a recommended practice that a replica user is created every time a new user from Domain B needs to access the application, or is SSO the way to go with two ADFS and a trust between them? Please also note these are government organizations and a long-term recommended solution is needed.
For me, the most important questions here that are unclear:
1. What is the relationship between domain A and domain B, same organisation/corp e.g. like a branch office?
2. The current network configuration: how and if domain A and B are connected network-wise, same LAN, linked e.g. by a fixed VPN tunnel or such, or nothing at all, just internet between (I'm not thinking of the domain setup here, as I already understand they currently are two different domains (forests)).
There are a lot more questions to this to determine the right approach than the two above, but the simplest solution is most likely (assuming domain A and B are separated via the internet):
Set up ADFS for CRM in domain A, create user accounts for the users in domain B in domain A, expose the CRM via IFD and let the users in domain B authenticate through the ADFS sign-in (forms) page.
Of course, the users in domain B would have to live without SSO as they would use their credentials in domain A to authenticate, but hey it gets the job done.
Setting up a forest/domain trust can be a big or small task depending on the network topology, but simply put this is nothing you do for a single app or service.
Nowadays you typically only set up trusts when merging or transitioning organisations that cannot easily consolidate their domain infrastructure, either into an existing one or a new one.
Hi Hueseyin,
Thanks for the detailed response, which puts things into perspective now. However, I would just like to get more clarification on some of the points that you mentioned. We are fine with either WIA or forms authentication, as long as the multi-domain access issue is taken care of. I understand we will only get forms authentication if we go for a proper IFD with ADFS.
I would appreciate it if you could elaborate on some of the points a bit more:
Important: Publishing Dynamics CRM outside the own Domain / Network is only supported / suggested by using Internet Facing Deployment with ADFS!
So in that case, what about the option with WIA with a trust between domains separated by internet/WAN?
To reach CRM via Windows Authentication you need to configure DNS properly, by using for example a conditional forwarder, and the DNS must be reachable. If there is a WAN (internet) in between, external DNS entries are required for this.
So what exactly would be required by the network team to make two separate domains, not connected to each other, talk to each other? Is it a VPN, or is there a specific term for what is to be set up between these networks to reach each other, so a user from Domain B can open a non-IFD Domain A CRM URL without having to connect a remote VPN client? And is this not a recommended approach, as mentioned in the previous bullet?
Domain B users can only be created when at least a one-way trust is created.
So this trust is different from the relying party trust that is configured on the ADFS server with the CRM server? For a single-domain IFD deployment, I suppose you have to configure claims-based authentication and a relying party trust between the ADFS and CRM server, and it's good to go. For a multi-domain IFD, do we have to establish a different kind of trust between ADFS-A and ADFS-B? Is this the same as a relying party trust, or is it something else? And for a multi-domain IFD, are two trusts to be created, one between ADFS-A and CRM, and two between ADFS-A and ADFS-B? Is this correct?
CRM (Domain A) <-> ADFS Domain A || DMZ (maybe WAP or Proxy) || Internet / WAN with DNS entries authcrm.domain.com, discovery.domain.com, adfs.domain.com, crmorg.domain.com || DMZ || <- Users Domain B
From the above, shouldn't ADFS-B also be there before Users Domain B, as they will log in on ADFS-B and then ADFS-B will do the talking to ADFS-A?
Appreciate your support on this Hueseyin. Looking forward to your response.
Also, if you have any resource link for multi-domain IFD/ADFS configuration please share.
Thanks
Hello shaheerzep,
So we have two different topics here. (Be aware that DNS and network configuration are mandatory changes/settings you will require to make the environment reachable.)
Topic a) Authentication / Authorization:
You need to answer the question of whether the customer wants to use Windows Authentication or form-based (username & password).
Should the authentication be handled by the Domain Controller or by ADFS?
If we assume that there are users in Domain B and they want to access CRM in Domain A, where the environment is hosted in different places, the authentication must be handled.
Important: Publishing Dynamics CRM outside the own Domain / Network is only supported / suggested by using Internet Facing Deployment with ADFS!
To reach CRM via Windows Authentication you need to configure DNS properly, by using for example a conditional forwarder, and the DNS must be reachable. If there is a WAN (internet) in between, external DNS entries are required for this.
This is the suggested way to "publish" Dynamics CRM to external (non-Domain A) users.
The users from Environment B will access the CRM via the external URLs and will log in via username and password.
The users in Environment A can use the claims-based URL (internal, via Windows Authentication) or local DNS entries to resolve the IFD URLs via form-based login.
You could federate the 2 ADFS servers via a claims provider trust (WS-Fed) so users from B could do SSO on Environment A. (As form-based is used anyway there is no need for this step; the benefit here would be Active Directory based authentication, as the federation connects the environments and users will "talk" to their own ADFS.)
Topic b) User creation:
Besides the authentication, Dynamics CRM must be connected to Active Directory.
Domain A Users can be easily created as CRM runs in the same Domain.
Domain B users can only be created when at least a one-way trust is created.
Our user creation process queries Active Directory values, and we must be able to reach the foreign domain.
(Keep in mind that if Domain B users should receive Deployment Administrator rights, a two-way trust is required.)
This suggestion is based on the CRM software requirements and best practices.
So in short, the architecture:
CRM (Domain A) <-> ADFS Domain A || DMZ (maybe WAP or Proxy) || Internet / WAN with DNS entries authcrm.domain.com, discovery.domain.com, adfs.domain.com, crmorg.domain.com || DMZ || <- Users Domain B
Hope this helps.
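As an added example (not from this thread, and not Microsoft's code), the following PowerShell script checks the prerequisites Hueseyin lists from a Domain A machine: the trust towards Domain B, the conditional forwarder for the foreign domain on the Domain A DNS server, and public DNS/TCP 443 reachability of the IFD hostnames plus the ADFS federation metadata. The public hostnames are the ones named above; `domainb.local` and the variable names are assumptions.

```powershell
# Added example (not from the thread): check the IFD/ADFS prerequisites from a
# Domain A machine. Needs the ActiveDirectory, DnsClient and DnsServer modules
# (DnsServer only when run on the Domain A DNS server). Names are placeholders.
$ForeignDomain = 'domainb.local'                       # Domain B (assumed name)
$AdfsHost      = 'adfs.domain.com'                     # public ADFS name from the thread
$IfdHosts      = 'authcrm.domain.com', 'discovery.domain.com',
                 $AdfsHost, 'crmorg.domain.com'        # external IFD names from the thread

Import-Module ActiveDirectory, DnsClient, DnsServer -ErrorAction Stop

# 1. Trust: CRM can only create Domain B users if Domain A trusts Domain B.
#    Seen from A, that is an Outbound (or, for Deployment Admins, BiDirectional) trust.
$trust = Get-ADTrust -Filter "Name -eq '$ForeignDomain'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust to $ForeignDomain found: CRM cannot add Domain B users."
} elseif ("$($trust.Direction)" -in 'Outbound', 'BiDirectional') {
    Write-Output "Trust to $ForeignDomain present, direction $($trust.Direction)."
} else {
    Write-Warning "Trust to $ForeignDomain is $($trust.Direction); Domain A does not trust B."
}

# 2. Name resolution of the foreign domain (needed to query Domain B's AD):
#    a conditional forwarder zone for $ForeignDomain on the Domain A DNS server.
$zone = Get-DnsServerZone -Name $ForeignDomain -ErrorAction SilentlyContinue
if ($zone -and $zone.ZoneType -eq 'Forwarder') {
    Write-Output "Conditional forwarder for $ForeignDomain -> $($zone.MasterServers -join ', ')"
} else {
    Write-Warning "No conditional forwarder for $ForeignDomain on this DNS server."
}

# 3. External IFD names: each must resolve and answer on TCP 443, otherwise
#    Domain B users never reach the forms sign-in page at all.
foreach ($h in $IfdHosts) {
    $a = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $a) { Write-Warning "$h does not resolve."; continue }
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Write-Output ("{0} -> {1}, TCP 443 open: {2}" -f $h, $a.IPAddress, $tcp.TcpTestSucceeded)
}

# 4. ADFS publishes its federation metadata at a fixed path; the CRM relying party
#    trust and any Domain B claims provider trust are built from this document.
$metaUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metaUrl -UseBasicParsing -ErrorAction Stop
    Write-Output "Federation metadata reachable ($($resp.StatusCode), $($resp.Content.Length) bytes)."
} catch {
    Write-Warning "Federation metadata not reachable at ${metaUrl}: $($_.Exception.Message)"
}
```

Run it from inside Domain A first and then from a host outside both networks; step 3 and 4 results should match, since Domain B users only ever see the public DNS entries.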