Microsoft Dynamics CRM (Archived)

On-Premise CRM 2016 IFD without Wildcard Certificate


Hi everyone.

I'm attempting to implement OnPremise CRM 2016 with ADFS 3.0 and IFD, however the customer doesn't want to use a Wildcard Certificate and is insisting on individual certificates for each sub-domain.

I've checked the software requirements and found the following statement from Microsoft:

"Individual certificates for each host name are only valid if you use different servers for each web server role. Multiple IIS bindings, such as a website with two HTTPS or two HTTP bindings, aren’t supported for running Microsoft Dynamics 365"

https://technet.microsoft.com/en-us/library/hh699671.aspx

IFD requires multiple subdomains including:

  • internalcrm.domain.com
  • discovery.domain.com
  • auth.domain.com
  • org1.domain.com
  • org2.domain.com, etc

That's a minimum of 4 certificates, + 1 more for each additional organisation.

If IIS doesn't allow multiple HTTPS bindings then how on earth do I configure the individual certificates?

  • Suggested answer
    PS Profile Picture
    23,577 on at

    Check the response by Adam in the following URL:

    community.dynamics.com/.../154151

  • Verified answer
    Nadeeja Bomiriya Profile Picture
    6,804 on at

    Hi crmoz,

    If you use IIS8, this scenario is supported with the introduction of SNI (Server Name Indication). Please check out the articles below for more details.

    www.iis.net/.../iis-80-server-name-indication-sni-ssl-scalability

    www.sherweb.com/.../host-different-ssls-on-one-ip-with-iis-8-sni

  • Community Member Profile Picture
    on at

    Thanks guys for your response. I checked Adam's response and he doesn't address the issue with multiple bindings.

    Nadeeja, SNI looks promising. We are running IIS8 so I could configure multiple bindings, one for each individual certificate. However Microsoft do not document that they support SNI for Dynamics CRM. Before I go and purchase all 4 certificates is there a way to test this (i.e. using self-signed certs)?

  • Verified answer
    Nadeeja Bomiriya Profile Picture
    6,804 on at

    Hi crmoz,

    Yes, you can use self-signed certificates. You can use the MakeCert command in the Windows SDK to generate the self-signed certificates. Make sure to add the certificate to Root Certificate Authority of the local machine and also to the current user's certificate store of all the machines accessing the URL.

    Download Windows SDK.

    developer.microsoft.com/.../windows-8-sdk

    Example of MakeCert command.

    makecert -r -pe -e 01/25/2018 -eku 1.3.6.1.5.5.7.3.1 -ss My -n CN=internalcrm.domain.com -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048

  • Community Member Profile Picture
    on at

    Thanks very much Nadeeja

  • Verified answer
    Alfredo Aristimuño Profile Picture
    135 on at

    I implemented IFD with many Dynamics CRM from version 2011 to 2016, and I can tell you this is not an easy procedure. So avoid wasting your time and buy a wildcard certificate from GoDaddy, Comodo or other.
    Many of them provide Risk-Free 30 Day Refund Policy.

  • Community Member Profile Picture
    on at

    Thanks Alfredo. I've tried SNI and I immediately ran into problems with errors such as:

    The service '/orgname/xrmservices/2011/organization.svc' cannot be activated due to an exception during compilation. The exception message is: This collection already contains an address with scheme https. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting 'system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled' to true or specifying 'system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters'. Parameter name: item.

    I really don't want to go down this path. I will push for the wildcard certificate.

  • Suggested answer
    Community Member Profile Picture
    on at

    I thought I'd give an update on this.

    The customer would not allow wildcard certificates as there are security risks with them. Adam was correct, SAN certificates can be used in place of wildcard certificates. I used openssl.exe to generate the self-signed certificate using these instructions:

    apetec.com/.../generatesan-csr.htm

    This allowed me to get IFD working but the Dynamics iPad app failed as I couldn't get iOS to verify the certificate.

    Not until I purchased a SAN certificate from a Certified Authority did the iPad app start working.
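
The SAN approach from the last post, as an added example that is not part of the original thread: it builds a self-signed test certificate listing the IFD host names from the question and checks which names the certificate covers, showing that, unlike a wildcard, it is valid only for the names listed. The function names and `org3.domain.com` are constructed for illustration, and the OpenSSL command-line tool is assumed to be on the PATH.

```bash
# Added example: self-signed SAN certificate for IFD testing (not for production).
set -e

# Host names from the question; domain.com is the thread's placeholder domain.
IFD_HOSTS="internalcrm.domain.com discovery.domain.com auth.domain.com org1.domain.com org2.domain.com"

# make_san_cert <outdir> <host>... : writes san.cnf, ifd.key and ifd.crt into <outdir>
make_san_cert() {
  outdir=$1; shift
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$1"
    printf '[v3]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt\n[alt]\n'
    i=1
    for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
  } > "$outdir/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config "$outdir/san.cnf" \
    -keyout "$outdir/ifd.key" -out "$outdir/ifd.crt" 2>/dev/null
}

# cert_covers <cert> <host> : succeeds only if the certificate is valid for <host>
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# uncovered_hosts <cert> <host>... : prints every host the certificate does not cover
uncovered_hosts() {
  cert=$1; shift
  for h in "$@"; do
    cert_covers "$cert" "$h" || printf '%s\n' "$h"
  done
}

# Demo: $IFD_HOSTS is left unquoted on purpose so it splits into separate arguments.
workdir=$(mktemp -d)
make_san_cert "$workdir" $IFD_HOSTS
uncovered_hosts "$workdir/ifd.crt" $IFD_HOSTS org3.domain.com   # prints org3.domain.com
rm -rf "$workdir"
```

Running the same `uncovered_hosts` check against a CA-issued certificate before installing it confirms every organisation host name was included in the request.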
