Microsoft Dynamics CRM (Archived)

Adding ADFS-Proxy to DMZ

Hello guys,

I am totally confused, so I'll try to get some help in here.

We have got a Dynamics 2013 (on premise). Now we want to publish this to the internet. Our configuration:

crm.domain.de (CRM 2013 / Windows Server 2008 R2)

sts.domain.de (ADFS-Server / Windows Server 2008 R2)

Logging in internally to https://crm.domain.de redirects to sts.domain.de and asks for authentication... works perfectly!

Now I set up a Windows Server 2008 R2 into our DMZ and installed ADFS Proxy. So far so good... But what are the next steps to do? We want the CRM to be available from outside our network through the ADFS-Proxy.

Thanks, Daniel  

  • Abarao Bhople

    Hello Daniel Santos,

    You need to set up the ADFS Proxy server.

    In the Federation Service Configuration wizard:

    Specify Federation Service Name: you need to enter your ADFS service name FQDN (sts.domain.de).

    Click on Test Connection; it will prompt for the authorized credentials.

    After providing the credentials, the wizard completes all the validation.

    Once all the validation has completed successfully, you will be able to access your deployment over the internet.

    Happy to help you complete your deployment.

    Abarao Bhople

  • Community Member

    Thanks for your reply! Yes, this is what I already did. But I think some more things need to be done, as if I try to connect to https://crm.domain.de I just see the IIS7 welcome screen. No redirection to sts.domain.de, or even a login prompt from CRM. Strange, because internally my ADFS works pretty well.

    Hope someone can help me out on that....

    Thanks, Daniel

  • Abarao Bhople

    Hello Daniel,

    Have you done the public DNS entry for your ADFS Proxy server?

    If not, you need to do it; the name for the DNS entry would be your ADFS service FQDN.

    Please let me know the progress.

    Thank you

    Abarao Bhople

  • Community Member

    This is what it looks like right now if I open up https://crm.domain.de :

    [screenshot: IIS.PNG]

    If I add an external subdomain like I did for crm.domain.de and add a NAT rule on our firewall to point sts.domain.de to the ADFS-Proxy in the DMZ, it looks like this:

    [screenshot: IIS.PNG]

    I am really confused....

  • Abarao Bhople

    Hello Daniel,

    It seems DNS is not resolving properly.

    The IP addresses below are only examples;

    yours should be as below (IPs will be different).

    Each must have one DMZ IP and one public IP:

    crm.domain.de  (DMZ IP - 192.168.10.102, Public IP 124.82.79.128 )
    auth.yourdomain.com (DMZ IP - 192.168.10.102, Public IP 124.82.79.128 )
    sts.domain.de (DMZ IP - 192.168.10.104, Public IP : 124.82.79.127)

    Note: your sts.domain.de port 443 must be opened to the public network.

    Only then will it be resolved. You need to involve your network team.

    Thank you 

    Abarao Bhople

  • Community Member

    [quote user="Abarao Bhople"]

    crm.domain.de  (DMZ IP - 192.168.10.102, Public IP 124.82.79.128 )
    auth.yourdomain.com (DMZ IP - 192.168.10.102, Public IP 124.82.79.128 )
    sts.domain.de (DMZ IP - 192.168.10.104, Public IP : 124.82.79.127)

    [/quote]

    Which server does auth.yourdomain.de stand for? CRM?

    CRM and ADFS servers are not in DMZ. Only the ADFS-Proxy...

    Do I need two different public IPs for crm.domain.de and sts.domain.de (proxy)?

    Best regards, Daniel

  • Abarao Bhople

    Hello Daniel,

    The auth server is your external domain (it is a logical record in your DNS; you only need to create an A record on your DNS and give it the DMZ IP address of your CRM server).

    Your CRM server must be in the DMZ,

    and the ADFS Proxy server also in the DMZ.

    Yes, you need two different public IPs for crm.domain.de and sts.domain.de (proxy).

    Please get back to me in case any more help is required.

    Thank you

    Abarao Bhople

  • Community Member

    Thanks Abarao,

    as far as I know there must be a solution with only the ADFS-Proxy in the DMZ.

    www.experts-exchange.com/.../ADFS-Proxy-in-the-DMZ-for-CRM-Dynamics-2013.html

    It's strange, because some people say it works with only the proxy in the DMZ and some say not.

    Greets

  • Community Member

    OK, I got some good news and some bad news.

    Both CRM2013 and ADFS-Proxy now have an external IP. The error screen changed a bit:

    [screenshot: 2043.sts2.PNG]

    This is from the ADFS-Proxy Logs:

    Fehler bei einer passiven Verbundanforderung.

    Zusätzliche Daten

    Ausnahmedetails:
    Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server.

    <Event xmlns="schemas.microsoft.com/.../event">
    <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>364</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2018-05-29T13:41:54.274875000Z" />
    <EventRecordID>33</EventRecordID>
    <Correlation ActivityID="{E066BC66-50B3-44B7-9D50-7FDD47D8F271}" />
    <Execution ProcessID="2268" ThreadID="2896" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>ADFS-Proxy</Computer>
    <Security UserID="S-1-5-20" />
    </System>
    <UserData>
    <Event xmlns:auto-ns2="schemas.microsoft.com/.../events" xmlns="schemas.microsoft.com/.../Events">
    <EventData>
    <Data>Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server.</Data>
    </EventData>
    </Event>
    </UserData>
    </Event>


    Greets, Daniel
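A defender-side parser for the AD FS 2.0 Admin event posted above, added here as an example and not part of the thread: it pulls the Event ID, computer, correlation ActivityID and the MSIS code out of the XML and maps the code to a triage hint, so a pile of proxy events can be bucketed before anyone opens Event Viewer. The sample event is constructed from the one in the post, the inner AD FS namespace URI is a placeholder, and the MSIS triage mapping is my own assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample based on the Event 364 the proxy logged above, trimmed to the elements
# this parser reads; the inner namespace is a placeholder and the {*} wildcard ignores it anyway.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>364</EventID>
    <Level>2</Level>
    <Correlation ActivityID="{E066BC66-50B3-44B7-9D50-7FDD47D8F271}" />
    <Computer>ADFS-Proxy</Computer>
  </System>
  <UserData>
    <Event xmlns="urn:example:adfs-events">
      <EventData>
        <Data>Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server.</Data>
      </EventData>
    </Event>
  </UserData>
</Event>"""

MSIS_RE = re.compile(r"\b(MSIS\d{4})\b")
# Triage hints keyed by MSIS code: an assumed mapping for this thread, not from AD FS docs.
TRIAGE = {
    "MSIS7040": "Requested authentication type is not enabled on the proxy/STS; compare the "
                "authentication types the relying party requests with those the service allows.",
}

def parse_adfs_event(xml_text):
    # Extract the fields a triage playbook keys on; missing elements yield None.
    root = ET.fromstring(xml_text)
    system = root.find("{*}System")
    text = lambda tag: getattr(system.find("{*}" + tag), "text", None)
    correlation = system.find("{*}Correlation")
    # <Data> may be split over several elements; join them before searching for the code.
    message = " ".join(d.text for d in root.iterfind(".//{*}Data") if d.text)
    match = MSIS_RE.search(message)
    return {
        "event_id": int(text("EventID")),
        "level": int(text("Level")),  # 2 = Error in the Windows event schema
        "computer": text("Computer"),
        "activity_id": correlation.get("ActivityID") if correlation is not None else None,
        "msis_code": match.group(1) if match else None,
        "message": message,
    }

def triage(event):
    if event["event_id"] != 364 or event["level"] != 2:
        return "not an AD FS 364 error event"
    return TRIAGE.get(event["msis_code"], "unmapped MSIS code: %s" % event["msis_code"])
```

The ActivityID is the value to carry over to the AD FS Debug trace on the proxy and the internal federation server when correlating one failed request across both.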

  • Abarao Bhople

    Hello Daniel Santos,

    After looking at the snaps you attached here,

    please try the steps below.

    A) You have configured 2 relying parties: one for internal CRM and another for external CRM access (example: auth.yourdomain.com).

    Right-click on auth.yourdomain.com (name may be different) and click on Update federation metadata.

    After completion of that, restart the ADFS service.

    B) After completing the above step, open the ADFS proxy configuration wizard and start the configuration; provide your STS name

    and click on Test Connection.

    Finish that wizard, then restart IIS on the CRM server, then try to access CRM externally (over the internet).

    Thank you.

    Abarao Bhople
