CRM IFD with ADFS 3.0 and single sign-on

(0) Share

Report

Posted on by Community Member

Hello,

I have a working Internet Facing Deployment of CRM 2015 with ADFS 3.0. Everything works, except the single sign-on feature for internal access.

What I've tried is:

- put adfs and all CRM URLs to intranet zone (with option "automatic logon with current user name and password")

- enabled intranet access on CRM:

DiscoveryWebServiceRootDomain : *****************
Enabled : True
ExternalDomain : ******************
IntranetAccessEnabled : True
OrganizationWebServiceRootDomain : *****************
WebApplicationRootDomain : *******************
ExtensionData : System.Runtime.Serialization.ExtensionDataObject

- confirmed all URLs resolve to local IP address, not proxy adfs

- set SPN for ADFS service account ("http/ADFS_URL")

- ensured there is "Enabled Integrated Windows Authentication" checked in IE advanced settings

And it still asks for credentials when I open CRM from intranet.

If the IFD option is disabled, single sign-on works and I don't have to put the credentials.

Is it possible to configure it with the IFD turned on? If yes then how? If no, is it documented anywhere?

*This post is locked for comments

I have the same question (0)

All responses (18)

Answers (3)

Verified answer

David Jennaway 14,065 on at

Like (0)

Report
This should be possible with IFD enabled. Some things to check:

It will only work if you use the internal URL syntax - e.g. https://<domainname>/<orgname>, where <domainname> is the Web Application Server on the Web Address tab in CRM Deployment Manager

Make sure 'Windows Authentication' is an enabled option in the Intranet Global Authentication Policy in ADFS

It's worth checking the ADFS url that you're redirected to when you try to access CRM. This will be the url for which authentication will be done

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Internal address redirects to the ADFS login page and asks for credentials as well

Windows authentication is checked, together with Forms.

And if I'm correct about the communication ADFS <-> CRM then adfs redirects to the "auth" records of CRM.

Was this reply helpful? Yes No
awalters 3,079 on at

Like (0)

Report

What browser/version are you using to access? Have you tried any others?

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I tried firefox, it also gives a prompt for credentials.

On the Win2012R2 I have an IE 11.0.9600.18205

Was this reply helpful? Yes No
awalters 3,079 on at

Like (0)

Report

The name you're using in the URL - is it the exact name of the CRM server? Or are there any other factors like CNAMEs, etc... in play?

Do you have anything in your logs on the ADFS server? (http://c7solutions.com/2015/12/checking-for-login-issues-with-ad-fs-and-office-365 talks about where those are)

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Let me describe the configuration in more details. Here is what I have on the LAB:

DNS contains

A records

Pointing to CRM server:

auth.crm.contoso.com

org.crm.contoso.com

dev.crm.contoso.com

internal.crm.contoso.com

adfs.contoso.com (pointing to ADFS server)

SPNs:

http/internal.crm.contoso.com (for service account running AppPool on CRM server)

http/adfs.contoso.com (for service account running ADFS service on ADFS server)

https://adfs.contoso.com is added to intranet zone

WindowsAuthentication and FormsAuthentication is turned on for the Intranet Zone on ADFS.

Basically when I configure claims-based authentication, I do not have to put on the credentials. I see in Fiddler the communication between CRM and ADFS server. This works as expected.

Once I enable IFD, I have to provide the credentials in the ADFS login page. If I disabled the "FormsAuthentication" for intranet, it shows the ADFS login page with an error. Event log then says: "requested authorization method is unsupported".

It looks to me like the CRM always requires the Forms Authentication when the IFD is turned on. Can this be changed somehow?

Was this reply helpful? Yes No
Verified answer

awalters 3,079 on at

Like (0)

Report

I have Forms Auth disabled on mine, and it works. Under the Enabled Providers for Windows Auth, what do you have listed and in what order? I know I had to fiddle with this for a bit - I'll look back and see if I can find any notes...

Here's a site I had in my history that talks about the Windows Auth providers - https://crmbusiness.wordpress.com/2011/02/01/crm-2011-repeated-credential-prompts-when-accessing-on-premise-install-of-2011/

It says to add Negotiate as a second option behind NTLM, and that is how mine's set up...

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

David and Allison, thank you both for pointing me in the right direction.

It works now. To sum up the issue was the address on the "web Address" tab on the CRM properties. I've had there

"internal.crm.contoso.com:443"

when I removed the ":443" it started working. I did test it with changing the authentication providers but it doesn't matter, at least in my configuraiton. So I have the "Negotiate" first and "NTLM" as second.

What also helped me is the post here (from Arpita Saini): http://community.dynamics.com/crm/f/117/t/97335

saying that the URL org.<domainname.com> is automatically an extranet URL and can't be used as internal.

I just want to know if this is true cause I thought the ADFS somehow else determines the 'extranet' and 'intranet'. Not only based on the URL. Now I will have to use 2 separate URLs for one CRM, depending on the location, right? so:

-orgname.crm.contoso.com (from the internet)

-internal.crm.contoso.com (from the local intranet)

One more thing. I'm checking with the Fiddler now and it doesn't really ask the ADFS with internal URL. Is that correct? I even removed both Forms and Windows authentication from ADFS and it still enters the internal URL..

Was this reply helpful? Yes No
Verified answer

awalters 3,079 on at

Like (1)

Report

I was able to get it working so that the same URL works both internally and externally, but it was fiddly. I wish I'd taken better notes, but here's a couple of things that might be helpful:

1. My original post on it - https://community.dynamics.com/crm/f/117/t/174383

2. The page I used as reference for the necessary DNS settings - https://technet.microsoft.com/en-us/library/gg188591(v=crm.6).aspx

Basically, I have orgname.oursite.com as an A record on our external domain, with a CNAME of crm.oursite.com pointing to it. (I also have the dev, auth, etc... records, as shown on that page.) Then in our internal DNS, I also have crm.oursite.com as a CNAME pointing to the server. Then I have AD FS relying party trusts for our external ADFS url as well as for crm.oursite.com.

The downside I've found to this is that there's no way to set different token lifetimes for the trust based on whether it's internal or external, as it's done solely by name (https://community.dynamics.com/crm/f/117/t/174241). So either you'll have it timing out frequently when people are in the office, or staying open all day when people are accessing remotely... :-( I really wish it could just use Claims auth when accessing from the outside, and regular Windows auth from the inside, but that doesn't seem to be a thing (regardless of how DNS is set up).

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report

I thought using CNAMEs for CRM is not supported.

Now I have a

- crm.contoso.com pointing to orgname.contoso.com

- orgname.contoso.com pointing directly to the server

- crm.contoso.com set under the WebAddress tab on Properties of CRM (NOT! crm.contoso.com:443)

- 2 relying party trust for ADFS

Regarding the token lifetime you're writing. Isn't it possible to set it via PowerShell separately for the relying parties? There's such a parameter with value 0 by default.

Was this reply helpful? Yes No