CRM 2016 IFD - explicit http redirect to ADFS Sign In page

(3) Share

Report

Posted on by Community Member

We deployed CRM 2016 and configured IFD as well but the issue we have noticed is if we explicitly mention "HTTP" protocol in org url then its not redirecting to ADFS sign in page. just a basic windows prompt leading with error 401.1 - it does working fine and redirecting properly to adfs sign in page if we mention https. this behavior is only with CRM 2016. CRM 2011 / 2013 / 2015 properly push to ADFS sign in page even with http.

summary : CRM 2016 Only

http://org.rootdomin.com [not redirecting to adfs sign in page]
https://org.rootdomain.com [working fine.]

NOTE : both the combination [http and https] indeed working fine with CRM 2011, 2013 and 2015 update 0.2

To fix this situation we have temporally added http to https redirect Role hooked with CRM website.

is it a bug? or it is by desing, if yes then why? what is the logic behind this...

thanks.

*This post is locked for comments

I have the same question (0)

All responses (11)

Answers (0)

Sort by

Community Member on at

Like (0)

Report
Copy link

Link copied!

Hello Jameel,

Thank you for your query.

I request you to refer the following blog: blogs.msdn.com/.../step-by-step-configuring-crm-2013-internet-facing-deployment-ifd.aspx

One of the mandate step for configuring ADFS is first having the CRM website configured with SSL and configured with https binding.

Yes, if you USE the URL redirect role of the IIS for pointing your CRM http URL to https, it may work, however it is not recommended.

This does not seem to be a bug or a by design issue though (I shall confirm you after checking), but meanwhile, you can recheck your steps in the URL redirect configuration.

If you are getting a 401.1 Unauthorized error, you might be browsing the website from the CRM server, I would want you to test this by browsing this on some other server or machine which is within the domain.

If you still get a prompt on another machine, you may add the Org URL and the STS URL into the Local intranet website zone of the Internet explorer settings. If it still fails by getting a 401 (just a 401), then, this may be an SPN issue.

I would request you to then check the CRM application pool and if it is set to Network Service, then that would be fine, if it is set to a custom domain service account, please ensure that you make the UseAppPoolCredentials setting TRUE. (IIS > Expand IISName> Sites > Click on Microsoft Dynamics CRM website > Under management section , you may find an option called Configuration Editor, double click on it and Expand : System.Webserver > Security > Authentication > Click on Windows authentication > Make the UseAppPoolCredentials = TRUE) Perform an IISRESET.

Set necessary/required SPNs. Refer the following blog for details:

blogs.msdn.com/.../configuring-service-principal-names.aspx

Please do inform me about update. Feel free to reply here and I'll be glad to assist you.

Thanks & Regards,

Sharon Mhatre

Support Engineer

Microsoft Dynamics CRM

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Copy link

Link copied!

Hello Sharon,

Thank you for your reply.

Could you please re-check my first post and have a deep look to understand what I am trying to express.

in a nutshell. Everything is working very fine with Dynamics CRM 2011, 2013 and 2015. Means, we have been able to access / browse CRM organizations and being properly redirected to ADFS (3.0) sign in page without any rewrite rules [regardless of the protocol http or https]. if we type http://org.domain.com OR https://org.domain.com both ways properly redirected to ADFS sign in page for authentication.

But with CRM 2016 we are experiencing windows login prompt internally / externally if we use HTTP in the url. CRM 2016 working fine and properly redirect to adfs sign in page if we type https in the url. we even upgraded one of our existing CRM 2015 server to 2016 but after a successful upgrade, Still same results.

if you guys really want to check this scenario then Please install CRM 2016 in your local test labs, configure IFD and access crm organization using http and https that way i think you can get a better idea of this thread.

thanks.

Was this reply helpful? Yes No
http://.Interactive... on at

Like (1)

Report
Copy link

Link copied!

This is the blog we created and is a help to people. www.interactivewebs.com/.../how-to-set-up-microsoft-crm-2016-ifd-on-windows-2012-r2-server

Your environment sounds a little different based on the ports you have used, but the same would apply.

In IIS simply remove the binding for non https. That way the site will not respond to http. This would be done in the default website.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Copy link

Link copied!

@David, it is not that simple just you wrote to remove http binding.... if we do that users will get different error messages like ... "The webpage cannot be found" - the thread is all about URL rewrite and not about the installation itself. same standard IFD configuration is doing great job with crm 2011, 2013 and 2015 along with both protocols. BUT NOT with Dynamics CRM 2016.

thanks.

Was this reply helpful? Yes No
http://.Interactive... on at

Like (0)

Report
Copy link

Link copied!

My bad. I did not RTFQ well enough. Though you were just wanting it to error out with the http. I understand now you want it to redirect to https like it was easy to do in earlier version.

It would be possible to set a rule in the web.config, but you would need to do a rule for each org.

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Copy link

Link copied!

NO that is not correct, rules are not at org level ! Please note Rewrite Rule is on IIS website level so once configured every request hits will be routed to HTTPS.... so it is a one time effort.

now come to the main point we were not supposed to add rewrite rules in legacy version due to the fact that once IFD is configured CRM is smart enough to push the request to sts sign in page. but not with CRM 2016 so far...

Was this reply helpful? Yes No
Neal Santin 106 on at

Like (0)

Report
Copy link

Link copied!

We experienced the same issue on our 2016 upgrade. Just entering the URL will push to HTTPS, however explicitly entering http:// triggered the windows authentication prompt (on an IFD deployment).

We debated testing disabling WindowsAuthentication on the site, but in the end we added a custom HTTP-HTTPS URL Rewrite and moved it to the top, which seems to work fine .

Here is the rule that you can add to your web.config file:

<rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
</rule>

Was this reply helpful? Yes No
Community Member on at

Like (2)

Report
Copy link

Link copied!

As a workaround/hack We already added the Rules on our Front-end nodes to avoid users angriness.

The MAIN question is what i posted initially.

"is it a bug? or it is by design, if yes then why? what is the logic behind this.."

thanks.

Was this reply helpful? Yes No
Damian Sinay on at

Like (0)

Report
Copy link

Link copied!

Hi,

I just ran into this same issue and fixed it by adding an extra URL Rewrite rule as explained in this article www.jppinto.com/.../automatically-redirect-http-requests-to-https-on-iis7-using-url-rewrite-2-0

hope this helps

Was this reply helpful? Yes No
Community Member on at

Like (0)

Report
Copy link

Link copied!

@All, Hello :) kindly note that the main purpose/mission line for this thread is what i posted initially.... "is it a bug? or it is by design, if yes then why? what is the logic behind this.." - there are many workarounds but if it is a bug, MS (ADFS/CRM) team should look into that and provide a fix to give administrators a smooth configuration experience just as with CRM 2011/2013/2015.

Thanks.

Was this reply helpful? Yes No