Categories

Single Sign-on with Dynamics CRM External URL

Single Sign-on with Dynamics CRM External URL

Recently I was setting up an Internet Facing Deployment (IFD) for a new Dynamics CRM 2013 implementation. Luckily the process has not changed much since CRM 2011, and there are many blogs and even a whitepaper that cover the topic. 

One of the biggest pain points is that the CRM claims based / IFD configuration publishes two access URLs, one each for internal and external use. The external url does not allow for windows integrated single-sign on, and the internal URL cannot be accessed from the public internet.  

Dynamics CRM: Internal vs. External URLs
CRM URL Type Default ADFS Authentication Method Single Sign-on Publicly Accessible
Internal (crm.contoso.local) Integrated Windows Authentication (IWA) Yes No
External (crm.contoso.com) Forms-based Authentication (FBA) No Yes

 

Rather than force users to suffer the pain of two URLs or a credential prompt every session, we choose to use just the external URL and dynamically change the authentication method. Now we point everyone to the same address and the login is processed using the best possible experience.   

To do this, we adjusted the ADFS server web.config to drop the wauth query parameter. CRM uses this parameter to force the use of forms-based authentication.   

  1. Access the ADFS server
  2. As administrator, create a web.config file in C:\inetpub\wwwroot. 
  3. Add the following XML, which sets the default authentication mode to windows and uses the IIS URL Rewrite module to drop the “wuath” parameter from internal IP addresses.  If your internal IP range is not 192.168.*.* then you should edit the regular expression appropriately.  
  4. Perform an IIS Reset (command prompt --> iisreset) on the ADFS server
  5. Test the external url from machines inside and outside the network

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authentication mode="Windows" />
    </system.web>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="String wauth parameter" enabled="true" stopProcessing="true">
                <match url="(.*)" />
                <conditions trackAllCaptures="true">
                    <add input="{REMOTE_ADDR}" pattern="192\.168\.[0-9]{1,3}\.[0-9]{1,3}" />
                    <add input="{QUERY_STRING}" pattern="(.*)(wauth=.*)(.*)" />
                </conditions>
                <action type="Redirect" url="{R:0}?{C:1}{C:3}" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
<!-- Remove wauth paramter to force windows authentication on local address -->

If everything goes well, from inside the network you will get integrated windows authentication.  From outside the network you should see the forms based login aspx page.   

While you are making changes to ADFS settings, I would recommend customizing the forms based login page to add a logo or other branding.    

As a side note, to achieve single-sign on with integrated windows authentication, all of the following must be true:

  1. You are accessing CRM from a domain joined computer
  2. You are within the same network as CRM and ADFS
  3. Browser is Internet Explorer or Chrome
  4. Website is in the Intranet Zone, or the security settings are customized to allow passing of windows credentials.

Learn more about DMC's Microsoft Dynamics CRM services.

Comments

Thabiso
# Thabiso
Hi, when I try this I get a 500 - Internal server error. I ideas how I can get around this? This is for MS CRM 2015, Windows 2008 R2 and ADFS 2.0. Your assistance will be greatly appreciated.
Tobias
# Tobias
Hi,
When I do like this and then try to access the site, both from internal and external url, I get 500 - Internal server error.

Any suggestions?

Thanks for your article.
Petri Asikainen
# Petri Asikainen
Thanks!
I used this same idea to fix external crm authentication to adfs proxy. In my case crm was appending "wauth=urn%3afederation%3aauthentication%3awindows" to query string.
By Using following rewrite I forced adfs proxy to use form authentication with crm.











gluu.org
# gluu.org
I appreciate the efforts you have put in this site and all the information you provide in post is too good, informative and useful.
Jim Koerner
# Jim Koerner
This info has worked great for us up until now. We updated to ADFS 3.0 it is no longer based on IIS thus we lost the rewrite capability. Not sure if you have run into this yet or have an idea/workaround on how to do it with ADFS 3.0

Post a comment

Name (required)

Email (required)

CAPTCHA image
Enter the code shown above:

Categories

Related Blog Posts