How to Configure CRM 2011 for IFD and publish via TMG or UAG

By |2017-12-07T11:50:45+00:00November 1st, 2011|CRM|0 Comments

Scenario

We have a CRM server that we need to configure for IFD. We currently have CRM published internally on http://crm.contoso.com. We have no ADFS server currently set up so we will be setting that up from scratch.

The below steps will take you through the steps of setting up IFD and also explain how you can publish the IDS/ADFS Setup via UAG or TMG.

CRM Server Name = CRMSERVER

UAG Server Name = UAGSERVER

ADFS Server Name = ADFSERVER

Pre-Requisites

You will need the following before we start configuring IFD and ADFS.

Certificate San Names

A Wildcard certificate will be your best bet for this process but if this is not an option for you then you will need the following SAN Names

1. Adfs.contoso.com – URL for ADFS

2. Crm.contoso.com – URL for Internal CRM

3. Dev.contoso.com – CRM Web Service Discovery Domain

4. Auth.contoso.com – CRM External Domain

5. Orgname.contoso.com – URL for External CRM

6. Adfsportal.contoso.com – UAG Trunk URL (Needed only if using UAG to Publish)

External IP Addresses

One IP address will be needed if you’re publishing via UAG

1. Adfs.contoso.com, Adfsportal.contoso.com, dev.contoso.com, auth.contoso.com, orgname.contoso.com

Two IP addresses will be needed if you’re publish via TMG

1. Adfs.contoso.com

2. dev.contoso.com, auth.contoso.com, orgname.contoso.com

External/Internal DNS Records

You will need to create internal and external DNS records for the following

1. adfs.contoso.com – Point to ADFS server

2. adfsportal.contoso.com– Point to ADFS server ( Only Needed if using UAG)

3. dev.contoso.com – Point to CRM server

4. auth.contoso.com – Point to CRM server

5. orgname.contoso.com – Point to CRM server

Disable Loopback Check on ADFS Server

Also disable loopback check on your ADFS server , unless your ADFS URL is the hostname of your server otherwise ADFS won’t authenticate and you will receive a 401.1

1. Click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa

3. Right-click Lsa, point to New, and then click DWORD Value.

4. Type DisableLoopbackCheck, and then press ENTER.

5. Right-click DisableLoopbackCheck, and then click Modify.

6. In the Value data box, type 1, and then click OK.

7. Quit Registry Editor, and then restart your computer.

How to Set up CRM 2011 IFD

These steps explain what we need to run through in the Setup Wizards for CRM and ADFS in a chronological order.

ADFS

1. Install ADFS 2.0 on a Separate Server to CRM named ADFSSERVER

2. Import Certificate from Pre-Reqs onto ADFS site in IIS

3. Configure ADFS and Choose a Stand-Alone Federation Server Deployment

4. Choose the Wildcard/SAN certificate that you requested as part of pre-reqs and select the Federation Service name to be adfs.contoso.com

CRM

1. Open the CRM Deployment manager

2. Right click properties on Microsoft Dynamics CRM and go to the Web Address tab

3. Change the binding tab to HTTPS and configure the following

· Web Application Server

i. Crm.contoso.com

· Organization Web Service

i. Crm.contoso.com

· Discovery Web Service

i. Crm.contoso.com

· Deployment Web Service

i. Crm.contoso.com

4. Open IIS and bind the Wildcard/SAN certificate to CRM Website.

DNS

1. Create a External DNS record for adfs.contoso.com and point it to IP on UAG server and create an internal record for adfs.contoso.com and point it to ADFSSERVER

2. Also Create an Internal record for Crm.contoso.com to point to CRMSERVER

CRM

1. Open the CRM Deployment manager

2. Right click properties on Microsoft Dynamics CRM and configure Claims-Based Authentication Wizard.

3. The Federation Metadata Url will be https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml

4. Select the Wildcard/SAN certificate to use

5. Hit Next and Finish

6. Open the Certificate (Local Computer) MMC Snap in

7. Browse to Wildcard/SAN certificate

8. Right click the certificate, go to all tasks and manage private keys

9. Add the service account responsible for running the CRMAppPool and give it read permissions (Check this by opening IIS on CRMSERVER > Expand server name > application pools and check the identity responsible for running the CRMAppPool. May be running under networkservice account also)

10. Run an IISRESET

ADFS

1. Try browsing to https://crm.contoso.com/federationmetadata/2007-06/federationmetadata.xml to make sure federation metadata loads.

2. In ADFS Console add a Trust Relying Party

3. Choose the option Import data about the relying party published online or on a local network

Federation Metadata address – https://crm.contoso.com/federationmetadata/2007-06/federationmetadata.xml

4. Choose the Display Name to “Internal CRM

5. Select “Permit all users to access this relying party

6. Press Finish and know we will need to add a few Transform Claim Rules

7. Choose “Pass Through or Filter an incoming claim” Template

· Claim Rule Name: Pass Primary SID

· Incoming Claim Type: Primary SID

· Pass through all claim values

8. Choose the “Pass Through or Filter an incoming claim” Template

· Claim Rule Name: Pass UPN

· Incoming Claim Type: UPN

· Pass through all claim values

9. Choose the “Transform an Incoming Claim ” Template

· Claim Rule Name: Transform Windows Account Name to Name

· Incoming Claim Type: Windows Account Name

· Outgoing Claim Type: Name

· Pass through all claim values

10. Press Finish now expand Trust Relationships

11. Go to Claims Provide Trusts and right click on Active Directory and choose edit claim rules

12. Now hit Add Rule

13. Choose the “Send LDAP Attributes as Claims ” Template

· Claim rule name: Send UPN from AD to Claims

· Attribute store: Active Directory

· LDAP Attribute: User Principal Name

· Outgoing Claim Type: UPN

CRM

1. Try browsing to https://crm.contoso.com and you should notice an ADFS screen flicker up and then disappear

2. Now choose Configure Internet-Facing Deployment

· Web Application Server Domain: Contoso.com

· Organization Web Service Domain: Contoso.com

· Discover Web Service Domain: dev.contoso.com

3. Hit Next and use auth.contoso.com for the External domain

DNS

1. Create a External DNS record for auth.contoso.com and point it to the UAGSERVER/TMGSERVER

2. Create a External DNS record for dev.contoso.com and point it to the UAGSERVER/TMGSERVER

3. Create a External DNS record for orgname.contoso.com and point it to the UAGSERVER/TMGSERVER

4. Create a Internal DNS record for auth.contoso.com and point it to the CRMSERVER

5. Create a Internal DNS record for dev.contoso.com and point it to the CRMSERVER

6. Create a Internal DNS record for orgname.contoso.com and point it to the CRMSERVER

ADFS

1. In ADFS Console add a Trust Relying Party

2. Choose the option Import data about the relying party published online or on a local network

Federation Metadata address- https://auth.contoso.com/federationmetadata/2007-06/federationmetadata.xml

4. Choose the Display Name to “External CRM

5. Select “Permit all users to access this relying party

6. Choose “Pass Through or Filter an incoming claim” Template

· Claim Rule Name: Pass Primary SID

· Incoming Claim Type: Primary SID

· Pass through all claim values

7. Choose the “Pass Through or Filter an incoming claim” Template

· Claim Rule Name: Pass UPN

· Incoming Claim Type: UPN

· Pass through all claim values

8. Choose the “Transform an Incoming Claim ” Template

· Claim Rule Name: Transform Windows Account Name to Name

· Incoming Claim Type: Windows Account Name

· Outgoing Claim Type: Name

· Pass through all claim values.

We now have a decision on how we want to publish CRM 2011 IFD, either by UAG or TMG

Option 1 = UAG

Option 2 = TMG

Option 1 – UAG

UAG

Create Authentication Repository

1. Now if we Open the UAG console we need to configure an ADFS authentication repository

2. In the Forefront UAG console, on the Admin menu, click Authentication and Authorization Servers

3. On the Authentication and Authorization Servers dialog box click Add

4. Choose ADFS 2.0 as Server type and on the Add Authentication Server

· Server Name: ADFSSERVER

· Url of Metadata File: https://adfs.contoso.com/FederationMetadata/2007-06/federationmetadata.xml

5. Choose Retrieve Metadata

6. Select the Claim Type Name from the list.

7. Now select ok and close

Create Portal Trunk

1. In the Forefront UAG Management console, right-click HTTPS Connections then click New Trunk

2. Trunk Type will be Portal Trunk click next

3. Settings for the trunk

· Trunk Name – ADFS

· Public Host name- Adfsportal.contoso.com

· Ip Address – External IP address of your choice that has the appropriate DNS records pointing to it.

4. Add ADFS Authentication Server created above and hit next

5. Choose the Wildcard/SAN certificate and choose next

6. Choose use UAG Forefront Endpoint Policies

7. Hit Finish and Activate Settings (Make a note of Metadata file) “https://adfs.contoso.com/InternalSite/ADFSv2Sites/ADFS/FederationMetadata/2007-06/FederationMetadata.xml

ADFS

1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

2. Under the AD FS 2.0Trust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

3. On the Welcome page, click Start.

4. On the Select Data Source page, do one of the following:

5. Use Federation metadata URL “https://UAGSERVER.contoso.com/InternalSite/ADFSv2Sites/ADFS/FederationMetadata/2007-06/FederationMetadata.xml

6. On the Specify Display Name page, in Display name type UAG and then click Next.

7. On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party, and then click Next.

8. Click Next to save your relying party trust information.

9. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box.

10. Choose “Pass Through or Filter an incoming claim” Template

· Claim Rule Name: Pass Primary SID

· Incoming Claim Type: Primary SID

· Pass through all claim values

11. Choose the “Pass Through or Filter an incoming claim” Template

· Claim Rule Name: Pass UPN

· Incoming Claim Type: UPN

· Pass through all claim values

12. Choose the “Transform an Incoming Claim” Template

· Claim Rule Name: Transform Windows Account Name to Name

· Incoming Claim Type: Windows Account Name

· Outgoing Claim Type: Name

· Pass through all claim values

13. Press Finish now expand Trust Relationships

14. Go to Claims Provide Trusts and right click on Active Directory and choose edit claim rules

15. Now hit Add Rule

16. Choose the “Send LDAP Attributes as Claims ” Template

· Claim rule name: Send UPN from AD to Claims

· Attribute store: Active Directory

· LDAP Attribute: User Principal Name

· Outgoing Claim Type: UPN

UAG

Publish CRM 2011

1. Open the UAG Console

2. Publish the CRM server using the Microsoft Dynamics CRM 2011 template

3. In the main portal properties page on the ADFS Trunk, in Applications, click Add.

4. On the Select Application page of the Add Application Wizard, select Web, and then select Microsoft Dynamics CRM 2011. Then click Next.

5. On the Configure Application page, specify the name CRM 2011. This name will appear in the portal. Then click next.

6. Choose Configure an Application Server

7. On the web servers page the Address should be the internal URL of CRM which is crm.contoso.com

8. The public hostname will be the Organization host name of “Orgname.contoso.com

9. On the Authentication select the ADFS 2.0 Authentication Server and choose 401 Request

10. In the Forefront UAG Management console, in the application list, click the AD FS 2.0 application, click Edit, and on the Application Properties dialog box, on the Authentication tab, select the Allow unauthenticated access to web server check box.

11. On the Forefront UAG server in the Forefront UAG Management console, publish the Microsoft Dynamics CRM Discovery Web Service domain “dev.contoso.com” using the Other Web Application (application specific name) template.

12. On the web servers page the Address should be the internal URL of crm.contoso.com

13. The public hostname will be the External Url “dev.contoso.com

14. On the Authentication select the ADFS 2.0 Authentication Server and choose 401 Request

15. On the Portal Link page, clear the Add a portal and toolbar link check box.

16. On the Forefront UAG server in the Forefront UAG Management console, publish the external domain selected during configuration of IFD for Microsoft Dynamics CRM which is auth.contoso.com using the Other Web Application (application specific name) template.

17. On the web servers page the Address should be the internal URL of crm.contoso.com

18. The public hostname will be the External Url “auth.contoso.com

19. On the Authentication select the ADFS 2.0 Authentication Server and choose 401 Request

20. On the Portal Link page, clear the Add a portal and toolbar link check box.

21. Make Sure the CRM 2011 application is above the External domain and discovery service domain

Option 2 – TMG

TMG

1. On TMG create a Web listener called CRM IFD

2. Select “Require SSL secure connection with clients

3. Select External and assign the 2 IP’s to the listener that you have assigned for “auth.contoso.com, dev.contoso.com , orgname.contoso.com and adfs.contoso.com

4. Assign the “Appropriate Wildcard Certificate or San Certificate

5. Make sure the Web Listener is set to “No Authentication

6. Hit Next and Finish

7. Now we need to create a publishing rule, press “Publish Web Sites” in the Firewall policy tasks column

8. Name the rule “Publish CRM Organization IFD

9. Select “Allow

10. Choose “Publish a Single Web Site or Load Balancer

11. Now choose “Use SSL to connect to the published Web server or server farm

12. Internal Site name will be “Orgname.contoso.com” (make sure you have created an internal DNS record for this or it wont work” also select use a computer name and type in the name of your CRM server “CRMSERVER”

13. Don’t enter a path and just press next

14. The public name will be “https://orgname.contoso.com” and again leave the path blank

15. Select the web listener you created earlier “CRM IFD

16. Select “No Delegation, and client cannot authenticate directly

17. Make sure the rule applies to “All Users” and hit next and finish

Now we need to create 3 more Web Publishing Rules for auth, dev.contoso.com and adfs.contoso.com

 

Auth.contoso.com

1. Press “Publish Web Sites” in the Firewall policy tasks column

2. Name the rule “Publish CRM Auth IFD

3. Select “Allow

4. Choose “Publish a Single Web Site or Load Balancer

5. Now choose “Use SSL to connect to the published Web server or server farm

6. Internal Site name will be “Auth.contoso.com” (make sure you have created an internal DNS record for this or it wont work” also select use a computer name and type in the name of your CRM server “CRMSERVER”

7. Don’t enter a path and just press next

8. The public name will be “https://Auth.contoso.com” and again leave the path blank

9. Select the web listener you created earlier “CRM IFD

10. Select “No Delegation, and client cannot authenticate directly

11. Make sure the rule applies to “All Users” and hit next and finish

Dev.contoso.com

1. Press “Publish Web Sites” in the Firewall policy tasks column

2. Name the rule “Publish CRM Discovery IFD

3. Select “Allow

4. Choose “Publish a Single Web Site or Load Balancer

5. Now choose “Use SSL to connect to the published Web server or server farm

6. Internal Site name will be “Dev.contoso.com” (make sure you have created an internal DNS record for this or it wont work” also select use a computer name and type in the name of your CRM server “CRMSERVER”

7. Don’t enter a path and just press next

8. The public name will be “https://Dev.contoso.com” and again leave the path blank

9. Select the web listener you created earlier “CRM IFD

10. Select “No Delegation, and client cannot authenticate directly

11. Make sure the rule applies to “All Users” and hit next and finish

Adfs.contoso.com

1. Press “Publish Web Sites” in the Firewall policy tasks column

2. Name the rule “Publish ADFS

3. Select “Allow

4. Choose “Publish a Single Web Site or Load Balancer

5. Now choose “Use SSL to connect to the published Web server or server farm

6. Internal Site name will be “Adfs.contoso.com

7. Don’t enter a path and just press next

8. The public name will be “https://Adfs.contoso.com” and again leave the path blank

9. Select the web listener you created earlier “CRM IFD

10. Select “No Delegation, and client cannot authenticate directly

11. Make sure the rule applies to “All Users” and hit next and finish

You should now have CRM IFD all published and Working Smile

Leave A Comment

like what you see? 

Sign-up to our newsletter and never miss out on the latest blogs, events and tech news from the world of risual
SUBSCRIBE!
Give it a try, you can unsubscribe anytime.