Recently I was setting up an Internet Facing Deployment (IFD) for a new Dynamics CRM 2013 implementation. Luckily the process has not changed much since CRM 2011, and there are many blogs and even a whitepaper that cover the topic.
One of the biggest pain points is that the CRM claims-based / IFD configuration publishes two access URLs, one each for internal and external use. The external URL does not allow Windows integrated single sign-on, and the internal URL cannot be accessed from the public internet.
Dynamics CRM: Internal vs. External URLs

| CRM URL Type | Default ADFS Authentication Method | Single Sign-on | Publicly Accessible |
|---|---|---|---|
| Internal (crm.contoso.local) | Integrated Windows Authentication (IWA) | Yes | No |
| External (crm.contoso.com) | Forms-based Authentication (FBA) | No | Yes |
Rather than force users to suffer the pain of two URLs or a credential prompt every session, we chose to use just the external URL and change the authentication method dynamically. Now we point everyone to the same address and the login is processed using the best possible experience for where the user is connecting from.
To do this, we adjusted the web.config on the ADFS server to drop the wauth query parameter for requests coming from the internal network. CRM appends this parameter to the sign-in request to force the use of forms-based authentication.
- Access the ADFS server
- As administrator, create a web.config file in C:\inetpub\wwwroot.
- Add the following XML, which sets the default authentication mode to Windows and uses the IIS URL Rewrite module to drop the "wauth" parameter from requests that arrive from internal IP addresses. If your internal IP range is not 192.168.*.*, edit the regular expression appropriately.
- Perform an IIS reset (command prompt --> iisreset) on the ADFS server.
- Test the external URL from machines inside and outside the network.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Remove the wauth parameter to force Windows authentication for local addresses -->
        <rule name="Strip wauth parameter" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions trackAllCaptures="true">
            <!-- Condition 1: client is in the internal range; adjust if your LAN is not 192.168.x.x -->
            <add input="{REMOTE_ADDR}" pattern="192\.168\.[0-9]{1,3}\.[0-9]{1,3}" />
            <!-- Condition 2: capture the query string before ({C:1}) and after ({C:3}) the wauth segment.
                 The wauth value is bounded at the next '&amp;' so parameters that follow it are kept. -->
            <add input="{QUERY_STRING}" pattern="(.*)(wauth=[^&amp;]*&amp;?)(.*)" />
          </conditions>
          <!-- Redirect to the same path with the query string minus the wauth segment -->
          <action type="Redirect" url="{R:0}?{C:1}{C:3}" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
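The two conditions and the redirect action above can be checked before touching the ADFS server. The following Python script is an added example, not code from the original post or from the ADFS/IIS product: it re-implements the rule's logic with the same address pattern and a query pattern that bounds the wauth value at the next "&" so parameters after it survive (it assumes .NET and Python regex semantics agree for these simple, unanchored patterns), and runs it against a constructed sign-in query for an internal and an external client address.

```python
import re

# Condition patterns mirroring the web.config rule. The REMOTE_ADDR pattern is the
# page's own; the QUERY_STRING pattern stops the wauth group at the next '&'.
# Assumption: .NET and Python regex semantics agree for these simple patterns.
INTERNAL_ADDR = re.compile(r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}")
WAUTH_QUERY = re.compile(r"(.*)(wauth=[^&]*&?)(.*)")


def rewrite_login_url(remote_addr: str, path: str, query: str):
    """Simulate the rewrite rule.

    Returns the redirect target the rule would issue, or None when the rule does
    not fire (IIS conditions default to MatchAll, so both must match).
    """
    if not INTERNAL_ADDR.search(remote_addr):
        return None  # external client: wauth is kept, forms-based sign-in follows
    m = WAUTH_QUERY.search(query)
    if not m:
        return None  # no wauth parameter, nothing to strip
    # action url="{R:0}?{C:1}{C:3}": same path, query string without the wauth segment
    return f"{path}?{m.group(1)}{m.group(3)}"


def query_params(query: str) -> dict:
    """Parse a query string into a dict so we can check exactly which keys remain."""
    pairs = (p.partition("=") for p in query.split("&") if p)
    return {key: value for key, _sep, value in pairs}


# Constructed sample: the shape of the sign-in request CRM issues when it forces
# forms-based authentication (values are illustrative, not captured traffic).
SAMPLE_QUERY = (
    "wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fcrm.contoso.com%2f"
    "&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword"
    "&wctx=rm%3d1"
)

if __name__ == "__main__":
    for addr in ("192.168.10.25", "203.0.113.7"):
        target = rewrite_login_url(addr, "/adfs/ls/", SAMPLE_QUERY)
        print(f"{addr:15} -> {target if target else 'rule does not fire'}")
```

The rule keys only on REMOTE_ADDR, which is the address of the TCP peer. If a load balancer or reverse proxy sits in front of the ADFS server, every request carries the proxy's address, so the rule fires for everyone or for no one; test from both sides of any such device, not just from two workstations.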
If everything goes well, from inside the network you will get integrated Windows authentication. From outside the network you should see the forms-based login ASPX page.
While you are making changes to ADFS settings, I would recommend customizing the forms-based login page to add a logo or other branding.
As a side note, to achieve single sign-on with integrated Windows authentication, all of the following must be true:
- You are accessing CRM from a domain-joined computer.
- You are within the same network as CRM and ADFS.
- The browser is Internet Explorer or Chrome.
- The website is in the Intranet zone, or the browser's security settings are customized to allow passing of Windows credentials.