At Ledgeview Partners, we see many different technical configurations at our customers’ sites, each one requiring some tweaks here or there. One of the more confusing elements of a CRM 2011 IFD configuration is the distinction between “internal” and “external” URLs used by CRM and ADFS, and the different way these URLs authenticate users. For those of you out there supporting all of these configurations, I thought I would pass along a little tip.
In an IFD deployment, ADFS uses claims-based authentication for users accessing CRM from outside the corporate firewall, and Windows Authentication for users accessing CRM from inside the corporate network. The IFD configuration requires you to assign unique URLs to each authentication scenario. Microsoft’s best-practice recommendation is for internal users to access CRM with the internal URL so they can automatically pass their domain credentials to ADFS via Windows Authentication, and for external users to access CRM with the external URL where they enter their credentials for ADFS via a claims-based authentication form.
The problem with this model is that many CRM users have laptops and work both inside and outside the corporate network, which requires them to either switch between URLs depending on their location, or always use the external URL, thus losing the ability to automatically pass their domain credentials via Windows Authentication when working inside the corporate network.
As a workaround, you can implement the URL Rewrite 2.0 module for IIS 7.x on your ADFS server and configure it to detect whether a caller using the external URL is on the internal network, and if so, force Windows Authentication for that user. This way, ALL users can use the external URL to access CRM, reducing confusion and taking advantage of Windows Authentication when it is available. Here are the steps to install and set up URL Rewrite:
Log on to the ADFS server as a domain admin.
Install the URL Rewrite 2.0 module from the IIS website: http://www.iis.net/download/urlrewrite. Click “Install using the Microsoft Web Platform Installer” and follow the instructions to complete the install.
Open a command prompt, type IISRESET and hit enter.
Launch Notepad with “Run as administrator,” browse to C:\inetpub\wwwroot\ and create a file named web.config.
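Before an address pattern goes into the rewrite rule, it is worth checking that it classifies callers the way you intend. The following is an added example, not code from the original post: it assumes the rule detects internal callers by matching a regular expression against the caller's address (IIS's {REMOTE_ADDR} server variable) with match-anywhere semantics, and that "internal" means the RFC 1918 private ranges. The patterns and sample addresses are constructed.

```python
import ipaddress
import re

# Assumption: the internal network is the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed candidate patterns for the rule's address condition.
# Loose: unanchored, dots unescaped, and the 172.16.0.0/12 range is missing.
LOOSE_PATTERN = r"10.|192.168."
# Strict: anchored, dots escaped, all three private ranges covered.
STRICT_PATTERN = (r"^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                  r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
                  r"|192\.168\.\d{1,3}\.\d{1,3})$")

# Constructed sample caller addresses (internal and external mixed).
SAMPLES = ["10.1.2.3", "192.168.5.20", "172.20.0.9",
           "210.4.5.6", "8.8.110.7", "172.32.0.1", "203.0.113.10"]


def is_internal(addr):
    """Ground truth: CIDR membership, independent of any regex."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def misclassified(pattern, addresses):
    """Return addresses where the regex verdict disagrees with CIDR membership."""
    rx = re.compile(pattern)
    # search() models a pattern that may match anywhere unless anchored.
    return [a for a in addresses if bool(rx.search(a)) != is_internal(a)]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(name, "misclassifies:", misclassified(pattern, SAMPLES))
```

If requests reach the ADFS server through a proxy or load balancer, the address the server sees is the proxy's, so a rule keyed on it will classify every proxied caller the same way.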