During a recent engagement, I wanted to test my plan by setting up an IFD deployment in an Azure VM. In this blog post, I will focus only on setting up an IFD environment in an Azure VM; I won’t be going into the details of setting up and configuring ADFS.

General information about setting up an IFD environment in CRM 2016 can be found here.

Architecture

[Diagram: IFD deployment in an Azure VM]

DNS Requirement

To set up claims-based authentication on a Dynamics CRM server, we need two DNS host entries created.

  1. internalcrm.crmlabspro.com – This is the URL accessed by internal network users.
  2. sts.crmlabspro.com – This is the URL pointing to the security token service (ADFS).

To set up IFD we need a minimum of three DNS host entries.

  1. crmlabspro.crmlabspro.com – CRMLabsPro is the organisation name; we need a DNS host entry created for each organisation in our CRM server.
  2. dev.crmlabspro.com – Discovery service URL.
  3. auth.crmlabspro.com – This is the external IFD URL.

To manage externally exposed DNS entries, I purchased a domain (crmlabspro.com) from GoDaddy.com for $1.97 for a year. It’s up to you to choose the provider, but we need an external domain where we can create host entries for the external URLs we need.

Creating the Virtual Server in Azure

Since we already have some preconfigured Dynamics CRM 2016 virtual machine images stored in Azure, I was able to create a new virtual machine with Windows Server 2012 R2, Dynamics CRM 2016, ADFS and Certificate Services within minutes.

Do not forget to open ports 443 and 444, to be used by ADFS and CRM respectively. Even if you forget, you can add the ports later by navigating to the “Endpoints” tab of the VM page.

[Screenshot: virtual server in Azure]

If possible, it’s best to use static IPs for both the private and the public IP address. This avoids having to update DNS information whenever the dynamic IP addresses change.

But for this lab, I’m going to live with the dynamic IPs to keep the running costs down.

Creating Public DNS Host Records for External Facing URLs

You have to create DNS host entries to point to your VM’s public IP address using the DNS management service of your domain provider (in this case GoDaddy).

[Screenshot: creating public DNS host records for the external-facing URLs]

Creating Host Entries for the Internal URLs

Open the hosts file located in “<systemdrive>:\Windows\System32\drivers\etc” using Notepad and create the following host records pointing to the server’s internal IP. In this example, the internal IP is 10.0.0.6.

[Screenshot: creating host entries for the internal URLs]

Create an HTTPS Binding in IIS for the CRM

Open Internet Information Services (IIS) Manager, right-click the Microsoft Dynamics CRM web site and click Edit Bindings.

[Screenshot: creating the HTTPS binding in IIS for CRM]

Click on the Add button.

[Screenshot: Site Bindings dialog for Microsoft Dynamics CRM]

In the Type drop-down, select https; in the Port field, type “444” or any other port that you wish to bind HTTPS to. As this is an all-in-one deployment, ADFS has already taken port 443, and ADFS is required to be installed on the default HTTPS port 443. Select the wildcard certificate for your organisation (*.crmlabspro.com).

[Screenshot: Add Site Binding dialog with https on port 444 and the wildcard certificate]

Click OK.

[Screenshot: the new HTTPS binding added]

Select the http binding on port 80 and remove it by clicking the Remove button.

[Screenshot: removing the http binding on port 80]

Close the Site Bindings dialog box.
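The hosts-file and IIS binding steps above can be scripted so the lab is repeatable. The following is an added PowerShell example, not code from the original post; it assumes the site is named “Microsoft Dynamics CRM”, the internal IP is 10.0.0.6, the wildcard certificate *.crmlabspro.com is already in the machine certificate store, and it is run from an elevated prompt on the CRM server.

```powershell
# Added example: automate the hosts-file entries and the CRM HTTPS binding on 444.
# Assumptions (from the post's lab): internal IP 10.0.0.6, ADFS owns 443, CRM on 444,
# wildcard cert *.crmlabspro.com installed in LocalMachine\My with its private key.
Import-Module WebAdministration

$internalIp    = '10.0.0.6'
$siteName      = 'Microsoft Dynamics CRM'
$crmPort       = 444
$internalHosts = @('internalcrm.crmlabspro.com', 'sts.crmlabspro.com')

# 1. Hosts file: map the internal URLs to the private IP (idempotent append)
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($name in $internalHosts) {
    $pattern = "\s$([regex]::Escape($name))\s*$"
    if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
        Add-Content -Path $hostsFile -Value "$internalIp`t$name"
    }
}

# 2. Pick the organisation's wildcard certificate (newest one that has a private key)
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match '^CN=\*\.crmlabspro\.com' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate *.crmlabspro.com not found in LocalMachine\My' }

# 3. HTTPS binding on 444 (443 is already taken by ADFS in this all-in-one layout)
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $crmPort)) {
    New-WebBinding -Name $siteName -Protocol https -Port $crmPort -IPAddress '*'
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$crmPort"
if (-not (Test-Path $sslPath)) { New-Item -Path $sslPath -Value $cert | Out-Null }

# 4. Remove the cleartext binding so the CRM site is only reachable over TLS
if (Get-WebBinding -Name $siteName -Protocol http -Port 80) {
    Remove-WebBinding -Name $siteName -Protocol http -Port 80
}

# 5. Sanity check: ADFS should still be listening on 443 and CRM (w3wp) on 444
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 443, $crmPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If step 5 shows nothing on 444, restart the site with `Restart-WebItem "IIS:\Sites\$siteName"` and re-check before moving on to the claims-based configuration.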

Configuring Claims-based Authentication for Internal Access

Configure claims-based authentication on the CRM server using the instructions provided in this article: Configure the Microsoft Dynamics CRM Server for claims-based authentication.

Remember to include the https port number (444) while specifying Microsoft Dynamics CRM Properties.

[Screenshot: Microsoft Dynamics CRM Properties with the https port 444]

Also remember to customize the STS (ADFS) URL to match what you’ve set up.

[Screenshot: Configure Claims-Based Authentication Wizard]

You should see the message below if the claims-based authentication setup is successful. Note the URL to configure as a relying party of the security token service (ADFS).

[Screenshot: Configure Claims-Based Authentication Wizard, completion page with the relying party URL]

Configuring ADFS for Internal Claims-based Authentication

Follow the steps provided in the article Configure the ADFS server for claims-based authentication on TechNet.

Make sure that you specify the HTTPS port (444) when specifying the relying party URL. (See image below.)

[Screenshot: configuring ADFS for internal claims-based authentication]

Adding ADFS Website to the Local Intranet Zone

Follow the steps provided in the article Add the ADFS website to the Local intranet security zone on TechNet.

Test Internal Claims-based Access

Follow the steps provided in the article Test internal claims-based authentication on TechNet to test whether the internal claims-based access is set up properly.

Configuring Claims-based Authentication for External Access

Follow the steps provided in the article Configure the Microsoft Dynamics CRM server for IFD on TechNet.

Ensure that you specify the HTTPS port number (444) while configuring the internet-facing deployment.

[Screenshot: Internet-Facing Deployment Configuration Wizard]

While specifying the IFD server URL, make sure that you include the HTTPS port (444).

[Screenshot: Internet-Facing Deployment Configuration Wizard, IFD server URL with port 444]

Your configuration should look similar to the image below.

[Screenshot: Internet-Facing Deployment Configuration Wizard, summary page]

Configure the ADFS Server for IFD

Follow the steps provided in the article Configure the ADFS server for IFD on TechNet.

Make sure that you specify the HTTPS port (444) when specifying the IFD URL as a relying party. (See image below.)

[Screenshot: Add Relying Party Trust Wizard with the IFD URL on port 444]

Your external host names should be displayed in the “Identifiers” tab of the Add Relying Party Trust Wizard. (See image below.)

[Screenshot: Add Relying Party Trust Wizard, Identifiers tab listing the external host names]

Test External Claims-based Authentication

Follow the steps in the article Test external claims-based authentication on TechNet.

Your IFD deployment should now be fully functional, as in the screenshot below. Note the certificate error displayed because the certificate was not issued by a trusted Certification Authority; a production deployment needs a certificate from a CA the clients trust, otherwise users have no way to tell the legitimate site from an impostor.

[Screenshot: working IFD deployment showing the browser certificate warning]

I hope this will help you when you get a requirement to set up an internet-facing deployment in Azure. Reach out to me if you have any further queries.