Problem using Internal and External addresses with Claim based auth and IFD

Posted on 2011-03-21
Last Modified: 2012-05-11
Hi All

I'm trying to get my system setup to use IFD for the external addresses and have a separate internal address that internal users use, so that they don't have to authenticate using IFD.

I have followed the new guide for setting up Claims based auth & IFD, and IFD works fine for both internal and extenral users, but I cannot get the internal address working. When I try the Internal address on the local LAN, I get a windows login prompt, and even if I type the users name and password in the in domain\username and username formats it doesn't login.

Anyone have any pointers?



Question by:WayneATaylor
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 29

Expert Comment

by:Feridun Kadir
ID: 35179216
Did you set up two relying parties in AD FS?  You need two, one specifying the internal address and one specifying the external address.
LVL 10

Author Comment

ID: 35179222

Yes I did do this. The only difference in the two is the endpoint address, is that correct?

LVL 29

Expert Comment

by:Feridun Kadir
ID: 35221686
That is correct.
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

LVL 10

Author Comment

ID: 35221736
Its still not working for me then, I get connect fine on the External address. I get the ADFS login fine and all works, but when I try and use the Internal address I get the windows login and cannot get into it!


Accepted Solution

petesvendson earned 500 total points
ID: 36013681
If you are getting prompted for credentials when attempting to access CRM over the internal access point you need to keep in mind that CRM is redirecting the request to ADFS with a URL indicating that the user has a Kerberos ticket. Meaning Kerberos traffic must resolve.

1. Make sure that your FQDN name for ADFS is in the Intra net site zone in IE (by default IE will only send Kerberos tickets to Intranet sites

2. Ensure that you have a HOST SPN for the ADFS URL under the Machine Account (assuming that KernelMode Auth is turned ON on the ADFS website. (Yes I did mean HOST SPN and not HTTP SPN ADFS need HOST. By default Kernel Mode Int auth should be turned on -- if not then the SPN goes under the SVC account running your ADFS IIS AppPool Account.

Most likely you are running into Issue #1. If not let me know and we can drill further.
LVL 10

Author Closing Comment

ID: 37381532
I actually reinstalled and it seemed to work in  the end!

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CRM 2011 SSRS Question 12 101
Fetch XML Unions? 3 839
CRM 2011 Product/Price List Configuration 7 92
CRM 2011 On Premise / http connection working / https connection not working 6 94
Automatically creating a Trello card using data from a Microsoft Dynamics CRM record turned out to be an easy project that yielded great results.  Here's how I did this for an internal team at General Code.
Desired Skill Set for Microsoft Dynamics CRM Technical Resources – Part I
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question