Solved

Getting 2 Login Windows when accessing CRM externally over ADFS (Proxy)

Posted on 2014-09-05
2
347 Views
Last Modified: 2014-09-12
I have implemented ADFS for internal user access to CRM SSO and no login credentials are required over SSO.

I have placed a ADFS Proxy server in our perimeter network which talks to the internal ADFS server.

When an external user with a mobile device types - https://crm.ourdomain.co.uk you can see the browser address immediately change to sts.ourdomain.co.uk (ADFS Service address) and the external user is presented with a what looks like a Windows Authentication window. It's as if I'm being asked to authenticate against the actual Proxy server. When I enter either my details (domain admin) or admin credentials I am then presented with the sts.ourdomain.co.uk ADFS login window which is what I would expect.

How do I get rid of the first login window?

Things done so far
Resolution 1: Enable Anonymous Authentication on the AD FS 2.0 Proxy server
This was already enabled for my site.
Resolution 2: Enable Windows Authentication on the AD FS 2.0 Federation server farm
This was already enabled for my site.
 
Resolution 3: Enable Forms Authentication on the AD FS 2.0 Federation server farm
This was not enabled. I enabled it.  It did not fix anything, actually.  I would say made things "worse".  When enabled, I get the error.

I have also change the web.config file on both the ADFS and Proxy server to read:
 <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />

What I can do however is add the sts.ourdomain.co.uk to the browser Trusted Sites (Intranet) as most of the external users will be using iPads, Samsung Galaxy's, and other mobile devices so I'm stuck.
0
Comment
Question by:CTCRM
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 2

Accepted Solution

by:
CTCRM earned 0 total points
ID: 40319387
Nobody has responded to this question and I have since resolved the issue.

I ran the following command on the CRM server. This allows users credentials to be passed from the ADFS server to the CRM server (Trust).

setspn -a http/adfsservername.yourdomainname yourdomainname\CRMservername

Example
setspn -a http/adfssrv.brother.com brother.com\crmappsrv

Also, ensure that the clients browser (IE) has the trusted domain name added into the LOCAL INTRANET settings via browser security settings. If not then the client will receive the additional login box.
0
 
LVL 2

Author Closing Comment

by:CTCRM
ID: 40319390
I have resolved this with the second comment.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question