Getting 2 Login Windows when accessing CRM externally over ADFS (Proxy)

I have implemented ADFS for internal user access to CRM SSO and no login credentials are required over SSO.

I have placed a ADFS Proxy server in our perimeter network which talks to the internal ADFS server.

When an external user with a mobile device types - https://crm.ourdomain.co.uk you can see the browser address immediately change to sts.ourdomain.co.uk (ADFS Service address) and the external user is presented with a what looks like a Windows Authentication window. It's as if I'm being asked to authenticate against the actual Proxy server. When I enter either my details (domain admin) or admin credentials I am then presented with the sts.ourdomain.co.uk ADFS login window which is what I would expect.

How do I get rid of the first login window?

Things done so far
Resolution 1: Enable Anonymous Authentication on the AD FS 2.0 Proxy server
This was already enabled for my site.
Resolution 2: Enable Windows Authentication on the AD FS 2.0 Federation server farm
This was already enabled for my site.
 
Resolution 3: Enable Forms Authentication on the AD FS 2.0 Federation server farm
This was not enabled. I enabled it.  It did not fix anything, actually.  I would say made things "worse".  When enabled, I get the error.

I have also change the web.config file on both the ADFS and Proxy server to read:
 <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />

What I can do however is add the sts.ourdomain.co.uk to the browser Trusted Sites (Intranet) as most of the external users will be using iPads, Samsung Galaxy's, and other mobile devices so I'm stuck.
LVL 2
CTCRMInfrastructure EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

CTCRMInfrastructure EngineerAuthor Commented:
Nobody has responded to this question and I have since resolved the issue.

I ran the following command on the CRM server. This allows users credentials to be passed from the ADFS server to the CRM server (Trust).

setspn -a http/adfsservername.yourdomainname yourdomainname\CRMservername

Example
setspn -a http/adfssrv.brother.com brother.com\crmappsrv

Also, ensure that the clients browser (IE) has the trusted domain name added into the LOCAL INTRANET settings via browser security settings. If not then the client will receive the additional login box.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
CTCRMInfrastructure EngineerAuthor Commented:
I have resolved this with the second comment.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Dynamics

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.