The Microsoft Dynamics CRM Blog
News and views from the Microsoft Dynamics CRM Team

Internet Facing Deployment (IFD) Installation Basics


Hi, I recently started owning the Internet Facing Deployment (IFD) feature set within the CRM team, so in this blog post I will share some of my thoughts and insights. I have also noted that there are no IFD-related blogs on CRM so far, so this should be a good start. :)

IFD allows customers to configure their CRM system to be reachable from outside the intranet (i.e. from the internet, outside the firewall). The main difference between IFD and a typical on-premise deployment is how users are authenticated. In the on-premise version, IIS handles most of the authentication via Integrated Windows Authentication, although custom CRM authentication handler modules are registered during setup to assist in the process. In IFD, the web site is opened for anonymous access and authentication relies on the presence of the CRM ticket cookie. This cookie is obtained by starting from a sign-in page.

Any page request that does not contain the CRM ticket cookie is also redirected to the sign-in page. This page deletes any expired CRM ticket cookies and, if the user provides correct credentials, writes a new CRM ticket cookie that is used in later requests.

To install an IFD-enabled CRM system, crminstall.xml needs to have the following node under the path <CRMSetup><Server>. There isn't much information in it, so an on-premise deployment with IFD does not differ much from one without. I will explain the difference later.

    <ifdsettings enabled="true">
      <internalnetworkaddress>157.55.160.202-255.255.255.255</internalnetworkaddress>
      <rootdomainscheme>https</rootdomainscheme>
      <sdkrootdomain>myDomain</sdkrootdomain>
      <webapplicationrootdomain>myDomain</webapplicationrootdomain>
    </ifdsettings>

Node details:

  1. The <ifdsettings> node is the root node containing all the details that the CRM server needs to enable IFD.
  2. The “enabled” attribute indicates whether IFD is to be enabled or not.
  3. The <internalnetworkaddress> is used to separate internal from external request IP addresses. Internal requests continue to go through the usual on-premise authentication, whereas external requests go through IFD. This is also known as SPLA authentication; SPLA stands for Service Provider Licensing Agreement. The value is specified in the IPAddress-IPAddressMask format, and multiple values can be specified by separating them with a semicolon.
  4. The <sdkrootdomain> and the <webapplicationrootdomain> nodes are used to define the SDK and web application root domains. These should ideally be fully qualified domain names and can be the same if the SDK and application servers are located on the same box.
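
As an added example (not code from the original post or from Microsoft), the following Python audits an <ifdsettings> node and classifies client addresses as internal or external. It assumes a request counts as internal when its address, combined with the mask, matches a configured entry; the second range (10.0.0.0-255.255.255.0) and all function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <ifdsettings> node from the post, with a second,
# made-up internal range (10.0.0.0-255.255.255.0) to show the semicolon form.
SAMPLE = """
<ifdsettings enabled="true">
  <internalnetworkaddress>157.55.160.202-255.255.255.255;10.0.0.0-255.255.255.0</internalnetworkaddress>
  <rootdomainscheme>https</rootdomainscheme>
  <sdkrootdomain>myDomain</sdkrootdomain>
  <webapplicationrootdomain>myDomain</webapplicationrootdomain>
</ifdsettings>
"""

def parse_internal_ranges(value):
    """Turn 'IPAddress-IPAddressMask;...' into a list of ip_network objects."""
    ranges = []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        address, sep, mask = entry.partition("-")
        if not sep:
            raise ValueError(f"missing '-' between address and mask: {entry!r}")
        # strict=False lets a host address carry a subnet mask (host bits set).
        ranges.append(ipaddress.ip_network(f"{address.strip()}/{mask.strip()}", strict=False))
    return ranges

def is_internal(client_ip, ranges):
    """Assumed semantics: internal when the masked client IP matches an entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ranges)

def audit_ifdsettings(xml_text):
    """Return (ranges, findings) for one <ifdsettings> node."""
    node = ET.fromstring(xml_text)
    findings = []
    if node.get("enabled", "").lower() != "true":
        findings.append("IFD is not enabled")
    if (node.findtext("rootdomainscheme") or "").strip().lower() != "https":
        findings.append("rootdomainscheme is not https")
    ranges = parse_internal_ranges(node.findtext("internalnetworkaddress") or "")
    for net in ranges:
        if net.num_addresses > 1:
            findings.append(f"{net} treats {net.num_addresses} addresses as internal")
    return ranges, findings

if __name__ == "__main__":
    ranges, findings = audit_ifdsettings(SAMPLE)
    print("findings:", findings)
    for ip in ("157.55.160.202", "157.55.160.203", "10.0.0.57", "203.0.113.9"):
        print(ip, "->", "on-premise auth" if is_internal(ip, ranges) else "IFD sign-in page")
```

A mask of 255.255.255.255 matches exactly one host, so any wider mask is reported as a finding for review.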

Installing an IFD-enabled CRM server is pretty simple, but CRM setup does not provide any UI support for it, so IFD needs to be enabled via an XML install. Also, once CRM is installed there is no easy out-of-the-box tool to enable it. There is, however, a support tool that customers can download and use.

The support tool can be downloaded from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=69089514-6e5a-47e1-928b-4e4d4a8541c0&DisplayLang=en

The documentation to use the tool and more on Microsoft Dynamics CRM 4.0 Internet Facing Deployment Scenarios can be found at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=3861e56d-b5ed-4f7f-b2fd-5a53bc71dafc&DisplayLang=en

OK. Now let's talk about the difference between an on-premise and an IFD-enabled on-premise deployment. On the IFD-enabled deployment you will see the following.

1) A new regkey 'IfdInternalNetworkAddress' with a string value in the format IPAddress-IPAddressMask. This contains the value of the <internalnetworkaddress> node.

2) Three new DeploymentProperties in the config database (MSCRM_CONFIG).

     a. 'IfdRootDomainScheme',

     b. 'IfdSdkRootDomain',

     c. 'IfdWebApplicationRootDomain',

select * from DeploymentProperties where ColumnName like 'Ifd%'

Each entry has the string (NVarCharColumn) value set to the values from the config xml. The Id field in the deployment property is the deployment id.

select id from Deployment

3) Updated <crm.authentication> node in the web.config file

<authentication strategy="OnPremise" />

changes to:

<authentication strategy="ServiceProviderLicenseAgreement" />

4) Anonymous access is enabled on the CRM website and all web pages under it.

5) The URL used to access IFD is different from on-premise. It is in the form https://myOrganizationName.myDomain. Jagan Peri’s blog post covers this in more detail: http://blogs.msdn.com/crm/archive/2008/08/01/microsoft-dynamics-crm-urls.aspx

You should also check out the latest version of the SDK (version 4.0.6). It has some great examples of adding web pages in an IFD-enabled CRM server and more.

The CRM SDK 4.0.6 can be downloaded from: http://www.microsoft.com/downloads/details.aspx?FamilyID=82E632A7-FAF9-41E0-8EC1-A2662AAE9DFB&displaylang=en

Cheers,

Shashi Ranjan

  • Hi,

    What about multi-tenancy? Do you have any idea how to achieve that?

  • Hi, I deployed IFD by using the CRM40IFDTool but I'm having big issues to configure my Outlook Clients in order to access CRM from the Internet.

    Scenario:

    -Outlook Clients work fine from the internal network BUT they have to be attached to the domain and they have to log in as domain users onto the machine.

    -web interface works fine from inside and outside

    -Outlook clients do NOT work over the internet. I'm able to establish the initial connection but when the Organization associated page comes up, I see no organization listed. I tried to trace this problem from my firewall and I saw a 401 authentication error. The client is able to reach the URL http://PCname.domainname.com/MSCRMServices/2007/SPLA/CrmDiscoveryService.asmx as anonymous user but then it is not able to switch to integrated Windows security.

    One more thing: if I try to browse the signin.aspx page from IE I get the Windows logon prompt first and then the signin.aspx page as shown above.

    Please help!!! This is a blocking issue for me!

  • I've just deployed a multi-tenant CRM 4.0 (sitting on HMC 4.0) it's not too bad. The main key points I'd recommend are;

    Ensure you have a wildcard SSL

    In DNS set up a wildcard A record (can only be done through the command line if you're using Windows Server DNS), so when you create new CRM organisations, you don't need to keep updating DNS with the orgname.domain.com pointing to your CRM site.

    If you're using ISA 2006 like us, make sure the listener and publishing rule are correct e.g. *.domain.com for the published site etc.

    I'd read about having to add host headers to IIS, but as it turned out I didn't need to, thankfully, otherwise it's a bit pointless doing multi-tenancy as you'd need to constantly update the web site with new host headers.

  • Hi, for IFD to work please ensure that your website is enabled to work in anonymous mode in IIS.

    Also please ensure that under your website in IIS, the MSCRMServices, 2007 and SPLA folders are all enabled for anonymous access. Sometimes when you flip the top root node of the site to anonymous, these folders do not get set correctly for anonymous access.

    Also, if you are accessing the signin page from an outside network and seeing the AD popup, please double check the access mode on the signin page and all its parent folders in IIS.

  • All done with little struggle

    mask 255.255.255.255 ?

    i will post all details later on !!!

    Jameel

    Abbottabad.

  • Is there an updated version of the tool? It crashed when trying to run on Server 2008 and I cannot find details of the steps to produce the results manually.

    Derek

  • I have a customer who is using CRM and would like to use IFD. What do I need to advise the customer to set up on their side?

  • We are thinking of having the IFD CRM server in our DMZ zone (outside of the domain firewall) and allowing the network traffic through the firewall. When we do this setup, what Server Role needs to be installed on the IFD CRM server?

  • I have completed the IFD+On Premise setup on CRM 4.0 with Update Rollup 5 installed. I now run into the situation where I get the Integrated Windows Authentication (IWA) login prompt then I am redirected to the Forms Based login.

    How do I bypass the IWA completely?

    FYI, I had it working properly for some time but recently the IWA has made its way back.

  • Ignore my previous post. But please do leave the post for others to view.

    The problem was that I went into super-Network mode and entered the true class C subnet mask (255.255.255.0).

    I changed it to a full 32-bit mask (255.255.255.255) and it works as expected.

  • How to find whether the existing CRM site is on-premise or IFD?

  • The article is good. I would comment that if a user is already windows authenticated, is there a way to bypass the login form and get the cookie automatically?

  • Can anyone point me to any article dealing with the issue of having custom code hosted within an iframe on a form or using external javascript files within the onload event of forms?
