I have one server with ADFS-2.0 and a few websites on it. One of the websites is Dynamics CRM which listens on a specific IP address on port 443.

Dynamics CRM provides a metadata file for configuration purposes which can be used to configure a relying party trust with ADFS. It is accessible at the URL

https://auth.contoso.com/FederationMetadata/2007-06/federationmetadata.xml

The problem is that ADFS-2.0 installs a service which registers the following urlacl:

https://+:443/FederationMetadata/2007-06/

This means that the result of accessing the URL https://auth.contoso.com/FederationMetadata/2007-06/federationmetadata.xml is the metadata file of ADFS, not the one of Dynamics CRM.

I've tried deleting the default urlacl and adding (one of them at a time)

https://192.168.1.2:443/FederationMetadata/2007-06/
https://adfs.mydomain.com:443/FederationMetadata/2007-06/

but neither of them worked. Instead, the ADFS service failed to start up completely.

Is there any way to bind this service to an IP address? At the moment I see only two alternatives:

  1. Bind the service to a non-standard port. This leads to problems because it means that the ADFS website also has to use a non-standard HTTPS port.

  2. Install ADFS-2.0 on a different server (this is my favorite alternative; however, it is not possible in every situation...)

Arun Vinoth - MVP
ccellar

3 Answers

I'm making the assumption that Dynamics has its own website and does not use the default website. This may be totally incorrect.

Either way, if they are separate sites, why don't you simply set up HTTPS host headers and ensure the default site and the Dynamics site are both specifically assigned or bound to a certain host header or IP? You can always assign multiple IPs to the same NIC on the machine.

IIS SSL Host Header Command:

appcmd set site /site.name:"Name of Website in IIS" /+bindings.[protocol='https',bindingInformation='*:443:Host Header']

Brent Pabst
  • Because the Windows Service of AD FS 2.0 listens on all IP addresses. You are correct with your assumption. We have configured the binding for the website, but the service catches all requests for this specific URL. – ccellar Oct 02 '12 at 14:59
  • As I recall, if you are running a FS-S box and even an FS-P, they both rely on IIS to catch the requests; the service is just a local intermediary that the IIS process then communicates with. This allows for integrated logon and a web-form-based logon in the case of the proxy server. Is that not what you are seeing? If so, you just need to update the IP bindings for the default website from `*` to whatever IP you want it to use. – Brent Pabst Oct 02 '12 at 15:31
I had the exact same configuration and was also looking for a similar resolution. After a lot of searching I found this, which explains a workaround for starting ADFS on a port other than 443. Unfortunately I was unable to implement it successfully, but I am not sure whether the problem was my specific configuration or the workaround in general.

Also, I did not try playing with the urlacl; it seems like the problem could be right there. Use netsh http show urlacl to see the three URLs that are added by ADFS.

So try it if you have the chance.

In the end I settled for the second option: installing ADFS on a different machine, which is basically the MS preferred solution.

Stoinov
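A check for the overlap described in the question and in the answer above, as an added example (not code from the question or from any of the answers): it parses a constructed `netsh http show urlacl` listing and reports which http.sys reservations cover a given request URL, longest path first. It only applies path-prefix and wildcard-host matching, not the full http.sys precedence rules, so use it to spot a wildcard reservation that shadows a site path, not as an exact predictor; the IP reservation and the service account names in the sample are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `netsh http show urlacl` output: the AD FS 2.0 reservation from
# the question plus a hypothetical IP-bound reservation for the CRM site (not a real capture).
SAMPLE_URLACL = r"""
URL Reservations:
-----------------

    Reserved URL            : https://+:443/FederationMetadata/2007-06/
        User: NT SERVICE\adfssrv
            Listen: Yes

    Reserved URL            : https://192.168.1.2:443/
        User: NT AUTHORITY\SYSTEM
            Listen: Yes
"""
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_urlacl(text):
    """Return every 'Reserved URL' prefix listed in netsh output."""
    return re.findall(r"Reserved URL\s*:\s*(\S+)", text)

def _split(prefix):
    """Split an http.sys UrlPrefix or a request URL into (scheme, host, port, path)."""
    u = urlsplit(prefix)
    host, _, port = u.netloc.rpartition(":")   # IPv6 literals are not handled here
    if not host:                               # no explicit port given
        host, port = port, DEFAULT_PORT[u.scheme]
    return u.scheme, host.lower(), int(port), u.path or "/"

def covers(prefix, url):
    """True if reservation `prefix` would receive requests for `url`.
    '+' (strong wildcard) and '*' (weak wildcard) match any hostname or IP;
    the reservation path (always '/'-terminated in netsh) must prefix the request path."""
    ps, ph, pp, ppath = _split(prefix)
    us, uh, up, upath = _split(url)
    if (ps, pp) != (us, up):
        return False
    if ph not in ("+", "*") and ph != uh:
        return False
    return upath.startswith(ppath)

def covering_reservations(urlacl_text, url):
    """Reservations covering `url`, longest path first, each tagged with its host scope."""
    hits = [p for p in parse_urlacl(urlacl_text) if covers(p, url)]
    hits.sort(key=lambda p: len(_split(p)[3]), reverse=True)
    return [(p, "any host/IP" if _split(p)[1] in ("+", "*") else "this host only") for p in hits]

if __name__ == "__main__":
    url = "https://auth.contoso.com/FederationMetadata/2007-06/federationmetadata.xml"
    for p, scope in covering_reservations(SAMPLE_URLACL, url):
        print(f"{p:55} {scope}")
```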

I know the question is about binding ADFS to a specific IP, and on that I can't help you.
The question is also a few years old, but my answer still applies for those who want to run ADFS and Dynamics CRM on the same port.

What I can say is that I've got Dynamics CRM 2016 working along with ADFS on the standard HTTPS port 443.

You can see the full story in here: Install Microsoft Dynamics CRM 2016 with IFD and ADFS on the same server using port 443

Basically, you can use the URL https://auth.contoso.com/Handlers/FederationMetadata.ashx to get the Dynamics Federation Metadata instead of https://auth.contoso.com/FederationMetadata/2007-06/federationmetadata.xml

Or, you can change the Dynamics CRM web.config and have the metadata provided on another path.

taborda