URL Rewriting for user-friendly URLs with Dynamics CRM 2011

Anyone who has attempted to configure Dynamics CRM 2011 with an Internet-Facing Deployment (IFD) knows that it is no trivial task. While there are blog posts that discuss setting up an IFD, and Microsoft documentation for configuring the IFD, they often assume that ADFS and Dynamics CRM are installed on the same server, and that there is only one Dynamics CRM front-end server. Unfortunately, real-world implementations don’t always look like that.

For example, take the following configuration:

  • a Dynamics CRM front-end server on the internal network, providing services to internal clients
  • a Dynamics CRM front-end server in an Internet-facing zone, providing services to external clients
  • a separate ADFS server accessible to internal and external clients

Dynamics CRM with IFD requires a combination of ADFS relying party trusts and DNS configuration to get things working. One caveat with IFDs is that the internal and external host names for the Dynamics CRM front-end servers must be different because, externally, the host name includes the CRM organization name, whereas internally the organization name is the first path segment. Where, internally, you may have https://icrm.contoso.com/crm, externally you would have https://crm.contoso.com.

Let’s flesh out our sample implementation and requirements:

  • icrm.contoso.com is our internal Dynamics CRM front-end server, accessible only on the internal network
  • ecrm.contoso.com is our external Dynamics CRM front-end server, accessible to our internal network and the public Internet
  • adfs.contoso.com is our ADFS server, accessible to our internal network and the public Internet
  • We have two Dynamics CRM organizations: CRM and CRM-Test.
  • We want our internal and external (public Internet) clients to access CRM using the same URLs: crm.contoso.com and crm-test.contoso.com. In other words, we don’t want the two-URL problem outlined above.

The last bit has nothing to do with Dynamics CRM: it is all done in IIS. Let me explain how.

IFD Host Names and DNS Configuration

In order to get Dynamics CRM configured for the IFD, your internal DNS and external DNS must be set as needed to allow internal and external clients to resolve to all Dynamics CRM and ADFS host names.

One poorly-documented part of the IFD setup is what the host names should point to in the Internet Facing Deployment Configuration Wizard. The Discovery Web Service Domain (something like dev.contoso.com) and the “external domain where your Internet-facing servers are located” (something like auth.contoso.com) must both resolve to a Dynamics CRM front-end server, not the ADFS server. Be sure to set up these host names to resolve to your internal/external Dynamics CRM servers.

So, in our sample environment, our internal and external DNS has the following entries:

  • contoso.com zone:
    • icrm (internal DNS only)
    • ecrm (internal and external DNS)
    • adfs (internal and external DNS)
    • auth (internal and external DNS, points to icrm internally and ecrm externally)
    • dev (internal and external DNS, points to icrm internally and ecrm externally)
    • crm (internal and external DNS, points to ecrm internally and externally)
    • crm-test (internal and external DNS, points to ecrm internally and externally)

The DNS configuration, if wrong, will at best break your IFD and at worst break all access to Dynamics CRM, so be sure to get it right. If you get it right, and you configure the IFD correctly, your setup works as follows:

  • internal clients use https://icrm.contoso.com/crm and https://icrm.contoso.com/crm-test
  • external clients use https://crm.contoso.com and https://crm-test.contoso.com

This unfortunately is not what we want. Instead, we want our users to use the external client URLs whether they are internal or external. To do this requires no change to Dynamics CRM; rather, the solution is in Internet Information Services (IIS).

Rewriting URLs with IIS

Here’s what happens with the above configuration:

  1. User enters https://crm.contoso.com or https://crm-test.contoso.com in their browser.
  2. The request is sent to the external Dynamics CRM server, ecrm.contoso.com, because that is where the crm and crm-test host names point in both internal and external DNS.
  3. Dynamics CRM calls ADFS to get credentials for the user.
  4. ADFS can’t resolve the user’s credentials, because the host name is not known to ADFS.
  5. User can’t access Dynamics CRM.

Here’s what needs to happen:

  1. User enters https://crm.contoso.com or https://crm-test.contoso.com in their browser.
  2. The request is sent to the external Dynamics CRM server, ecrm.contoso.com.
  3. IIS and the URL Rewrite module running on ecrm.contoso.com examine the request and identify it as coming from an internal client (by IP address).
  4. If the request is coming from an internal client, IIS redirects the client to https://icrm.contoso.com/crm or https://icrm.contoso.com/crm-test, taking the organization name from the first label of the requested host name.
  5. Everything else works as expected.

URL Rewriting rules live in the web.config file in the Dynamics CRM installation directory (by default, C:\Program Files\Microsoft Dynamics CRM\CRMWeb). The rule below uses trackAllCaptures, which needs version 2.0 or later of the IIS URL Rewrite module. Open this file and add the following to the <rules> section.

  <rule name="Redirect Internal Connections" stopProcessing="true">
    <match url="(.*)" />
    <conditions trackAllCaptures="true">
      <!-- Only fire for clients on the internal network. The pattern is anchored so it
           can only match a whole address, not a substring of a longer one. -->
      <add input="{REMOTE_ADDR}" pattern="^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$" />
      <!-- Never rewrite a request that is already addressed to the internal host name;
           without this, one server answering for both names loops on itself. -->
      <add input="{HTTP_HOST}" pattern="^icrm\.contoso\.com(?::[0-9]+)?$" negate="true" />
      <!-- {C:1} = first DNS label of the Host header, i.e. the organization name -->
      <add input="{HTTP_HOST}" pattern="([^\.]*)\.(.*)" />
    </conditions>
    <action type="Redirect" url="https://icrm.contoso.com/{C:1}/{R:1}" appendQueryString="true" redirectType="Found" />
  </rule>

The only changes you need to make to the above are:

  1. Change the regular expression pattern in the REMOTE_ADDR line to match your internal IP addresses. (Google has a nice tool to help with this.) Note that the rule keys on REMOTE_ADDR, so if internal traffic reaches the server through a reverse proxy or NAT, the address IIS sees is the proxy’s, not the client’s, and the rule will not distinguish internal from external clients.
  2. Change icrm.contoso.com, wherever it appears in the rule, to the host name of your internal Dynamics CRM server.

Do that, test it extensively (internally and externally), and then tell your users that the one URL they use to access Dynamics CRM is the only one they need to remember.
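The rule is nothing more than two regular expressions and a back-reference, so its behaviour can be checked on a workstation before anything is edited on the CRM server. The script below is an added example, not code from the original post or from IIS; it re-implements the rule’s condition logic in Python with the same patterns, and adds two things a practitioner will want: a generator for a correctly anchored REMOTE_ADDR pattern for an internal network, and a simulation of the redirect chain when one IIS server answers for both the internal and the external host names (the single-server case raised in the comments). The host names and the 192.168.0.0/16 range come from the post’s sample environment; the client addresses are constructed; it assumes clients reach IIS directly, so REMOTE_ADDR is the client’s own address.

```python
"""Offline model of the "Redirect Internal Connections" rule.

Added example, not code from the original post or from Dynamics CRM/IIS.
It reproduces the rule's condition logic so the regular expressions can be
checked before they go into web.config. Assumptions: INTERNAL_HOST and the
192.168.0.0/16 range come from the post's sample environment; the client
addresses used below are constructed; clients reach IIS directly, so
REMOTE_ADDR is the client's own address, not a reverse proxy's.
"""
import re
from ipaddress import ip_network
from urllib.parse import urlsplit

INTERNAL_HOST = "icrm.contoso.com"
# Patterns exactly as written in the post's rule. URL Rewrite evaluates them
# with .NET Regex.IsMatch, i.e. a substring match unless ^ and $ are present.
ADDR_PATTERN = r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}"
HOST_PATTERN = r"([^\.]*)\.(.*)"   # group 1 = first DNS label = organization name

# One IPv4 octet, 0-255, without leading zeros.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"


def cidr_to_regex(cidr):
    """Build an anchored, .NET-compatible regex for an IPv4 network.

    Only prefix lengths on an octet boundary (/8, /16, /24, /32) are handled;
    anything else needs a hand-written alternation.
    """
    net = ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16, /24 and /32 IPv4 networks are supported")
    fixed = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    parts = octets[:fixed] + [OCTET] * (4 - fixed)
    return "^" + r"\.".join(parts) + "$"


def is_internal(remote_addr, pattern=ADDR_PATTERN):
    """The rule's first condition: does REMOTE_ADDR match the internal pattern?"""
    return re.search(pattern, remote_addr) is not None


def evaluate_rule(remote_addr, http_host, path, query="",
                  addr_pattern=ADDR_PATTERN, guard_internal_host=False):
    """Return the redirect URL the rule would issue, or None if it does not fire.

    path is what URL Rewrite exposes as {R:1}: the request path without its
    leading slash. guard_internal_host models an extra negated condition on
    HTTP_HOST that stops the rule from rewriting the internal name itself.
    """
    if not is_internal(remote_addr, addr_pattern):
        return None                                   # external client: no redirect
    host = http_host.split(":")[0].lower()            # Host header may carry a port
    if guard_internal_host and host == INTERNAL_HOST:
        return None
    m = re.search(HOST_PATTERN, http_host)
    if m is None:
        return None                                   # e.g. "localhost": no dot at all
    org = m.group(1)                                  # {C:1}
    target = f"https://{INTERNAL_HOST}/{org}/{path.lstrip('/')}"
    return target + ("?" + query if query else "")    # appendQueryString="true"


def redirect_chain(remote_addr, http_host, path, guard_internal_host=False, max_hops=5):
    """Follow the rule's redirects as if ONE IIS server answered every host name.

    Returns the hops taken; a result with max_hops entries means the client
    is stuck in a redirect loop.
    """
    hops = []
    while len(hops) < max_hops:
        target = evaluate_rule(remote_addr, http_host, path,
                               guard_internal_host=guard_internal_host)
        if target is None:
            break
        hops.append(target)
        parts = urlsplit(target)
        http_host, path = parts.netloc, parts.path.lstrip("/")
    return hops


if __name__ == "__main__":
    print(evaluate_rule("192.168.1.10", "crm-test.contoso.com", "main.aspx", "etc=1"))
    print(evaluate_rule("203.0.113.7", "crm.contoso.com", "main.aspx"))
    print(cidr_to_regex("10.10.1.0/24"))
    print(len(redirect_chain("192.168.5.20", "crm.contoso.com", "main.aspx")), "hops without guard")
    print(redirect_chain("192.168.5.20", "crm.contoso.com", "main.aspx", guard_internal_host=True))
```

Two things the simulation makes visible. First, an unanchored three-octet prefix such as `10\.10\.1\.[0-9]{1,3}` also matches the address 110.10.1.5, because URL Rewrite conditions are substring matches; the post’s own four-octet 192.168 pattern cannot misfire on a valid IPv4 address, but anchoring costs nothing and makes the intent explicit. Second, when the rule sits on a server that also answers for the internal host name, every redirect lands back on the same rule with the internal name as {HTTP_HOST}, and the client is bounced until the browser gives up; a negated condition on the internal host name (or restricting the host pattern to the organization names) is what breaks the loop. On the real server, IIS Failed Request Tracing shows which rule fired and what it rewrote, which is the quickest way to confirm the web.config version behaves like the model.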

20 comments to URL Rewriting for user-friendly URLs with Dynamics CRM 2011

  • This is a brilliant way to understand and learn more about the awesome list of features and functions of Dynamics CRM. Now it is much easier to configure, extend and implement the product according to your needs and specifications for an easy crm management.

  • Christian

    Thanks for this great article, very useful. I am just wondering, should that redirect rule come before the other 3 ADFS default rules? I guess so, but that’s new for me.

    Regards,
    Christian

  • Raza Ali

    I have installed Dynamics CRM on IIS port 5555. I am trying to implement a URL rewrite rule so that users (even on the intranet) would simply type http://myserver/crm/ and it would rewrite that to http://myserver:5555/. I am getting an access denied error when I try to do this.

    Any tips?

  • Raza Ali

    Sorry for the last post. It turned out to be a regexp issue. Now the issue is that child links are not being resolved for some reason. RequestURL = “” in the failed request log. Page appears blank.

  • There is a little bug with this, which you may want to look out for. Our organization name is “CRM”. Our Regex detected URLs starting with CRM, and redirected them. On the external server, this broke reporting, because reports call a URL “crmreports.aspx”. Tweaking the regex fixed it.

    In other words: be sure to test everything! :)

  • Phil Farnsworth

    trackallcaptures above requires url rewrite 2.0.

    Under Server 2008 R2, URL Rewrite 2.0 breaks Dynamics completely. Subsequently you’ll get a 403/404 or 500 error. Uninstalling URL Rewrite 2.0 doesn’t solve the problem; subsequent to removal of URL Rewrite 2.0 you’ll get an error “The requested page cannot be accessed because the related configuration data for the page is invalid.” out of the original web.config file.

    There appears to be something else that you are doing to get this to work.

  • In our experience, URL Rewrite 2.0 does not break Dynamics completely. Our users run Dynamics every day, internally and externally, with these rewrite rules in place.

    You may want to try this link for troubleshooting hints: http://support.microsoft.com/kb/942055

  • Phil Farnsworth

    I’m sure that you do, but it appears you did something else in your configuration to get it to work. If I take a clean IFD install of dynamics and apply URL Rewrite 2.0 to it, and change nothing else, dynamics breaks.

    Just FYI.

    Thanks.

  • ChristianV

    Why not use multiple ADFS relying parties?
    That is, one for the internal (icrm.domain.com) and one for the organization (external: org.domain.com)?

    The ADFS form will only be provided for the external org.domain.com while AD SSO is used on the internal.

  • Andreas Meyer

    Hi,
    this seems to be an interesting post.
    However, we face a more difficult situation. The environment and also the DNS is divided in Intranet (.xxx) and Internet (.yyy), let’s say .net and .com. Certificates govern these Zones. We cannot call .net-URLs from .com, neither .com-URLs from .net.
    The CRM-Server must reside somewhere and naturally lies in the .net (the internal) zone.
    Consequently from inside we cannot use IFD at all. Since any call – coming from a .net-place – to a .com-URL is blocked by the certificate which is an internal policy which I cannot overrule.
    The only thing we could do is two bindings to the CRM-site, one with https (for .com) and one with http for .net.
    This would work if it weren’t for the E-Mail-Router. The E-Mail-Router of course is on the CRM internal server, so coming from .net. Since IFD is configured it tries to authenticate as it must do and then tries to call the .com-configuration (for https is configured for the outside internet). This naturally is blocked by the certificate again.
    I do not see any way around this. Do you?
    With your example domain every host comes from the same domain name (contoso.com), so there is no such problem.
    We have reverse proxies which could tunnel the traffic. But this doesn’t work either, because the crucial URLs for the discovery web service (web) and also for auth cannot be routed, since the CRM server tells the client these URLs on the application level upon first contact. The reverse proxy cannot touch and reroute application-level information (OSI layer 7) but only information from the transport level (OSI layer 3). So the client gets the URL and then unpacks it and shouts it into the net from wherever it is at.
    We are here at our wits end and Microsoft most likely won’t budge.
    Are separate DNS-zones for Intranet and Internet so uncommon?
    I just wonder.
    Do you have any ideas?

    Regards
    Andreas

  • Andreas — not sure how to advise. As it is, I think Microsoft did a poor job of engineering this part of CRM; the fact that everything is so dependent on URLs, and the URLs differ based on configuration (IFD or internal), and you can’t have both, and the simple process of configuring an IFD is complicated, makes me cringe. It could have been so much easier.

    My suggestion would be to open a ticket with Microsoft and see what can be done. I was lucky to have gotten a very good ADFS engineer who helped me set up the IFD. As good as he was, he did say that some things simply can’t be done. It may be that the only “easy” way to handle on-premises CRM is to assume 100% internal or 100% external access, and configure accordingly.

  • Sudhanshu Sahoo

    Hi,

    thanks for posting such designed descriptions.
    Just need to ask one thing: when you have installed MS CRM on the internet and intranet side, you must have used the same DB. So here, have you used the SPN to manage the URLs for CRM for the different app servers for CRM?

    I mean I can have 2 CRM servers (iCRM01 and iCRM02) with NLB in the intranet and also 2 (eCRM01, eCRM02) on the internet as NLB.
    So I’ll install CRM on iCRM01 first with a new instance. Then I’ll install on iCRM02, considering the existing instance.
    Also I’ll do the same things for eCRM01 and eCRM02 with the existing instance.
    But my question is, how will the web services URL and CRM URL be managed for iCRM02 and eCRM01/02? Is it by using SPN, or how?

    Your inputs will be really helpful.

    Tons of thanks in advance.

    Regards,
    Sudhanshu

  • Unfortunately, I have no idea of the answer to your question; I haven’t worked in an NLB environment with CRM, nor am I an expert on SPNs or ADFS. Sorry!

  • Sudhanshu

    Thanks, Brian.
    So does your scenario cover the Internet and Intranet scenario as described in the MS Planning Doc?
    If a scenario like mine ever comes your way, please post here. Many people are looking for it.

    regards,
    sudhanshu

  • Dede

    Hi Brian,

    I tried what you listed in the post, but no luck.
    When I make the above changes to the web.config neither my internal nor my external addresses work. I get 500 – Internal server error. Our internal network is 10.10.1.1-254 so I used: pattern=”\b(?:10)\.(?:10)\.([?:10])\.([0-9]{1,3})\b”
    We have crm.domain.com:444 and internalcrm.domain.com:444 and I would love to use just crm.domain.com:444

    Any help or insight would be greatly appreciated.
    Dede

  • @Dede,

    Try this for your pattern: 10\.10\.1\.[0-9]{1,3}

    That would catch every IP address that starts with 10.10.1 …

  • Hi Brian,

    We have a similar problem, but we have only one CRM server for internal and external access and one ADFS Server.

    What change we have to make to the configuration explained here?

    Best Regards
    Rodrigo

  • It should work the same even if you have one CRM server, assuming your internal users can access it using both the “internal format” URL (org name after the slash) and the “external format” URL (org name as a subdomain). Just put the rules on the one server.

  • Hi Brian,

    I took your example and extended it to also redirect internal URLs to external URLs when users try to access an internal URL from outside the network.

    Thanks for your very informative post.

    Regards,
    Alan.

  • @alano, thanks for extending this solution and covering those use cases — there is definitely a need to ensure internal URLs work externally, as well!
