Have you tried setting your SSL host headers? You have a default site on SBS that uses 443 for remote web workplace. After you installed CRM and set it up to use SSL then you had a second. Problem here is that both sites are using SSL port 443 without a host header. So what you need to do is give them both a sub-domain host header to use for SSL and then you should be fine.
You can verify this is true because you said that typing https://org.crm.yourdomain.com led you to your default website. This would be true for any site you added to IIS that you put on 443 because it has no mechanism to modify the host header through the IIS interface for SSL. However, you can do this through script.
You need your website identifiers to run this script and the easiest way to see them is to open IIS and click on the server node. All of the websites will populate the right-side display and one of the columns there will list the website ID.
Once you have the IDs you need, open the cmd prompt and do the following.
cd c:\inetpub\adminscripts
c:\inetpub\adminscripts>cscript adsutil.vbs get /w3svc/5/securebindings
The above command is showing you what the secure bindings are. The parameters for the above are as follows:
- get - accessor command
- w3svc - this is the webservice - always the same
- 5 - this is the id of the website (i.e. crm)
- securebindings - this is the property to get or set
So, what you'll probably see when YOU run that command against your Default Website and your CRM website is the same result, that being:
":443:"
If that's true, then you can simply set the host header for both your default website and your crm website and you should be good to go.
For the rest of this example, I will assume the following
1) CRM Website ID = 5
1a) CRM fake host header = contoso.crm.easiintl.com
2) Default Website ID = 1
2a) Default Website fake host header = www.easiintl.com
3) You used the get command explained above to verify that the secure bindings for both sites are ":443:"
So, you can now run the following commands to set full host headers for both sites:
c:\inetpub\adminscripts>cscript adsutil.vbs set /w3svc/5/securebindings ":443:contoso.crm.easiintl.com"
c:\inetpub\adminscripts>cscript adsutil.vbs set /w3svc/1/securebindings ":443:www.easiintl.com"
That should be it. You don't need to set up contoso.crm.easiintl.com in IIS host headers either, but you do need to make sure that you use the IFD tool, which you did already, to set the external IFD URL.
Also, External HOST A records will have to exist or be set up for both contoso.crm.easiintl.com and www.easiintl.com and in this case they will point to the same IP address and the firewall simply needs to allow port 443 traffic to be forwarded to your SBS/Webserver where these sites are set up.
Hope this is helpful.
Scott
***@easiintl.com
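A small check for the collision described in the post above, added here as an example and not part of the original thread: it parses SecureBindings values and reports sites that claim the same IP, port and host header. The function names and the Python wrapper are assumptions; the site IDs and binding strings are the post's own example values.

```python
from collections import defaultdict

# Constructed sample data: site IDs and binding strings follow the post's
# example (Default Website = 1, CRM = 5). In practice, collect them with
# "cscript adsutil.vbs get /w3svc/<id>/securebindings".
BEFORE = {1: ['":443:"'], 5: ['":443:"']}
AFTER = {1: ['":443:www.easiintl.com"'],
         5: ['":443:contoso.crm.easiintl.com"']}


def parse_secure_binding(binding):
    """Split one SecureBindings entry ("IP:port:host") into (ip, port, host).

    An empty IP means "all unassigned" and is returned as "*"; an empty host
    means the binding has no host header. IPv4-style entries are assumed.
    """
    parts = binding.strip().strip('"').split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        raise ValueError(f"not an IP:port:host binding: {binding!r}")
    ip, port, host = parts
    return ip or "*", int(port), host.lower()


def find_conflicts(sites):
    """Return [(ip, port, host, [site_ids])] for bindings claimed by 2+ sites."""
    claimed = defaultdict(set)
    for site_id, bindings in sites.items():
        for binding in bindings:
            claimed[parse_secure_binding(binding)].add(site_id)
    return [(ip, port, host, sorted(ids))
            for (ip, port, host), ids in sorted(claimed.items())
            if len(ids) > 1]


if __name__ == "__main__":
    for label, sites in (("before", BEFORE), ("after", AFTER)):
        conflicts = find_conflicts(sites)
        if not conflicts:
            print(f"{label}: no two sites share a secure binding")
        for ip, port, host, ids in conflicts:
            shown = host or "<no host header>"
            print(f"{label}: sites {ids} all claim {ip}:{port} host={shown}")
```

Host-header secure bindings on this IIS generation still serve one certificate per IP and port, so that certificate has to cover every host name bound there.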
Previous Posts In This Thread:
On Thursday, October 08, 2009 5:40 AM
Tango wrote:
IFD Issue
Hi,
I have a SBS2008 environment with a 2008 Server with CRM 4 (& SQL) on it.
Everything is (now) working fine internally.
I run the IFD tool with no errors to external address https://mydomain.com,
internally to http://machinename:5555
DNS resolves on the IFD tool successfully.
Also unticked ipv6 & checked registry to make sure it is pointing to the
right web site which it is.
I have an internal DNS record pointing to myorgname.mydomain.com that points
to the CRM server.
I have an external DNS record myorgname.mydomain.com that points to my
public IP (fixed).
When I try externally going to https://myorgname.mydomain.com I get error
message 403 Forbidden access denied.
When I take out the SSL, reconfigure IFD & configure to just go to http I
get the IIS screen.
Internally when I go to https://myorgname.mydomain.com I immediately get a
splash screen (not logon page) asking for my credentials which I enter once &
CRM opens fine.
I enabled tracing & noted no error messages in the file called
machinename-w3wp-CRMWeb-20091007-1
I have changed the ip to 1.1.1.5 & the login screen did appear for the first
time so it would seem that forms based authentication is working.
Being an SBS2008 environment there is no ISA. I disabled the firewall on the
SBS box & the problem still exists. I checked the log files on the Netgear
Firewall router & there were no deny rules.
I disabled firewall on router, sbsbox & crm server & problem still existed.
Thanks in advance for any assistance.
On Friday, October 09, 2009 8:32 AM
Newbie wrote:
You need to check that the SPN has been configured against the CRM service
account.
On Friday, October 09, 2009 6:15 PM
Tango wrote:
Thanks for your response.
everything is working fine internally
even if i go to the external address internally ie
https://myorgname.mydomain.com it works fine.
I disabled firewalls & problem still existed. At the end of the day it is
only using port 443 anyway, isn't it? I'm thinking it's something to do with
networking.
Thanks again for your time
On Monday, October 12, 2009 7:59 AM
Tango wrote:
Any other ideas would be greatly appreciated.
Thank you
On Monday, October 12, 2009 8:57 AM
Dave Ireland wrote:
Do you have an SSL certificate for the https://myorganme.mydomain.com
address installed on the server?
Dave Ireland
On Monday, October 12, 2009 9:43 AM
Tango wrote:
Hi Dave,
Thanks for your post.
Yes I do have the certificate installed. (It's a self-issued wildcard
certificate.)
When I go to https://myorganme.mydomain.com from an internal machine the
page comes up straight away after I enter credentials once. I get a
credentials screen & not the forms based screen asking for credentials. After
CRM comes up padlock appears with no error message.
Even if the external user didn't have the certificate installed I would have
thought the SSL error message would have appeared asking the user if they
wanted to proceed & at worst the forms based login screen would have
appeared. Is that correct?
Thanks again
Todd
On Monday, October 12, 2009 10:04 AM
Tango wrote:
I've also created a certificate myorg.mydomain.com & installed it on my laptop
outside the network & I do get asked if I wish to proceed which I say yes
then get the error message.
CRM site internally is a new site (not default) & I changed the bindings to
use both the wildcard certificate & the newly created certificate & problem
still existed.
I think we're getting close :)
Thanks in advance
On Thursday, October 15, 2009 11:25 AM
Tango wrote:
Turns out https://myorganme.mydomain.com was going to
https://remote.mydomain.com which handles remote access, outlook web access
on the SBS box.
So what I need to do is somehow keep all of that going & point
https://myorganme.mydomain.com to my second server.
Do I need to add a host header on the CRM site?
Any assistance is greatly appreciated.
On Thursday, October 15, 2009 12:25 PM
Tango wrote:
Hi,
Turns out that error messages were because the external requests were going
to my Remote Web Workplace web site on the SBS server, not the CRM site on
the 2nd server.
I only have 1 external IP address & have a public DNS record that points to
remote.mydomain.com & another record pointing to mycrmorg.mydomain.com with
the same external IP.
Are internal dns records also required? I already have them.
I have spent 2 weeks trying to get this going. Surely there must be an
article somewhere that outlines getting CRM going on a sbs2008 environment
with a second server....
It took me a week to work out that you have to right click & run as
administrator when running the ifd tool even though my account had local
admin access.
Thanks in advance
Todd
On Monday, October 19, 2009 1:08 AM
Phil wrote:
If I understand correctly you have:
- two internal servers, each with a separate web site (remote & CRM IFD)
- both web sites are encrypted (https) and set to the default port (443)
- one external IP address
- two external DNS entries pointing to the same external IP address.
If this is the case then you cannot do what you are asking without additional
work.
When you request either of your web sites from outside your office they both
resolve to the same IP address. When the packets reach your firewall/router
all it knows is the destination IP address and port number. You will have
configured the firewall / router to forward traffic on your external IP
address and port 443 to your internal SBS server for the remote access site.
Since the connections are encrypted the firewall / router has no way of
telling whether the original request was for your remote access site or your
IFD site.
The simplest option is to get a second IP address from your service provider.
The next easiest way to make this work is to move one of the web sites to a
different port number and configure your firewall / router to forward traffic
to this port accordingly (since I do not know what model firewall / router you
have I cannot guarantee this is possible). You will also then need to specify
the port number in the URL when you connect to the web site.
Another option would be to install ISA internally and reverse proxy both
sites through it. This way the router can still send all traffic to one place
and ISA can take care of the routing based on the actual site name requested.
ISA will need to be the SSL endpoint for both sites so it can decrypt the
packets and route them appropriately.
Hope this helps,
Phil.