There have been times when we need to configure IFD and both, ADFS and CRM are installed on same server.
In case of Windows server 2008, we need to install ADFS 2.0 and in Windows server 2012 standard, ADFS 2.1 comes by default as a part of windows features, we just need to install and configure ADFS. But in both cases, ADFS gets installed on Default website in IIS. Hence we used to change the port of ADFS to 444 directly from the IIS default website and CRM (https) remains on 443. So that we could easily browse CRM IFD URL as https://orgname.domainame.com without appending port to the URL.
But this is not the same with Windows server 2012 R2, as ADFS 3.0 on Windows server 2012 R2 does not depend on IIS. So in that case, as ADFS port cannot be changed we used to change CRM (https) port to 444. As a result of which the users need to browse CRM IFD URL as https://orgname.domainame.com:444.
But sometimes the requirement is that they should not be required to append the port in IFD URL. To achieve this we should have ADFS to use port 444 instead which can be done by some PowerShell commands.
We have outlined below our experience and learning during IFD configuration on such Windows server 2012 R2 having both ADFS 3.0 and CRM installed on same server.
1) Firstly install ADFS 3.0 on Windows Server 2012 R2,
2) Now after that configure ADFS 3.0. You can get the detailed steps of configuring ADFS 3.0 and IFD from here.
3) During the configuration of ADFS 3.0, you will come across following screen where you can clearly see that, you can only configure the Federation Service Name and *not* the port which could be done with earlier ADFS versions and earlier windows server versions.
1) Hence after configuring ADFS 3.0 and IFD. You need to run some commands in PowerShell, but before that first you need to check how many URLs are reserved by ADFS already, so that for them you can run some PowerShell commands,
netsh http show urlacl
The above command will display the list of reserved URLs. As you can see below form the list, the highlighted 2 URLs are reserved by ADFS 3.0 on port 443 i.e. https://+:443/adfs/ and https://+:443/FederationMetadata/2007-06/
5) Now we need to first delete them using following PowerShell commands.
netsh http del urlacl https://+:443/adfs/
netsh http del urlacl https://+:443/FederationMetadata/2007-06/
6) After deleting them you need to execute following commands to add them on port 444.
netsh http add urlacl https://+:444/adfs/ user=”NT SERVICE\adfssrv” delegate=yes
netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user=”NT SERVICE\adfssrv” delegate=yes
7) Finally run following command
Set-ADFSProperties -HttpsPort 444
Note: If you change the Port of ADFS to 444 from default port then it will give following warning. It means, if you set ADFS on 444, then you will not be able to register mobile device in ADFS, hence you will not be able to develop Mobile device app for CRM.
8) After performing above step, you need to restart the “Active Directory Federation Services”.
9) Now if your FederationMetadata URL is shifted to port 444, then it will look likehttps://sts1.adventure25.com:444/federationmetadata/2007-06/federationmetadata.xmland if you browse this URL then it will not work, as shown in the below screen. So there seems to be some issue with ADFS 3.0 configuration
10) Microsoft says ADFS 3.0 does not depend on IIS i.e. not installed under default website of IIS, and this is true, because you will not find any ADFS related files under default website of IIS
11) But still if you go to IIS and set the binding of Default Website to port 444, then it starts working as shown in below screen:
12) After completing above steps, first you need to change the CRM website port to 443, then you need to configure Web Address Properties, Claim Based, IFD from Deployment Manager to this new Federation Metadata URL, and then update the relying party in ADFS. Then IFD will start working and you just need to browse it like https://orgname.domainame.com