Publishing CRM Internet Facing Deployment using Web Application Proxy and

If you've been following the TMG/UAG product line for a while you'll know that those products
are end of life.   The official announcement was recently made on the Server & Cloud Blog <https://blogs.technet.com/b/server-cloud/archive/2013/12/17/important-changes-to-the-forefront-product-line.aspx>

I've been working on deploying Web Application Proxy with one of my customers recently in an effort to transition them off UAG.   We were successful in getting SharePoint working quickly but we ran into some problems with CRM.   Given how new WAP is I thought it would be appropriate to document what we had to do in order to get it working.

The customer has 3 externally facing URLs that we need to publish via WAP:

https://auth.crm.contoso.com/

https://org.crm.contoso.com/

https://discovery.crm.contoso.com/

 

Additionally WAP and ADFS are published at

https://fs.contoso.com/

 

The default configuration of WAP is to translate internal URLs to external URLs when you do pass-through authentication.   We had configured the org URL as ADFS pre-auth.  The discovery and auth URLs both used pass-through authentication.    The
external and internal names were the same and we used split DNS to handle internal versus external traffic.

The way CRM does authentication when using an internet facing deployment and ADFS is with the HTTP POST binding back to the auth URL.   The auth URL issues a DOMAIN cookie and redirects to the org URL.  In our case the domain cookie was scoped to *.crm.contoso.com.   The org web application gets the cookie and lets the user in. 

This breaks down with WAP because it attempts to remap the outbound cookie from the auth web application and reissue it under the external name (auth.crm.contoso.com).    When we redirect to the org URL it can't see the cookie because the browser doesn't pass it back.   The org URL then redirects back to ADFS, which redirects to auth, which reissues the cookie.   As you can see we're stuck in an infinite redirect loop.   Eventually ADFS gets tried of this and fails issuing the following error in the log:

 

Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '3'
seconds. Contact your administrator for details.

   at
Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext
context)

   at
Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext
context, MSISSignInResponse response)

   at
Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext
protocolContext, PassiveProtocolHandler protocolHandler)

   at
Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext
context)

 

The solution for this is to tell Web Application Proxy not to translate the outbound URLs in the response header.   This can be done via powershell and the Set-WebApplicationProxyApplication cmdlet.

 

https://technet.microsoft.com/en-us/library/dn283415.aspx

 

 
 
 Set-WebApplicationProxyApplication -ID <id of auth web app> -DisableTranslateUrlInResponseHeaders
 

 

 

Now WAP will ignore the outbound cookie and let it pass along to the client as CRM had intended.   Presto!