Customer Engagement & Dynamics CRM Forum

Authentication on premises

  • 1.  Authentication on premises

    SILVER CONTRIBUTOR
    Posted 18 days ago
    Hi all, so in our on premises D365 organisation we have Windows authentication only, which is now stopping me from using the App for phones, even when using a per device VPN (heavily focussed on security here). We don't want to expose our org to external access but do want to use the mobile app...

    My question is around IFD and switching to Claims Based Authentication. Will that mean we become less secure? Also, what, if any, are the other benefits to Claims over Windows authentication?

    Any advice is welcome
    Thanks!


    ------------------------------
    Robin Marshall
    Dynamics Competency Centre Lead
    Babcock International
    ------------------------------


  • 2.  RE: Authentication on premises

    GOLD CONTRIBUTOR
    Posted 17 days ago
    Robin,  IFD is a requirement for the mobile App so there is no way round that.
    Are you less secure?  I guess the answer depends on what you mean by less secure. The authentication scheme is no less secure but as you point out you will expose Dynamics to access over the Internet so there will be a risk of someone getting in if they can "guess" a correct username/password combination.

    Claims based authentication for Dynamics on-premises still uses a user's Active Directory account.

    ------------------------------
    Feridun Kadir
    Principal Consultant, MVP
    Expert CRM Services Ltd
    Stansted
    ------------------------------



  • 3.  RE: Authentication on premises

    Posted 16 days ago
    You don't actually need to have CRM exposed to the internet, you just need IFD, which means you can have ADFS and your own DNS all sitting inside your network and access over a VPN.

    Of course these days no one needs to expose CRM via IFD directly to the internet anyway, instead people set up a WAP server in the DMZ, then they can use a host of more secure methods of limiting access.

    ------------------------------
    Dave Bostock
    London
    ------------------------------



  • 4.  RE: Authentication on premises

    GOLD CONTRIBUTOR
    Posted 16 days ago
    @Dave Bostock. Good point on setting up IFD and accessing over a VPN.



    ------------------------------
    Feridun Kadir
    Principal Consultant, MVP
    Expert CRM Services Ltd
    Stansted
    ------------------------------



  • 5.  RE: Authentication on premises

    GOLD CONTRIBUTOR
    Posted 17 days ago
    Robin,
    I believe you can still configure your SSO provider (e.g. ADFS) to use Multi-Factor Authentication, so that enabling IFD, while exposing you to the public, doesn't have to mean that you're vulnerable to just a username/password. I haven't set that up before, but here's a sample link from DUO and their ADFS module:
    https://duo.com/docs/adfs

    ------------------------------
    Mike Power
    Senior CRM Solutions Developer
    American University
    Washington DC
    ------------------------------



  • 6.  RE: Authentication on premises

    SILVER CONTRIBUTOR
    Posted 16 days ago
    Hi,

    we have 8.x On-Prem and till last year we used IFD without publishing it to the Internet. Access was only possible via VPN.
    That works in general. But I think that the CRM-app is not really designed to work over a VPN e.g. when you put your iPhone in sleep-mode the VPN gets disconnected (but I think that also depends on your VPN and/or iOS-settings), then the CRM-app would go into offline-mode.
    Even if you then manually reconnect to the VPN you have to manually tap "go online" again in the CRM-app.
    I think there is also a possibility to activate some kind of "per-App-VPN" that automatically connects to the VPN when a specific app is launched.
    All in all it was very slow and buggy for us.

    We now use IFD with publishing it to the internet and Azure MFA. That works perfectly and the users are very happy.

    Regards,
    Johannes

    ------------------------------
    Johannes .

    ------------------------------



  • 7.  RE: Authentication on premises

    SILVER CONTRIBUTOR
    Posted 15 days ago
    Many thanks Johannes, all sounds promising as our new mobile app model is to have per app VPN access only. This may be a second rate user experience by the sounds of it though, but to be honest I think our users would still be happy.

    Thanks for your suggestions all of you, plenty of work to get on with!

    ------------------------------
    Robin Marshall
    Dynamics Competency Centre Lead
    Babcock International
    ------------------------------



  • 8.  RE: Authentication on premises

    SILVER CONTRIBUTOR
    Posted 5 days ago
    Hi @Johannes ., any chance you can give some more detail about how you set up IFD internally with access only via VPN?

    ------------------------------
    Robin Marshall
    Dynamics Competency Centre Lead
    Babcock International
    ------------------------------



  • 9.  RE: Authentication on premises

    SILVER CONTRIBUTOR
    Posted 5 days ago
    Hi Robin,

    sorry, I don't have any technical knowledge of the process. In general I think you just activate IFD but do not publish the site in IIS.

    Regards,
    Johannes

    ------------------------------
    Johannes .
    Albis
    ------------------------------


