I'm trying to understand how to create CRM Organization on Load Balancing network.
I've three web servers (Web01, Web 02, Web03); three application servers (App01, App02, App03) and a SQL Server (SQL01). I already have Load Balancer setup and there is already one organizaiton setup by someone on all web servers. This organization is Internet Facing. Now I want to create one more Organization on same set of Web Servers. Can anyone please help me understand how to setup new Organization on Load Balancer in this scenario?
An important point to know is that there is a difference between a CRM deployment, and the organizations deployed.
The deployment consist of one or more CRM Server, and a SQL Server that can be clustered. A different server can be used as ReportServer and an Exchange Server can be configured as the email router.
Once the servers are deployed, one or many organizations can be configured using the CRM Deployment manager, on one of the front-end CRM Server. All the front-end (load balanced) server can be used to access any organizations configured in the deployment, based on the current user's credentials. When configuring the organization, the Report Server that should be used is assigned to the organization.
Also, if you are using IFD (Internet Facing Deployment), every organizations should have their own DNS entry (orgId.theprefixchoosen.mydomain.intra) that is pointing to the load balancer's IP address, so that CRM can route the users to the appropriate organization. More can be found in Microsoft's documents on configuring IFD.
Creating the new org is no different that normal. You would do this via Deployment Manager on 1 of the servers. This will basically create the needed SQL DB and associated ocnfig entries. To get the IFD portion working, you will also potentially need to add DNS entries to route traffic for that new orgname to your servers.
Related
We have an application which is hosted on the on-premises Windows server (IIS) server
now I created a windows server on azure and building a web app for it.where the application needs to authenticate the user by windows server (DC) using kerbrose protocol but I couldn't find any documentation regarding this from Microsoft's side
Is the above query possible to be implemented in the azure web app?
No, it's not possible. Windows Authentication is something for on-premise deployments. For Azure Web Sites Azure Active Directory is clearly the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows Auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To this, both VMs must be in the same network. So if your VM is on-premise you will need to create an site-to-site VPN.
For more information, follow this SO which also discussed about this.
If your intention is to join the VM hosting the website to a domain then as others have mentioned, this isn't possible.
However, doing Kerberos authentication itself within an Azure website isn't particularly difficult, but it does require manual implementation. Windows natively handles all of this for you on domain joined machines and and IIS exposes that functionality. Since you can't domain join you have to manually do all that heavy lifting and request and validate the tickets yourself.
This involves creating a service account in Active Directory and keeping the account password in sync. Once you have that you need to indicate to the browser that it needs to negotiate auth, which is done with the WWW-Authenticate: negotiate header on a 401 response. The client, if configured to send tickets, will send a ticket in the Authorization: Negotiate YII... request header on a subsequent response. At this point you need to shove that negotiate header and that original service account password into something that can validate Kerberos tickets. Windows SSPI will do this for you, but it's a pain. I built a library that'll do this for you: Kerberos.NET. YMMV with what works best for you.
All of that said, it may be more beneficial to switch over to a more modern authentication mechanism like OAuth/OpenIDConnect/SAML.
There are several ways depending on if you have to allow access to users who are associated with a on-premise Active Directory or not.
You should have a look at this service: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/
It will offer an Active Directory within Azure where you can domain join your VM to and then using Kerberos as authentication protocol (should work the same way like on prem).
The other option would be to create a new Active Directory within your Virtual Network (via 1 or 2 small Windows Server VMs where you create the AD).
The good thing if you are using Active Directory Domain Services would be that you could extend it to your on-prem Active Directory by synchronizing or federating your on-prem AD.
There are more informations regarding these scenarios here:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity
For a Azure App Service - Web App you would connect it to your Azure Active Directory (AAD) and use the hybrid identity model to allow users who originate from an on-prem AD access to it:
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Hope this helps a bit, it is a rather complicated topic you are digging into.
I have written a web application that is, typically, installed internally by customers (based on IIS/MSSQL server).
When a customer wants to provide external access to the application, we offer the following supported scenarios:
Publish the application in their DMZ (pretty standard deployment).
Use our own platform where we host the application in our own cloud infrastructure for them.
However, because I have more and more customers who misunderstand the requirements for publishing an internal application, I would like to add a "one click" way of providing that service.
My idea is to have a reverse proxy installed on the customer's web server that will connect to a cloud server we control. When the application starts, it will connect to our server, authenticate and maintain the connection. When a user wants to use the application, she will use an URL that directs it to our server (say https://myapp.mycompany.org/CustomerID or https://CustomerID.myapp.mycompany.org). The server will then lookup the list of connections from reverse proxy to find the one matching the customer ID and, if found, use that connection to relay the end user connection.
In essence, that is the same thing as what Azure Application proxy or TeamViewer do, only without the need for using Azure AD or TeamViewer.
Is there an existing framework I can use for building such a service ? I know I can write it on my own but that is quite a large development.
I got a web DMZ server, that hosts an "Extranet" ASP.NET application. I want that users should authenticate to this application using the same user and password that they use on their Windows at work. (we are using Active Directory)
I want to know what the best way is -the most secure way - to connect from the DMZ web server to the Active Directory.
For now I saw two possibilities:
- RODC
- LDAP Over SSL (LDAPS)
Are there any other option you recommend? What other options should I consider? Any limitation, or potential problems with any of those solution?
It exist a Microsoft document talking about that :
Active Directory Domain Services in the Perimeter Network (Windows Server 2008)
You can also take inspiration from Microsoft consideration on installing an Exchange Front-end computer into a DMZ
Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server
I am working on a large application in team environment. We use to Team Foundation Server to control source code with VS2010.We are using LAN to connect TFS which works great in an small office but now we need to connect TFS through Internet.
What actually I want to know that we have many developers they reside in different location worldwide. We want to download there work directly in the TFS server through Internet like LAN. We will have also connect LAN users who work on this application and want to connect both kind of users parallel.
Note: WE DON'T WANT TO USE VPN.
Is there any possibility to do this kind of work in TFS? Any Help will be appreciated.
You can definately expose TFS over the internet. TFS is basically a set of web services hosted in IIS, just make your server internet-visible and you're set.
There are some security best practices you probably want to consider though:
1) You should configure an SSL cert in IIS and connect to TFS using HTTPS (an option when connecting in VS).
2) You should place your SQL Server database on a separate machine that is not directly exposed to the internet (but is visible to the Application Tier server). SSRS should reside on the AT server, the DB and SSAS should be on the Data Tier server.
Good morning,
I have found that many of my customers have MS Access already installed on their PCs. Although Access is very limited as a data store, I have found that it is great for deploying low-cost front-ends for entry level customers.
I want to start renting a VPS, so I can host customer databases using Microsoft SQL Server 2008, which they can access using a locally stored Access front-end. I do have a few questions though:
In order to access the remotely hosted databases, and use the security features, would the VPS need to be set up as a domain controller, using AD DS? If I am hosting multiple customer databases, this is not an option.
What I envisage is being able to set up a simple MS Access front end, to access a MS SQL Server database on my VPS. For security, I would want the database to use the Windows account on the client machine to authenticate, and also to provide basic data change tracking.
Is this possible? Or, will I need to set up a server for each client and have it configured as a domain controller, etc?
You can have many databases on the same server, so for each client you d not need to setup a separate domain controller. Only the connection strings will be different.
You can use SSL for establishing connection with the remote server to make the process more secure. You can also make a few web services to play with the data (CRUD operations), this would also make things more manageable.
take care :)