Friday, December 15, 2017

Use the same ADFS Server for multiple On Premises Environment - Dynamics 365 for Finance & Operations On Premises Installation

Hi All

According to the Microsoft documentation you should have a separate ADFS server for each on-premises environment.

As per my understanding, the reason is related to the workflowClientId, which is a hard-coded value in the \Publish-ADFSApplicationGroup.ps1 PowerShell script.
Check my post as well.

For this reason, in order to reuse the same ADFS server you have to add the new environment's host name to the existing application definitions in ADFS:

  1. In AD FS Manager, open Application Groups and open "Microsoft Dynamics 365 for Operations On-premises"
  2. Open the native application "Microsoft Dynamics 365 for Operations On-premises - Native application"
  3. Add the Redirect URI of the new environment (its DNS name), click Add to include it, then press OK
  4. Open the native application "Microsoft Dynamics 365 for Operations On-premises - Financial Reporting - Native application"
  5. Add the Redirect URI of the new environment (its DNS name), click Add to include it, then press OK
  6. Open the Web API "Microsoft Dynamics 365 for Operations On-premises - Web API"
  7. In the "Relying party identifiers" section, add the new environment URL both with and without "namespaces/AXSF". This is very important in order to avoid issues with the Microsoft Office add-ins.
    Something like:
    1. https://XXXX/namespaces/AXSF
    2. https://XXXX
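The same steps scripted against the ADFS PowerShell module, as an added example that is not part of the original post and is not Microsoft's own Publish-ADFSApplicationGroup.ps1. It clones every redirect URI and relying party identifier that names the first environment's host so that the same entry also exists for the new host, and then forces in the Web API identifier both with and without /namespaces/AXSF. Assumptions: it runs on the ADFS server as an ADFS administrator, the application names are the ones listed in the steps above, and the two host names are passed in as parameters (the host names themselves are hypothetical placeholders, nothing on this page fixes them).

```powershell
<#
Added example (not from the original post, not Microsoft's script).
Assumptions: run on the AD FS server as an AD FS administrator; application
names are those used by the D365FO on-premises application group; $ExistingHost
and $NewHost are hypothetical placeholders supplied by the caller.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $ExistingHost,  # DNS name of the environment already registered
    [Parameter(Mandatory)] [string] $NewHost        # DNS name of the environment being added
)

Import-Module ADFS -ErrorAction Stop

$nativeAppNames = @(
    'Microsoft Dynamics 365 for Operations On-premises - Native application',
    'Microsoft Dynamics 365 for Operations On-premises - Financial Reporting - Native application'
)
$webApiName = 'Microsoft Dynamics 365 for Operations On-premises - Web API'

# Matches "https://<ExistingHost>" only as a whole host (followed by "/", ":" or end of string),
# so "ax.contoso.com" does not also match "ax.contoso.com.example".
$hostPattern = '^https://' + [regex]::Escape($ExistingHost) + '(?=[/:]|$)'

# Returns the original list plus, for every entry that points at $ExistingHost, a copy
# pointing at $NewHost. Entries that do not name $ExistingHost are kept unchanged.
function Add-HostVariant {
    param([string[]] $Uris)
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($u in @($Uris)) {
        if ($u -and -not $merged.Contains($u)) { $merged.Add($u) }
        $clone = $u -replace $hostPattern, "https://$NewHost"
        if ($clone -ne $u -and -not $merged.Contains($clone)) { $merged.Add($clone) }
    }
    return $merged.ToArray()
}

# Native applications. Set-AdfsNativeClientApplication -RedirectUri overwrites the whole
# list, which is why the existing entries are merged back in instead of passing only the new URI.
foreach ($name in $nativeAppNames) {
    $app = Get-AdfsNativeClientApplication -Name $name
    if (-not $app) { throw "Native application '$name' was not found; check the application group." }
    if (-not (@($app.RedirectUri) -match $hostPattern)) {
        Write-Warning "'$name' has no redirect URI for $ExistingHost; nothing to clone."
    }
    $uris = Add-HostVariant -Uris $app.RedirectUri
    if ($PSCmdlet.ShouldProcess($name, "set redirect URIs: $($uris -join ', ')")) {
        Set-AdfsNativeClientApplication -TargetName $name -RedirectUri $uris
    }
}

# Web API. The relying party identifier must exist both with and without /namespaces/AXSF,
# otherwise the Office add-ins break, so both forms are added explicitly for the new host.
$api = Get-AdfsWebApiApplication -Name $webApiName
if (-not $api) { throw "Web API application '$webApiName' was not found." }
$ids = [System.Collections.Generic.List[string]]::new()
foreach ($i in (Add-HostVariant -Uris $api.Identifier)) {
    if (-not $ids.Contains($i)) { $ids.Add($i) }
}
foreach ($required in "https://$NewHost", "https://$NewHost/namespaces/AXSF") {
    if (-not $ids.Contains($required)) { $ids.Add($required) }
}
if ($PSCmdlet.ShouldProcess($webApiName, "set relying party identifiers: $($ids -join ', ')")) {
    Set-AdfsWebApiApplication -TargetName $webApiName -Identifier $ids.ToArray()
}
```

Run it once with -WhatIf to see the full redirect URI and identifier lists it would write before committing them; because the Set-Adfs* cmdlets replace the lists rather than append to them, a typo in the host name would otherwise silently drop the first environment's entries.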

Till Soon!


Silvio Fabrizio said...

Is your ADFS server configured for D365FFO external access with additional WAP server in DMZ?

I'm currently in the middle of configuring ADFS WAP for D365FFO and have an external client redirection issue. The WAP website is published with ADFS authentication for Web and MSOFBA and connects to the "MS D365 for Operations On-Premises - Web Application" ADFS Relying Party Name.

The redirection issue is that the D365 for Operations web application redirects the external client to the internal ADFS server, but as the ADFS server is located in the internal network, its DNS name is not resolved.

What would be your suggestion?

nbrowne1 said...

We're using a WAP to connect to our Test D365FO On-Prem environment from the Web.

Our configuration is as basic as possible:
1 - Wizard setup of the WAP connection to ADFS with appropriate SSL Cert
2 - Open Remote Access MMC
3 - Set up a "passthrough" entry to the D365FO On-Prem URL with appropriate SSL Cert - a wildcard in our case (eg

Manuel Schöpf said...

Hi Denis,
do you think it would also be possible to modify the ApplicationName string in the Publish-ADFSApplicationGroup script to Prod and Test instead of adding the DNS entry?

Charles COLOMBEL said...

Silvio Fabrizio, did you find a solution for the internal ADFS redirection?

nbrowne1: how has the user been authenticated? If I set it up with passthrough, D365 can be reached but redirects me automatically to my ADFS server for authentication. How do you manage this?


nbrowne1 said...

Charles COLOMBEL - it is meant to redirect you to ADFS. The pass-through is so you can securely get to D365 on-prem, then log on as normal. You should be logging into D365 on-prem through ADFS normally from within your network as well.