CRM 2011 IFD - windows prompts externally (just started out of the blue)
-
3 May 2012 14:29
Hi All
About a year ago I successfully configured our internal CRM 2011 with ADFS/IFD (after much fun and learning)
This has been working great. This morning, when accessing CRM external after logging into the ADFS page I immediately start getting the dreaded "three windows login" prompts and then a 401 error. This is happening for all users on all systems on various networks.
If this was a new install, this is something I may expect. However, this has been working fine for the most part.
I have all the links, read all the documents and watched all the videos as it relates to setting up IFD.
My wildcard SSL certificate is not expired (yet) (that was my first guess).
Anyone run into this and what was done to fix it (and any insight into what caused it would be great too)? There was NOTHING done on the servers for weeks.
Cheers
Nick
All replies
-
4 May 2012 5:15
Hi Nick,
Did you check the certificate expiration on the 3 certificates that ADFS has configured? The service communications, the token-decrypting and the token-signing are all valid?
Regards,
Damian Sinay
-
4 May 2012 20:20
Yup. They all use the same wildcard cert.
Nick
-
5 May 2012 2:12
Hi All
While not 100% sure, it appears that the wildcard cert being about to expire soon (in a couple of weeks) was what was causing the issue. I ended up renewing the cert (had to eventually anyway) and after re-installing and reapplying security, etc., things went back to normal.
Unfortunately, CRM 2011 IFD setup has a lot of moving parts and variables that can cause major grief, even after you think you have it working 100%.
Thanks Damian for contributing to this post.
Cheers
Nick
-
31 March 2013 1:23
Our wildcard cert was about to expire, so we installed a new wildcard cert in IIS, set bindings for CRMsite and DefaultSite. Now suddenly we cannot access via IFD/ADFS. Do I need to completely redo the ADFS settings, and go through re-configuring Claims Based Authentication and IFD in Deployment Manager? I am getting the "cannot find Relying Party Trust" error.
Any help would be greatly appreciated.
Ken Compter
-
31 March 2013 1:33
Be sure you granted the CRM AppPool user, usually Network Service, permissions to manage the private key of the new cert. This can be done with mmc, then add Certificates.
Regards,
Damian Sinay
-
31 March 2013 13:56
When I add the cert, it looks like CN=*synactonline.net, OU=IT OU="Synact etc. The expired cert is CN=ADFS Signing - adfs.synactonline.net. The Cert Path on the original is ADFS Signing - adfs.synactonline.net. For the new cert it has 4 levels starting with GeoTrust. So it appears I am doing something wrong. Should I be creating a completely new Relying Trust?
Ken Compter
-
31 March 2013 17:24
Well I got it working by re-installing the Relying Party Trusts. Go figure.
Ken Compter
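The two checks the thread converges on (are the three ADFS certificates and the wildcard SSL cert close to expiry, and can the CRM application pool identity read the private key of the newly installed cert) can be scripted so they are caught before users see the triple login prompt. This is an added example written for this page, not code from the thread; it assumes the AD FS cmdlets are available on the server, that the SSL certificate uses a CAPI (RSA) key in the machine store, and that the application pool runs as NETWORK SERVICE (adjust `$AppPoolIdentity` otherwise).

```powershell
# Added example: pre-expiry check for an ADFS / CRM 2011 IFD deployment.
# Run elevated on the ADFS server (part 1) and the CRM front-end (part 2).
$AppPoolIdentity = 'NT AUTHORITY\NETWORK SERVICE'   # assumption: CRMAppPool identity
$WarnDays        = 30                                # warn this many days before NotAfter

# 1. The three certificates ADFS depends on: Service-Communications,
#    Token-Decrypting and Token-Signing (Damian's first question in the thread).
try   { Import-Module ADFS -ErrorAction Stop }                       # Windows Server 2012+
catch { Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue }  # ADFS 2.0 on 2008 R2
Get-AdfsCertificate | ForEach-Object {
    $daysLeft = ($_.Certificate.NotAfter - (Get-Date)).Days
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
             else { 'ok' }
    '{0,-22} {1,-9} {2,4} days left  {3}' -f $_.CertificateType, $state, $daysLeft, $_.Certificate.Subject
}

# 2. Wildcard SSL certificate(s) in the machine store: expiry plus whether the
#    app pool identity can read the private key (Damian's second piece of advice).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject.StartsWith('CN=*') } |
    ForEach-Object {
        $cert = $_
        $keyInfo = $cert.PrivateKey.CspKeyContainerInfo          # $null for CNG keys
        if ($null -eq $keyInfo) {
            $access = 'CNG key: check the ACL with certlm.msc (Manage Private Keys)'
        } else {
            # CAPI machine keys live as files; their NTFS ACL is the private-key permission.
            $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyInfo.UniqueKeyContainerName
            $rule = (Get-Acl $keyPath).Access | Where-Object {
                $_.IdentityReference.Value -eq $AppPoolIdentity -and
                $_.FileSystemRights -match 'Read|FullControl' -and
                $_.AccessControlType -eq 'Allow'
            }
            $access = if ($rule) { "$AppPoolIdentity can read the private key" }
                      else       { "$AppPoolIdentity has NO read access to the private key" }
        }
        '{0}  expires {1:yyyy-MM-dd}  thumbprint {2}  {3}' -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint, $access
    }
```

Any line reporting EXPIRING, EXPIRED or NO read access is the condition the thread describes; after replacing a cert, re-run part 2 to confirm the new thumbprint shows read access before re-doing the Relying Party Trust.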