Unable to successfully create the External Relying Party Trust for Microsoft Dynamics CRM 2011

    Question

  • I have referred to Article 2546710.

    Microsoft Dynamics CRM is using another port (i.e. 444) and that is defined in the Web Address tab.

    I have followed all the steps, but still I am facing the same error.

    Need it Urgently.

    Thank You.

    Friday, July 12, 2013 3:21 PM

All replies

  • Can you provide a bit more information about your environment please? Do you have ADFS 2.0 and CRM on different servers or the same server?

    What port is CRM using?

    For the internal relying party you need a unique URL such as internalcrm.domain.com, for the external relying party you need a URL for the org such as myorg.domain.com. The URLs must be unique.

    Friday, July 12, 2013 3:42 PM
    Moderator
  • I am using Windows Server 2012. So ADFS feature comes with it...just had to install ADFS. ADFS & CRM are on the same server.

    My server name is AMHI2012 & organization name is AMHIDev.

    In IIS I have made
    1) "Default Web Site" binding of https to port 443
    2) "MS CRM Dynamics" binding of https to port 444

    Then I have installed
    1) ADFS
    2) Configured Claim based Authentication for internal access.

    In the "View Log File" it gives

    Internal Federation Metadata URL: amhi2012.pcl.com:444/FederationMetadata/2007-06/FederationMetadata.xml

    For the internal relying party I got

    The identifier here is: amhi2012.pcl.com:444

    And while configuring "Claim based Authentication for external access", i.e. IFD Configuration,
    I have provided the following values:

    Web Application Server Domain: pcl.com:444
    Organization Web Service Domain: pcl.com:444
    Web Service Discovery Domain: amhi2012.pcl.com:444

    And finally when I add a new Relying Party Trust for IFD,
    it gives that unique identifier error.

    The identifiers here are:

    auth.pcl.com:444
    amhidev.pcl.com:444
    amhi2012.pcl.com:444


    So I think the "amhi2012.pcl.com:444" identifier is repeated, but if that is so, what values should I put in "Web Service Discovery Domain" for "Claim based Authentication for external access", i.e. IFD Configuration?

    Thanks for your reply..!!

     
    Monday, July 15, 2013 5:20 AM
  • If you have Windows 2012, then I think this will be ADFS 2.1, which needs some extra configuration - see http://support.microsoft.com/kb/2828015

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Monday, July 15, 2013 6:14 AM
    Moderator
  • Yes, I am using Windows Server 2012.
    I have even applied Microsoft Dynamics CRM 2011 Update Rollup 13.

    Do I still need to do the steps given in that link?

    • Edited by Rakesh Borde Monday, July 15, 2013 6:21 AM Correction in the reply
    Monday, July 15, 2013 6:18 AM
  • You already have amhi2012plc.com for the internal federation metadata URL so I think you can't use it for the discovery web service domain as well.

    Try changing it to something like dev.amhi2012plc.com or whatever you choose but it must be different from all the other URLs. Don't forget to add an extra for the name you choose to the external DNS.

    • Marked as answer by Rakesh Borde Tuesday, July 16, 2013 4:18 AM
    Monday, July 15, 2013 7:05 AM
    Moderator
  • Yeah, my Internal Federation Metadata URL is: amhi2012.pcl.com:444

    So I tried changing the discovery web service domain to dev.pcl.com for the new Relying Party Trust for IFD.
    I followed what you told me, adding it to the DNS host file too, and it worked.

    Now after opening the CRM it shows the discovery service URL as dev.pcl.com
    Is that right?

    I want to ask what actually must be put in Web Service Discovery Domain?
    Adding this different one, i.e. dev.pcl.com,
    is it the right solution? Won't it create any further problems?

    Monday, July 15, 2013 7:56 AM
  • Yes, it is the right solution.  What you must enter in the field is a URL that resolves to the CRM server that has the discovery web service. But the URL must not be the same as any of the other identifiers as you have found out.

    If all the CRM server roles are installed on one computer then the DNS entries will all resolve to the same server but it is possible to have CRM server roles installed over several computers.

    • Marked as answer by Rakesh Borde Tuesday, July 16, 2013 4:18 AM
    Monday, July 15, 2013 8:19 AM
    Moderator
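
The uniqueness rule from the answer above can be checked before the IFD relying party trust is added. This is an added example, not part of the original thread or of Microsoft's tooling: the function name `Find-IdentifierCollision`, the `https://` scheme and trailing slash on the identifiers, and the normalisation rule are assumptions, and the sample trust object is constructed from the values quoted in the thread.

```powershell
# Added example: report identifiers of a planned relying party trust that
# collide with an existing trust or are repeated within the new one.
function Find-IdentifierCollision {
    param(
        # Objects with Name and Identifier properties (the shape Get-AdfsRelyingPartyTrust returns).
        [Parameter(Mandatory)] [object[]] $ExistingTrust,
        # Identifiers the new trust would bring in.
        [Parameter(Mandatory)] [string[]] $Candidate
    )

    # Assumed normalisation: ignore case and a trailing slash when comparing.
    $normalise = { param($id) $id.Trim().TrimEnd('/').ToLowerInvariant() }

    # Map every identifier already registered to the trust that owns it.
    $owner = @{}
    foreach ($trust in $ExistingTrust) {
        foreach ($id in $trust.Identifier) {
            $owner[(& $normalise $id)] = $trust.Name
        }
    }

    $seen = @{}
    foreach ($id in $Candidate) {
        $key = & $normalise $id
        if ($owner.ContainsKey($key)) {
            [pscustomobject]@{ Identifier = $id; Conflict = "already used by trust '$($owner[$key])'" }
        } elseif ($seen.ContainsKey($key)) {
            [pscustomobject]@{ Identifier = $id; Conflict = 'repeated in the new trust' }
        }
        $seen[$key] = $true
    }
}

# Constructed sample; on the ADFS server use: $existing = Get-AdfsRelyingPartyTrust
$existing = @(
    [pscustomobject]@{ Name = 'CRM internal (constructed)'; Identifier = @('https://amhi2012.pcl.com:444/') }
)

# Identifiers from the failing IFD configuration described in the thread.
$failing = 'https://auth.pcl.com:444/', 'https://amhidev.pcl.com:444/', 'https://amhi2012.pcl.com:444/'
Find-IdentifierCollision -ExistingTrust $existing -Candidate $failing | Format-Table -AutoSize

# Same set with the discovery domain changed to a distinct name.
$fixed = 'https://auth.pcl.com:444/', 'https://amhidev.pcl.com:444/', 'https://dev.pcl.com:444/'
if (-not (Find-IdentifierCollision -ExistingTrust $existing -Candidate $fixed)) { 'No collisions' }
```
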
  • Here all the CRM server roles are installed on one computer.

    Thank you..for your help.

    But now I am facing another issue regarding a certificate error.

    "There is a problem with this website's security certificate."

    After clicking "Continue to this website (not recommended)" I am redirected to the login page.

    I tried installing that certificate but still every time I have to do as above.

    Actually, what I did was: the certificate I created during the IFD setup at first had 30 days validity.
    I came to know about it after ADFS installation, so I again created the certificate with more days of validity.
    But as per my knowledge we can't uninstall ADFS (from Windows Server 2012), so using PowerShell I added the certificate in ADFS in Service Communications, Token-decryption & Token-Signing.

    And followed the further installation.

    But now I am facing this problem.

    Even on another PC, when I click "Continue to this website (not recommended)" it displays "The page cannot be displayed"

    I am confused about what the cause could be.

    Monday, July 15, 2013 10:49 AM
  • Well that's another question.

    For IFD in CRM, all SSL certificates should be trusted certificates purchased from a certification authority such as Thawte, VeriSign or GoDaddy. Because of the multiple URLs that need to be covered, a wildcard certificate (such as *.pcl.com) is probably the most cost effective.

    Are you using self-signed certificates? If so, I strongly urge you to switch to a trusted certificate provider.

    Monday, July 15, 2013 11:38 AM
    Moderator
  • Yeah.. I am using self-signed certificate.

    Thanks for your help.
    Monday, July 15, 2013 12:15 PM
  • Now I am configuring Email Router on the same server.
    I am using an online service provider.

    As we discussed above, in Web Service Discovery Domain we added a new entry, i.e. dev.pcl.com, and in DNS as well.

    The CRM shows dev.pcl.com as the discovery service URL and before IFD configuration it was AMHI2012.pcl.com.

    What should I provide as the discovery service URL?

    When I used https// dev.pcl.com / orgname

    and clicked "Load Data" it gave an error as

    "Metadata contains a reference that cannot be resolved"

    https: //dev.pcl.com:444 /XrmServices /2011/ Discovery.svc ?wdl

    Can you give me the solution?

    Tuesday, July 16, 2013 2:04 PM
  • In the E-mail Router deployment setting you should enter the internal URL for your organization which I think in your case is  https://amhi2012.pcl.com:444 

    Wednesday, July 17, 2013 10:27 AM
    Moderator