Help please, CRM 2011 IFD installation error - Event 364 - Encountered error during federation passive request

  • Question

  • Hi,

    I have been struggling for days with this error and decided not to suffer in silence.

    I managed to install the IFD as per the video demo using the self-generated cert. However, when accessing it from external, the "certificate error" is annoying, so I got a wildcard cert and a single-domain cert from GoDaddy, created a new server and did the entire installation from the ground up again.

    However, at the internal-access step I hit this problem when trying to access https://crm.productionserver.com:5555. First, the Windows Security box popped up (connecting to crm2011.localdomain); I typed the domain user ID and password, and the next web page threw up an error from adfs.productionserver.com. From the white web page and the URL, it seemed to be the AD FS authentication page (the URL is https://adfs.productionserver.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.productionserver.com%3a5555%2f&wctx=rm%3d1%26id%3d6de4b80a-4397-493d-af70-bcf3ee791174%26ru%3d%252fdefault.aspx&wct=2011-08-01T00%3a38%3a32Z&wauth=urn%3afederation%3aauthentication%3awindows).

    In the event log, the Windows Application log shows no error message; the Applications and Services Logs -> AD FS 2.0 -> Admin folder recorded 2 error events, first event 317 and then event 364, as shown below.

    I verified the cert through ADFS 2.0 Management, ADFS 2.0 -> Service -> Certificates: the Service communications cert is OK, but the token-decryption and token-signing certs showed an error -> "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

    What can I do to fix this?

    Thank you,

    5Albert

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          1/8/2011 8:41:02 AM
    Event ID:      317
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:    CRM2011.localdomain
    Description:
    An error occurred during an attempt to build the certificate chain for the relying party trust 'https://crm.productionserver.com:5555/' certificate identified by thumbprint 'D45A4373D61013B8C3EF486E4E7FF2C6BBB3E209'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

    You can use Windows PowerShell commands for AD FS 2.0 to configure the revocation settings for the relying party encryption certificate.
    Relying party trust's encryption certificate revocation settings: CheckChainExcludeRoot
    The following errors occurred while building the certificate chain: 
    Unknown error.
    Unknown error.
     

    User Action:
    Ensure that the relying party trust's encryption certificate is valid and has not been revoked.
    Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
    Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS 2.0 Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
        <EventID>317</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2011-08-01T00:41:02.196918600Z" />
        <EventRecordID>25</EventRecordID>
        <Correlation ActivityID="{07F1E74B-79B9-4CF9-BFD5-EA519B60E16F}" />
        <Execution ProcessID="4900" ThreadID="4752" />
        <Channel>AD FS 2.0/Admin</Channel>
        <Computer>crm2011.localdomain</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>https://crm.productionserver.com:5555/</Data>
            <Data>D45A4373D61013B8C3EF486E4E7FF2C6BBB3E209</Data>
            <Data>CheckChainExcludeRoot</Data>
            <Data>Unknown error.
    Unknown error.
    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          1/8/2011 8:41:02 AM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:      crm2011.localdomain
    Description:
    Encountered error during federation passive request.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2011-08-01T00:41:02.201802600Z" />
        <EventRecordID>26</EventRecordID>
        <Correlation ActivityID="{07F1E74B-79B9-4CF9-BFD5-EA519B60E16F}" />
        <Execution ProcessID="3872" ThreadID="3080" />
        <Channel>AD FS 2.0/Admin</Channel>
        <Computer>crm2011.localdomain</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---&gt; System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri&amp; replyTo)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession&amp; session)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    Monday, August 1, 2011 1:11 AM

Answers

  • Thanks Curt,

    I actually resolved the problem. Because the cert was purchased, somehow it was not in the "trusted root provider" folder. I saw a video showing that we can simply drag the cert from one folder to another; I followed that, but it does not seem to work. I did an export of the cert and imported it into the "trusted root provider" folder, and it works nicely now.

    Albert

    Monday, August 8, 2011 8:49 AM
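A way to reproduce the Event 317 chain check on the AD FS server and apply the fix Albert describes (vendor CA certificate into the machine-wide Trusted Root store), added here as an example and not code from the thread or from Microsoft. It assumes the AD FS 2.0 Microsoft.Adfs.PowerShell snap-in on Windows Server 2008 R2, the relying party identifier from the event, and a placeholder path for the CA certificate file obtained from the certificate vendor.

```powershell
# Added diagnostic for the Event 317 "could not build the certificate chain" error.
# Assumes AD FS 2.0 (snap-in, not the later module); $rootCaFile is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpId       = 'https://crm.productionserver.com:5555/'    # relying party from Event 317
$rootCaFile = 'C:\certs\VENDOR-CA-PLACEHOLDER.cer'        # placeholder: CA cert from the vendor

# Read the relying party trust and the revocation setting the event reports.
$rp = Get-ADFSRelyingPartyTrust -Identifier $rpId
"Encryption cert thumbprint : $($rp.EncryptionCertificate.Thumbprint)"
"Revocation setting         : $($rp.EncryptionCertificateRevocationCheck)"   # CheckChainExcludeRoot in the post

# Build the chain the way CheckChainExcludeRoot does: every certificate below the
# root is revocation-checked online. ChainStatus then says exactly why AD FS failed.
$ns    = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$ok = $chain.Build($rp.EncryptionCertificate)
"Chain builds               : $ok"
foreach ($s in $chain.ChainStatus)   { "  status  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
foreach ($e in $chain.ChainElements) { "  element {0}" -f $e.Certificate.Subject }
# UntrustedRoot or PartialChain here means the issuing CA is missing from the
# LocalMachine\Root (or LocalMachine\CA for intermediates) store on this server,
# which matches the "CA Root certificate is not trusted" message in the question.

# Fix: place the vendor's CA certificate in the machine-wide Trusted Root store.
# The store must be LocalMachine, since AD FS runs as NETWORK SERVICE (see the event),
# not under the admin's user profile where a drag-and-drop in certmgr.msc would land.
if (-not $ok -and (Test-Path $rootCaFile)) {
    $ca    = New-Object "$ns.X509Certificate2" $rootCaFile
    $store = New-Object "$ns.X509Store" 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($ca)
    $store.Close()
    "Imported '$($ca.Subject)' into LocalMachine\Root; re-run this script, then retry the sign-in."
}
```

Setting the trust's revocation check to None with Set-ADFSRelyingPartyTrust would silence Event 317, but it leaves the relying party's encryption certificate unverified; fixing the trust store, as the answer does, keeps the check in place.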