Claims Based Authentication Configuration fails

  • Question

  • I have installed CRM 2011 on one of our servers (server 2008 R2).  I have installed the ADFS (server 2008 R2 as well) on a separate server and configured it (initial configuration).  I am now trying to configure the claims based authentication from the CRM server.

    I receive the error 'URL not available' when I step through the wizard.  I have verified that the Federation Metadata URL does in fact return an xml page.  I am not prompted for any certificate errors, and the configuration has this part checked when it runs the check.  However, it continues to fail on contacting the URL according to the wizard and does not let me proceed.

    I cannot see why it can't contact the https://federationmetadata... URL when I can browse to it from the same server and it displays the XML page.  I am not prompted for any type of authentication or anything so again I am at a loss.

    Wednesday, November 23, 2011 3:39 PM

All replies

  • deployment

    Regards, Donna

    Wednesday, November 30, 2011 2:30 PM
  • I'm not entirely sure what you are asking for.  I am deploying CRM 2011 within my organization.  I am trying to make it IFD (Internet Facing Deployment).  I have CRM installed on 1 server and the ADFS installed on a separate server.  Both servers are 2008 R2.  I have looked through other topics related to my problem, but none address my specific issue.  If you need more information, please let me know what I can provide.
    Wednesday, November 30, 2011 5:31 PM
  • I apologize for any confusion.  I was moving the thread to the deployment forum and bumping for more attention.  I'm hoping someone focused on IFD deployments can jump in with an assist.

    Regards, Donna

    Wednesday, November 30, 2011 6:23 PM
  • Hi Josh,

    If I understand the issue correctly, you're seeing a 'URL not available' error on the Environment Diagnostics Wizard page at the end of Claims-Based Configuration, correct?

    Make sure the URL you specify in the wizard includes the federationmetadata.xml, e.g. https://<adfshost>/federationmetadata/2007-06/federationmetadata.xml. Please confirm you can access this URL from the CRM server.

    If so, please paste the federation metadata xml contents as you see it from the CRM server (feel free to replace host names with fake names).

    Thanks,

    Matios

    Friday, December 2, 2011 12:52 AM
  • Hi Josh,

    1. Please check whether your DNS is resolved or not.

    2. Make sure to add the certificate to the Website. (Provide the port no. in the URL; if it's 443 then you need to give the https port.)

    3. How many times have you configured ADFS till now on the same machine? If you configured it so many times, we will get URL rewriting issues.

    If you receive one of the following errors:

    HTTP 503 Service Unavailable error OR HTTP 404 Not Found error

    This is because the IIS URL Rewrite module is not rewriting the URL correctly. CRM creates rules within the rewrite module; one of these rules is to load the handlers/FederationMetadata.ashx when FederationMetadata/2007-06/FederationMetadata.xml is requested.

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Friday, December 2, 2011 10:42 AM
  • Hello Khaja and thank you for the response. 

     

     

    1. Please check whether your DNS is resolved or not.

    2. Make sure to add the certificate to the Website. (Provide the port no. in the URL; if it's 443 then you need to give the https port.)

    3. How many times have you configured ADFS till now on the same machine? If you configured it so many times, we will get URL rewriting issues.

     

    1.  DNS resolves correctly from what I can tell.  If I open a browser on both the CRM server and the Federation server and type in the url, it will display the XML page. 

    2.  The certificate for the metadata website, and the crm site have been added to the server.  As well, when I type the URL into the wizard, I have tried using both with https://...:443/* as well as https://.../*.  Whether I specify the port within the URL makes no difference.

    3.  I figured this would be my cause because I had set up the Federation Server numerous times because of naming conventions, certificate issues, etc.  I found this site based off what you specified for the third possible cause: http://blogs.msdn.com/b/emeadcrmsupport/archive/2011/05/13/we-receive-http-errors-while-accessing-the-crm-federationmetadata-url.aspx I performed every step outlined except for the deletion of reserved URLs because I don't have any reserved URLs that match the example provided.  Attached are screen shots and hopefully they will provide someone with more insight. 

     

    Friday, December 2, 2011 7:45 PM
  • Hello Matios and Khaja.

    Matios you are correct, that is where I get the error and the exact error message I get.  The URL does include the .xml extension.  Here is the exact URL https://adfs.doctronx.com/federationmetadata/2007-06/federationmetadata.xml

    Below is a screen shot of what I get when I type it into a URL.  The xml itself is not being displayed on the page, but as you can see, it resolves something because the logo changes to the CRM logo in both the Tab and the Address Bar. 

    Khaja - DNS works correctly from what I can tell as the browser resolves the name correctly.  I don't know if XML language is supposed to be displayed or not, but as you can see, the browser is blank even though the site is resolved, if that makes sense.  The certificate has been added and I have tried specifying the url with 443 port included and excluded and it doesn't work.  As for your third possible cause, I believed this to be the culprit at first, because I did redo the Federation several times before getting it right (previous setups completed successfully but naming needed to be changed to meet our internal naming convention).  However, after following the steps on this site: http://blogs.msdn.com/b/emeadcrmsupport/archive/2011/05/13/we-receive-http-errors-while-accessing-the-crm-federationmetadata-url.aspx I still can't get it to work.

     

    Friday, December 2, 2011 8:12 PM
  • Update:

    My screenshot was removed so if you need me to include some let me know how/where to upload it to see it.  Also, I found something strange and I'm not sure what to make of it, other than it's a DNS issue, but I do not know how to resolve it.

    The URL I am using is https://adfs.doctronx.com/federationmetadata/2007-06/federationmetadata.xml.  As stated earlier, the browser will resolve the site because it adds the CRM logo to the address bar and the tab displays the same logo with doctronx.com.  However, the pane that displays the XML is blank.  I am not prompted for any certificate errors or warnings either.

    Now, if I type into the browser https://<computer name>.dtx.local/federationmetadata/2007-06/federationmetadata.xml I get a security warning about the certificate. If I choose continue anyway, it displays the XML language all throughout the browser. 

    Update 12/2/11 4:47 p.m.:

    As stated previously, when I enter the url as adfs.doctronx.com/federation* and a blank page is displayed in the web browser, I am able to right click on the page and view the source code.  The source code looks just like the XML code displayed as if I browsed to <computer name>.dtx.local/federation*.

    • Edited by Josh.Adams Friday, December 2, 2011 10:53 PM
    Friday, December 2, 2011 8:18 PM
  • Hi Josh,

    Instead of using https://adfs.doctronx.com/federationmetadata/2007-06/federationmetadata.xml use this URL for configuring Relay Party trust, it will work.

    https://adfs.doctronx.com/handlers/FederationMetadata.ashx

    For external relay party also modify the federation metadata url like above mentioned.

     

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    • Proposed as answer by Khaja Mohiddin Tuesday, December 27, 2011 10:28 AM
    • Marked as answer by Josh.Adams Wednesday, April 4, 2012 12:55 PM
    Monday, December 5, 2011 8:52 AM
  • OK I have to have something wrong somewhere.  I tried your response Khaja and still comes back with unavailable.  Should I scrap my ADFS server and start over?  I have uninstalled, and reinstalled the CRM.  I had no errors during that so I am at a loss now.
    Monday, December 5, 2011 8:51 PM
  • Hi Josh,

    You don't need to install the CRM and ADFS again; you just need to configure the ADFS again from this location (C:\Program Files\Active Directory Federation Services 2.0).

    If there is an issue with handlers in IIS Manager then you need to re-install the IIS from Server Manager.

     

    Regards, 


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Tuesday, December 6, 2011 8:47 AM
  • Hello, I've had the same problem as the OP and I solved it using

    https://adfs.doctronx.com/handlers/FederationMetadata.ashx

    as Khaja Mohiddin proposed. However, I was wondering if this issue could cause connection problems for Outlook for CRM IFD as well. The home realm url for ADFS is supposedly https://adfs.contoso.com/adfs/services/trust/mex , but I cannot access this endpoint because of a "Service Unavailable" error.

    Wednesday, December 21, 2011 3:52 AM
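
The three causes raised in this thread (DNS, certificate, URL rewriting returning 404/503) can be told apart by fetching the metadata URL with a client that cannot click through certificate warnings. The script below is an added example, not code from the thread or from Microsoft; the function names, the sample body and the sts.example.test host are constructed for illustration.

```powershell
# Added example (not from the thread). Written for PowerShell 2.0 on Server 2008 R2.
$MdNs = 'urn:oasis:names:tc:SAML:2.0:metadata'   # SAML 2.0 metadata namespace

function Test-MetadataBody([string]$Body) {
    # A usable federation metadata document has an <EntityDescriptor> root element.
    try { $doc = [xml]$Body } catch { return 'BODY: not well-formed XML' }
    $root = $doc.DocumentElement
    if (-not $root) { return 'BODY: empty document' }
    if ($root.LocalName -ne 'EntityDescriptor' -or $root.NamespaceURI -ne $MdNs) {
        return "BODY: unexpected root element <$($root.LocalName)>"
    }
    return "OK: entityID=$($root.GetAttribute('entityID'))"
}

function Test-MetadataUrl([string]$Url) {
    # Fetch as a non-browser client: there is no "continue anyway" on certificate errors.
    try {
        $resp = [System.Net.WebRequest]::Create($Url).GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        return Test-MetadataBody $body
    } catch {
        # PowerShell may wrap the .NET exception; unwrap to the WebException if present.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex) { return "ERROR: $($_.Exception.Message)" }
        switch ($ex.Status) {
            'NameResolutionFailure' { return 'DNS: host name does not resolve' }
            'TrustFailure'          { return 'TLS: certificate untrusted or issued for another name' }
            'ProtocolError'         { return "HTTP: status $([int]$ex.Response.StatusCode)" }
            default                 { return "TRANSPORT: $($ex.Status)" }
        }
    }
}

# Constructed sample body (not taken from the thread) to exercise the parser offline.
$sample = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ' +
          'entityID="https://sts.example.test/adfs/services/trust"/>'
Test-MetadataBody $sample

# Live use from the CRM server, with both URL forms discussed in the thread:
# Test-MetadataUrl 'https://<adfshost>/federationmetadata/2007-06/federationmetadata.xml'
# Test-MetadataUrl 'https://<adfshost>/handlers/FederationMetadata.ashx'
```

A TLS result for one host name but not another points at the certificate's subject names; an HTTP 404 or 503 on the .xml path but not the .ashx path points at the rewrite rule.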