Configuring Federated CRM 2011 w/ External Website Host for IFD - 403 Error using Claims-Based Authentication

  • Question

  • We're configuring a Federated CRM 2011 using a server for AD and FD, then CRM on a VM on that server, and an external webhost for our domain.

    We can get everything running happily with Claims-Based authentication disabled, but it goes immediately to a 403 error when accessing with CBA enabled.

    Setup matches the tutorials, with exception of DNS forwarding, as the DNS is handled externally from the web host. 

    Metadata XML validates internally and externally.

    Where should I start with troubleshooting?


    • Edited by PITmhep Friday, November 2, 2012 5:18 PM
    Thursday, November 1, 2012 9:27 PM

All replies

  • Revised title to be more concise. 
    Friday, November 2, 2012 5:19 PM
  • Hi,

    You could start by tracing the traffic created using Fiddler. Maybe you can find out more about where the process is failing. Is it the STS that is causing the issue or Dynamics CRM?

    Can you clarify your setup a little more? Have you installed ADFS? 

    You can also take a look at the ADFS Event Viewer (ADFS 2.0 -> Admin Events).

    Greetings,

    Pavlos


    Please mark this reply as an answer and vote it as helpful if it helps you find a resolution to your problem.

    Friday, November 2, 2012 6:14 PM
  • ADFS is installed on the physical server. CRM is installed on a VM on that server. 

    We are uncertain whether STS is the issue. Connection is fine and outside access works when Claims-based Authentication is Disabled, but we get error 403 when it is enabled.

    We are using a certificate that is not a wildcard certificate, but rather for remote.domainname.com

    Thank you for the other tips!

    Friday, November 2, 2012 9:35 PM
  • Hi,

    If I'm not mistaken you must be using 2 certificates, one for the ADFS, one for Dynamics CRM. Is that the case?

    Have you checked if the users running the ADFS and the CRM Application Pools have enough privileges to be able to read the certificates?

    Greetings,

    Pavlos



    Saturday, November 3, 2012 7:09 AM
  • I did not realize that was the case. We have the same certificate in use on both servers, but it is not a wildcard certificate.
    Monday, November 5, 2012 5:19 PM
  • Hi,

    How can you be using the same certificate without it being a wildcard certificate for both servers, since the ADFS and the CRM Server both need to be on a different subdomain (i.e. adfs.contoso.com and crm.contoso.com)? Furthermore, the ADFS and the CRM subdomains must be resolvable for every client. Have you checked if you can resolve the ADFS host on your client using nslookup, for example?

    Can you please elaborate a bit on your setup?

    Greetings,

    Pavlos



    Monday, November 5, 2012 8:04 PM
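A script for the two checks Pavlos raises in his replies above (that both the ADFS and the CRM host names resolve, and that the ADFS and CRM application-pool identities can read the private key of their certificate), as an added PowerShell example that is not part of the thread. The host names, certificate subjects and service accounts are placeholders, and it assumes CSP (RSA) private keys in the LocalMachine\My store, which is the usual layout for ADFS 2.0 and CRM 2011.

```powershell
# Added diagnostic, not from the thread. Assumes CSP (RSA) private keys in LocalMachine\My.
# Host names, certificate subjects and application-pool identities are placeholders.
$checks = @(
    @{ Host = 'adfs.contoso.com'; CertSubject = 'CN=adfs.contoso.com'; PoolIdentity = 'CONTOSO\svc-adfs' },
    @{ Host = 'crm.contoso.com';  CertSubject = 'CN=crm.contoso.com';  PoolIdentity = 'CONTOSO\svc-crmapp' }
)

function Test-IfdHost {
    param([string]$Name)
    # Every client must resolve both hosts: the claims redirect fails before any token is issued otherwise.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("[OK]   {0} resolves to {1}" -f $Name, ($addrs -join ', '))
    } catch {
        Write-Host ("[FAIL] {0} does not resolve: {1}" -f $Name, $_.Exception.Message)
    }
}

function Test-PrivateKeyAccess {
    param([string]$Subject, [string]$Identity)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$Subject*" } | Select-Object -First 1
    if (-not $cert) { Write-Host "[FAIL] no certificate with subject $Subject in LocalMachine\My"; return }
    if (-not $cert.HasPrivateKey -or -not $cert.PrivateKey) {
        Write-Host "[FAIL] $Subject has no readable CSP private key (missing, or a CNG key this script does not inspect)"
        return
    }
    # CSP machine keys are files under ProgramData; the app-pool identity needs Read on that file.
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
    $rules = (Get-Acl $keyPath).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if ($rules) { Write-Host "[OK]   $Identity can read the private key of $Subject" }
    else        { Write-Host "[FAIL] $Identity has no Read ACE on the private key of $Subject ($keyPath)" }
}

foreach ($c in $checks) {
    Test-IfdHost -Name $c.Host
    Test-PrivateKeyAccess -Subject $c.CertSubject -Identity $c.PoolIdentity
}
```

Run it on each server with the identities of that server's application pools; it matches ACEs granted directly to the account, so access inherited through a group such as IIS_IUSRS shows as a false FAIL and should be checked in the certificate's Manage Private Keys dialog.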
  • We do have a certificate for remote.contoso for the ADFS and a certificate for crm.contoso for the CRM. Sorry!
    Wednesday, November 7, 2012 10:09 PM