locked
ADFS + Federated Domain + Web Resource + Sitemap = FAIL RRS feed

  • Question

  • In preparation for a large client who is going live in a couple months with the same scenario, we setup an internal environment that:

    1. Is setup and working properly with ADFS/IFD on Domain A

    2. Can federate logins for an external Domain B (separate ADFS server on Domain B talks to ADFS on Domain A)

    This works well until we come to a web resource (in this case an html/silverlight web resource) that is linked from the sitemap.

    When logging in from Domain B (federated across the 2 ADFS servers), the sitemap link does not work, and gives the error shown below - as you can see it appears there is an additional query parameter 'whr' that is getting tacked on and blows up the CRM Parameter Filter.

    I have not yet tried the old CRM 4 trick for not restricting querystring params (I think it was a registry or some other setting) - I assume that will give us a workaround, but wanted to see if anyone has seen this behavior.

    Exception message: CRM Parameter Filter - Invalid parameter 'whr=http://sts.XXXXXXXXX.com/adfs/services/trust' in Request.QueryString on page /Handlers/WebResource.ashx
    The raw request was 'GET /WebResources/va_/QuickSearch.html?pagemode=iframe&whr=http[%]3a[%]2f[%]2fsts.XXXXXXXXXX.com[%]2fadfs[%]2fservices[%]2ftrust' called from https://orgname.XXXXXXXXX.com/main.aspx.

    Tuesday, August 23, 2011 3:14 PM

Answers

  • For the record the workaround is to use the DisableParameterFilter = 1 DWORD registry key. But I still think this is probably a bug. It might be an ADFS configuration issue, but that seems unlikely given that everything else seems to work ok.
    Tuesday, August 23, 2011 3:27 PM

All replies

  • For the record the workaround is to use the DisableParameterFilter = 1 DWORD registry key. But I still think this is probably a bug. It might be an ADFS configuration issue, but that seems unlikely given that everything else seems to work ok.
    Tuesday, August 23, 2011 3:27 PM
  • Parameter filtering is a mechanism used for validating page parameters in CRM. By disabling the filter there can be security implications. There was indeed a bug where WHR parameter was not recognized in the scenario described above. This has been fixed in Update Rollup 11 for CRM 2011. From http://support.microsoft.com/kb/2739504:

    • When multiple secure token services (STS) are used to access Microsoft Dynamics CRM 2011, the WHR parameter (Home Realm) that was added to the CRM sitemap is blocked by the parameter filter unexpectedly

    Murali


    Friday, October 12, 2012 12:56 AM