Dynamics 365 Update 2 (OnPremise) connection issue with IFD

  • Question

  • Hi all,

    I've installed a new CRM 2016 Update 2 (Dynamics 365) on a Windows Server 2012 R2. I also configured ADFS (Windows Server 2016) to authenticate with CRM (IFD) according to this document: https://technet.microsoft.com/en-us/library/gg188600.aspx.

    I am trying to connect to the CRM environment using this connection string (using XrmToolBox; other SDK tools also fail):

    ServiceUri=https://org.crm.dev.lab/org;AuthType=IFD;Domain=dev;UserName=user;Password=password;LoginPrompt=Never;

    (changed some of the info for various reasons)

    If I try to connect, I get the following error:

    Microsoft.Xrm.Tooling.Connector.CrmServiceClient    Error    2    20.06.2017 10:56:00  Unable to Login to Dynamics CRM
    Microsoft.Xrm.Tooling.Connector.CrmServiceClient    Error    2    20.06.2017 11:32:09  Source    : System.ServiceModel
    Method    : ReadResponse
    Date    : 20.06.2017
    Time    : 11:32:09
    Error    : ID3242: The security token could not be authenticated or authorized.
    Stack Trace    : at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response)
       at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
       at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Issue(AuthenticationCredentials authenticationCredentials)
       at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)
       at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)
       at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.ClaimsIFDFailOverAuth[T](IServiceManagement`1 servicecfg, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, Int32 depthLevel, Boolean tryNetworkCred)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.CreateAndAuthenticateProxy[T](IServiceManagement`1 servicecfg, Uri ServiceUri, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, String LogString)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.DiscoverOrganizations(Uri discoveryServiceUri, Uri homeRealmUri, ClientCredentials clientCredentials, ClientCredentials deviceCredentials)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.InitCRM2011Service()

    Someone on the forum suggested changing the connection string like this:

    ServiceUri=https://org.crm.dev.lab/org;AuthType=IFD;UserName=user@dev.lab;Password=password;LoginPrompt=Never;

    But using this connection string I get this error:

    Microsoft.Xrm.Tooling.Connector.CrmServiceClient    Error    2    20.06.2017 11:33:07  Unable to Login to Dynamics CRM
    Microsoft.Xrm.Tooling.Connector.CrmServiceClient    Error    2    20.06.2017 11:33:30  Source    : Microsoft.Xrm.Sdk
    Method    : GetIssuerEndpoint
    Date    : 20.06.2017
    Time    : 11:33:30
    Error    : The authentication endpoint Kerberos was not found on the configured Secure Token Service!
    Stack Trace    : at Microsoft.Xrm.Sdk.Client.IssuerEndpointDictionary.GetIssuerEndpoint(TokenServiceCredentialType credentialType)
       at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)
       at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)
       at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.ClaimsIFDFailOverAuth[T](IServiceManagement`1 servicecfg, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, Int32 depthLevel, Boolean tryNetworkCred)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.CreateAndAuthenticateProxy[T](IServiceManagement`1 servicecfg, Uri ServiceUri, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, String LogString)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.DiscoverOrganizations(Uri discoveryServiceUri, Uri homeRealmUri, ClientCredentials clientCredentials, ClientCredentials deviceCredentials)
       at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.InitCRM2011Service()

    I also came across this article https://community.dynamics.com/crm/b/magnetismsolutionscrmblog/archive/2013/09/20/the-authentication-endpoint-kerberos-was-not-found-on-the-configured-secure-token-service but this seems not to be the case in our environment.

    Does anyone have any advice?

    Thanks

    Julian


    Tuesday, June 20, 2017 10:00 AM

All replies

  • Can you check the ADFS Admin event log on the ADFS server? If ADFS fails to authenticate the user, it should write an error message here, though some of the ADFS errors are more useful than others.

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Tuesday, June 20, 2017 12:30 PM
    Moderator
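
    One way to run the event log check suggested above, as an added example that is not part of the original thread: it pulls AD FS Admin errors and warnings plus failed logons (Security event 4625) from a window around the failed attempt. `$AttemptTime` and `$WindowMinutes` are assumed parameters; set them to the time the client reported the error.

```powershell
# Added example: correlate a failed IFD login with AD FS and Security log entries.
# Run in an elevated session on the AD FS server.
# $AttemptTime and $WindowMinutes are assumptions, not values from the thread.
param(
    [datetime]$AttemptTime   = (Get-Date),
    [int]     $WindowMinutes = 5
)

$start = $AttemptTime.AddMinutes(-$WindowMinutes)
$end   = $AttemptTime.AddMinutes($WindowMinutes)

$filters = @(
    # AD FS Admin log: errors (level 2) and warnings (level 3) from the federation service
    @{ LogName = 'AD FS/Admin'; Level = 2, 3; StartTime = $start; EndTime = $end },
    # Security log: failed logons (4625), e.g. "Unknown user name or bad password"
    @{ LogName = 'Security'; Id = 4625; StartTime = $start; EndTime = $end }
)

$events = foreach ($f in $filters) {
    # Get-WinEvent raises an error when nothing matches; treat that as "no entries"
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

if (-not $events) {
    Write-Output "No AD FS errors or failed logons between $start and $end."
} else {
    # One timeline across both logs, with the first line of each message as a summary
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```
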
  • Hi David,

    I've tested both connection strings. If I try the first connection string I get an "Unknown user name or bad password" error.
    Searching for related threads tells me I need to supply the username with the domain. https://community.dynamics.com/crm/f/117/t/184882

    But if I try to use the second one, I do not get any log entries in the ADFS or Security event log.

    Thanks for your Help

    Regards

    Julian


    Friday, June 23, 2017 7:50 AM
  • Hi, I am experiencing the exact same issue and wondering if you already got it fixed and if you could share. Thanks for your time.
    Wednesday, September 20, 2017 2:10 PM
  • Well, this had to do with ADFS being upgraded from 2.0 to 3.0, which now requires every username to include the domain.

    This command worked in ADFS 2.0:

    CrmSvcUtil.exe /out:DynamicsCRMProxy.cs /url:https://crm.xcorp.com/mycrm/XRMServices/2011/Organization.svc /domain:xcorp /username:userid /password:1234567! /namespace:ns /serviceContextName:DynamicsProxyContext

    But in ADFS 3.0, the same command generated this exception: "ID3242: The security token could not be authenticated or authorized"

    In ADFS 3.0, the user ID must have the domain in it - passing the domain to the domain switch is not enough!

    CrmSvcUtil.exe /out:DynamicsCRMProxy.cs /url:https://crm.xcorp.com/mycrm/XRMServices/2011/Organization.svc /domain:xcorp /username:userid@xcorp.com /password:1234567! /namespace:ns /serviceContextName:DynamicsProxyContext


    Thursday, September 21, 2017 6:54 PM