Dynamics 365 Update 2 (OnPremise) connection issue with IFD

Question
-
Hi all,
I've installed a new CRM 2016 Update 2 (Dynamics 365) on a Windows Server 2012 R2. I also configured ADFS (Windows Server 2016) to authenticate with CRM (IFD) according to this document: https://technet.microsoft.com/en-us/library/gg188600.aspx.
I am trying to connect to the CRM environment using this connection string (using XrmToolBox; other SDK tools also fail):
ServiceUri=https://org.crm.dev.lab/org;AuthType=IFD;Domain=dev;UserName=user;Password=password;LoginPrompt=Never;
(changed some of the info for various reasons)
If I try to connect, I get the following error:
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error 2 20.06.2017 10:56:00 Unable to Login to Dynamics CRM
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error 2 20.06.2017 11:32:09 Source : System.ServiceModel
Method : ReadResponse
Date : 20.06.2017
Time : 11:32:09
Error : ID3242: The security token could not be authenticated or authorized.
Stack Trace : at System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response)
at System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Issue(AuthenticationCredentials authenticationCredentials)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.ClaimsIFDFailOverAuth[T](IServiceManagement`1 servicecfg, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, Int32 depthLevel, Boolean tryNetworkCred)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.CreateAndAuthenticateProxy[T](IServiceManagement`1 servicecfg, Uri ServiceUri, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, String LogString)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.DiscoverOrganizations(Uri discoveryServiceUri, Uri homeRealmUri, ClientCredentials clientCredentials, ClientCredentials deviceCredentials)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.InitCRM2011Service()
Someone on the forum mentioned changing the connection string like this:
ServiceUri=https://org.crm.dev.lab/org;AuthType=IFD;UserName=user@dev.lab;Password=password;LoginPrompt=Never;
But using this connection string I get this error:
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error 2 20.06.2017 11:33:07 Unable to Login to Dynamics CRM
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error 2 20.06.2017 11:33:30 Source : Microsoft.Xrm.Sdk
Method : GetIssuerEndpoint
Date : 20.06.2017
Time : 11:33:30
Error : The authentication endpoint Kerberos was not found on the configured Secure Token Service!
Stack Trace : at Microsoft.Xrm.Sdk.Client.IssuerEndpointDictionary.GetIssuerEndpoint(TokenServiceCredentialType credentialType)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)
at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.ClaimsIFDFailOverAuth[T](IServiceManagement`1 servicecfg, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, Int32 depthLevel, Boolean tryNetworkCred)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.CreateAndAuthenticateProxy[T](IServiceManagement`1 servicecfg, Uri ServiceUri, Uri homeRealm, ClientCredentials userCredentials, ClientCredentials deviceCredentials, String LogString)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.DiscoverOrganizations(Uri discoveryServiceUri, Uri homeRealmUri, ClientCredentials clientCredentials, ClientCredentials deviceCredentials)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.InitCRM2011Service()
I also came across this article https://community.dynamics.com/crm/b/magnetismsolutionscrmblog/archive/2013/09/20/the-authentication-endpoint-kerberos-was-not-found-on-the-configured-secure-token-service but this does not seem to be the case in our environment.
Does anyone have any advice?
Thanks
Julian
Tuesday, June 20, 2017 10:00 AM
All replies
-
Can you check the ADFS Admin event log on the ADFS server? If ADFS fails to authenticate the user, it should write an error message here, though some of the ADFS errors are more useful than others.
Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk
- Proposed as answer by Andrii ButenkoMVP, Moderator Tuesday, June 20, 2017 2:26 PM
- Unproposed as answer by Hüppauff, Julian Friday, June 23, 2017 11:14 AM
Tuesday, June 20, 2017 12:30 PM Moderator -
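One way to run the check suggested in the reply above, as an added example that is not part of the original thread: a PowerShell script, run elevated on the AD FS server, that lists AD FS Admin errors and warnings plus Security audit failures around the failure time taken from the client trace. The default timestamp (from the trace in the question) and the five-minute window are assumptions to adjust.

```powershell
# Added example (not from the thread): correlate a failed CRM IFD login with
# server-side events. Run in an elevated session on the AD FS server.
param(
    # Client-side time of the failure, taken from the CrmServiceClient trace;
    # adjust for time zone and clock skew between client and server.
    [datetime]$FailureTime = (Get-Date '2017-06-20T11:32:09'),
    [int]$WindowMinutes = 5
)

$start = $FailureTime.AddMinutes(-$WindowMinutes)
$end   = $FailureTime.AddMinutes($WindowMinutes)

$filters = @(
    # AD FS Admin channel: Level 2 = Error, 3 = Warning
    @{ LogName = 'AD FS/Admin'; Level = 2, 3; StartTime = $start; EndTime = $end },
    # Security log: keyword 0x10000000000000 = Audit Failure
    @{ LogName = 'Security'; Keywords = 0x10000000000000; StartTime = $start; EndTime = $end }
)

$found = foreach ($filter in $filters) {
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # An empty window is a finding in itself: the request may never
            # have reached this AD FS server, or auditing is not enabled.
            Write-Warning "No matching events in '$($filter.LogName)' between $start and $end"
        }
        else {
            # Missing log, access denied, etc. should not be silently hidden.
            Write-Warning "Could not read '$($filter.LogName)': $($_.Exception.Message)"
        }
    }
}

$found |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```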
Hi David,
I've tested both connection strings. If I try the first connection string, I get an "Unknown user name or bad password" error.
Searching related threads tells me I need to supply the username with the domain: https://community.dynamics.com/crm/f/117/t/184882
But if I try to use the second one, I do not get any log entries within the ADFS or Security event log.
Thanks for your Help
Regards
Julian
- Edited by Hüppauff, Julian Friday, June 23, 2017 7:54 AM
Friday, June 23, 2017 7:50 AM -
Hi, I am experiencing the exact same issue and wondering if you already got it fixed and if you could share. Thanks for your time.
Wednesday, September 20, 2017 2:10 PM
-
Well, this had to do with ADFS being upgraded from 2.0 to 3.0, which now requires every username to include the domain.
This command worked in ADFS 2.0:
CrmSvcUtil.exe /out:DynamicsCRMProxy.cs /url:https://crm.xcorp.com/mycrm/XRMServices/2011/Organization.svc /domain:xcorp /username:userid /password:1234567! /namespace:ns /serviceContextName:DynamicsProxyContext
But in ADFS 3.0, the same command generated this exception: "ID3242: The security token could not be authenticated or authorized"
In ADFS 3.0, the userid is required to have the domain in it - passing the domain to the domain switch is not enough!
CrmSvcUtil.exe /out:DynamicsCRMProxy.cs /url:https://crm.xcorp.com/mycrm/XRMServices/2011/Organization.svc /domain:xcorp /username:userid@xcorp.com /password:1234567! /namespace:ns /serviceContextName:DynamicsProxyContext
Thursday, September 21, 2017 6:54 PM