MS CRM 2011 IFD Configuration

  • Question

  • Hello,

    I am trying to set up claims-based authentication and IFD for MS CRM 2011 and am facing a problem.

    I have 2 servers. 1 for CRM and 1 for ADFS. CRM 2011 installation works fine. The problem comes up when I try to set up claims. 

    I follow the guide, but when I try to open CRM after internal claim configuration, I get a popup window requiring credentials.

    If I click cancel, I am prompted with an IIS error page saying that authentication has failed. If I insert credentials, I get the same prompt 3 times and then I get an error 401 authentication failed.

    I noticed that when I click cancel, the hostname is the address of my adfs server, which means that redirection to adfs works, it just doesn't take me to CRM afterwards. If I disable claims, CRM works fine.

    Thanks in advance.

    Monday, October 3, 2011 12:16 PM

All replies

  • Hi Any-CRM2011-Learner ;)


    Well, I had the same problem. 

    I'm not very sure, but I think there is a problem in the ADFS configuration (relying party trust) or something like that.

    You said that when you click cancel on the logon prompt, the address of the page is from your ADFS (example: https://sts1.contoso.com), so that means CRM 2011 is requesting the authentication from ADFS, but maybe you need to check the relying party trust in ADFS.

    So, my advice is that you follow this guide from page 27 (Configure the AD FS 2.0 server for claims-based authentication)

    Configuring Claim-Based Authentication

    And see page 24 (The CRMAppPool account and the CRM encryption certificate), which says how to give the CRMAppPool account permission on the certificate.


    Good luck, it is not easy... but not impossible.
    Tuertolin :) 

    Wednesday, October 5, 2011 6:51 PM
  • It looks like you are missing the SPN for the ADFS service account. See the whitepaper "Microsoft Dynamics CRM 2011 and Claims-based Authentication", section "Test internal claims-based authentication":

    "If the Microsoft Dynamics CRM Server 2011 Web site again fails to display, you may need to register the AD FS 2.0 server as a ServicePrincipalName (SPN). Rerun the Configure Claims-Based Authentication Wizard and advance to the Specify the security token service page. Note the AD FS 2.0 server in the Federation metadata URL (for example, sts1.contoso.com).

    1.   Open a command prompt.

    2.   Type the following commands: (replace your data in the example command below)

    ·      c:\>setspn -a http/sts1.contoso.com  contoso\crmserver$

    ·      c:\>iisreset

    3.   Retry browsing to the Microsoft Dynamics CRM Server 2011 Web site."

    My Blog | Microsoft Dynamics CRM proposal on stackexchange
    Saturday, October 8, 2011 7:13 PM
  • Had the same issue; disable the loopback check on the ADFS server as mentioned in the Pre-Reqs here: http://support.risualblogs.com/blog/2011/11/01/how-to-set-up-crm-2011-ifd-and-publishing-via-tmg-or-uag/

    • Proposed as answer by Wharf FC Thursday, November 3, 2011 10:33 AM
    Thursday, November 3, 2011 10:33 AM
  • Hi,

     I did all those. But whenever I tried to log in to claims-based CRM, I got a certificate error. It seems like the certificate is issued for a different server, not my CRM server. But I'm testing on one Virtual box and I only have one server @_@. I used a self-signed certificate.

    Monday, July 30, 2012 6:05 AM