ADFS internal authentication does not recognise trusted domain

  • Question

  • Hi

    I am setting up internal claims based authentication. Scenario is we have premise CRM 2013 installed on multiple Azure VMs in domain AAA. We have a VPN to a site in our offices with domain BBB. ADFS is set up in our offices. We've got appropriate certificates and have been able to set up ADFS, claims based authentication and all the claim rule/relying party stuff. It all looks fine as far as we can see.

    But when we create a new user in CRM called BBB\username it fails to connect and get the firstname/last name and gives an error if we save saying domain not reachable. Enabling tracing on CRM shows a message

    Unable to get DNS name of domain BBB: System.Net.Sockets.SocketException (0x80004005): No such host is known

    So CRM appears not to know that it needs to go via ADFS to get the domain data for users in domain BBB.

    I've set up quite a few instances of CRM and IFD, but not in this exact configuration. Any ideas? I'm wondering if it needs some sort of SPN or a DNS entry. 

    I've simplified the situation a little - i.e. we are using SSD offloading and load balancing, but these are not relevant I think. CRM continues to work within the server group.



    Monday, October 27, 2014 5:37 PM

All replies

  • Error code 0x80004005 is 'Access Denied', so you may have a permission issue. Having said that, I wouldn't expect any security on simple DNS lookups, so any permission issues are probably more around AD. What trusts do you have between AAA and BBB?

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Monday, October 27, 2014 7:39 PM
  • Thanks - should have looked at the error code. But that implies the account used cannot access the DNS? We're using a special domain service account (on AAA) to run the CRM App pools, as is recommended.

    There is no trust relationship between domains AAA and BBB - hence using ADFS.

    Does this suggest anything? I will give some thought to permissions.


    Monday, October 27, 2014 7:43 PM
  • Do you see the ADFS authentication page when browsing to the organization URL? If not, you must create a new zone for the domain and point the organization URL to the CRM frontend server.

    Also check the ADFS relying trusts, whether the username is enabled and whether your organization is in the list of identifiers. Also, you must update from federation metadata with success.

    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    Tuesday, October 28, 2014 8:46 AM
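
The checks listed in the last reply (organization URL resolves, relying party trust enabled, organization listed among the identifiers, federation metadata refreshed) can be run from PowerShell on the AD FS server. This is an added example, not part of the thread; the trust name and organization URL are placeholders to replace with your own values.

```powershell
# Run in an elevated PowerShell session on the AD FS server (ADFS module required).
# Placeholder values (assumptions, not taken from the thread):
$TrustName = 'CRM Claims Relying Party'        # display name of the relying party trust
$OrgUrl    = 'https://org.contoso.example/'    # CRM organization URL

$orgHost = ([Uri]$OrgUrl).Host

# 1. Does the organization host name resolve from this machine, and to which address?
#    It should point at the CRM front-end (or the load balancer in front of it).
try {
    Resolve-DnsName -Name $orgHost -Type A -ErrorAction Stop |
        Select-Object Name, IPAddress
} catch {
    Write-Warning "DNS: $orgHost does not resolve here: $($_.Exception.Message)"
}

# 2. Does the relying party trust exist, and is it enabled?
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "No relying party trust named '$TrustName' was found." }
if (-not $rp.Enabled) { Write-Warning "Relying party trust '$TrustName' is disabled." }

# 3. Is the organization URL in the trust's identifier list?
#    Compare case-insensitively and ignore a trailing slash.
$want  = $OrgUrl.TrimEnd('/')
$match = $rp.Identifier | Where-Object { $_.TrimEnd('/') -ieq $want }
if (-not $match) {
    Write-Warning "'$OrgUrl' is not among the trust identifiers. Current identifiers:"
    $rp.Identifier
}

# 4. When was the federation metadata last checked and last applied?
$rp | Format-List Name, Enabled, MetadataUrl, MonitoringEnabled,
                  AutoUpdateEnabled, LastMonitoredTime, LastUpdateTime

# 5. Re-pull the metadata from MetadataUrl. This changes the trust, so it is left
#    commented out; it raises an error if the metadata endpoint cannot be reached.
# Update-AdfsRelyingPartyTrust -TargetName $TrustName
```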