CRM 2013 ADFS 3.0 IFD

  • Question

  • Hi, 

    I have followed this article to configure my setup http://www.interactivewebs.com/blog/index.php/crm-2013/crm-2013-ifd-setup-with-adfs-3-0-on-windows-2012-r2-hosted-setup/ 

    I have two issues I am trying to fix.  

    1.  When I use the internal URL https://servername/org it's prompting me for the ADFS user credentials and not using Domain SSO.

    2.  When using the external URL https://crm.company.com it's also giving me a popup dialog box for credentials instead of the forms page.  I followed the steps to edit ADFS for forms per the guide. 

    Enable Forms Authentication

    In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

    1. Log on to the AD FS server as an administrator.

    2. Open the AD FS management console and click Authentication Policies.

    3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

    4.  (check) Forms Authentication.

    Wednesday, September 10, 2014 8:25 PM
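
The console steps quoted in the question can also be checked and applied from PowerShell. This is an added example, not part of the original post or the linked guide; it assumes the ADFS PowerShell module on the Windows Server 2012 R2 AD FS server, and it assumes forms authentication is wanted for both intranet and extranet while the methods already enabled are kept.

```powershell
# Added example (not from the thread). Run in an elevated session on the AD FS server.
Import-Module ADFS

$method = 'FormsAuthentication'
$policy = Get-AdfsGlobalAuthenticationPolicy

# Show which primary authentication methods are enabled per access location.
"Intranet: {0}" -f ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
"Extranet: {0}" -f ($policy.PrimaryExtranetAuthenticationProvider -join ', ')

# Build the new lists from the existing ones so Windows or certificate
# authentication stays enabled where it already was.
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
$extranet = @($policy.PrimaryExtranetAuthenticationProvider)
$changed  = $false

if ($intranet -notcontains $method) { $intranet += $method; $changed = $true }
if ($extranet -notcontains $method) { $extranet += $method; $changed = $true }

if ($changed) {
    # Assumption: forms authentication is enabled for both locations.
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider $intranet `
        -PrimaryExtranetAuthenticationProvider $extranet

    # Read the policy back to confirm what is now in effect.
    Get-AdfsGlobalAuthenticationPolicy |
        Select-Object PrimaryIntranetAuthenticationProvider,
                      PrimaryExtranetAuthenticationProvider
} else {
    'Forms authentication is already enabled for intranet and extranet.'
}
```
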

All replies

  • Did you set the SPN?

    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    Thursday, September 11, 2014 9:32 AM
  • I did not
    Thursday, September 11, 2014 12:44 PM
  • It should fix your issue http://fkbase.info/node/156

    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    Thursday, September 11, 2014 1:06 PM
  • Thanks Daniel I will give it a read and let you know, I appreciate the fast reply.  
    Thursday, September 11, 2014 1:27 PM
  • So I created both an ADFS and a CRM SPN, reset everything, and I still get the popup for the internal URL.  Actually it's worse now, I can't even log in. I figured out how to delete the SPNs and reset everything again.

    When I go to https://servername/org 



    setspn -s http/adfs.domain.com Domain\ADFS$  

    setspn -s http/crm2013 domain\CRMAppPool 



    • Edited by pslager Thursday, September 11, 2014 8:34 PM
    Thursday, September 11, 2014 8:20 PM
  • Hi,

    Check for duplicate records with SETSPN /x and http://support.microsoft.com/kb/321044/en-us

    You need only the SPN for your web service account CRMAppPool, and only if you run an NLB cluster.

    To delete an SPN: http://social.technet.microsoft.com/Forums/de-DE/542f3b30-41f6-4299-b373-5b1f3dc16269/delete-spn?forum=identitylifecyclemanager

    In ADFS, can you update the metadata successfully?


    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS



    Thursday, September 11, 2014 9:09 PM
  • I ran SETSPN /x; no duplicates existed. 

    We are not running NLB at all.  So do I only need the Auth.company.com SPN?  

    I already deleted the SPNs so I can at least sign in. 

    What do you mean by update the metadata successfully? Sorry, I'm not familiar with that process.  Is this what you mean: http://technet.microsoft.com/en-us/library/adfs2-help-how-to-manually-update-a-trust-from-federation-metadata(v=ws.10).aspx ? 

    When I go to the CRM deployment administrator, right-click the org and select Browse, I get an error.  Then when I look at the ADFS admin logs on the ADFS server it shows this.  Basically it's trying to load the wrong URL; test is the name of the CRM org, and the actual URL should be https://crm.company.com. Not sure why it's trying to load test. There must have been a mistake in the configuration; it's been a while since I configured this, so I'm not really sure where.  

    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    wsfed 

    Relying Party: 
    https://test.company.com/ 

    Exception details: 
    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
       at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


    • Edited by pslager Friday, September 12, 2014 2:17 PM
    Friday, September 12, 2014 2:07 PM
  • Hi,

    Yes, this is what I mean: http://technet.microsoft.com/en-us/library/adfs2-help-how-to-manually-update-a-trust-from-federation-metadata(v=ws.10).aspx

    It's correct. When you browse via deployment and have already set up IFD and claims, then it is the correct URL.


    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    Friday, September 12, 2014 2:46 PM
  • You don't need auth.domain.com as an SPN; you need your ADFS URL to be set up against your CRMAppPool account. But in all standalone it should run without an SPN.

    I think this is your ADFS URL: https://adfs.company.com

    So for external access you need two IPs, one for the CRM and one for the ADFS URL.


    gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    Friday, September 12, 2014 3:08 PM