CRM 2013 ADFS 3.0 IFD

Question
-
Hi,
I have followed this article to configure my setup http://www.interactivewebs.com/blog/index.php/crm-2013/crm-2013-ifd-setup-with-adfs-3-0-on-windows-2012-r2-hosted-setup/
I have two issues I am trying to fix.
1. When I use the internal URL https://servername/org it's prompting me for the ADFS user credentials and not using domain SSO.
2. When using the external URL https://crm.company.com it's also giving me a popup dialog box for credentials instead of the forms page. I followed the steps to edit ADFS for forms per the guide.
Enable Forms Authentication
In AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.
1. Log on to the AD FS server as an administrator.
2. Open the AD FS management console and click Authentication Policies.
3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.
4. (check) Forms Authentication.
Wednesday, September 10, 2014 8:25 PM
All replies
-
Did you set the SPN?
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS
Thursday, September 11, 2014 9:32 AM -
I did not.
Thursday, September 11, 2014 12:44 PM
-
It should fix your issue http://fkbase.info/node/156
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS
Thursday, September 11, 2014 1:06 PM -
Thanks Daniel, I will give it a read and let you know. I appreciate the fast reply.
Thursday, September 11, 2014 1:27 PM
-
So I created both an ADFS and a CRM SPN, reset everything, and I still get the popup for the internal URL. Actually it's worse now, I can't even log in. I figured out how to delete the SPNs and reset everything again.
When I go to https://servername/org
setspn -s http/adfs.domain.com Domain\ADFS$
setspn -s http/crm2013 domain\CRMAppPool
- Edited by pslager Thursday, September 11, 2014 8:34 PM
Thursday, September 11, 2014 8:20 PM -
Hi,
Check for duplicate records with SETSPN /x and http://support.microsoft.com/kb/321044/en-us
You need only the SPN for your web service account CRMAppPool, and only if you run an NLB cluster.
To delete the SPN: http://social.technet.microsoft.com/Forums/de-DE/542f3b30-41f6-4299-b373-5b1f3dc16269/delete-spn?forum=identitylifecyclemanager
ADFS: can you update the metadata successfully?
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS
- Edited by Daniel Ovadia Thursday, September 11, 2014 9:15 PM
Thursday, September 11, 2014 9:09 PM -
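As an added example (not code from this thread), a PowerShell check for the two things asked above: whether duplicate SPNs exist (setspn -X) and whether the HTTP SPNs for the CRM app pool are actually registered. The account name CONTOSO\CRMAppPool and the host names are placeholders; substitute your own.

```powershell
# Added example, not from the thread. Placeholder names are assumptions.
$crmAccount   = 'CONTOSO\CRMAppPool'                       # CRM web service (app pool) account
$expectedSpns = @('http/crm2013', 'http/crm.company.com')  # short host and external CRM name

# 1. Duplicate SPNs break Kerberos: clients fall back to NTLM and users get
#    credential prompts instead of SSO. setspn -X searches the forest and
#    reports how many groups of duplicate SPNs it found.
$dupReport = setspn -X 2>&1 | Out-String
if ($dupReport -match 'found (\d+) group') {
    if ([int]$Matches[1] -gt 0) {
        Write-Warning "Duplicate SPNs found, fix these first:`n$dupReport"
    } else {
        Write-Host 'No duplicate SPNs in the forest.'
    }
} else {
    Write-Warning "Could not parse setspn -X output:`n$dupReport"
}

# 2. Each expected SPN must be registered on the account the CRM app pool runs as.
#    setspn -Q prints 'Existing SPN found!' together with the owning object,
#    or 'No such SPN found.' when nothing has it.
foreach ($spn in $expectedSpns) {
    $q = setspn -Q $spn 2>&1 | Out-String
    if ($q -match 'Existing SPN found') {
        Write-Host "$spn is registered:`n$q"
    } else {
        Write-Warning "$spn is not registered. To add it: setspn -S $spn $crmAccount"
    }
}

# 3. List everything registered on the app-pool account for a final review.
setspn -L $crmAccount
```

Run it in an elevated PowerShell on a domain-joined machine; setspn -S (used in the hint) checks for duplicates before adding, unlike -A.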
I ran SETSPN /x; no duplicates existed.
We are not running NLB at all. So do I only need the Auth.company.com SPN?
I already deleted the SPNs so I can at least sign in.
What do you mean by "update the metadata successfully"? Sorry, I'm not familiar with that process. Is this what you mean: http://technet.microsoft.com/en-us/library/adfs2-help-how-to-manually-update-a-trust-from-federation-metadata(v=ws.10).aspx ?
When I go to the CRM deployment administrator, right-click the org and select Browse, I get an error. Then when I look at the ADFS admin logs on the ADFS server it shows this. Basically it's trying to load the wrong URL: test is the name of the CRM org, the actual URL should be https://crm.company.com. Not sure why it's trying to load test; there must have been a mistake in the configuration. It's been a while since I configured this, so not really sure where.
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
https://test.company.com/
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
- Edited by pslager Friday, September 12, 2014 2:17 PM
Friday, September 12, 2014 2:07 PM -
Hi,
Yes, this is what I mean: http://technet.microsoft.com/en-us/library/adfs2-help-how-to-manually-update-a-trust-from-federation-metadata(v=ws.10).aspx
It's correct: when you browse via deployment and have already set up IFD and claims, then it is the correct URL.
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS
Friday, September 12, 2014 2:46 PM -
You don't need auth.domain.com as the SPN; you need your ADFS URL to be set up against your CRMAppPool account. But in a standalone setup it should all run without an SPN.
I think this is your ADFS URL: https://adfs.company.com
So for external access you need two IPs, one for CRM and one for the ADFS URL.
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS
Friday, September 12, 2014 3:08 PM