Remove From My Forums

CRM 2013 ADFS 3.0 IFD

Question
0

Sign in to vote

Hi,

I have followed this article to configure my setup http://www.interactivewebs.com/blog/index.php/crm-2013/crm-2013-ifd-setup-with-adfs-3-0-on-windows-2012-r2-hosted-setup/

I have two issues I am trying to fix.

1. When i use the internal URL https://servername/org its prompting me for the ADFS user credentials and not using Domain SSO

2. When using the External URL https://crm.company.com its also giving me a popup dialog box for credentials instead of the forms paged. I followed the steps to edit ADFS for forms per the guide.

Enable Forms Authentication

AD FS in Windows Server 2012 R2, forms authentication is not enabled by default.

1. Log on to the AD FS server as an administrator.

2. Open the AD FS management console and click Authentication Policies.

3. Under Primary Authentication, Global Settings, Authentication Methods, click Edit.

4. (check) Forms Authentication.

Wednesday, September 10, 2014 8:25 PM

All replies

0

Sign in to vote

did you set spn?
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

Thursday, September 11, 2014 9:32 AM
0

Sign in to vote

I did not

Thursday, September 11, 2014 12:44 PM
0

Sign in to vote

It should fix your issue http://fkbase.info/node/156
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

Thursday, September 11, 2014 1:06 PM
0

Sign in to vote

Thanks Daniel I will give it a read and let you know, I appreciate the fast reply.

Thursday, September 11, 2014 1:27 PM
0

Sign in to vote
So i created both a ADFS and CRM SPN reset everything and I still get the popup for internal URL. Actually its worse now I cant even login I figured out how to delete the SPNS and reset everything again.

When I go to https://servername/org

setspn -s http/adfs.domain.com Domain\ADFS$

setspn -s http/crm2013 domain\CRMAppPool
- Edited by pslager Thursday, September 11, 2014 8:34 PM
Thursday, September 11, 2014 8:20 PM
0

Sign in to vote
Hi,

check for duplicate records SETSPN /x and http://support.microsoft.com/kb/321044/en-us

You need only the spn for your Webservice account CRMAppPool and only if you run NLB cluster..

To delte spn http://social.technet.microsoft.com/Forums/de-DE/542f3b30-41f6-4299-b373-5b1f3dc16269/delete-spn?forum=identitylifecyclemanager

adfs can you update the metadata successfully?

gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS
- Edited by Daniel Ovadia Thursday, September 11, 2014 9:15 PM
Thursday, September 11, 2014 9:09 PM
0

Sign in to vote
I ran SETSPN/x no duplicated existed.

We are not running NLB at all. So do I only need the Auth.company.com SPN?

I already deleted the SPN's so I can at least sign in.

What do you mean update the metadata successfully sorry not familiar with that process. Is this what you mean http://technet.microsoft.com/en-us/library/adfs2-help-how-to-manually-update-a-trust-from-federation-metadata(v=ws.10).aspx ?

When I go to the CRM deployment administrator right click the org and select browse I get an error. Then When I look ad the ADFS admin logs on the ADFS server it shows this. Basically its trying to load the wrong URL test is the name of the CRM org the actual URL should be https://crm.company.com not sure why its trying to load test there must have been a mistake in the configuration its been a while since I configured this so not really sure where.
Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
https://test.company.com/

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
- Edited by pslager Friday, September 12, 2014 2:17 PM
Friday, September 12, 2014 2:07 PM
0

Sign in to vote

Hi,

yes this I mean http://technet.microsoft.com/en-us/library/adfs2-help-how-to-manually-update-a-trust-from-federation-metadata(v=ws.10).aspx

Its correct when u browse via deployment and already setted up ifd and claims then it is the correct url.
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

Friday, September 12, 2014 2:46 PM
0

Sign in to vote

you dont need auth.domain.com as spn you need your adfs url to be setup against your crmapppool account. but in all standalone it should run without spn.

i think this is your adfs url: https://adfs.company.com

so you need from access external two ip one for crm and one for adfs url
gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

Friday, September 12, 2014 3:08 PM

Asked by:

CRM 2013 ADFS 3.0 IFD

Question

All replies