Problem with changing the AD FS token signing certificate for CRM 2011

  • Question

  • When I swap the ADFS token signing certificate in ADFS management console, CRM 2011 will no longer authenticate users via IFD (get secondary logon box), toggle the certificate back and CRM starts working again. I've tried restarting services, restarting the server but no joy

    Adfs and crm are on the same server but on different iis ports. The new certificate is based on the webserver template and has a subject name less than 128 characters; the private key has been shared with the adfs service account (network service) and, for good measure, the crm application pool service account. The crm web site uses a separate wildcard certificate also used for the adfs service communications.

    I've looked at these resources:

    AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates http://social.technet.microsoft.com/wiki/contents/articles/2554.aspx

    Enabling AD FS 2.0 token signing http://technet.microsoft.com/en-us/library/gg188574.aspx - I *haven't* set this

    CRM trace: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

    Eventid: 77, AD FS 2.0 Tracing Encountered error during federation passive sign-in using SSO token.Exception details:Microsoft.IdentityServer.Web.SingleSignOnTokenException: MSIS7006: The single sign on token is not valid. at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken) at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    Eventid: 52, AD FS 2.0 Tracing. Security token is expired. Exception details:ID4255: The SecurityToken is rejected because the validation time is out of range. ValidTo: '15/02/2012 18:59:36' ValidFrom: '15/02/2012 10:59:36' Current time: '22/03/2012 15:17:29'

    This last event is weird since this certificate with that specified start and end dates is not present in the adfs management tool under certificates (nor under adfs powershell Get-ADFSCertificate)

    It would be great if someone could confirm the steps required to get this working and answer these questions:

    a) Since TrustedIssuerCertificateValidation is not set, does anything need to be done in crm deployment admin (like run through the claims based auth wizard again)?

    b) The [MSCRM_CONFIG].[dbo].[Certificates] database has two entries of type 'TrustedIssuer' for the same 'Name'. Is this where the expired certificate event log entry comes from?

    c) Is there a CRM powershell command that exposes the details of the certificates from the CRM certificates table?

    Many thanks

    David

    Thursday, March 22, 2012 7:19 PM

All replies

  • Just to add that after leaving the new certificate in place overnight all is working. 

    HOWEVER someone please give a view on what is the missing link re synchronising the new certificate to CRM. I don't want to try this on our production system until I know what is going on

    Thanks

    David

    Friday, March 23, 2012 9:59 AM
  • This is the advice from Microsoft support, a KB is likely to be published quite soon:

    1) In CRM server go to Deployment Manager and then disable the Claims Based Authentication.

    2) Do an IISReset on CRM server

    3) Re-configure Claims-Based Authentication

    4) Re-configure IFD through deployment manager.

    5) Do an IISRESET again on CRM server

    6) In ADFS management console in ADFS server, update the corresponding Federation Metadata URLs

    • Proposed as answer by The_Mr_Clean Monday, May 28, 2012 3:34 PM
    Thursday, April 12, 2012 9:35 AM
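An added check (not from this thread or from Microsoft support) for the state the steps above are meant to fix: it reads the token-signing certificates AD FS publishes in its federation metadata, which is what the CRM claims-based authentication wizard imports as its TrustedIssuer entries, and reports which of the AD FS server's current token-signing certificates appear there. The federation service name is a placeholder, and the script is meant to be run on the AD FS server where Get-ADFSCertificate is available.

```powershell
# Added diagnostic, not from this thread or from Microsoft support. Run on the AD FS
# server; it needs the Microsoft.Adfs.PowerShell snap-in. $AdfsHost is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$AdfsHost = 'adfs.example.com'   # placeholder: replace with your federation service name

function Get-FederationSigningCertificates {
    param([string]$MetadataUrl)
    # Federation metadata is a SAML EntityDescriptor; each signing key is published as
    # KeyDescriptor use="signing" holding a base64 X509Certificate inside ds:KeyInfo.
    [xml]$md = (New-Object System.Net.WebClient).DownloadString($MetadataUrl)
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $seen = @{}
    foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        # The same certificate is repeated under several role descriptors; report it once.
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
        }
    }
}

function Test-TokenSigningPublished {
    param([string]$FederationHost)
    $url = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"
    $published = @(Get-FederationSigningCertificates -MetadataUrl $url)
    # Compare with the certificates AD FS actually signs tokens with right now.
    foreach ($live in (Get-ADFSCertificate -CertificateType Token-Signing)) {
        $match = $published | Where-Object { $_.Thumbprint -eq $live.Thumbprint }
        $expires = $null
        if ($match) { $expires = $match.NotAfter }
        New-Object PSObject -Property @{
            Thumbprint = $live.Thumbprint
            IsPrimary  = $live.IsPrimary
            InMetadata = [bool]$match
            NotAfter   = $expires
        }
    }
}

Test-TokenSigningPublished -FederationHost $AdfsHost | Format-Table -AutoSize
```

The thumbprint marked IsPrimary is the one CRM's TrustedIssuer entries must contain; when CRM only holds the previous one, the CRM trace reports ID4175 until the claims-based authentication wizard (step 3 above) re-imports the certificates from this metadata.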
  • This is the advice from Microsoft support, a KB is likely to be published quite soon:

    1) In CRM server go to Deployment Manager and then disable the Claims Based Authentication.

    2) Do an IISReset on CRM server

    3) Re-configure Claims-Based Authentication

    4) Re-configure IFD through deployment manager.

    5) Do an IISRESET again on CRM server

    6) In ADFS management console in ADFS server, update the corresponding Federation Metadata URLs

    Thank you, just tried this after scratching our heads why ADFS and CRM had stopped working - we installed it a year ago and the certs self-renewed but obviously needed to do this.

    Monday, May 28, 2012 3:41 PM
  • This is the advice from Microsoft support, a KB is likely to be published quite soon:

    1) In CRM server go to Deployment Manager and then disable the Claims Based Authentication.

    2) Do an IISReset on CRM server

    3) Re-configure Claims-Based Authentication

    4) Re-configure IFD through deployment manager.

    5) Do an IISRESET again on CRM server

    6) In ADFS management console in ADFS server, update the corresponding Federation Metadata URLs

    Thank you very much!!!!!! Worked in a minute...

    BR, Damjan


    Lpd

    Tuesday, January 15, 2013 11:07 AM