locked
Problem with setting up Claims Based Configuration (going for IFD) RRS feed

  • Question

  • Good morning all (and sorry for the long post)!
    I'm attempting to setup CRM2011 as an IFD in our environment - upgrading from CRM 4.0, and I've run across a slight problem:
    I've installed the CRM2011 and I can see the page on the localhost. As soon as I configure Claims Based Authentication on the site, it says:
    Not Authorized
    HTTP Error 401. The requested resource requires user authentication.
    If I remove the Claims Based Authentication it works just fine (from the local server host)
    I've been using http://www.youtube.com/watch?v=ZD5qaa-G99E as a guideline to try and get this configured (with the exception of running both roles on the same machine), and have gotten up to the point of testing with little incident, but am drawing a blank with why I'm having this problem. I can access the federation metadata url for both the ADFS and the CRM, but when I browse to https://crm2011.domain.com:5555, it tries to authenticate to server-name.domain.local and (obviously) fails.
    I've setspn for the adfs server service account and the crm hostnames (using their respective FQDN). I've also granted security permissions to the CRM Web Application Pool Identity for the certificate being used by the website.
    In the event viewer, each time I attempt to browse to the site, I see (under "Applications and Services Logs -> AD FS2.0 -> Admin"):
    Event ID 323
    The Federation Service could not authorize token issuance for the caller 'DOMAIN\<user>'
    on behalf of the subject 'DOMAIN\<user>'
    to the relying party 'https://crm.domain.com:5555/'. Please see event 501 with the same instance id for the caller identity. Please see event 502 with the same instance id for OnBehalfOf identity, if any.
    Exception details: 
    Microsoft.IdentityServer.Service.IssuancePipeline.OnBehalfOfAuthorizationException: MSIS5009: The impersonation authorization failed for caller identity 
    I've googled/followed up on various forums to see if anything suggested might help. I'm going to start a server reboot and head to bed.. I'll update more tomorrow if the reboot (and rest) helped me solve anything.
    If anybody has thoughts, though, I welcome the suggestions!
    System Information:
    CRM 2011 vanilla install on fresh Windows 2008 R2
     - URL: https://crm.domain.com:5555*
     - SQL 2005 located on seperate machine
     - Email Router not currently installed, however once this issue is resolved it might be.
     - All CRM Roles configured to run on single server
     - Configured to run Claims-Based Authentication with *.domain.com certificate, pointing to ADFS metadata on same system
      - Internal Federation Metabase xml page is viewable with no errors or problems 
    ADFS 2.0 vanilla install on same server as CRM 2011
     - URL: https://adfs.domain.com*
     - Installed as a Standalone Server
     - Added Relying Party Trust and configured with Claim Rules for Passing the Primary SID, the UPN, and Transforming the Windows Account Name to Name (as outlined in above Youtube video)
     - Updated the Active Directory Claims Provider TrustClaim Rules to send the UPN information (via LDAP) from the Active Directory to the Claims
     - No problem viewing the metabase xml page
    Monday, October 3, 2011 10:21 AM

All replies

  • Did you manage to resolve this,I have exactly the same issue. as soon as claims based is configured I get the 401 error about authentication.
    Thursday, April 19, 2012 10:14 AM