ADFS 3.0 (ADFS 2.2) Relying Party Keeps Prompting For Credentials

  • Question

  • I have ADFS 3.0 (or ADFS 2.2 in some places) and I have Dynamics CRM 2011 running in IFD mode with two other ASP.NET Relying Parties (RP).  If I log into each RP prior to logging into CRM 2011, everything is fine.  If I log into CRM 2011 prior to any of the RPs, the RP will just prompt for credentials. Here are some scenarios:

    - CRM, RP1, RP2

    --- CRM logs in fine

    --- RP1 continually prompts for credentials

    --- RP2 continually prompts for credentials

    - RP1, RP2, CRM

    --- RP1 logs in fine

    --- RP2 logs in fine

    --- CRM logs in fine

    - RP1, CRM, RP2

    --- RP1 logs in fine

    --- CRM logs in fine

    --- RP2 continually prompts for credentials

This setup works perfectly under ADFS 2.0.  I watched the Fiddler traces and everything looks fine.  CRM is manipulating the claims auth token.  If I change the setting and make each relying party require its own sign-in, everything works seamlessly.  To better explain the setup:

    1 ADFS Server

    1 CRM 2011 Server configured for IFD.

1 Web server with two ASP.NET applications.  They are configured to use single sign-on as described by the CRM 2011 SDK.

    Again, this works perfectly fine in ADFS 2.0, just not ADFS 3.0.  The interesting part is that if I go to RP1, it prompts me for credentials once and loads.  Then if I load RP2, it does not prompt for credentials and it loads fine.  Then I load CRM, again it does not prompt me for credentials and loads fine and everything plays nicely together. 

If I load CRM first, it prompts me for credentials and then loads fine.  Then I go to RP1 and it is a continuous loop of credential prompting.  Then I go to RP2, same problem as RP1.  CRM still functions fine through all of this.

    Now the case of RP1, CRM, RP2.  I load RP1 and it prompts for credentials then loads.  Then I go to CRM, it does not prompt for credentials and loads fine.  Then I go to RP2 and it is a continuous prompt for credentials.  RP1 and CRM still work seamlessly together.

    So this must have something to do with CRM altering the token, or why would RP1, RP2, CRM work correctly?

    Thanks for any help!

    Monday, March 24, 2014 2:02 PM
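The symptom described in the question (an RP that keeps sending the browser back to the ADFS sign-in page even though ADFS has just issued a token) has a recognizable shape in a Fiddler trace. The following is an added example, not code from the original thread: it walks a constructed, Fiddler-style list of requests, groups WS-Federation passive sign-in redirects by relying-party realm (`wtrealm`), and flags realms whose token post-back is answered with yet another sign-in redirect. The hostnames, realm values, the `/adfs/ls/` endpoint path and the loop threshold are assumptions.

```python
"""Spot WS-Federation sign-in loops in a browser trace.

Added example for the thread above, not the poster's code. The trace is
constructed; hostnames, realms, the ADFS endpoint path and LOOP_THRESHOLD
are assumptions.
"""
from collections import Counter
from urllib.parse import parse_qs, quote, urlparse

ADFS_SIGNIN_PATH = "/adfs/ls/"          # assumed passive sign-in endpoint path
LOOP_THRESHOLD = 3                       # assumed: more sign-in redirects than this per realm
REDIRECT_STATUSES = {301, 302, 303, 307}


def signin_url(realm):
    """Build the ADFS passive sign-in URL a WS-Fed RP redirects to (assumed STS host)."""
    return "https://sts.example.com" + ADFS_SIGNIN_PATH + "?wa=wsignin1.0&wtrealm=" + quote(realm, safe="")


# Constructed trace: (method, url, status, Location header or None).
# CRM signs in once and is done; RP1 and RP2 are bounced back to ADFS after
# every token post-back, which is the "continuous prompt" the thread describes.
CRM, RP1, RP2 = "https://crm.example.com/", "https://rp1.example.com/", "https://rp2.example.com/"
TRACE = [
    ("GET", CRM, 302, signin_url(CRM)),
    ("GET", signin_url(CRM), 200, None),
    ("POST", CRM, 302, CRM),                 # token accepted, session cookie set
    ("GET", CRM, 200, None),
    ("GET", RP1, 302, signin_url(RP1)),
    ("GET", signin_url(RP1), 200, None),
    ("POST", RP1, 302, signin_url(RP1)),     # token posted, RP bounces back to ADFS
    ("GET", signin_url(RP1), 200, None),
    ("POST", RP1, 302, signin_url(RP1)),
    ("GET", signin_url(RP1), 200, None),
    ("POST", RP1, 302, signin_url(RP1)),
    ("GET", RP2, 302, signin_url(RP2)),
    ("GET", signin_url(RP2), 200, None),
    ("POST", RP2, 302, signin_url(RP2)),
]


def signin_realm(url):
    """Return the wtrealm of an ADFS passive sign-in URL, or None if url is not one."""
    parsed = urlparse(url)
    if not parsed.path.startswith(ADFS_SIGNIN_PATH):
        return None
    query = parse_qs(parsed.query)
    if query.get("wa", [None])[0] != "wsignin1.0":
        return None
    return query.get("wtrealm", [None])[0]


def count_signin_redirects(trace):
    """How many times each realm sent the browser to the ADFS sign-in endpoint."""
    counts = Counter()
    for _method, _url, status, location in trace:
        if status in REDIRECT_STATUSES and location:
            realm = signin_realm(location)
            if realm:
                counts[realm] += 1
    return counts


def rejected_postbacks(trace):
    """Realms that answered the token POST-back with another sign-in redirect.

    That pattern means the RP did not accept the token ADFS just issued (or
    failed to persist its own session cookie), rather than ADFS refusing to
    authenticate the user.
    """
    rejected = Counter()
    for method, url, status, location in trace:
        if method != "POST" or status not in REDIRECT_STATUSES or not location:
            continue
        realm = signin_realm(location)
        parsed = urlparse(url)
        if realm and realm == f"{parsed.scheme}://{parsed.netloc}/":
            rejected[realm] += 1
    return rejected


def find_signin_loops(trace, threshold=LOOP_THRESHOLD):
    """Realms stuck in a loop: too many sign-in redirects, or any bounced post-back."""
    redirects = count_signin_redirects(trace)
    rejected = rejected_postbacks(trace)
    return sorted(r for r in redirects if redirects[r] > threshold or rejected.get(r, 0) > 0)


if __name__ == "__main__":
    for realm in find_signin_loops(TRACE):
        print(f"sign-in loop: {realm} "
              f"({count_signin_redirects(TRACE)[realm]} redirects, "
              f"{rejected_postbacks(TRACE)[realm]} bounced post-backs)")
```

The post-back rule is the useful one: a realm whose POST of the token is immediately met with another redirect to `wsignin1.0` is the RP refusing or losing what ADFS issued, so the place to look is what the RP received and set (the cookies on that POST and the `Set-Cookie` headers in its response), not the ADFS login page. In the thread's scenario the same RP accepts the token when it is visited before CRM, so comparing the two traces at that POST is the first check to make.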

All replies

  • Well, after tinkering and tinkering and getting nothing to work, we changed the ADFS server back to Windows Server 2012 (not R2) running ADFS 2.1.  Everything works like a dream.  So, basically, CRM 2011 does not work well with ADFS 3.0 (ADFS 2.2).  Or, more specifically, ADFS 3.0 (ADFS 2.2) has just made way too many changes that do not work well with CRM 2011.
    Thursday, April 3, 2014 8:23 PM