ADFS and CRM 2011 on the same server, 2 IPs

  • Question

  • Has anyone been able to get ADFS and CRM working on the same server, with both CRM and ADFS using port 443?

    I have 2 NICs with different IPs; each IP is assigned to a specific site so that I can use port 443 for both the default site and the CRM site. When I have it set this way I get an error saying the relying party is:

    MSIS7007: The requested relying party trust 'https://myrp.com/_trust' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
    Additional data: 962d5ed1-c828-4c8e-83f5-cc7a6a26084e

    When I change the CRM port to 444 everything works fine. How is this not working if I have my DNS set up so that https://myrp.com points to the NIC bound to CRM, not the ADFS site?

    My client doesn't want to put ADFS on another box and does not want a port in the URL.

    Thursday, May 5, 2011 12:05 AM

Answers

  • I went ahead with the reinstall; I created a 444 HTTPS binding before I did the install, and when I was selecting the certificate I was able to change to port 444 instead of 443. I checked the ADFS properties with PowerShell to verify the port was 444, and it was.

    After doing this everything worked like it should, all the way through to logging onto the site with claims.

    Thank you so much for all your help and for pointing me in the right direction.

    Paul

    • Marked as answer by Jim Glass Jr Thursday, May 12, 2011 6:01 PM
    Thursday, May 12, 2011 4:53 PM

All replies

  • Hi,

    I can try to help you. Can you please provide the following information? Assuming that your adfs hostname is adfs.contoso.com and your CRM root domain is also contoso.com (where the external domain is auth.contoso.com):

    1. What do you see when accessing https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml? Does the metadata have information about your ADFS or CRM?
    2. What do you see when accessing https://auth.contoso.com/federationmetadata/2007-06/federationmetadata.xml? Does the metadata have information about your ADFS or CRM?
    3. What are the identifiers listed for the CRM relying party in ADFS? Do they match your CRM deployment, i.e. the org URL(s), external domain (e.g. auth.contoso.com), discovery service (e.g. dev.contoso.com)? If this looks more like the ADFS endpoints, then the machine isn't handling the two requests properly and is mixing them up.
    4. You should be accessing your web client with https://org.contoso.com and no other URL. Make sure that the "org" matches exactly the unique name of your org. Aliasing will not work.

    Thanks,
    Matios

    Friday, May 6, 2011 11:37 PM
  • I have been out of the office, sorry for the slow response.

    When you say I should be accessing the site with https://org.contoso.com, that is what I access externally, but internally I have it set to https://crm.contoso.com. crm.contoso.com is the identifier for the relying party trust showing for claims.

    The funny thing I see this morning, though, is that now when I hit the CRM metadata it is showing ADFS information. It did not do this last week; it was showing the CRM information. I am going to have to fix this first before I can get back to the original issue. Not sure why it's showing the wrong metadata. I have reconfigured claims in CRM and the CRM URL is still showing ADFS info.

    Wednesday, May 11, 2011 3:01 PM
  • P.Sutt,

    In my experience I have not seen this work if we have ADFS and CRM on one box with the same port (even if you bind them with different IPs).

    You will have to spare another port for ADFS if you cannot install ADFS on a different box. Creating port 444 for ADFS will let you use 443 for CRM, and this way no one will have to type the port number while using the CRM URL.

    Here is what you can do.

    1. Configure ADFS on 443, then while adding the certificate to the ADFS website change the port to 444.

    2. Run the following command in PowerShell to ensure the port is changed:

    Set-AdfsProperties -HttpsPort 444

    3. Now configure CRM to use 443.

    4. Proceed with the claims configuration via Deployment Manager, and when it asks for your ADFS URL make sure you type the URL as https://adfs.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml

    I guess now this should fix the issue.

    So, we are simply configuring ADFS on 444 and not on 443. This way users won't have to type the port while using the CRM website.

    Hope this helps.


    Kaustubh Giri

    Thursday, May 12, 2011 1:04 PM
  • Kaustubh Giri,

    This would work great if I can get it working that way. After I changed the ADFS port to 444 and the port in the binding, I get a 404 when accessing:

    https://sts1.mydomain.ca:444/FederationMetadata/2007-06/FederationMetadata.xml

    These are my ADFS properties:

    HttpPort     : 80
    HttpsPort    : 444
    Identifier   : http://sts1.mydomain.ca/adfs/services/trust

    Is there a step missing perhaps?

    Thanks!


    Thursday, May 12, 2011 2:44 PM
  • P.Sutt,

    Looks like you have the correct configuration. Have you tried resetting IIS?
    You might want to remove the 444 binding on the ADFS website and re-add it. Also apply the certificate.

    Hope this works


    Kaustubh Giri
    Thursday, May 12, 2011 3:19 PM
  • I had tried the above before. Looking in the ADFS logs I see errors after changing the port. I have tested by changing it back to see if they go away, and after I change it to 443 everything is normal.

    Here are the errors:

    ----------------------------------------

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          5/12/2011 9:27:10 AM
    Event ID:      102
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:     
    Description:
    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

    Additional Data
    Exception details:
    System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL https://+:444/adfs/services/proxytrustpolicystoretransfer/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
       at System.Net.HttpListener.AddAll()
       at System.Net.HttpListener.Start()
       at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
       --- End of inner exception stack trace ---
       at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
       at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
       at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
       at System.ServiceModel.Channels.HttpChannelListener.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at Microsoft.IdentityServer.Service.SecurityTokenService.ServiceHostManager.Open(ServiceHostEntry entry)
       at Microsoft.IdentityServer.Service.SecurityTokenService.ServiceHostManager.Open()
       at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.OnStartInternal(Boolean requestAdditionalTime)

    ----------------------------------------

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          5/12/2011 9:27:10 AM
    Event ID:      201
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:     
    Description:
    The Federation Service SAML protocol listener  encountered an Access Denied error while trying to register one or more endpoint URLs. This condition typically occurs when the ACL for the endpoint URL is missing or the HTTP namespace in the ACL is not a prefix match of the endpoint URL.

     The SAML protocol listener  could not be opened.

    User Action
    Ensure that a valid ACL for each of the URLs has been configured on this computer.

    Additional Data
    Exception details:
    System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL https://+:444/adfs/services/proxytrustpolicystoretransfer/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
       at System.Net.HttpListener.AddAll()
       at System.Net.HttpListener.Start()
       at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
       --- End of inner exception stack trace ---
       at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
       at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
       at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
       at System.ServiceModel.Channels.HttpChannelListener.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at Microsoft.IdentityServer.Service.SecurityTokenService.ServiceHostManager.Open(ServiceHostEntry entry)

    Thursday, May 12, 2011 3:36 PM
  • You are getting 404 because the https://+:444/adfs/services/proxytrustpolicystoretransfer URL is not registered.

    Looks like you have a permissions issue while setting the ADFS website ports. Probably you are running into a User Access Control (UAC) issue.
    Did you try running the PowerShell command I provided earlier?
    NOTE: Make sure PowerShell is running as Administrator. Make sure everything you try is running as Administrator.

    Until the URL with port 444 is registered correctly you won't be able to fix this.


    Kaustubh Giri
    Thursday, May 12, 2011 3:42 PM
  • Thanks for the reply,

    Here is what I did:

    (I do run everything as admin.)

    1. Configure ADFS on 443 then while adding the Cert to ADFS website change the port to 444

    ------- ADFS was already installed and configured; all I did was change the binding in IIS to 444 (I deleted and re-added it and applied the certificate).

    2. Run the following command in PowerShell to ensure the port is changed:

    Ran PowerShell as administrator and ran the following command (it told me to restart the ADFS services, so I did. I have since restarted the server):

    Set-AdfsProperties -HttpsPort 444

    Is it possible that I have to uninstall and reinstall ADFS, and do the above again?
    Thursday, May 12, 2011 4:02 PM
  • On the server that hosts ADFS, can you try running the following command (Command Prompt):

    NETSH HTTP SHOW URLACL

    See if there are any errors listed under any URLs.
    Follow my steps mentioned in this post:

    http://social.msdn.microsoft.com/Forums/en-US/crmdeployment/thread/4be115f3-8f24-46a5-9ee2-31dd9643c23f


    In your environment we are experiencing issues with registering the URLs with port 444.

    You could try using some other port for testing, for example 445 (just for testing). If this works on 445 then the issue is only with binding 444 to ADFS on that server. If it still doesn't work with 445 then the ADFS DB could be corrupt. You may start with a fresh setup of ADFS.


    Kaustubh Giri

    • Edited by Kaustubh Giri Thursday, May 12, 2011 4:09 PM correction
    Thursday, May 12, 2011 4:09 PM
  • I have no errors listed,

    but all the URLs that correspond to ADFS still have 443 tied to them. Should I delete them? I have tried 445 and it does not work either. I have no problem trying a fresh install at this point if deleting them does not work.

        Reserved URL            : http://+:80/adfs/services/
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

        Reserved URL            : https://+:443/adfs/services/
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

        Reserved URL            : https://+:443/FederationMetadata/2007-06/
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

        Reserved URL            : https://+:443/adfs/fs/federationserverservice.asmx
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

    Thursday, May 12, 2011 4:17 PM
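    As an added example (not posted in the thread, and not Microsoft's tooling), the following PowerShell script ties together Kaustubh Giri's port-change steps and the NETSH HTTP SHOW URLACL check: it compares the AD FS 2.0 HttpsPort with the HTTP.SYS reservations, flags AD FS URLs still reserved on another port (the situation in the output above), and prints, without running, the reservation commands the listener would need. It assumes an elevated session on the AD FS server with the AD FS 2.0 snap-in and the WebAdministration module installed; the port 444 and the NT SERVICE\adfssrv account are taken from this thread.

```powershell
# Added example, not from the thread: audit the AD FS 2.0 HTTPS port against the
# HTTP.SYS URL reservations and the IIS binding. Run in an elevated PowerShell
# session on the AD FS server. $ExpectedPort and $ServiceAccount default to the
# values seen in this thread (444, NT SERVICE\adfssrv) and are assumptions.
param(
    [int]$ExpectedPort = 444,
    [string]$ServiceAccount = 'NT SERVICE\adfssrv'
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$props = Get-AdfsProperties
Write-Host ("AD FS HttpsPort is {0}, expected {1}" -f $props.HttpsPort, $ExpectedPort)
if ($props.HttpsPort -ne $ExpectedPort) {
    Write-Warning "Run 'Set-AdfsProperties -HttpsPort $ExpectedPort' and restart the AD FS 2.0 Windows Service."
}

# Parse "netsh http show urlacl": each entry starts with "Reserved URL : <url>"
# and is followed by an indented "User: <account>" line.
$reservations = @()
$current = $null
foreach ($line in (netsh http show urlacl)) {
    if ($line -match 'Reserved URL\s*:\s*(\S+)') {
        $current = [pscustomobject]@{ Url = $matches[1]; User = '' }
        $reservations += $current
    } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
        $current.User = $matches[1]
    }
}

# Only the AD FS HTTPS reservations matter here: /adfs/... and /FederationMetadata/...
$adfs = $reservations | Where-Object { $_.Url -match '^https://\+:\d+/(adfs/|FederationMetadata/)' }
$onExpected = @($adfs | Where-Object { $_.Url -match "^https://\+:$ExpectedPort/" })
$onOther    = @($adfs | Where-Object { $_.Url -notmatch "^https://\+:$ExpectedPort/" })

foreach ($r in $onOther) {
    Write-Warning ("AD FS reservation still on another port: {0} ({1})" -f $r.Url, $r.User)
}
if ($onExpected.Count -eq 0) {
    # Without a reservation for the new port the service cannot bind
    # https://+:<port>/adfs/... and logs AD FS 2.0/Admin events 102 and 201.
    Write-Warning "No AD FS HTTPS reservation exists for port $ExpectedPort."
    # Show (do not run) the reservations the listener needs, derived from the
    # paths found on the other port so the list matches this installation.
    foreach ($r in $onOther) {
        $path = $r.Url -replace '^https://\+:\d+/', ''
        $user = if ($r.User) { $r.User } else { $ServiceAccount }
        Write-Host ("netsh http add urlacl url=https://+:{0}/{1} user=`"{2}`"" -f $ExpectedPort, $path, $user)
    }
}

# The IIS site must also have an https binding on the new port, otherwise the
# FederationMetadata URL on that port returns 404 even when AD FS is healthy.
Import-Module WebAdministration -ErrorAction SilentlyContinue
$binding = Get-WebBinding -Protocol https -Port $ExpectedPort
if (-not $binding) { Write-Warning "No IIS https binding on port $ExpectedPort found." }
```

    Review the printed netsh commands before running any of them; the thread's own resolution was a clean reinstall with the 444 binding in place beforehand, which creates the reservations for the new port as part of setup.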