401.1 Error and exception message ID4175 in the event logs - help!

  • Question

  • Hi all, I've been trying to work on this issue for almost a week now.  We have been setting up a new hosted CRM 2011 deployment using the walk-through and we seem to be stuck at the final stage before deployment.
    Here is what’s happening

    IFD is set up and ADFS with wildcard certs - ADFS and CRM Claims based trust appears to be intact.

    Servers are as follows:

    Server1: Roles: Front-end and Deployment Administration Server

    Server2: Roles: Backend Server, Email Router and ADFS
    Hostnames are as follows (apologies for the confusing terminology here.  We actually use auth as our hostname for STS and CRM for our Auth (if you're referring back to Microsoft examples)):

    Server1: crm.domain.com, also hosts customer domain: org1.domain.com

    Server2: auth.domain.com – ADFS.

     We are using standard ports (80 and 443) only.

    If I go to https://org1.domain.com/, it performs the redirect to auth.domain.com where you’re prompted for a login.  If I enter DOMAIN\dud and no pwd (i.e. bad user account), I end up with an invalid user / pass.

     If I enter in a correct user pass, like DOMAIN\Administrator, I get redirected back to https://crm.domain.com and I’m prompted for user / pass again. 

    Eventually a 401.1 ensues.

     The only error in Active Directory is below and there are very few resources available online for me to fault find.  If anyone can assist, then that would be great.  We have two clients lined up and we really need to get some traction!!!
    Log Name:      Application

    Source:        ASP.NET 4.0.30319.0

    Date:          13/04/2011 9:41:56 PM

    Event ID:      1309

    Task Category: Web Event

    Level:         Warning

    Keywords:      Classic

    User:          N/A

    Computer:      Server1

    Description:

    Event code: 3005

    Event message: An unhandled exception has occurred.

    Event time: 13/04/2011 9:41:56 PM

    Event time (UTC): 13/04/2011 11:41:56 AM

    Event ID: 0f297694956248a4a51c40c6dc883353

    Event sequence: 30

    Event occurrence: 20

    Event detail code: 0
    Application information:

        Application domain: /LM/W3SVC/1/ROOT-1-129471273481875000

        Trust level: Full

        Application Virtual Path: /

        Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\

        Machine name: Server1
    Process information:

        Process ID: 5016

        Process name: w3wp.exe

        Account name: DOMAIN\CRMAPPSVC
    Exception information:

        Exception type: SecurityTokenException

        Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)

       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)

       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)

       at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)

       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)

       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

       at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Request information:

        Request URL: https://crm.domain.com:443/default.aspx

        Request path: /default.aspx

        User host address: xxx.xxx.xxx.xxx

        User: 

        Is authenticated: False

        Authentication Type: 

        Thread account name: DOMAIN\CRMAPPSVC
    Thread information:

        Thread ID: 71

        Thread account name: DOMAIN\CRMAPPSVC

        Is impersonating: True

        Stack trace:    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)

       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)

       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)

       at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)

       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)

       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

       at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Any assistance would be greatly appreciated.

    Jason.


    Wednesday, April 13, 2011 12:19 PM

Answers

  • Hi Ben et al.,

    We just had this issue bite us in the *** again, but this time things made a lot more sense.  The issue this time around is to do with the signing federated certs and the auto-rollover feature.  As ADFS is on a different server and it cut over to the new certs today, our other CRM servers have not received the renewed certificate.  When I get home tonight I'll document this a little clearer but it looks like the original problem could be caused by a certificate error.


    Consultant | Nerd | Visionary. http://www.ethertech.com.au/ | http://www.deeperstates.com.au

    Wednesday, March 28, 2012 8:11 AM

All replies

  • Hi Jason,

    I see that you posted this on April 13th, which is a long time ago, and there are no responses.
    Are you still having issues, or is it fixed?

    If you are still experiencing issues then I would suggest troubleshooting CLAIMS (ADFS) as you are getting Auth challenge while getting redirected to ADFS URL. (If my understanding is correct)

    Have you changed the ADFS Application Pool (IIS) to use a Domain Account, or is it Network Service? Also, what is the CRMAppPool (IIS) running as?
    Are your Service Principal Names (SPNs) correctly applied? (This might fix the issue.)

    You might want to use the Fiddler tool (web debugger) to understand which URL is causing an issue, and then you can start your troubleshooting.
    NOTE: You will need to enable HTTPS decryption in Fiddler (Tools => Fiddler Options => HTTPS).

    Hope this helps.


    Kaustubh Giri
    Thursday, May 12, 2011 1:47 PM
  • Hi Jason
    I am seeing this precise issue and cannot get to the bottom of it. Did you manage to get it working and if so how?
    Thanks

    Ben

    Tuesday, September 20, 2011 7:32 PM
  • 1. Do you have ADFS and CRM on separate servers?

    2. Try applying the following registry keys on both ADFS and CRM Servers:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    3. Right-click Lsa, point to New, and then click DWORD Value.
    4. Type DisableLoopbackCheck, and then press ENTER.
    5. Right-click DisableLoopbackCheck, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Quit Registry Editor, and then reset IIS.
    3. Do you have ADFS Application Pool running as Network Service or Domain Account?
    If a domain account, then you are missing SPNs.

    4. What is the AppPool Account running as for CRM Website?
    If it is a Domain Account, then check if you have the correct HTTP/ SPNs set. You DON'T need Org1.domain.com SPNs.
    Hope this info helps.


    Kaustubh Giri
    Tuesday, September 20, 2011 7:41 PM
  • Hi Kaustubh
    Here are the answers to your questions.

    1. ADFS and CRM are installed on the same server.

    2. I have tried this and it hasn't changed anything.

    3. ADFS service is running as Network Service

    4. CRM AppPool is running as Network Service.
    ADFS is installed into the default website so is using HTTP port 443. CRM is running in a separate website on HTTPS port 444.
    Just to clarify here is the chain of events...

    1. Go to https://orgname.domain.com:444 and redirects to ADFS login screen, i.e. https://adfs.domain.com/...

    2. Log in successfully using DOMAIN\UserName and password.

    3. Redirects to https://externalcrm.domain.com:444 and prompts for Username and Password, i.e. using Windows Authentication.

    4. Event log shows exactly the same error as Jason posted.
    Any ideas what might be happening here?
    Thanks

    Ben

    Tuesday, September 20, 2011 7:55 PM
  • Ben,
    Thanks for more info.

    I am guessing the issue is on the ADFS configuration. We are probably missing a Relying Party Trust and the Rules.

    So the error we have is:

    Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

    Check if you have an external Relying Party trust rule created just like you have for the internal URL. So the internal URL is configured for Trust as https://crm.domain.com
    You might want to create another relying party trust as https://auth.domain.com (this is the URL you used while configuring IFD). This should create all external endpoints.
    Summary:

    Confirm you have two relying party trusts in ADFS (one for the internal CRM URL and the other one for the external, which points to auth.domain.com {you may have used auth or something else while configuring IFD}).


    Kaustubh Giri
    Tuesday, September 20, 2011 8:03 PM
  • Hi Guys,  

    I'm sorry I can't be of more help here.  We did solve the problem and I wish I had reported back to the forums on this as well.  There is one of two solutions, if I recall, to solve this problem.  The first is along the same lines that Kaustubh Giri is pointing you in.  If I recall, there were issues with the trusting certificates and a missing variable in the ADFS identifiers.

    The second is ensuring you have a reliable time source.  Around this same time, we had issues with our front-facing servers obtaining AD time and would resort to BIOS clocks, which in our VM environment, were all over the place.

    Once we set up a reliable time infrastructure throughout, we found quite a few problems disappeared.

    Hope this helps.

    Consultant | Nerd | Visionary. http://www.ethertech.com.au/ | http://www.deeperstates.com.au
    Wednesday, September 21, 2011 9:37 AM
  • Hi Kaustubh

    Both the internal and external relying party trusts are set up and appear to be correct.

    In the ADFS 2.0 Management console I can see the external relying party trust shows the organisation URLs on the identifiers tab. This has been an issue before when the list of identifiers hasn't been updated to include new organisations, however, I can see the organisation URL that I am trying to access so don't think this is the problem.

    I've successfully installed IFD in 2 other cases without this problem. The only thing that is different in this case is that ADFS and CRM are installed on the same server, with ADFS running in the default website on port 443 and CRM running on port 444. Previously I have installed ADFS and CRM on separate servers, both in the default website, so both ADFS and CRM are running on SSL port 443. I don't know whether this is related or not.

    I will try recreating the external relying party trust and reconfiguring IFD and see if that helps.

    Thanks
    Ben 

    Wednesday, September 21, 2011 9:37 AM
  • Thanks Jason, ADFS and CRM are on the same server so don't think the time thing can be related and can't spot anything missing in the ADFS identifiers.
    Kaustubh,

    Recreating the relying party trust and IFD hasn't resolved the issue. Looking at the event log error it does point to an error in the CRM application so I enabled tracing. Below is the event log error and CRM trace...
    Event Log


    Log Name:      Application
    Source:        ASP.NET 4.0.30319.0
    Date:          21/09/2011 11:04:22
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      CRMSERVER.DOMAIN.local
    Description:

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 21/09/2011 11:04:22
    Event time (UTC): 21/09/2011 10:04:22
    Event ID: ec82dc34198a406589e71dee24df82f8
    Event sequence: 5
    Event occurrence: 2
    Event detail code: 0

    Application information:
        Application domain: /LM/W3SVC/2/ROOT-1-129610728852785052
        Trust level: Full
        Application Virtual Path: /
        Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
        Machine name: CRMSERVER

    Process information:
        Process ID: 4768
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE

    Exception information:
        Exception type: SecurityTokenException
        Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Request information:
        Request URL: https://auth.domain.co.uk:444/default.aspx
        Request path: /default.aspx
        User host address: 192.168.16.1
        User:
        Is authenticated: False
        Authentication Type:
        Thread account name: NT AUTHORITY\NETWORK SERVICE

    Thread information:
        Thread ID: 12
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: True
        Stack trace:    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

      Custom event details: 
    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ASP.NET 4.0.30319.0" />
        <EventID Qualifiers="32768">1309</EventID>
        <Level>3</Level>
        <Task>3</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-09-21T10:04:22.000000000Z" />
        <EventRecordID>12339</EventRecordID>
        <Channel>Application</Channel>
        <Computer>CRMSERVER.DOMAIN.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>3005</Data>
        <Data>An unhandled exception has occurred.</Data>
        <Data>21/09/2011 11:04:22</Data>
        <Data>21/09/2011 10:04:22</Data>
        <Data>ec82dc34198a406589e71dee24df82f8</Data>
        <Data>5</Data>
        <Data>2</Data>
        <Data>0</Data>
        <Data>/LM/W3SVC/2/ROOT-1-129610728852785052</Data>
        <Data>Full</Data>
        <Data>/</Data>
        <Data>C:\Program Files\Microsoft Dynamics CRM\CRMWeb\</Data>
        <Data>CRMSERVER</Data>
        <Data></Data>
        <Data>4768</Data>
        <Data>w3wp.exe</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>SecurityTokenException</Data>
        <Data>ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
        </Data>
        <Data>https://auth.domain.co.uk:444/default.aspx</Data>
        <Data>/default.aspx</Data>
        <Data>192.168.16.1</Data>
        <Data></Data>
        <Data>False</Data>
        <Data></Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>12</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>True</Data>
        <Data>   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
        </Data>
      </EventData>
    </Event>
    CRM Trace
    # CRM Tracing Version 2.0
    # LocalTime: 2011-09-21 11:07:19.470
    # Categories:
    # CallStackOn: No
    # ComputerName: CRMSERVER
    # CRMVersion: 5.0.9688.1244
    # DeploymentType: OnPremise
    # ScaleGroup:
    # ServerRole: AppServer, AsyncService, DiscoveryService, ApiServer, HelpServer, DeploymentService, SandboxServer, DeploymentManagementTools

    [2011-09-21 11:07:19.470] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   12 |Category: Platform.Sdk |User: 00000000-0000-0000-0000-000000000000 |Level: Error | ServiceModelTraceRedirector.TraceData

     ><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error"><Description>Handled exception.</Description><AppDomain>/LM/W3SVC/2/ROOT-1-129610728852785052</AppDomain><Exception><ExceptionType>System.IdentityModel.Tokens.SecurityTokenException, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.</Message><StackTrace>   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
    >   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
    >   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
    >   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
    >   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
    >   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    >   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    >   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    >   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp;amp; completedSynchronously)
    >   at System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
    >   at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
    >   at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
    >   at System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)
    ></StackTrace><ExceptionString>System.IdentityModel.Tokens.SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.</ExceptionString></Exception></TraceRecord>

    [2011-09-21 11:07:19.562] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   12 |Category: Application |User: 00000000-0000-0000-0000-000000000000 |Level: Error | ErrorInformation.LogError

    >MSCRM Error Report:
    --------------------------------------------------------------------------------------------------------
    Error: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
    Error Message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
    Source File: Not available
    Line Number: Not available
    Request URL: https://auth.domain.co.uk:444/default.aspx

    Stack Trace Info: [SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.]
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
       at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
       at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    [2011-09-21 11:07:19.611] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   12 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Error | ExceptionConverter.ConvertMessageAndErrorCode

    >System.IdentityModel.Tokens.SecurityTokenException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #A8D6EBA8: System.IdentityModel.Tokens.SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
    >   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
    >   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
    >   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
    >   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
    >   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
    >   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    >   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    >   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    >   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    [2011-09-21 11:07:19.615] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   12 |Category: Platform.Sdk |User: 00000000-0000-0000-0000-000000000000 |Level: Error | ServiceModelTraceRedirector.TraceData
    ><TraceRecord xmlns="http://schemas.microsoft.com/2009/10/IdentityModel/TraceRecord" Severity="Error"><Description>Handled exception.</Description><AppDomain>/LM/W3SVC/2/ROOT-1-129610728852785052</AppDomain><Exception><ExceptionType>System.ArgumentException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>ID0013: The value must be an absolute URI.
    >Parameter name: value</Message><StackTrace>   at Microsoft.IdentityModel.Protocols.WSFederation.WSFederationMessage.SetUriParameter(String parameter, String value)
    >   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.SendToIdentityProvider(RedirectLocation redirectLocation)
    >   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    >   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp;amp; completedSynchronously)
    >   at System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
    >   at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
    >   at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
    >   at System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)
    ></StackTrace><ExceptionString>System.ArgumentException: ID0013: The value must be an absolute URI.
    >Parameter name: value</ExceptionString></Exception></TraceRecord>
    Wednesday, September 21, 2011 10:20 AM
  • Hi All

    Just thought I would let you know that I installed ADFS on a separate server and reinstalled CRM into the default website and was able to get IFD working.

    Seems there are some issues with installing ADFS and CRM on the same server but not sure what!

    Cheers
    Ben 

    Wednesday, October 19, 2011 11:29 AM
  • Greetings,

    I fought this issue for a few hours, here is what fixed the problem for me (ADFS and CRM are on separate servers):

    1)  Time sync – servers were off by about 15 minutes, this is a basic configuration step I missed during the initial build.  Thanks for the prompt in this thread by Jason.

    2)  Updated federation metadata on ADFS "Relying Party Trusts".  The trust was marked as disabled.

    3)  Re-ran CRM Deployment Manager, both "Configure Claims-Based Authentication" and "Configure Internet Facing Deployment".  Just clicked "Next" through the wizard – no changes to the configuration information.

    4)  Reboot both servers

    Steps 1 and 2 were not enough to reset the trust, I needed to run step 3 to complete the fix.  I was told that sometimes this has to be repeated, it worked the first time for me.

    Cheers!

    Monday, September 9, 2013 3:36 PM
  • Hi Curt,

    I was able to resolve the same issue with step 3. Instead of rebooting the server I just ran iisreset and it started working.

    The explanation is that the Token signing certificates on the ADFS were renewed (by default every 12 months) and the CRM did not update them.

    There is an option to extend the cert expiration, but it's not advised, so I just scheduled a reminder to do this again after a year.

    Friday, January 3, 2014 4:56 PM
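A way to confirm the cause the last few replies settle on, before re-running the claims wizard: ADFS has rolled its token-signing certificate, the relying party still maps only the old thumbprint to an issuer name, and WIF's IssuerNameRegistry therefore fails with ID4175. The script below is an added example, not code from this thread or from Microsoft. It pulls every signing certificate out of a constructed ADFS federation metadata document (the shape served at /FederationMetadata/2007-06/FederationMetadata.xml), computes the SHA-1 thumbprint Windows shows for each, and compares them with the `<trustedIssuers>` thumbprints in a constructed WIF `web.config` fragment in the standard `ConfigurationBasedIssuerNameRegistry` layout (it is assumed here that the trusted-issuer list the CRM claims wizard writes behaves the same way). It also covers the time-sync point Jason and Curt raise, using WIF's default `maxClockSkew` of five minutes. The hostnames, certificate blobs and thumbprints are all constructed placeholders.

```python
"""Diagnose ID4175 after an ADFS token-signing certificate rollover.

Added example, not code from the thread or from Microsoft. The metadata
and web.config below are constructed stand-ins for an ADFS
FederationMetadata.xml and for the <issuerNameRegistry> section a WIF
relying party keeps.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Set

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder blobs standing in for DER-encoded certificates.
# Only the SHA-1 over the DER bytes (what Windows shows as the "thumbprint")
# matters for this check, so they do not need to be real X.509 structures.
OLD_CERT_B64 = base64.b64encode(b"constructed: token-signing cert before rollover").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed: token-signing cert after rollover").decode()


def thumbprint(cert_b64: str) -> str:
    """SHA-1 of the DER bytes, upper-case hex, as the ADFS and certificate consoles display it."""
    return hashlib.sha1(base64.b64decode("".join(cert_b64.split()))).hexdigest().upper()


# After auto-rollover ADFS publishes both signing certs; the new one is primary.
FEDERATION_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="http://auth.domain.com/adfs/services/trust">
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{NEW_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{OLD_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""

# The relying party was configured before the rollover and still lists only the old thumbprint.
WEB_CONFIG = f"""<configuration>
  <microsoft.identityModel>
    <service>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="{thumbprint(OLD_CERT_B64)}" name="http://auth.domain.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>"""


def metadata_signing_thumbprints(metadata_xml: str) -> List[str]:
    """Thumbprints of every signing certificate the STS publishes, primary first."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            found.append(thumbprint(cert.text or ""))
    return found


def trusted_thumbprints(web_config_xml: str) -> Set[str]:
    """Thumbprints the relying party's IssuerNameRegistry will map to an issuer name."""
    root = ET.fromstring(web_config_xml)
    trusted = set()
    for issuers in root.iter("trustedIssuers"):
        for add in issuers.findall("add"):
            trusted.add(add.get("thumbprint", "").replace(" ", "").upper())
    return trusted


def unrecognised_issuers(metadata_xml: str, web_config_xml: str) -> List[str]:
    """Signing certs ADFS may sign with that this relying party would reject with ID4175."""
    trusted = trusted_thumbprints(web_config_xml)
    return [t for t in metadata_signing_thumbprints(metadata_xml) if t not in trusted]


def clock_skew_ok(rp_now: datetime, sts_now: datetime,
                  max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """WIF tolerates at most maxClockSkew (default 00:05:00) between its clock and the
    token's validity window, so a 15-minute drift fails even with the right certificate."""
    return abs(rp_now - sts_now) <= max_skew


def drift_ok(minutes: float) -> bool:
    """Apply clock_skew_ok to a relying-party clock that runs `minutes` ahead of the STS."""
    now = datetime.now(timezone.utc)
    return clock_skew_ok(now + timedelta(minutes=minutes), now)


if __name__ == "__main__":
    missing = unrecognised_issuers(FEDERATION_METADATA, WEB_CONFIG)
    for t in missing:
        print(f"ADFS signing cert {t} is not a trusted issuer on the RP -> ID4175 after rollover")
    if not missing:
        print("all published signing certificates are trusted")
    print("15 min drift:", "ok" if drift_ok(15) else "exceeds allowed clock skew")
```

Run it against a real deployment by replacing the two constructed strings with the metadata downloaded from the ADFS server and the relying party's actual configuration; a non-empty result from `unrecognised_issuers` is the condition the wizard re-run in Curt's step 3 repairs, and scheduling that check shortly before the annual rollover avoids the outage the last reply describes.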