MS CRM 2013 IFD redirect with wauth parameter

  • Question

  • Hello,

    In my current project we have an IFD deployment with access for a partner company. In a tested one-server deployment it worked really fine, but there we got a redirected URL from the AD FS with a wauth parameter which had the value urn:afederation. In our multi-server deployment the redirected URL includes a wauth parameter with the value SAML 1.0 and password.

    It worked with the one-server deployment, because the token from the partner company's IDP is of the type SAML 2.0. But now the URL includes SAML 1.0 and we get an error, which says MS CRM 2013 required a token of type SAML 1.0.

    After removing the wauth from the redirected URL we get access to the system.

    Is it possible to change the redirected URL and remove the wauth parameter?

    Thank you very much in advance.

    Daniel 

    Tuesday, January 20, 2015 9:32 AM

Answers

  • Good morning,

    I found the answer after a hint from Microsoft and some more research in the right direction. You can set a null value for the wauth parameter, which will be sent to the client by MS CRM. This change must be done in the MSCRM_CONFIG database. To do so you have two possible ways. You can use the OrgDBOrgSettingsTool (http://support.microsoft.com/kb/2691237?wa=wsignin1.0) or do a direct update on the database with this statement:

    UPDATE [MSCRM_CONFIG].[dbo].[FederationProviderProperties]  
    SET NVarCharColumn = ''  
    WHERE ColumnName = 'IfdAuthenticationMethod'

    This property has three valid values:
    1. urn:federation:authentication:windows
    2. urn:oasis:names:tc:SAML:1.0:am:password
    3. null (set just an empty string)
    Of course, first of all I changed the value to the value sent by the partner IDP, but Microsoft could not say for sure if it has some impact on another area of the application.

    With the null value ADFS will pass through every type of authentication type to MS CRM.

    Best regards,

    Daniel

    • Marked as answer by Daniel Glab Friday, February 20, 2015 7:48 AM
    Friday, February 20, 2015 7:48 AM
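The statement above changes the setting with no record of the previous value and no check on the result. The following T-SQL is an added example, not code from the thread or from Microsoft: it validates the requested value against the three values the answer lists, records the current IfdAuthenticationMethod value before changing it, and verifies that exactly one row was affected before committing. It assumes the table and column names given in the answer (MSCRM_CONFIG.dbo.FederationProviderProperties, ColumnName, NVarCharColumn) and that the script is run as one batch in SQL Server Management Studio. Setting the empty string means CRM stops asking AD FS for a specific authentication method via wauth, so the PreviousValue output is what you would restore if that turns out to affect another part of the application.

```sql
-- Added example (not from the original thread): guarded change of the
-- IfdAuthenticationMethod setting in the MSCRM_CONFIG database.
-- Assumes the table/column names quoted in the answer above.
USE [MSCRM_CONFIG];
GO

-- '' (empty string) = CRM sends no wauth; the other two values are the ones the answer lists.
DECLARE @NewValue NVARCHAR(256) = N'';

-- Refuse anything that is not one of the three documented values.
IF @NewValue NOT IN (N'',
                     N'urn:federation:authentication:windows',
                     N'urn:oasis:names:tc:SAML:1.0:am:password')
BEGIN
    RAISERROR(N'Unsupported IfdAuthenticationMethod value', 16, 1);
    RETURN;
END;

BEGIN TRANSACTION;

-- Record the previous value so the change can be reverted later.
SELECT ColumnName, NVarCharColumn AS PreviousValue
FROM dbo.FederationProviderProperties
WHERE ColumnName = N'IfdAuthenticationMethod';

UPDATE dbo.FederationProviderProperties
SET NVarCharColumn = @NewValue
WHERE ColumnName = N'IfdAuthenticationMethod';

-- Exactly one row is expected; anything else means the setting row
-- does not look like the one described in the thread, so roll back.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Expected exactly one IfdAuthenticationMethod row', 16, 1);
    RETURN;
END;

-- Show the value as it will be committed.
SELECT ColumnName, NVarCharColumn AS NewValue
FROM dbo.FederationProviderProperties
WHERE ColumnName = N'IfdAuthenticationMethod';

COMMIT TRANSACTION;
```

Change @NewValue to one of the other two values to switch the setting back; the transaction wrapper is there so that an unexpected row count never leaves the setting half-changed.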

All replies

  • So after some more research I found out that our environment works with ADFS 2.0 and it doesn't matter if the wauth parameter is part of the URL.

    Does someone have an idea why ADFS 2.0 doesn't throw an exception and ADFS 3.0 does?

    Tuesday, January 27, 2015 12:43 PM