ADFS not redirecting back to CRM

  • Question

  • (originally posted in the ADFS forum)

    Hello All,

    Scenario: CRM2013 UR2, ADFS 3

    When I try to log on from "the outside", ADFS authenticates the account, but it doesn't redirect back to CRM. I know ADFS is authenticating, because it gives me a message if I type a wrong password.
    There are no error messages/log entries anywhere (ADFS or CRM).

    Internally everything works. This was working before, all I did was replace the certificate (same wildcard for ADFS and CRM).

    I traced the connection in Fiddler and I can see the 302 response from ADFS after authentication, but the target (in Fiddler: Target -> Location) points at ADFS (sts.mydomain.com/....) not at the CRM server.
    When tracing the connection internally, the 302 response contains the correct target (crminternal.mydomain.com/....).

    I'm fairly certain I already tried all the "simple stuff" (rerunning Claims and IFD config in CRM, recreating the IFD relying party trust etc.)

    Anyone seen this before or have an idea?

    Thx in advance!

    Tuesday, January 13, 2015 11:30 PM

All replies

  • Do you follow the steps below?

    Updating the SSL certificate

    1. Add the new certificate to the AD FS server.

      1. Import the new certificate to the AD FS server.
      2. Grant the ADFSAppPool account Read permission to the new certificate
      3. Bind the new certificate to the AD FS website.
    2. Add the new certificate to the Microsoft Dynamics CRM server.

      1. Import the new certificate to the Microsoft Dynamics CRM server.
      2. Grant the CRMAppPool account Read permission to the new certificate
      3. Bind the new certificate to the Microsoft Dynamics CRM website.
    3. Start the Deployment Manager and run the Configure Claims-Based Authentication Wizard to use the new certificate.

    4. On the AD FS server, update all the relying party trusts used by Microsoft Dynamics CRM.

    5. If the certificate subject name changes, update the root domain web addresses to match the new subject name. For more information, see: Configure the Microsoft Dynamics CRM Server 2011 for claims-based authentication in this document.

    6. Run the iisreset command on the AD FS and Microsoft Dynamics CRM servers.
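    The AD FS side of the procedure above (steps 1, 4 and 6), written out as an added PowerShell example; this is not code from the thread or from Microsoft's documentation. It assumes the AD FS PowerShell module on Windows Server 2012 R2 (AD FS 3.0), a placeholder thumbprint for the new wildcard certificate, and that the CRM-side IIS binding and the private-key Read grant for the service account have already been done.

```powershell
# Added example (not from the thread): applies the certificate-rotation steps
# above on the AD FS server with the AD FS module, then refreshes the relying
# party trusts from their metadata. The thumbprint is a placeholder; the CRM-side
# IIS binding and the private-key Read grant are assumed to be done already.
$thumb = 'PLACEHOLDER_THUMBPRINT_OF_NEW_WILDCARD_CERT'

# Step 1.1: the certificate must be in the machine store together with its
# private key. A .cer import without the key is a common cause of a silent
# failure later, so check it up front.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert)                    { throw "Certificate $thumb not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $thumb has no private key; import the PFX, not the CER" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb is already expired" }

# Step 1.3: on AD FS 3.0 the HTTPS binding is owned by the AD FS service rather
# than an IIS site, so it is set through AD FS itself. Keeping the
# service-communications certificate in step avoids a second mismatch.
Set-AdfsSslCertificate -Thumbprint $thumb
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb

# Step 4: re-read federation metadata for every trust that was created from a
# metadata URL (the CRM internal and IFD trusts), so the endpoints and the
# encryption certificate stored in the trust match what CRM now publishes.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.MetadataUrl } |
    ForEach-Object {
        Write-Host "Refreshing trust '$($_.Name)' from $($_.MetadataUrl)"
        Update-AdfsRelyingPartyTrust -TargetName $_.Name
    }

# Step 6: restart the federation service so the new SSL binding is picked up.
Restart-Service adfssrv
```

    Run it in an elevated PowerShell session on the AD FS server after the CRM-side steps (2, 3 and 5) are complete; the trust refresh in step 4 only helps if the CRM metadata it pulls is already correct.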

    Wednesday, January 14, 2015 5:47 AM
  • Hello Wilson,

    thx for your reply. Yes, I followed all necessary steps. As I mentioned, the internal config works fine, it's just the external one that doesn't work.

    One thing I noticed, when looking at the XML returned from the relying party's federation metadata, is that the internal url returns the internal CRM name in the ApplicationServiceEndpoint node, whereas the external url returns auth.mydomain.com.

    Internal relying party's federation metadata:

    <fed:ApplicationServiceEndpoint>
       <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
          <Address>https://crmweb.mydomain.com/</Address>
       </EndpointReference>
    </fed:ApplicationServiceEndpoint>

    External:

    <fed:ApplicationServiceEndpoint>
       <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
          <Address>https://auth.mydomain.com/</Address>
       </EndpointReference>
    </fed:ApplicationServiceEndpoint>

    I honestly don't know if this is relevant (clutching at straws here), but if I put https://auth.mydomain.com in a browser it redirects me to ADFS.

    Thx again for help and/or suggestions.

    Wednesday, January 14, 2015 6:30 PM
  • Hi,

    Have you got anywhere with this?

    I have a similar problem in CRM 2015 with AD FS installed OOTB on 2012R2
    The AD FS redirects all work fine Internally but when using the External setup after you put in your username and password it redirects me to the
    auth.[MYDOMAIN]/FederationMetadata/2007-06/FederationMetadata.xml
    rather than the CRM site.

    (when I set up the AD FS for CRM I had to remove the SPN I added as that made things worse, not sure if that is a 2012R2 thing?)

    Any pointers much appreciated

    So any pointers would be much appreciated.
    Wednesday, February 11, 2015 2:32 PM
  • Sorted my issue.

    Config error on my part, in:

    AD FS Manager > Trust Relationships > Relying Party Trusts > CRM IFD Relying Party > Properties > Endpoints

    I compared this to the Internal trust setup which was working and realised I had the incorrect Endpoint set, updating the Endpoint solved this issue for me.

    • Proposed as answer by tonkas Thursday, February 12, 2015 8:56 AM
    Thursday, February 12, 2015 8:55 AM
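    An added PowerShell check (not code from the thread) for the comparison described in the reply above: it lists the endpoints of every relying party trust so the working internal trust and the IFD trust can be put side by side, and flags a WS-Federation endpoint whose host is the federation service rather than CRM. The host names are assumptions following the thread's naming pattern.

```powershell
# Added example (not from the thread): lists each relying party trust's
# identifiers and passive (WS-Federation) endpoint and marks a trust whose
# endpoint points back at the STS instead of at CRM. Hosts are assumed.
$adfsHosts = @('sts.mydomain.com', 'auth.mydomain.com')   # assumed STS / IFD-metadata hosts

function Test-CrmRelyingPartyEndpoints {
    param([string[]] $FederationHosts = $adfsHosts)

    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $wsfed = if ($rp.WSFedEndpoint) { $rp.WSFedEndpoint.AbsoluteUri } else { '(none)' }
        [pscustomobject]@{
            Name              = $rp.Name
            Identifier        = ($rp.Identifier -join ', ')
            WSFedEndpoint     = $wsfed
            MetadataUrl       = $rp.MetadataUrl
            # When monitoring is on, the endpoint comes from the metadata and the
            # GUI shows it read-only; the value to fix is then what CRM publishes.
            MonitoringEnabled = $rp.MonitoringEnabled
            AutoUpdateEnabled = $rp.AutoUpdateEnabled
            # A passive endpoint on the STS host sends the signed-in user back to
            # AD FS, which matches the 302 Location seen in the Fiddler trace.
            Suspicious        = [bool]($rp.WSFedEndpoint -and
                                       $FederationHosts -contains $rp.WSFedEndpoint.Host)
        }
    }
}

Test-CrmRelyingPartyEndpoints | Format-List
```

    If the IFD trust shows Suspicious = True with MonitoringEnabled = True, editing the endpoint in the trust is not the fix, because the next metadata refresh would overwrite it; correct the external address published in CRM's IFD configuration and run Update-AdfsRelyingPartyTrust afterwards.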
  • Can you elaborate on what you did? The endpoint is set by the metadata -> grayed out.
    Did you change something in your CRM IFD configuration?

    Thx - M.

    Thursday, February 12, 2015 5:50 PM