CRM 2011 IFD - ADFS Error

Question
-
We are currently trying to demo CRM 2011 as an internet facing deployment, using AD FS 2.0. I have tried to configure claims-based authentication, but now when I browse to the internal deployment I get an error screen when I input my user credentials.
The AD FS 2.0 application event viewer is logging these two events every time I submit a logon request -
Event description -
EVENT 364
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3127: The specified request failed.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
System.ServiceModel.FaultException: MSIS3127: The specified request failed.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
EVENT 111
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
System.ArgumentException: ID4216: The ClaimType 'Name' must be of format 'namespace'/'name'.
Parameter name: claimType
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
Any help regarding this would be very much appreciated.
Regards
- Edited by green1867 Wednesday, February 29, 2012 2:48 PM
Wednesday, February 29, 2012 2:10 PM
Answers
-
Hi Green,
Please recheck the claim rules for your internal and external URLs.
Regards,
Khaja Mohiddin
http://www.dynamicsexchange.com
http://about.me/KhajaMohiddin
- Marked as answer by green1867 Wednesday, March 7, 2012 1:07 PM
Monday, March 5, 2012 2:32 PM
All replies
-
Hi,
Did you add the Relying party trust in ADFS?
Regards,
Khaja Mohiddin http://www.dynamicsexchange.com/ http://about.me/KhajaMohiddin
Wednesday, February 29, 2012 2:15 PM -
Hi Khaja,
Many thanks for the response. Yes, I have enabled this.
Do you have any other suggestions?
Kindest regards
Wednesday, February 29, 2012 2:32 PM -
I've been experiencing the exact same problems Green1867!
CRM can be a difficult beast to tame and there seems to be a lack of community support on it. Very frustrating...
Much help on this matter would be absolutely appreciated.
Wednesday, February 29, 2012 3:46 PM -
Are you able to access the "https://internalcrm.domain.com/federationmetadata/3007-06/federationmetadata.xml" without any issues?
Khaja Mohiddin http://www.dynamicsexchange.com/ http://about.me/KhajaMohiddin
Wednesday, February 29, 2012 4:10 PM -
Hi Khaja, I was able to verify this fine.
https://internalcrm.********.com/federationmetadata/2007-06/federationmetadata.xml
Wednesday, February 29, 2012 4:35 PM -
Green1867 - has a resolution for this issue been satisfied?
Monday, March 5, 2012 2:06 PM
-
Thanks Khaja - I was able to recheck the claim rules and resolve the issue.
Wednesday, March 7, 2012 1:08 PM
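
Added example, not part of the thread and not code from any poster: event 111's ID4216 message says the claim type 'Name' is not in 'namespace'/'name' form, so one way to recheck claim rules is to scan the rule text for claim types that lack that form. The function name, the sample rules and the slash-based test are assumptions made for illustration.

```powershell
# Hypothetical helper: list claim types in AD FS claim rule text that are not
# in 'namespace'/'name' form (the condition named by ID4216 in event 111).
function Find-MalformedClaimType {
    param([Parameter(Mandatory = $true)][string]$RuleText)

    # Type = "..." and Type == "..." (rule conditions and issue statements)
    $single = [regex]::Matches($RuleText, '(?i)\bType\s*={1,2}\s*"([^"]*)"') |
        ForEach-Object { $_.Groups[1].Value }

    # types = ("a", "b") as used by attribute-store issue statements
    $multi = [regex]::Matches($RuleText, '(?i)\btypes\s*=\s*\(([^)]*)\)') |
        ForEach-Object {
            [regex]::Matches($_.Groups[1].Value, '"([^"]*)"') |
                ForEach-Object { $_.Groups[1].Value }
        }

    # Assumption: a well-formed type has a non-empty namespace before its
    # last '/' and a non-empty name after it.
    @($single) + @($multi) |
        Where-Object { $_ -notmatch '^.+/[^/]+$' } |
        Select-Object -Unique
}

# Constructed sample rules (not taken from the thread). The second rule issues
# the bare type "Name", matching the value quoted in the ID4216 message.
$sampleRules = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "Name", Value = c.Value);
'@

Find-MalformedClaimType -RuleText $sampleRules   # lists: Name

# Against a live AD FS 2.0 server, feed it each trust's rule text instead:
# Add-PSSnapin Microsoft.Adfs.PowerShell
# Get-ADFSRelyingPartyTrust | ForEach-Object {
#     Find-MalformedClaimType -RuleText $_.IssuanceTransformRules }
# Get-ADFSClaimsProviderTrust | ForEach-Object {
#     Find-MalformedClaimType -RuleText $_.AcceptanceTransformRules }
```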