CRM 2011 IFD - ADFS Error

  • Question

  • We are currently trying to demo CRM 2011 as an internet facing deployment, using AD FS 2.0. I have tried to configure claims-based authentication, but now when I browse to the internal deployment I get an error screen when I input my user credentials.

    The AD FS 2.0 application event viewer is logging these two events every time I submit a logon request -

    Event description -

    EVENT 364

    Encountered error during federation passive request.

     

    Additional Data

     

    Exception details:

    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3127: The specified request failed.

       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)

       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

       --- End of inner exception stack trace ---

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

     

    System.ServiceModel.FaultException: MSIS3127: The specified request failed.

       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)

       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

     

    EVENT 111

    The Federation Service encountered an error while processing the WS-Trust request.

    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

     

    Additional Data

    Exception details:

    System.ArgumentException: ID4216: The ClaimType 'Name' must be of format 'namespace'/'name'.

    Parameter name: claimType

       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)

       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)

       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)

     

     Any help regarding this would be very much appreciated.

    Regards


    • Edited by green1867 Wednesday, February 29, 2012 2:48 PM
    Wednesday, February 29, 2012 2:10 PM

All replies

  • Hi,

    Did you add the Relying party trust in ADFS?

    Regards,


    Khaja Mohiddin http://www.dynamicsexchange.com/ http://about.me/KhajaMohiddin

    Wednesday, February 29, 2012 2:15 PM
  • Hi Khaja,

    Many thanks for the response. Yes I have enabled this.

    Do you have any other suggestions?

    Kindest regards

    Wednesday, February 29, 2012 2:32 PM
  • I've been experiencing the exact same problems Green1867!

    CRM can be a difficult beast to tame and there seems to be a lack of community support on it. Very frustrating...

    Much help on this matter would be absolutely appreciated.

    Wednesday, February 29, 2012 3:46 PM
  • Are you able to access the "https://internalcrm.domain.com/federationmetadata/3007-06/federationmetadata.xml" without any issues?

    Khaja Mohiddin http://www.dynamicsexchange.com/ http://about.me/KhajaMohiddin

    Wednesday, February 29, 2012 4:10 PM
  • Hi Khaja, I was able to verify this fine.

    https://internalcrm.********.com/federationmetadata/2007-06/federationmetadata.xml

    Wednesday, February 29, 2012 4:35 PM
  • Green1867 - has a resolution for this issue been satisfied?
    Monday, March 5, 2012 2:06 PM
    • Marked as answer by green1867 Wednesday, March 7, 2012 1:07 PM
    Monday, March 5, 2012 2:32 PM
  • Thanks Khaja - I was able to recheck the claim rules and resolve the issue.
    Wednesday, March 7, 2012 1:08 PM
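
Event 111 above reports ID4216 for the claim type 'Name', and the thread was resolved by rechecking the claim rules. The following is an added example, not code from any poster in this thread: it scans AD FS claim rule text for claim type literals that lack the 'namespace'/'name' shape the error message describes. The function names and the sample rules are assumptions constructed for illustration, and the format test approximates the check implied by the message.

```powershell
# Added example. The rule text below is constructed sample input.
# On a live AD FS 2.0 server the text could instead come from, for example:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   (Get-ADFSRelyingPartyTrust -Name '<your trust name>').IssuanceTransformRules

function Test-ClaimTypeFormat {
    param([string]$ClaimType)
    # A '/' must separate a non-empty namespace from a non-empty name.
    $i = $ClaimType.LastIndexOf('/')
    return ($i -gt 0 -and $i -lt ($ClaimType.Length - 1))
}

function Find-MalformedClaimTypes {
    param([string]$RuleText)
    # Matches  Type = "x",  Type == "x"  and  types = ("x", "y").
    # \b keeps ValueType = "..." from being treated as a claim type.
    $pattern = '(?i)\btypes?\s*={1,2}\s*(?:\((?<list>[^)]*)\)|(?<one>"[^"]*"))'
    foreach ($m in [regex]::Matches($RuleText, $pattern)) {
        if ($m.Groups['list'].Success) {
            $literals = $m.Groups['list'].Value
        } else {
            $literals = $m.Groups['one'].Value
        }
        # Pull each quoted string out of the single value or the list.
        foreach ($q in [regex]::Matches($literals, '"([^"]*)"')) {
            $type = $q.Groups[1].Value
            if (-not (Test-ClaimTypeFormat $type)) {
                New-Object PSObject -Property @{
                    ClaimType = $type
                    Fragment  = $m.Value
                }
            }
        }
    }
}

# Constructed sample: the second rule issues a bare 'Name' claim type.
$sampleRules = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "Name", Value = c.Value);
'@

Find-MalformedClaimTypes $sampleRules | Format-List ClaimType, Fragment
```

For the sample above, only the `Type = "Name"` fragment is reported; the URI-style claim types pass.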