Adding Relying Party Trust

  • Question

  • I am trying to add a relying party trust in the AD FS Manager. According to the documentation about implementing claims-based authentication the data should be in FederationMetadata.xml which is located at https://[url]:443/FederationMetadata/2007-06/FederationMetadata.xml. However, I get the error "An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.... Error message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel".

    I searched on the computer but could not find the above file. The error message also indicates some other issues, so it seems there are at least a couple of problems. Note that I used a self-signed certificate for now, which causes some security issues. Nonetheless, that still does not explain the missing FederationMetadata.xml file.

    Wednesday, February 29, 2012 9:42 PM

All replies

  • Hi,

    There is not any physical FederationMetadata.xml file. If you look at the URL rewrite option inside the Microsoft Dynamics CRM website in IIS, you will see that that URL is actually rewritten to /Handlers/FederationMetadata.ashx. Be sure you have the certificate working right on both the CRM and AD FS servers and that the application pool identity has the necessary permissions on the certificate's private keys.

    I would also recommend watching this video http://www.youtube.com/watch?v=T9jZIxDTsBw

    Damian Sinay

    Wednesday, February 29, 2012 11:46 PM
  • Damian, thanks. I guess I will do a new installation again as I just finally got a real wildcard certificate. I can use this for both the CRM and ADFS, correct? As for checking that the certificate works correctly, should I just visit the link https://[url]:443/FederationMetadata/2007-06/FederationMetadata.xml or is there something else to it? How do I check the permissions?

    I will also check the video a bit later.

    Wednesday, February 29, 2012 11:51 PM
  • Hi,

    Yes, you should be able to check the link https://[url]:443/FederationMetadata/2007-06/FederationMetadata.xml without any problems if you have the certificates in place. I think the video also shows how to configure the permissions on the private keys; anyway, that is something you can do by running the mmc application, adding the Certificates snap-in and going to the Personal certificates store. When you see the certificate there, you can right-click on the certificate and select All Tasks, then the Manage Private Keys option; there you will be able to add the application pool identity name and assign rights to the user.

    Damian Sinay

    Wednesday, February 29, 2012 11:58 PM
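As an added example (not code from the thread or from Microsoft), the following PowerShell script checks the two things Damian describes: whether the application pool identity has Read access to the service certificate's private key, and whether the federation metadata URL is served over a TLS channel the client trusts. The thumbprint, application pool identity name and host name are placeholder assumptions; it assumes a CSP-backed RSA key in LocalMachine\My and PowerShell 3.0 or later.

```powershell
# Added example: verify private-key permissions and metadata endpoint trust.
# All three values below are placeholders to replace with your own.
$thumbprint   = 'REPLACE-WITH-CERT-THUMBPRINT'
$poolIdentity = 'IIS APPPOOL\CRMAppPool'      # assumed name of the CRM application pool identity
$metadataUrl  = 'https://crm.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)                { throw "Certificate $thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate has no private key, so it cannot be used for TLS" }
if (-not $cert.PrivateKey)     { throw "Key is not CSP-backed; use the Manage Private Keys dialog instead" }

# For CSP keys the key container is a file under MachineKeys; its NTFS ACL is exactly
# what the 'Manage Private Keys' dialog edits.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
$acl     = Get-Acl -Path $keyPath

# Show every principal that currently has access to the key container.
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# The app pool identity needs at least Read (Allow) on the container.
$readFlag = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $poolIdentity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readFlag) -eq $readFlag)
}
if ($hasRead) { "OK: $poolIdentity can read the private key" }
else          { "MISSING: grant $poolIdentity Read on $keyPath via Manage Private Keys" }

# Fetch the metadata the way AD FS Manager does; a chain/trust failure surfaces here as the
# same 'Could not establish trust relationship for the SSL/TLS secure channel' error.
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
    [xml]$md = $resp.Content
    "OK: metadata served for entityID " + $md.EntityDescriptor.entityID
} catch {
    "FAILED: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on the CRM server, since reading the MachineKeys ACL requires administrator rights.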