how to add users to CRM 2011 from a federated trust? RRS feed

  • Question

  • I just configured claim based authentication, which works and now I've set up a federated trust to another federated domain (PSW.COM) using the instructions on the microsoft whitepaper but I'm struggling to add users from PSW.com.

    I've tried PSW\username, username and username@psw.com but none seem to work.

    Which on second re-reading of  this http://social.microsoft.com/Forums/is/crm/thread/639b4fb5-172c-4c63-b095-addb847443d8 would suggest that I've done something wrong.

    The bit I'm not 100% sure about is this one, setting up the federated trust

    On the partner company’s federation server, create a relying party trust for the AD FS 2.0 server used with Microsoft Dynamics CRM Server 2011. Use the following settings:

    • Data Source: the path to the AD FS 2.0 server used with Microsoft Dynamics CRM Server 2011 federation data.
    • Rule type: Issuance Transform Rules
    • Claim rule template: Send LDAP Attributes as Claims
    • Claim rule name: LDAP UPN --> Claim UPN (or something descriptive)
    • LDAP Attribute: User-Principal-Name
    • Outgoing Claim Type: UPN

    What url I should use here, adfs 2.0 or CRM? I mean this https://adfs.com/federationmetadata/2007-06/federationmetadata.xml or https://crm.com/federationmetadata/2007-06/federationmetadata.xml


    Musings on Information Technology


    Forgot to add that the error on the trace log is rather unhelpful:  Unable to find user user@psw.com under the AD root path or Unable to get find user psw\user: System.Runtime.InteropServices.COMException (0x8007052E): Logon failure: unknown user name or bad password.
    Tuesday, August 28, 2012 7:06 PM


  • To answer my own question, it's https://adfs.com/federationmetadata/2007-06/federationmetadata.xml the url I needed.

    I can also confirm that adding users using the UPN works too, i.e. camelbak@psw.com. User details were not pulled back, I guess this is because there are no claims defined.

    The one really annoying thing is that I'm not 100% sure what I have done to make it work, I did bounce IIS and signed in again but other than that not too sure.

    Musings on Information Technology

    Wednesday, August 29, 2012 7:02 AM