CRM 2011 Claims Authentication Fails with ADFS Error

Question
-
Hello everyone,
We have been dealing with a very frustrating issue for the past two months concerning the deployment of a CRM 2011 Partner Hosted infrastructure.
The network consists of 2 front end servers in NLB configuration, 1 back end server and 1 SQL server.
Following Microsoft's deployment guide, the infrastructure works fine before configuring claims authentication. That is, before enabling claims authentication everything works as it should: both nodes respond correctly and there are no certificate errors. We are using a wildcard certificate from GoDaddy.
The problem is the following.
When we configure ADFS and claims authentication, CRM fails to open. We get an error saying:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 41f008b0-c30b-4c9b-a6bc-f4e34020d5a6
I understand that this is a generic error that does not say much. However, all other ADFS links open and work fine. For example, the federation metadata URLs work fine with no certificate errors. Note that the ADFS server is installed on the same machine as the SQL server.
SPNs are configured correctly (at least from what I know). I don't know if we need to add anything more.
When we set up ADFS and tried to access CRM, at first we got a permission denied error from the ADFS server. We enabled ASP.NET impersonation in IIS authentication and the error changed to the one above.
We enabled logging on the ADFS server and we got the following error:
Error 6/14/2011 3:45:13 PM AD FS 2.0 364 None 242d97c6-fb4c-40df-bc62-8e9c4ebf8bdd "Encountered error during federation passive request.
Additional Data
Exception details:
System.NullReferenceException
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at System.Management.ManagementObject.Initialize(Boolean getObject)
at System.Management.ManagementBaseObject.get_Properties()
at System.Management.ManagementBaseObject.GetPropertyValue(String propertyName)
at Microsoft.IdentityServer.Web.PassiveWmiUtility.SettingsObject.get_Item(String propertyName)
at Microsoft.IdentityServer.Web.PassiveWmiUtility.IsProxy()
at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetIssuerFriendlyName()"
We have set up the application servers, IIS and ADFS countless times, every time following Microsoft's guides. Nothing, we always get stuck on that error. It has been two months and we also opened a ticket with Microsoft official support. They are unable to help; it has been a frustrating exchange of emails and logs for the past 2 months with no real progress whatsoever.
I suspect it must be something either with the SPN configuration or the IIS configuration.
I don't know what else to change or reconfigure though. Any help would be greatly appreciated, we are really stuck here and need to get to the bottom of this. Any ideas or comments that might lead us in the right direction for a solution will again be very helpful.
Thank you very much.
Wednesday, June 15, 2011 9:56 AM
Answers
-
Please make sure whether you have any duplicate SPNs.
You can check SPNs using this command:
setspn -l servername (displays the SPN records registered on the server)
Is your CRMAppPool running as Network Service or some other identity?
setspn -l servername domain\user (if the app pool is running under a user identity)
setspn -x (this command shows duplicate SPNs)
Please remove all the duplicate records and create only one SPN for ADFS:
http/adfs.domain.com servername (Network Service)
http/adfs.domain.com servername domain\user (if the CRM identity is a user)
Do an iisreset
and try to access https://adfs.domain.com/adfs/ls/IdpInitiatedSignOn.aspx
If this works perfectly then you don't have issues with ADFS, and you can step forward.
regards,
Khaja Mohiddin
Marked as answer by Stavrinos Kyriakou Wednesday, June 22, 2011 2:49 PM
Monday, June 20, 2011 2:41 PM
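The duplicate-SPN check from the accepted answer, done against Active Directory instead of by reading setspn output by eye. This is an added example, not code from the thread; it assumes the hypothetical host names adfs.domain.com and crm.domain.com and that it runs on a domain-joined machine as a user allowed to read AD.

```powershell
# Added example (not from the thread): list every account holding an HTTP SPN for the
# ADFS/CRM host names and flag SPNs registered on more than one account, which is the
# condition Khaja's answer asks you to clear before Kerberos/claims auth can work.
# Host names below are assumptions; replace them with your own.
param(
    [string[]]$HostNames = @('adfs.domain.com', 'crm.domain.com')
)

# Query every object in the current domain that has at least one SPN set.
$searcher = [adsisearcher]'(servicePrincipalName=*)'
$searcher.PageSize = 1000
$null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'servicePrincipalName'))

# Build a table: SPN (lower-cased) -> accounts that hold it.
$owners = @{}
foreach ($result in $searcher.FindAll()) {
    $account = [string]$result.Properties['samaccountname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        $key = ([string]$spn).ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += $account
    }
}

# Report every SPN held by more than one account (the same thing setspn -x reports).
# A duplicate means the KDC cannot tell which account key to encrypt the ticket with,
# so authentication fails for everyone using that SPN.
foreach ($entry in $owners.GetEnumerator()) {
    if ($entry.Value.Count -gt 1) {
        Write-Warning ("Duplicate SPN {0} held by: {1}" -f $entry.Key, ($entry.Value -join ', '))
    }
}

# For each host in scope, show who holds http/<host>. There must be exactly one owner,
# and it must be the account the app pool (or the ADFS service) actually runs as.
foreach ($h in $HostNames) {
    $key = "http/$h".ToLowerInvariant()
    if ($owners.ContainsKey($key)) {
        "{0} -> {1}" -f $key, ($owners[$key] -join ', ')
    } else {
        "{0} -> not registered on any account" -f $key
    }
}
```

Run it before and after fixing the SPNs; the expected end state is one line per host name naming exactly one account and no duplicate warnings.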
All replies
-
Hello Everyone
After further troubleshooting, we now get the following error in ADFS trace log:
Event 38, AD FS 2.0 Tracing
A request to the policy store service was not authorized.
Still CRM does not work.
Any ideas?
Thursday, June 16, 2011 8:27 AM -
Hi Stavrinos,
Did you add the relying party trust and claim rules?
I have configured IFD so many times; I got this kind of error when accessing CRM without adding claim rules.
And also check the claim rules for the Claims Provider Trust.
regards,
Khaja Mohiddin
Thursday, June 16, 2011 10:04 AM -
Hello Khaja
Yes I have added the necessary claim rules and party trust, following Microsoft's implementation guide.
After further troubleshooting, I have managed to resolve all ADFS problems (it seems that most of the problems were caused by the ASP.net impersonation addition in IIS).
Now, when I try to access CRM, I get a popup asking for credentials. Whatever I put, it just fails with an authentication error.
I believe that this has something to do with wrong SPNs configuration. Is there anyone who has configured a similar environment like this?
What SPNs should I use?
Monday, June 20, 2011 1:40 PM -
Khaja,
Your suggestion above worked like a charm.
I have been working with MS support for the past two months and we weren't even near the resolution.
Thanks for the support.
Have a beer on me ;-)
Wednesday, June 22, 2011 2:50 PM -
;)
Regards,
Khaja Mohiddin
Proposed as answer by Curt Spanburgh MVP, Moderator Wednesday, June 22, 2011 7:16 PM
Wednesday, June 22, 2011 4:19 PM -
Hi Khaja,
I have configured ADFS 2.0 but I am not able to browse to the URL which you specified above. Can you help me configure it as required?
https://adfs.domain.com/adfs/ls/IdpInitiatedSignOn.aspx
Thanks, Ankit Shah
Inkey Solutions, India.
Microsoft Certified Business Management Solutions Professionals
http://www.inkeysolutions.com/MicrosoftDynamicsCRM.html
Wednesday, August 10, 2011 11:48 AM -
Hello Mohiddin,
I am not sure how I can remove duplicate records and how I can create only one SPN for ADFS.
Also, when I go to the site
it says you are not signed in, and when I try to sign in, the dialogue box it opens doesn't accept the domain\user of the machine where ADFS 2.0 is installed.
I don't have access to the actual Active Directory; I just got a user account that has full privileges on AD and am using it to log in on another machine, where I installed ADFS 2.0.
Also, if I do: setspn -l ADFSuser
I get some info but it doesn't show any URL associated with it.
Please answer
Thanks in advance
Thursday, August 25, 2011 9:22 PM -
Hi Khaja Mohiddin,
I am using an ADFS server for our CRM 2011 IFD. It is working for all existing users, but it is not working for newly created users, who get the reference number error.
I have checked the URL https://adfs.domain.com/adfs/ls/IdpInitiatedSignOn.aspx; new users are not able to log in.
Please let us know how to use the below; both are not working for us:
http/adfs.domain.com servername (Network Service) (does server name mean the ADFS server or the CRM server, and what about the Network Service?)
http/adfs.domain.com servername domain\user (if the CRM identity is a user)
Regards
Boobalan
Wednesday, July 25, 2012 10:44 AM -
Hi Boobalan,
This thread was closed long ago. I suggest you create a new thread for this issue.
And you need to check your claim rules for this issue.
Regards,
Khaja Mohiddin
http://www.dynamicsexchange.com
http://about.me/KhajaMohiddin
Wednesday, July 25, 2012 1:26 PM -
Thanks for the information, Khaja.
I have raised a new thread.
How do I check the claim rules? The same rules are working for old users.
As per your URL https://adfs.domain.com/adfs/ls/IdpInitiatedSignOn.aspx, old users are able to log in, but newly created users are not able to log in and get the reference number error.
Thursday, July 26, 2012 11:33 AM -
Hello,
I have configured ADFS 2.1 on Windows Server 2012 for CRM 2011. A login message box always pops up 3 times and then authentication fails with:
HTTP Error 401 - Unauthorized: Access is denied.
The metadata below works fine:
https://sts1.qsmoving.com/federationmetadata/2007-06/federationmetadata.xml
https://internalcrm.qsmoving.com:444/FederationMetadata/2007-06/FederationMetadata.xml
Discovery Service - Working
https://internalcrm.qsmoving.com:444/XRMServices/2011/Discovery.svc
Organization Service - Working
https://internalcrm.qsmoving.com:444/QSM052013/XRMServices/2011/Organization.svc
Organization Data Service - HTTP Error 401 - Unauthorized: Access is denied
https://internalcrm.qsmoving.com:444/QSM052013/XRMServices/2011/OrganizationData.svc
I checked everything, but I am not able to trace where the issue is.
Any help really appreciated.
thanks
udayan
Thursday, October 10, 2013 10:24 PM