Partner Portal - Invited partners cannot authenticate

  • Question

  • Hi,

    When a partner receives an invitation, the following screens appear and they are not able to log in to the partner portal. Could someone let me know what might fix this? I have followed the updated steps in SkyDrive.

    When the partner clicks on sign in this appears:

    Thanks


    Terry McCullagh
    Wednesday, December 14, 2011 7:42 PM

Answers

  • The thumbprint value retrieved from the ACS management portal goes under the trustedIssuers element:

    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    	<trustedIssuers>
    		<add thumbprint="34BC9F66612D5BA307BDDD977A0431DE2D0C59FF" name="https://tmrportal7.accesscontrol.windows.net/"/>
    	</trustedIssuers>
    </issuerNameRegistry>
    

    If you have Windows Identity Foundation installed (Microsoft.IdentityModel.dll), then you can obtain the thumbprint from the metadata with the following code:

    // Assemblies: System.IdentityModel.dll (X509RawDataKeyIdentifierClause) and
    // Microsoft.IdentityModel.dll (MetadataSerializer, EntityDescriptor, SecurityTokenServiceDescriptor).
    using System;
    using System.Linq;
    using System.Net;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.IdentityModel.Protocols.WSFederation.Metadata;

    // Replace <namespace> with your ACS namespace.
    var url = "https://<namespace>.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml";
    var request = WebRequest.Create(url);
    using (var response = (HttpWebResponse)request.GetResponse())
    using (var stream = response.GetResponseStream())
    {
        var serializer = new MetadataSerializer();
        var metadata = serializer.ReadMetadata(stream);

        var entity = metadata as EntityDescriptor;

        if (entity != null)
        {
            // Walk the STS role descriptor, take its X.509 keys and compute each certificate's thumbprint.
            var thumbprints =
                from role in entity.RoleDescriptors
                where role is SecurityTokenServiceDescriptor
                from key in role.Keys
                from identifier in key.KeyInfo
                where identifier is X509RawDataKeyIdentifierClause
                let x509 = identifier as X509RawDataKeyIdentifierClause
                let certificate = new X509Certificate2(x509.GetX509RawData())
                select certificate.Thumbprint;   // SHA-1 hex string: the value for trustedIssuers/add@thumbprint

            foreach (var thumbprint in thumbprints)
            {
                Console.WriteLine(thumbprint);
            }
        }
    }


    The second thumbprint which is found under the serviceCertificate/certificateReference element is the thumbprint of the cookie encryption certificate that is uploaded to the Azure hosted service. See here for details.

    <serviceCertificate>
    	<certificateReference x509FindType="FindByThumbprint" findValue="[thumbprint of cookie encryption certificate uploaded to Azure hosted service]"/>
    </serviceCertificate>
    

    For more details see here.
    • Edited by John Leung Wednesday, January 18, 2012 1:07 AM
    • Proposed as answer by Palak Kadakia Monday, January 23, 2012 1:57 AM
    • Marked as answer by Terry McCullagh Monday, January 23, 2012 3:05 PM
    Wednesday, January 18, 2012 12:59 AM
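An offline check for the two ways the trustedIssuers thumbprint goes wrong in this thread (a value that is not the SHA-1 thumbprint of the ACS signing certificate at all, as in the posted web.config, and a hex string with an invisible character pasted into it, as Sergey describes further down). This is an added example for this page, not code from the Partner Portal package or from any reply. It is written in Python so it runs without WIF installed and mirrors the LINQ query above: take the STS signing certificates from FederationMetadata.xml, hash their DER bytes with SHA-1 (which is what X509Certificate2.Thumbprint reports), and compare against the thumbprint attribute in web.config. The metadata document, the web.config section and the "certificate" bytes are all constructed; the ACS namespace tmrportal7 and the attribute values are taken from the thread. review_before_shipping only flags settings that appear in the posted section.

```python
"""Offline cross-check of a WIF <trustedIssuers> thumbprint against ACS federation metadata.
Added example for this thread, not code from the Partner Portal package or from any reply.
All XML below is constructed; the "certificate" is dummy bytes, so the digests are of fake data."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespace URIs used by a WS-Federation FederationMetadata.xml document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed stand-in for the DER bytes of the ACS token-signing certificate.
FAKE_SIGNING_CERT_DER = b"\x30\x82\x01\x00constructed, not a real X.509 certificate"

def thumbprint(der):
    """SHA-1 of the DER encoding in upper-case hex: the value X509Certificate2.Thumbprint reports."""
    return hashlib.sha1(der).hexdigest().upper()

# Constructed metadata: one STS RoleDescriptor carrying one signing KeyDescriptor.
FEDERATION_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://tmrportal7.accesscontrol.windows.net/">
  <RoleDescriptor xmlns:xsi="{NS['xsi']}" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_SIGNING_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""

def signing_thumbprints(metadata_xml):
    """Thumbprints of the STS signing certificates: the same walk as the LINQ query in the answer above."""
    found = []
    for role in ET.fromstring(metadata_xml).findall("md:RoleDescriptor", NS):
        if not role.get("{%s}type" % NS["xsi"], "").endswith("SecurityTokenServiceType"):
            continue
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":  # no 'use' attribute means any purpose
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                found.append(thumbprint(base64.b64decode(cert.text.strip())))
    return found

def web_config(thumbprint_attr):
    """A <microsoft.identityModel> section shaped like the one posted in the thread (constructed)."""
    return f"""<microsoft.identityModel>
  <service>
    <federatedAuthentication>
      <wsFederation issuer="https://tmrportal7.accesscontrol.windows.net/v2/wsfederation" realm="http://tmrportal7.cloudapp.net/" requireHttps="false"/>
      <cookieHandler requireSsl="false"/>
    </federatedAuthentication>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel">
      <trustedIssuers>
        <add thumbprint="{thumbprint_attr}" name="https://tmrportal7.accesscontrol.windows.net/"/>
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None"/>
  </service>
</microsoft.identityModel>"""

def check_trusted_issuers(web_config_xml, metadata_xml):
    """Findings for <trustedIssuers>; an empty list means a token signed by ACS will be recognized."""
    valid = set(signing_thumbprints(metadata_xml))
    service = next(ET.fromstring(web_config_xml).iter("service"))
    entries = service.findall("issuerNameRegistry/trustedIssuers/add")
    findings = [] if entries else ["no <trustedIssuers><add> entry: every token fails with ID4175"]
    for add in entries:
        raw = add.get("thumbprint", "")
        hidden = ["U+%04X" % ord(c) for c in raw if not c.isprintable() or c.isspace()]
        cleaned = "".join(c for c in raw if c.isprintable() and not c.isspace()).upper()
        if hidden:  # the copy/paste problem: an invisible character rides along with the hex digits
            findings.append("thumbprint carries hidden characters %s: retype it by hand" % ", ".join(hidden))
        if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
            findings.append("%r is not a 40-hex-digit SHA-1 thumbprint (a subject name never matches)" % cleaned)
        elif cleaned not in valid:
            findings.append("%s is not an STS signing certificate in the metadata" % cleaned)
    return findings

def review_before_shipping(web_config_xml):
    """Settings in the posted section that are convenient on a dev box and deserve a second look in production."""
    service = next(ET.fromstring(web_config_xml).iter("service"))
    checks = [
        ("federatedAuthentication/wsFederation", "requireHttps", "false", "redirects to the STS need not use HTTPS"),
        ("federatedAuthentication/cookieHandler", "requireSsl", "false", "session cookie is written without the Secure flag"),
        ("certificateValidation", "certificateValidationMode", "None", "X.509 validation is off; the thumbprint pin is the only check left"),
    ]
    notes = []
    for path, attr, value, why in checks:
        element = service.find(path)
        if element is not None and element.get(attr, "").lower() == value.lower():
            notes.append(why)
    return notes

if __name__ == "__main__":
    good = thumbprint(FAKE_SIGNING_CERT_DER)
    for attr in ("CN=tmrportal7.accesscontrol.windows.net", "\u200e" + good, good):
        print(check_trusted_issuers(web_config(attr), FEDERATION_METADATA) or "OK")
    print(review_before_shipping(web_config(good)))
```

ConfigurationBasedIssuerNameRegistry looks up the thumbprint it computes from the certificate that signed the incoming token, so anything else in the attribute (a subject name such as CN=..., or the right hex digits with a stray invisible character in front) produces ID4175 every time. Run the script against your real web.config and the metadata document from https://<namespace>.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml by reading both files instead of the constructed strings. Note that an ACS namespace signs with a self-signed certificate, which is why certificateValidationMode="None" appears in the samples; with chain validation off, the thumbprint pin is the entire trust decision, so it is worth getting exactly right.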

All replies

  • In the 1.0.0013 release of the Partner Portal (and Customer Portal) for Dynamics CRM 2011, the authentication module has been converted to use Azure AppFabric Access Control Service (ACS). If you wish to continue to use the previous Live ID authentication scheme, then you will need to integrate the login form from the previous packages. If you wish to adopt ACS authentication, then it appears that your ACS configuration is not entirely correct; otherwise, there should be a set of buttons just above the "Live ID Account Transfer" heading for selecting an ACS identity provider.

    Refer to the "Portal Configuration Guide - Windows Azure ACS Authentication.doc" document within the Partner Portal package for details (or take a look here). You will need to add a relying party for your Azure hosted service. When ACS is mis-configured, you should see error responses in Fiddler coming back from Azure ACS.

    There is one other tweak that will need to be done to the web.config to accept the invitation code that is being sent in the email. Add the "invitationCodeKey" attribute:

    	<microsoft.xrm.portal.identityModel>
    		<registration enabled="true" registrationPath="~/confirm-invite" profilePath="~/profile" accountTransferPath="~/login" requiresInvitation="true"
    			requiresChallengeAnswer="false" requiresConfirmation="false" invitationCodeDuration="01:00:00" invitationCodeKey="InvitationCode"/>
    	</microsoft.xrm.portal.identityModel>
    
    

    Note: the sign-in button in the screenshot that appears just above the footer is configured for transferring users that are already registered under the previous Live ID authentication scheme and need to be transferred to ACS auth.

    Tuesday, December 20, 2011 7:54 PM
  • John,

    Thank you for your reply. Any suggestions you can provide are appreciated.

    I now see the different log on options (screenshot below) but when an invited partner tries to authenticate for the first time this message appears:

    ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

    Exception Details: System.IdentityModel.Tokens.SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

    Here is part of the web.config file:

    <microsoft.identityModel>
        <service>
            <audienceUris>
                <add value="http://tmrportal7.cloudapp.net/"/>
            </audienceUris>
            <federatedAuthentication>
                <wsFederation passiveRedirectEnabled="false" issuer="https://tmrportal7.accesscontrol.windows.net/v2/wsfederation" realm="http://tmrportal7.cloudapp.net/" requireHttps="false"/>
                <cookieHandler requireSsl="false"/>
            </federatedAuthentication>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="CN=tmrportal7.accesscontrol.windows.net" name="https://tmrportal7.accesscontrol.windows.net/"/>
                </trustedIssuers>
            </issuerNameRegistry>
            <serviceCertificate>
                <certificateReference x509FindType="FindByThumbprint" findValue="34BC9F66612D5BA307BDDD977A0431DE2D0C59FF"/>
            </serviceCertificate>
            <certificateValidation certificateValidationMode="None"/>
        </service>
    </microsoft.identityModel>

    <microsoft.xrm.portal.identityModel>
        <registration enabled="true" registrationPath="~/confirm-invite" profilePath="~/profile" accountTransferPath="~/login" requiresInvitation="true"
            requiresChallengeAnswer="false" requiresConfirmation="false" invitationCodeDuration="01:00:00" invitationCodeKey="InvitationCode"/>
    </microsoft.xrm.portal.identityModel>


    Terry McCullagh
    Friday, December 23, 2011 11:07 AM
  • Terry,

    Try re-entering thumbprint manually (from http://social.technet.microsoft.com/wiki/contents/articles/1898.aspx):

    If you copied the thumbprint from MMC snap-in into config, there is a known problem with copying from the certificate properties window into the config file and getting an extra non-printable character in the text string, which causes the thumbprint match to fail.

    Wednesday, December 28, 2011 1:21 AM
  • Sergey,

    Thanks for the suggestion.

    I do not see how this affects me since I copied the thumbprint from Azure - an MMC was not accessed for the thumbprint:

    Thanks,

    Terry McCullagh


    Terry McCullagh
    Tuesday, January 3, 2012 9:46 PM
  • Hi All

    I am experiencing the exact same problem. How to get the login buttons to appear on the login page?

    Thanks.

    Tuesday, January 10, 2012 8:41 PM
  • Terry, did you ever get this figured out? 

    I can get the authentication to work fine when running locally from my dev machine as http://localhost, but when I use the Azure realm and audience URI I cannot log in. In fact I don't even see the login screens when I enter a URL for the audienceUri and for the realm.

    Just wondering if you were able to get yours to work?

    Monday, February 6, 2012 11:15 PM