CRM and Sharepoint Integration - (401) Unauthorized - when setting Trusted Security Token Issuer

  • Question

  • Hi, I have SharePoint 2013 on-premises and CRM 2016 on-premises that I want to enable server-to-server integration on. The account I am using to run the commands is an admin on both the CRM and SharePoint servers. Both servers are set up with claims auth, and the CRM server uses ADFS 3.0 for authentication. The email address for the account is the same in SharePoint and CRM.

    I get this:

    An error occurred while downloading and parsing the json metadata document.  Exception: System.Net.WebException: The remote server returned an error: (401) Unauthorized.

    at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
    at System.Net.WebClient.DownloadData(Uri address)
    at Microsoft.SharePoint.Administration.SPSecurityTokenServiceJsonMetadataClient.DownloadMetadata(Uri metadataEndpointUri)
    System.Net.WebException: The remote server returned an error: (401) Unauthorized.
    at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
    at System.Net.WebClient.DownloadData(Uri address)
    at Microsoft.SharePoint.Administration.SPSecurityTokenServiceJsonMetadataClient.DownloadMetadata(Uri metadataEndpointUri)
    at Microsoft.SharePoint.Administration.Claims.SPTrustedProviderBase.UpdateFromMetadataFeed(Boolean isFirstTime)
    at Microsoft.SharePoint.Administration.Claims.SPTrustedProviderBase..ctor(SPPersistedObject parent, String name, String description, X509Certificate2 certificate, Uri metadataEndPoint, SPSecurityTokenServiceJsonMetadataDocument metadataDocument)
    at Microsoft.SharePoint.Administration.Claims.SPTrustedProviderBase..ctor(SPPersistedObject parent, String name, String description, Uri metadataEndPoint)
    at Microsoft.SharePoint.PowerShell.SPCmdletNewTrustedSecurityTokenIssuer.CreateDataObject()
    at Microsoft.SharePoint.PowerShell.SPNewCmdletBase`1.InternalProcessRecord()
    at Microsoft.SharePoint.PowerShell.SPCmdlet.ProcessRecord()


    When running this command in SharePoint Management Shell:

    New-SPTrustedSecurityTokenIssuer -Name "crm" -IsTrustBroker:$false -MetadataEndpoint https://internalcrm.domain.com/XrmServices/2015/metadataendpoint.svc/json?orgName=CRMORG

    The servers are in the same domain. I can download the JSON if I use that URL and authenticate as the current user. Could ADFS be causing the issue here? Are there any considerations for when using CRM with ADFS? Which user should have access to CRM? I tried giving the SP_Farm service account CRM privileges, but that didn't work either.

    Thanks


    • Edited by pipnz Monday, September 5, 2016 2:19 AM
    Monday, September 5, 2016 2:19 AM

All replies

  • Did you get this resolved? We have the same issue trying to integrate Dynamics CRM 2016 SP1 and SharePoint 2016.

    SP is running on Windows Server 2016 Tech Preview 5, configured for Windows Auth and SAML (ADFS 2.0).

    CRM is running on Windows Server 2012 R2, configured with ADFS 2.0. It is IFD and claims-based configured.

    SQL Server is SQL 2014, on Windows Server 2012 R2.

    All software is running under service accounts created for each application (i.e. CRM is running as Domain\ServiceDynApp, SharePoint is running as Domain\ServiceSPService).

    Right now we only have 2 users in CRM.

    We are trying to do a POC; however, right now it is looking like we won't get it set up in time, and budget will be allocated elsewhere with other CRM products if we don't work this out. Any help would be greatly appreciated.

    Monday, September 12, 2016 2:59 PM
  • No I have had no replies or further progress.
    Monday, September 12, 2016 11:04 PM
  • I ran into this problem and created a case with Microsoft CRM Support. Apparently there is a known issue/bug with CRM 2016 that doesn't allow this to work if you try using https in the MetadataEndPoint, which makes it problematic in IFD installations. To get this working, you will have to temporarily do the following items before running the SharePoint PowerShell command:

    1.  Disable CRM IFD

    2.  Disable CRM Claims Configuration

    3.  Remove the https binding on the CRM Web site and add back the http binding for the CRM Web site. 

    4.  Run CRM Deployment Manager and change the properties of the deployment for the Web Address to use http instead of https.

    5.  Run an IISReset on the CRM Server to ensure this is now accessible via http.

    6.  Run the SharePoint PowerShell commands (you should be able to access the MetadataEndpoint using http vs. https now if you put it in the browser, and it should prompt to download a .json file).

    7.  Once the SharePoint commands are finished running, you need to reverse the changes above in CRM to re-enable IFD.

    8.  Change the CRM Web Address to use https in the CRM Deployment Properties.

    9.  Remove the http binding on the CRM Web site and add back the https binding, selecting the correct SSL Certificate.

    10.  Run the Configure CRM Claims in the CRM Deployment Manager (keep the existing settings).

    11.  Run the Configure IFD in the CRM Deployment Manager (keep existing settings).

    12.  Run an IISReset on the CRM Server.

    13.  Verify that both the CRM Internal URL and External URLs are accessible and finish out the rest of the steps in the CRM SharePoint configuration listed here - https://msdn.microsoft.com/en-us/library/gg334768.aspx


    Chad Rexin


    • Proposed as answer by Chad Rexin Thursday, September 29, 2016 10:04 PM
    • Edited by Chad Rexin Friday, September 30, 2016 2:24 PM small clarification on step 6
    Thursday, September 29, 2016 10:03 PM
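An added pre-flight script (editor's example, not from any poster or from Microsoft) for the command in the original question and for the endpoint check in step 6 above: it fetches the metadata document the same way the cmdlet does, with no credentials (the stack trace shows SPSecurityTokenServiceJsonMetadataClient using a plain WebClient, which sends none by default), reports the HTTP status, inspects the document SharePoint is about to trust, and only then registers the issuer. The URL and issuer name are the ones from the question; the "issuer" and "keys" property names are assumed to match the SharePoint JSON metadata format.

```powershell
# Added example, not from the thread. Placeholders: $MetadataUrl and $IssuerName
# are the values from the original question; replace them with your own.
param(
    [string]$MetadataUrl = "https://internalcrm.domain.com/XrmServices/2015/metadataendpoint.svc/json?orgName=CRMORG",
    [string]$IssuerName  = "crm"
)

function Test-CrmMetadataEndpoint {
    param([string]$Url)
    # The cmdlet's SPSecurityTokenServiceJsonMetadataClient uses a plain WebClient,
    # which sends no credentials by default, so probe the same way: no auth at all.
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $false
    try {
        $body = [System.Text.Encoding]::UTF8.GetString($client.DownloadData($Url))
        return [pscustomobject]@{ Ok = $true; StatusCode = 200; Body = $body; Error = $null }
    } catch {
        # PowerShell wraps .NET exceptions; unwrap to reach the WebException.
        $ex = $_.Exception
        if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
        $code = -1
        if ($ex -is [System.Net.WebException] -and $ex.Response) { $code = [int]$ex.Response.StatusCode }
        return [pscustomobject]@{ Ok = $false; StatusCode = $code; Body = $null; Error = $ex.Message }
    }
}

$probe = Test-CrmMetadataEndpoint -Url $MetadataUrl
if (-not $probe.Ok) {
    Write-Warning "Anonymous GET of the metadata endpoint failed (HTTP $($probe.StatusCode)): $($probe.Error)"
    Write-Warning "New-SPTrustedSecurityTokenIssuer fetches it the same way and will fail identically."
    exit 1
}

# Inspect what SharePoint is about to trust. "issuer" and "keys" are the property
# names in the SharePoint JSON metadata format (assumed here; list them if they differ).
$doc = $probe.Body | ConvertFrom-Json
"Top-level properties: $(($doc.PSObject.Properties.Name) -join ', ')"
if ($doc.issuer) { "Issuer: $($doc.issuer)" }
if (-not $doc.keys) {
    Write-Warning "No signing keys in the document; SharePoint could not validate CRM tokens. Not registering."
    exit 1
}
"Signing keys advertised: $(@($doc.keys).Count)"

# Same command as the original post (ASCII hyphens), run only after the checks pass.
New-SPTrustedSecurityTokenIssuer -Name $IssuerName -IsTrustBroker:$false -MetadataEndpoint $MetadataUrl
```

Run it from the SharePoint Management Shell; a 401 or 302 from the anonymous probe reproduces the cmdlet's failure without touching the farm configuration, and the printed issuer value should match the CRM deployment you expect before the trust is created.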
  • Hi Chad,

    Do you know of any way to get this to work without disabling and reconfiguring IFD?

    Friday, June 23, 2017 5:20 PM