CRM 2016 - Problem with Claims-Based Authentication

  • Question

  • Hi,
    I'm testing the CRM 2016 migration in my company.

    I installed CRM 2016 Update 0.1 otherwise the organization import failed.
    After that, every time I reboot the server, I can't access CRM, and in the ADFS log I see this error:

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          02/03/2016 11:24:26
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          ACME\ADFS2.Service
    Computer:      METCRM03.acme.lan
    Encountered error during federation passive request.

    Additional Data

    Protocol Name:

    Relying Party:

    Exception details:
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '1' seconds. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    After a few hours, I can access CRM.


    Wednesday, March 2, 2016 11:31 AM
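
A way to triage the Event ID 364 / MSIS7042 errors shown in the question, as an added example that is not part of the original post or of any Microsoft tooling. It assumes it is run in an elevated PowerShell session on the AD FS server; the 7-day look-back window and the variable names are arbitrary choices made for this example.

```powershell
# Added example: summarise AD FS loop-detection errors (Event ID 364, MSIS7042)
# so they can be lined up against server reboots and update installs.
$since = (Get-Date).AddDays(-7)   # assumed look-back window

# Read only Event ID 364 from the AD FS/Admin log, then keep the MSIS7042 ones.
$filter = @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $since }
$loopEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*MSIS7042*' }

# Extract the request count and the time window from the MSIS7042 message text.
$pattern = "has made '(?<count>\d+)' requests in the last '(?<secs>\d+)' seconds"

$parsed = foreach ($e in $loopEvents) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Hour        = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
            Requests    = [int]$Matches['count']
            WindowSecs  = [int]$Matches['secs']
        }
    }
}

# Hourly totals: a burst that begins right after a reboot and fades hours later
# matches the behaviour described in the question.
$parsed | Group-Object Hour | Sort-Object Name |
    Select-Object @{ n = 'Hour'; e = { $_.Name } },
                  Count,
                  @{ n = 'MaxRequests'; e = { ($_.Group | Measure-Object Requests -Maximum).Maximum } } |
    Format-Table -AutoSize

# Last boot time of this server, for comparison with the first burst.
(Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
```
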

All replies

  • Hi,

    I have seen this once myself but I can't remember what I did to resolve it. Try to go through both ADFS and IFD wizards in the deployment manager and update the metadata in the ADFS setting. It might have been some issues with certificates so you might want to redo the grant rights to the relevant accounts.


    Rickard Norström Developer CRM-Konsulterna
    Swedish Dynamics CRM Forum: http://www.crmforum.se
    My Blog: http://rickardnorstrom.blogspot.se

    Wednesday, March 2, 2016 11:37 AM
  • Hi, 

    having the same issue. Working Claim-based / IFD installation on 2016 breaks after installing 0.1 update. 

    I additionally receive an event log on the CRM server, "the locator service failed to flush cache locatorcache crm", after going through the ADFS / IFD wizards...


    P.S.: May the requirements for the certificates have changed? I'm using a wildcard, but know that e.g. Skype (Lync) servers refuse to work with wildcards

    • Edited by Bernhard Marx Thursday, March 3, 2016 8:11 AM typos / additional content
    Thursday, March 3, 2016 8:09 AM
  • Hi,

    I saw somewhere else that the 0.1 update has broken IFD settings for other organizations. Maybe you need to go through the entire IFD/ADFS setup.


    Rickard Norström Developer CRM-Konsulterna
    Swedish Dynamics CRM Forum: http://www.crmforum.se
    My Blog: http://rickardnorstrom.blogspot.se

    Thursday, March 3, 2016 8:31 AM
  • Hi Rickard,

    thanks for the quick reply. Is there a way to totally remove the settings? I already tried to disable Claim-Based / IFD, but when starting the wizard it still remembers the configuration...

    Do you have an idea how to manually flush the above-named cache? Maybe this resolves the issue?



    Thursday, March 3, 2016 8:35 AM
  • Hi,

    No, I don't know if you can. But if you go through ALL steps in setting up an IFD you should overwrite the settings and you should get confirmation that everything works along the way.


    Rickard Norström Developer CRM-Konsulterna
    Swedish Dynamics CRM Forum: http://www.crmforum.se
    My Blog: http://rickardnorstrom.blogspot.se

    Thursday, March 3, 2016 8:46 AM
  • Are you using a Web Application Proxy (WAP) ? If so, you may need to set DisableTranslateUrlInResponseHeaders - see https://blogs.msdn.microsoft.com/javaller/2014/01/13/publishing-crm-internet-facing-deployment-using-web-application-proxy-and/

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Thursday, March 3, 2016 11:41 AM
  • Hi David,

    thanks for your reply. mhmmm... Not that I know. Currently I'm "offsite", connected via DirectAccess (DA). I'm not quite sure if the WAP is used by default. The "real" IFD part is transparently mapped (no handling on TMG - just forwarding to the ADFS server) through TMG 2010...


    P.S.: will check when I'm "inside" the Network :-)

    Thursday, March 3, 2016 11:47 AM
  • Hi all,

    tried now to Login:

    1) internal via ClaimsBased: failed

    2) internal via IFD: passed

    3) DirectAccess via IFD: passed

    4) DirectAccess via ClaimsBased: passed

    Don't know what's going on ...


    Friday, March 4, 2016 1:55 PM
  • in my case after some hours the CRM works

    I think there is a problem between STS and CRM, in particular in authentication lifetime token :-(


    Friday, March 4, 2016 2:32 PM
  • I have the exact same issue (although it never starts working), I uninstalled 0.1 update and it works fine with no changes. 
    Thursday, March 10, 2016 5:11 PM
  • Hi John,

    during testing I did the same. After uninstallation Claims-based worked again without issues. But please check the version of your crm databases as uninstalling 0.1 reverted my (crm)databases back to Version 7.x.x.x.

    Could upgrade them anymore to Version 8.0 (RTM of CRM 2016). Only (quick) Chance was to restore them from backup.

    It looks to me that uninstalling 0.1 reverts the databases only from versioning, because during upgrading the System threw Errors that this Version is not upgradable as there are some version issues...



    Thursday, March 10, 2016 9:38 PM
  • We opened a support ticket with Microsoft and they have acknowledged it as a bug and are working on a fix for this (with no ETA)

    From MS Support :

    Cause: It’s a known bug recently reported in 0.1 Update for CRM 2016.

    Possible Cause for the Issue: There were major code changes in Ara UR1 for authentication. The affected code is in Microsoft.Crm.Core.Security.Identity.IdentityExtensions.GetUserPrincipalName(). We are unable to cast from type ClaimsIdentity to a new type CrmIdentity.

    Therefore, the variable is null, and we cannot retrieve the information.

    • Proposed as answer by Markus Alter Friday, April 1, 2016 2:51 PM
    Wednesday, March 23, 2016 4:28 PM
  • Hello John,

    did you already get a solution from Microsoft? We are facing the same issue in our internal CRM 2016.
    Otherwise we will open a new support ticket as well...

    Thanks in advance!


    Friday, April 1, 2016 2:46 PM
  • Markus - there is no Solution yet from Microsoft on this. We are not holding our breath!
    Tuesday, April 12, 2016 8:39 PM
  • Ok, thank you, John. That was the answer I expected ...

    Wednesday, April 13, 2016 6:49 AM
  • We have been facing the same issue in our development environment after upgrading to 2016 0.1. We opened a support ticket with Microsoft for this specific case, and they confirmed it's a bug in 0.1 that will be resolved in the next update, 0.2. They also said they will eventually send us a Critical-on-Demand fix as soon as it is available within the upcoming weeks, so if you're in a hurry, I suggest you open an incident as well.
    Monday, April 18, 2016 10:25 AM
  • Does anybody have something I can reference? I've been working with MS support for a couple of weeks now with no success or acknowledgment of the bug.



    Monday, April 18, 2016 6:33 PM
  • They acknowledged it's a bug. Just have to wait for the COD to come out.
    Wednesday, April 20, 2016 7:36 AM
  • I've had this issue as well. Luckily I didn't need 0.1 to import our organisation, so I could revert back to the point prior to the install of 0.1... I hope MS adjusted their testing so they also include a CBA/IFD deployment....
    Monday, April 25, 2016 5:49 PM
  • Hi All,

    As I'm having the same issue, does someone already have a solution to solve it? I am not facing this issue on my CRM DEV server but am having the issue in CRM PROD (all CRM servers are connecting to the same ADFS server).

    This might be helpful, if so mark this as "Answer" or "Vote as helpful"

    Friday, April 29, 2016 7:18 AM
  • Hi All,

    Did someone already get the hotfix? Can you share it, or can you tell me how to request the hotfix from Microsoft?

    This might be helpful, if so mark this as "Answer" or "Vote as helpful"

    Wednesday, May 11, 2016 10:06 AM
  • I've received the hotfix and this solved the issue for me.

    Just open a support call with Microsoft and refer to this thread. That should be enough. It's a known issue.

    Monday, May 30, 2016 9:25 AM
  • I have this exact same issue, and have been trying for quite a while to get the hotfix to no avail.  No one is able to find it for me without a KB article number, even with this forum thread.  Anyone who's successfully gotten this hotfix have a KB or other reference number to share to make things easier?  Thanks!
    Thursday, June 2, 2016 8:47 PM
  • This issue is fixed in the recently released service pack for CRM 2016
    Friday, June 3, 2016 1:16 PM
  • We're on 2016 Update 0.1, and I did see that the fix would supposedly be included in 0.2.  But I can't find any evidence that 0.2 is out yet - do you have a link?  Thanks!
    • Edited by Allison W Friday, June 3, 2016 4:51 PM
    Friday, June 3, 2016 4:51 PM
  • Yes, it was due in 0.2 but it looks like Microsoft have now included the fix in the service pack - here's the link:


    • Proposed as answer by Allison W Tuesday, June 7, 2016 4:02 PM
    Monday, June 6, 2016 7:53 AM
  • Can confirm that the SP fixed this IFD/ADFS problem for me (once I worked around the bloody SQL error that was preventing upgrade - see https://community.dynamics.com/crm/f/117/p/201943/522692 for details on that).
    Tuesday, June 7, 2016 4:02 PM
  • It seems that SP1 solves the bug!
    Thursday, June 23, 2016 2:30 PM