Claims based auth sending to the wrong URL

  • Question

  • I have deployed CRM 2011 with claims-based auth. However, when I try to connect, it appears that one part of the process is receiving the wrong URL. I'm doing this through an LB, so that might be a complicating factor, but it doesn't appear to be the primary cause. I'm also using a VeriSign wildcard cert for all certs.

    I have the CRM web server on port 444. The default web server (ADFS) is on 443.

    In my CRM properties page I have, for all entries:

    extcrm.externaldomain:443

    The actual server is on 444, but the LB is translating the port from 443 to 444. In the Advanced tab I have LB checked and the external URL set to extcrm.externaldomain.

    In the claims config I have:

    https://adfs.externaldomain/federationmetadata/2007-06/federationmetadata.xml

    When I check the federation metadata it shows what appears to be the correct information, as below:

    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>

    The address there appears to be driven by the properties setting in CRM, which makes sense to me.

    I created a Relying Party as follows:

    https://auth.externaldomain/FederationMetadata/2007-06/FederationMetadata.xml

    Everything in there appears to be in order. The auth VIP is on a different IP from the extcrm VIP and translates to the correct ADFS website on 443. I'm a little unsure if this is correct or not; should it be pointing to the CRM web server on 444?

    Now, what actually happens is: when I hit the external URL I get an error saying "Error adfs.externaldomain There was a problem". In the event logs I get an entry that says:

    A token request was received for a relying party identified by the key 'https://emp1crmpin02:444/', but the request could not be fulfilled because the key does not identify any known relying party trust.

    Key: https://emp1crmpin02:444/

    This request failed.

    User Action

    If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.

    So the token being passed to ADFS appears to carry the URI of the actual hostname of the CRM server. My problem is that I can't see ANY configs that even show that hostname, let alone let me change it.

    It looks like when I add the Relying Party Trust the metadata is incorrect, as the identifier being displayed is the internal hostname.

    Just to be clear, I have the following config:

    External VIP adfs.externaldomain > Default Web Server with ADFS installed at 443

    External VIP extcrm.externaldomain > Web Server (same box) at 444

    DNS extcrm.externaldomain > External extcrm VIP

    DNS adfs.externaldomain > External adfs VIP

    DNS auth.externaldomain > External extcrm VIP

    DNS dweb.externaldomain > External extcrm VIP


    Any suggestions would be greatly appreciated.

    Thanks


    Dave
    Thursday, March 17, 2011 12:09 AM
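The failure in the event log above comes down to a string comparison: AD FS takes the realm (`wtrealm`) from the WS-Federation sign-in request and looks for a relying party trust whose identifier is a prefix of it. The script below is an added example (not code from the original post, from Microsoft CRM, or from AD FS) that makes that comparison reproducible offline: it parses a federation metadata document constructed to mirror the `fed:TargetScopes` fragment quoted in the question, takes the `TargetScopes` addresses as the identifiers an imported trust would carry (an assumption about how the trust was created), and checks two constructed sign-in redirects against them, one carrying the external name and one carrying `https://emp1crmpin02:444/`. The prefix rule is modelled on the "verify that its prefix matches" wording of the event and is segment-aware, so `https://extcrm.externaldomain/` matches `https://extcrm.externaldomain/main.aspx` but an identifier without a trailing slash cannot match a look-alike host; AD FS's own comparison may be stricter than this model.

```python
"""Check a WS-Federation sign-in request's wtrealm against the relying party
identifiers published in a federation metadata document.

Added example, not code from the original post, CRM, or AD FS. The metadata
and the two sign-in URLs below are constructed sample input.
"""
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

NS = {
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed to mirror the TargetScopes / ApplicationServiceEndpoint /
# PassiveRequestorEndpoint fragment quoted in the question.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://extcrm.externaldomain/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:ApplicationServiceType">
    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""

# Constructed passive sign-in redirects: one with the external name the
# trust was built from, one with the internal host/port from the event log.
GOOD_REQUEST = ("https://adfs.externaldomain/adfs/ls/?wa=wsignin1.0"
                "&wtrealm=https%3A%2F%2Fextcrm.externaldomain%2F"
                "&wctx=rm%3D0%26id%3Dpassive%26ru%3D%252fmain.aspx")
BAD_REQUEST = ("https://adfs.externaldomain/adfs/ls/?wa=wsignin1.0"
               "&wtrealm=https%3A%2F%2Femp1crmpin02%3A444%2F")


def relying_party_identifiers(metadata_xml: str) -> list:
    """Identifiers a trust imported from this metadata is assumed to carry:
    every Address under fed:TargetScopes, in document order, de-duplicated."""
    root = ET.fromstring(metadata_xml)
    ids = []
    for addr in root.findall(".//fed:TargetScopes/wsa:EndpointReference/wsa:Address", NS):
        value = (addr.text or "").strip()
        if value and value not in ids:
            ids.append(value)
    return ids


def _split(url: str):
    """Normalise scheme, host and port so https://h/ and https://h:443/ compare equal."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme.lower())
    return p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/"


def identifier_matches(realm: str, identifier: str) -> bool:
    """Segment-aware prefix match: same scheme/host/port and the identifier
    path is the realm path or a directory prefix of it."""
    r_scheme, r_host, r_port, r_path = _split(realm)
    i_scheme, i_host, i_port, i_path = _split(identifier)
    if (r_scheme, r_host, r_port) != (i_scheme, i_host, i_port):
        return False
    if not i_path.endswith("/"):
        i_path += "/"
    return r_path == i_path.rstrip("/") or r_path.startswith(i_path)


def realm_from_signin_request(url: str) -> str:
    """Pull wtrealm out of a WS-Federation passive sign-in redirect."""
    query = parse_qs(urlsplit(url).query)
    if query.get("wa", [""])[0] != "wsignin1.0":
        raise ValueError("not a WS-Federation sign-in request")
    return query["wtrealm"][0]


def check_signin_request(url: str, metadata_xml: str) -> dict:
    """Report which trust identifiers (if any) the request's realm would hit."""
    realm = realm_from_signin_request(url)
    identifiers = relying_party_identifiers(metadata_xml)
    matched = [i for i in identifiers if identifier_matches(realm, i)]
    return {"realm": realm, "identifiers": identifiers,
            "matched": matched, "ok": bool(matched)}


if __name__ == "__main__":
    for label, req in (("external name", GOOD_REQUEST), ("internal host", BAD_REQUEST)):
        r = check_signin_request(req, SAMPLE_METADATA)
        print(f"{label}: realm={r['realm']} matched={r['matched']} ok={r['ok']}")
```

Run stand-alone, the first request resolves to the `https://extcrm.externaldomain/` identifier and the second matches nothing, which is exactly the condition the AD FS event reports. Against a live deployment the same check can be run on the real metadata document and on the `wtrealm` captured from the browser's redirect to `/adfs/ls/`; if the captured realm still carries the internal hostname, the trust identifiers are not the thing to change, because whatever builds the sign-in request is the side emitting the wrong name.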

All replies