Issue with Claims Based Authentication in CRM 2013

  • Question

  • Hi,

    I am facing problems enabling Claims Based Authentication for Dynamics CRM 2013. I followed almost every guide available in the internet, and simply CANNOT get it to work. I am clueless and lost, so I need your assistance please.

    Okay, so here's what I did and what happened:

    1. Before CBA, enabled HTTPS for Dynamics CRM 2013, works perfectly.

    2. Installed ADFS 2.0 in a separate server, added certificate to IIS (blah blah...) and configured ADFS. By the way, I am using two certificates (a wildcard for CRM and a specific one i.e. adfs.domain.com for the ADFS website). Although they are both added to the Windows Cert Store with a CA in the trusted authority (and the default website loads without any warning), after I am done with the ADFS configuration and check the Token-Signing and Token-Decryption certificates, it says CA is not added, and I have to install them in trusted authority (IDK why that happens, I'm clueless). Anyways, I add them and everything works fine till now.

    3. I check the adfs.domain.com/<the_entire_goddamn_url> and it resolved from different servers without any warning. So that means the DNS works fine, meh?

    4. Enable CBA from Deployment Manager, and receive the internalcrm.domain.com/<the_entire_goddamn_url> and it again resolves from different servers without any warning. DNS works and correct again, I believe?

    5. Add Relying Party Trust, and the rules; everything according to the official guide. All done, and I try hitting the URL https://internalcrm.domain.com and it gives me a white page with message "An error has occurred" and some generic Microsoft error text (I don't remember that) and a god damn guid! (I hate this page). No errors in event viewer, nowhere.

    What could possibly have gone wrong? Any idea?


    Admin QuikView Solution for CRM 2013

    Wednesday, April 30, 2014 1:11 PM

All replies

  • Anyone got anything to help?


    Admin QuikView Solution for CRM 2013

    Monday, May 5, 2014 4:55 AM
  • Configuring claims-based authentication is a complicated task, so I suggest you do it according to the Microsoft white paper. I have written some tips in this post http://blog.csdn.net/ghostbear/article/details/21995377, and you can get the white paper here http://blogs.msdn.com/b/crm/archive/2014/02/14/white-paper-refresh-configure-ifd-for-crm-server.aspx

    Monday, May 5, 2014 7:52 AM
  • Hi Jeff,

    Your first link doesn't work. I tried the Claims Based Authentication again from scratch for probably the Nth time (I lost track of how many times I have been doing this) according to the white paper. I still keep getting the same error. Following is my configuration:

    • Server A : Dynamics CRM Front End Role + Deployment Role (CRM running on port 443 using wildcard certificate)
    • Server B : Dynamics CRM Back End Role + ADFS (ADFS running on default website port 443 using wildcard certificate)
    • Server C : SQL Server
    • Server D : Domain Controller

    I see this error when I try to access https://internalcrm.domain.loc from Server A or Server D, but when I try to access it from Server B it keeps prompting me for username and password even though I enter the correct credentials. Also from Server A or D, the URL https://adfs.domain.loc/adfs/ls/IdpInitiatedSignon.aspx seems to work and asks me to sign in and sign out but from Server B it keeps prompting for credentials.

    And as usual, no error logs in event viewer.


    Admin QuikView Solution for CRM 2013

    Monday, May 5, 2014 10:44 AM
  • Hi 

    I can assure you that you'll see an event in the ADFS server - you should check what you get there and post it here


    Please vote if you find my post helpful - Thanks

    Monday, May 5, 2014 11:35 AM
  • Hi TZ00KI,

    I indeed found logs in the ADFS Server. It states "The security token could not be authenticated or authorized.".

    The Event Viewer entry is as follows:

    Encountered error during federation passive request.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

    EDIT: I executed some PS scripts as mentioned here http://manyrootsofallevilrants.blogspot.in/2013/08/adfs-issues-id3242-security-token-could.html and the adfs error went away, but now I see a generic CRM error as follows:

    I turned on CRM tracing but didn't see any error.


    Admin QuikView Solution for CRM 2013


    • Edited by Anupam Bishui Monday, May 5, 2014 12:50 PM
    Monday, May 5, 2014 12:14 PM
  • Dynamotion, in my opinion we should install ADFS on a separate server. Below is my experience of how to configure claims-based authentication for Dynamics CRM 2013.

    My Lab Environment as following:

    AD + Dynamics CRM 2013: Windows Server 2012 R2 (Machine 1)

    ADFS: Windows Server 2012 R2 (Machine 2)


    Configuration Steps:

    1. Install Active Directory Certification Application on Machine 1

    2. Apply a domain certification on Machine 1, please mind that the common name of the certification should be wildcard format e.g. *.dynamics.local.

    3. Setup Dynamics CRM to support SSL binding in IIS using applied certification, and Modify related settings in Dynamics CRM Deployment Management.

    4. Install certification applied on step 2 into Machine 2, and configure ADFS settings on it. (you can get more detail in white paper)

    5. Setup DNS rules in Machine 1. (you can get more detail in white paper)

    6. Enable Dynamics CRM Claim Based Authentication in Dynamics CRM Deployment Management.

    7. Configure ADFS settings. (you can get more detail in white paper)

    8. Enable Dynamics CRM IFD in Dynamics CRM Deployment Management.

    9. Done.


    Tuesday, May 6, 2014 1:19 AM
  • Hi Jeff,

    I tried your approach, installed ADFS in my SQL box, followed the Microsoft white paper and additionally used setspn for the ADFS server. Seems to be working perfectly now! :)

    Could you tell me if CRM 2013 has any issues with ADFS being installed in either of the CRM Servers, or is it something that I doing wrong? I tried installing ADFS in both the front end and back end CRM Servers, but it didn't work.


    Admin QuikView Solution for CRM 2013

    Tuesday, May 6, 2014 6:33 AM
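    The checks below cover what the two posts above hinge on: both host names resolving on every server, the federation metadata of ADFS and CRM loading over HTTPS without a certificate error, the SPN on the ADFS service account (the setspn step that fixed the repeated credential prompts), and the token-signing/decryption certificates. This is an added diagnostic script, not from the thread or the white paper; the host names and `DOMAIN\adfssvc` are placeholders for your own values, and it is meant to run on the ADFS server with the ADFS snap-in/module available.

```powershell
# Added example, not from the thread. Placeholders: replace with your own names.
$AdfsHost    = 'adfs.domain.loc'
$CrmHost     = 'internalcrm.domain.loc'
$AdfsSvcAcct = 'DOMAIN\adfssvc'   # assumption: the account the AD FS service runs as

# 1. DNS: both names must resolve from every box, not only the one you built on
foreach ($h in $AdfsHost, $CrmHost) {
    try {
        $ip = ([System.Net.Dns]::GetHostAddresses($h) | Select-Object -First 1).IPAddressToString
        "$h -> $ip"
    } catch {
        "$h does NOT resolve: $($_.Exception.Message)"
    }
}

# 2. Federation metadata over HTTPS. A certificate chain error here is the same
#    trust problem a browser warning shows, and it breaks the relying party trust.
$urls = @(
    "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml",
    "https://$CrmHost/FederationMetadata/2007-06/FederationMetadata.xml"
)
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing
        "$u -> HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
    } catch {
        "$u FAILED: $($_.Exception.Message)"
    }
}

# 3. SPN: the service account needs HOST/<federation service FQDN>; without it
#    Kerberos auth to ADFS fails and the browser keeps prompting for credentials.
"SPNs registered on ${AdfsSvcAcct}:"
setspn -L $AdfsSvcAcct

# 4. Token-signing / token-decryption certificates: the CRM server must trust
#    their issuing CA, or the token from ADFS is rejected.
if (-not (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell   # ADFS 2.0; on 2012 R2 the module auto-loads
}
Get-ADFSCertificate | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ n = 'Issuer'; e = { $_.Certificate.Issuer } }
```

    Run it on each server in turn; a host that fails step 1 or 2 while the others pass is the one whose DNS or certificate store needs attention.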
  • I found the information below in the white paper. Are you sure you meet all of the requirements the white paper mentions?

    If you are deploying on Windows Server 2008 or Windows Server 2012, and you are installing AD FS on the same server as Microsoft Dynamics CRM, AD FS installs on the default website. Before installing AD FS, you must create a new website for Microsoft Dynamics CRM Server.
    This does not apply to Windows Server 2012 R2 as Windows Server 2012 R2 does not depend on IIS.

    Wednesday, May 7, 2014 10:14 AM
  • Hi Jeff,

    Yes, CRM is installed in a new Website running on port 5555, and the default website was left for ADFS. Also, CRM website was only on the front end server, the back end server didn't have CRM website installed. The IIS in the backend server only had the default website left for the ADFS.


    Admin QuikView Solution for CRM 2013

    Thursday, May 8, 2014 5:10 AM
  • I have a very similar problem: on HTTPS the CRM doesn't work, while everything is working fine on HTTP. My environment is a little different (I have an NLB and 2 full installations). On the second server I have some problems with the certificates, and I think that is preventing the users from logging in. It's weird because I can see the ADFS login screen (even if it's not logging in). Also the metadata service is available on HTTPS (for both servers), and I'm able to see the discovery service on HTTPS :S If someone has more info that would be great. I have also set up IFD in 3 other scenarios without particular problems, but on this one I don't know what to do.
    Monday, May 19, 2014 2:45 AM