Validation Error When Installing New Front-End CRM 2011 Server - ADFS Encryption Certificate Permissions

  • Question

  • We're running a CRM 2011 Internet-Facing Deployment with ADFS. When we try to install the Front-End server role on our existing CRM deployment, we get the following error message: "The encryption certificate 'CN=*.example.com, OU=Domain Control Validated, O=*.example.com' cannot be accessed by the CRM service account."
    We went to the local certificate store on the new front-end server and verified that the certificate was installed in the personal store and that the CRM service account did have read permission on the private key for the certificate, but we were still getting the error. Unable to resolve this issue, we disabled IFD and Claims auth, then installed CRM successfully, then re-enabled IFD and Claims. We haven't had any issues using the new server - Claims Authentication seems to work perfectly. Unfortunately, we've continued to have this problem on each new Front-End server since we enabled Claims.
    Is this due to some configuration error on our part? Is there a more correct way to install the new front-end server without having to disable Claims Auth temporarily? 
    Friday, June 24, 2011 5:43 PM

All replies

  • Did you get this resolved? We are getting the same issue.
    Monday, September 12, 2011 11:31 PM
  • Hopefully there is some kind of fix for this... We have no front-end server to disable Claims Based Auth from... so no way to fix this issue on our side!!

    Any help would be greatly appreciated... or if you know a way to disable claims in the database directly?

    Monday, December 5, 2011 6:26 PM
  • Hello Chris,

    I have to agree with you... this is a very frustrating aspect of adding more servers to a deployment. I've managed to get round this by first installing backend components, e.g. backend server and deployment server roles. Once completed, you can edit the server configuration (Control Panel > Uninstall/change), or rerun the setup files, and include the Front End server role. Unfortunately, I can't see a way of installing the CRM website to any other sites except the Default Web Site.

    Hope this works for you,


    Thursday, April 12, 2012 2:57 PM