Error messages 364 and 317 when trying to access Internal CRM RRS feed

  • Question

  • Hi,

    I am trying to configure CRM 2011 IFD, however I am running into these two errors when I authenticate to the internal link (internalcrm.xxxx.com:444). I have re-imported the SSL certs but to no avail, and I can view/verify the FederationMetadata URL (https://sts.xxxxxx/federationmetadata/2007-06/federationmetadata.xml) and get no cert errors.

    So when I enter my credentials I get this page -

    With these errors in the event log -

    365 Details:

    Encountered error during federation passive request.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

    317 Details:

    An error occurred during an attempt to build the certificate chain for the relying party trust 'https://internalcrm.xxxx/' certificate identified by thumbprint 'xxxxx'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

    You can use Windows PowerShell commands for AD FS 2.0 to configure the revocation settings for the relying party encryption certificate.
    Relying party trust's encryption certificate revocation settings: CheckChainExcludeRoot
    The following errors occurred while building the certificate chain:  
    Unknown error.
     

    User Action:
    Ensure that the relying party trust's encryption certificate is valid and has not been revoked.
    Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
    Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS 2.0 Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).

    Please help!

    Thursday, March 29, 2012 11:24 AM

Answers

  • Thanks for the response Jamie. I resolved the issue by creating a new set of self-signed certs.

    Thursday, March 29, 2012 2:23 PM

All replies

  • I don't think those event IDs correspond with types of errors. Other than that I do not have any other guidance at this time.

    Have you read the ADFS claims-based documents that come with the implementation guide?


    Jamie Miley
    Check out my about.me profile!
    http://mileyja.blogspot.com
    Linked-In Profile
    Follow Me on Twitter!

    Thursday, March 29, 2012 2:08 PM
    Moderator
  • Thanks for the response Jamie. I resolved the issue by creating a new set of self-signed certs.

    Thursday, March 29, 2012 2:23 PM
  • Thanks for the response Jamie. I resolved the issue by creating a new set of self-signed certs.

    Hi Green,

    Will you please help me to resolve it?

    Tell me if I am wrong: you mean you are using self-signed certs for CBA IFD.

    So are you using two certs for ADFS and CRM, or one for both?

    I am facing the same issue as you have mentioned.

    Please help me troubleshoot it.

    Thanks,

    yes.sudhanshu


    http://bproud2banindian.blogspot.com
    http://ms-crm-2011-beta.blogspot.com

    Thursday, May 24, 2012 6:42 AM
  • Hi Sudhanshu,

    Create a new Self Signed wild card certificate and configure the IFD again. You can also use two certs for ADFS and CRM.

    But the certificate which you use for CRM should include the auth, dev, org and internal subject alternative names. It's better to use a self-signed wildcard cert for practice.


    Regards,


    Khaja Mohiddin
    http://www.dynamicsexchange.com
    http://about.me/KhajaMohiddin

    Thursday, May 24, 2012 9:15 AM
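    The two checks the thread turns on are the ones event 317 in the original question names (can AD FS build the relying party trust's encryption certificate chain under the configured revocation setting, and is the cert within its validity period) and the one Khaja raises above (does the CRM cert carry the auth, dev, org and internal host names as subject alternative names). The script below is an added diagnostic written for this page, not code from the thread or from Microsoft; it assumes an AD FS 2.0 server with the Microsoft.Adfs.PowerShell snap-in, and the relying party identifier and required host names are placeholders taken from the thread's masked values, so substitute your own.

```powershell
# Added diagnostic for the AD FS 2.0 event 317 / CRM IFD certificate checks discussed in this thread.
# Assumptions: run in an elevated PowerShell on the AD FS 2.0 server; identifier and host names are placeholders.
param(
    [string]$RelyingPartyId = 'https://internalcrm.xxxx/',                          # placeholder from the thread
    [string[]]$RequiredNames = @('auth.xxxx.com', 'dev.xxxx.com', 'org.xxxx.com', 'internalcrm.xxxx.com')  # placeholder host names
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Read the relying party trust and the encryption certificate event 317 complains about.
$rp = Get-ADFSRelyingPartyTrust -Identifier $RelyingPartyId
if (-not $rp) { throw "No relying party trust with identifier $RelyingPartyId" }

$cert = $rp.EncryptionCertificate
if (-not $cert) { throw "Relying party trust '$RelyingPartyId' has no encryption certificate configured" }

"Encryption cert : $($cert.Subject)  thumbprint $($cert.Thumbprint)"
"Validity        : $($cert.NotBefore) .. $($cert.NotAfter)  (now: $(Get-Date))"
"Revocation mode : $($rp.EncryptionCertificateRevocationCheck)"

# 2. Build the chain the way AD FS will, mapping its revocation setting onto X509Chain policy.
#    CheckChainExcludeRoot (the setting in the question) = online CRL check, root excluded.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$setting = [string]$rp.EncryptionCertificateRevocationCheck
switch -Wildcard ($setting) {
    'None'       { $chain.ChainPolicy.RevocationMode = 'NoCheck' }
    '*CacheOnly' { $chain.ChainPolicy.RevocationMode = 'Offline' }
    default      { $chain.ChainPolicy.RevocationMode = 'Online' }
}
if     ($setting -like 'CheckEndCert*')         { $chain.ChainPolicy.RevocationFlag = 'EndCertificateOnly' }
elseif ($setting -like 'CheckChainExcludeRoot*') { $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot' }
else                                             { $chain.ChainPolicy.RevocationFlag = 'EntireChain' }

$built = $chain.Build($cert)
"Chain builds    : $built"
foreach ($s in $chain.ChainStatus)   { "  status : $($s.Status) - $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject)" }

# 3. Check the subject alternative names CRM IFD needs (OID 2.5.29.17); a wildcard for the parent domain also counts.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
"SAN entries     :`n$sanText"
foreach ($name in $RequiredNames) {
    $parent  = ($name -split '\.', 2)[1]
    $covered = ($sanText -match [regex]::Escape($name)) -or
               ($parent -and ($sanText -match ('\*\.' + [regex]::Escape($parent))))
    "  $name covered: $covered"
}
```

    If the chain fails to build, the status lines name the concrete cause (for example a revocation check that could not be completed because the CRL is unreachable, or an untrusted root), which is more useful than the "Unknown error" line in the event. Replacing the cert, as the thread's answer did, works because it replaces the cert AD FS cannot chain; lowering the revocation setting to None or a cache-only value is the other knob the event text points at, but it removes a real check and is better kept for lab environments only.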
  • Yes Khaja is right. This is how I resolved this error. This is fine for development/testing purposes.

    If you intend to use commercially then you may want to purchase from a recognised authority.

    Thursday, May 24, 2012 9:44 AM