Hi Andrew, if you're not using wildcard certs, the claims based auth documentation states that you have to have each server role on its own server. Page 17 "Individual certificates for each host
name are only valid if you use different servers for each Web server role.
"
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9886ab96-3571-420f-83ad-246899482fb4
I don't know if not satisfying this stated requirement will result in your behavior -- might have to go to Microsoft for that.
My experiences with the wildcard cert have been very positive. If it's not related to that, then it may be related to this on page 23 of the same
doc:
The CRMAppPool
account and the Microsoft Dynamics CRM encryption certificate
Claims data sent from Microsoft Dynamics CRM to AD FS 2.0 is encrypted using a certificate you specify in the Configure Claims-Based Authentication
Wizard. The CRMAppPool account of each Microsoft Dynamics CRM Web application must have read permission to the private key of the encryption certificate.
1.
On the Microsoft Dynamics CRM Server 2011, create a Microsoft Management Console (MMC) with the
Certificates snap-in console that targets the
Local computer certificate store.
2.
In the console tree, expand the Certificates (Local
Computer) node, expand the Personal
store, and then click Certificates.
3.
In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to
All Tasks, and then click Manage Private Keys.
4.
Click
Add, (or select the Network Service account if that is the account you used during Setup)
add the CRMAppPool account, and then grant
Read permissions.
Best of luck,
Phil
Phil Edry – Altriva Solutions –
http://www.altriva.com/AltrivaBlog.aspx
