Claims Based Authentication Errors


  • Hi Andrew, if you're not using wildcard certs, the claims based auth documentation states that you have to have each server role on its own server. Page 17 "Individual certificates for each host name are only valid if you use different servers for each Web server role. " http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9886ab96-3571-420f-83ad-246899482fb4

    I don't know if not satisfying this stated requirement will result in your behavior -- might have to go to Microsoft for that.

    My experiences with the wildcard cert have been very positive. If it's not related to that, then it may be related to this on page 23 of the same doc:

     The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate

    Claims data sent from Microsoft Dynamics CRM to AD FS 2.0 is encrypted using a certificate you specify in the Configure Claims-Based Authentication Wizard. The CRMAppPool account of each Microsoft Dynamics CRM Web application must have read permission to the private key of the encryption certificate.

    1.     On the Microsoft Dynamics CRM Server 2011, create a Microsoft Management Console (MMC) with the Certificates snap-in console that targets the Local computer certificate store.

    2.     In the console tree, expand the Certificates (Local Computer) node, expand the Personal store, and then click Certificates.

    3.     In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to All Tasks, and then click Manage Private Keys.

    4.     Click Add (or select the Network Service account if that is the account you used during Setup), add the CRMAppPool account, and then grant Read permissions.

    Best of luck,


    Phil Edry – Altriva Solutions – http://www.altriva.com/AltrivaBlog.aspx
    Monday, March 21, 2011 9:37 PM
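    The four MMC steps quoted above can also be audited from the command line. The following PowerShell script is an added example, not part of the thread or of the Microsoft document: it finds the claims encryption certificate by thumbprint in the LocalMachine\My store, locates the private key file on disk (legacy CSP keys under RSA\MachineKeys, CNG keys under Keys), and reports whether the CRMAppPool identity already has Read access. It only changes the ACL when run with -Grant. The thumbprint and the account name are placeholders to be replaced with the values from the Configure Claims-Based Authentication Wizard and the app pool identity actually in use.

```powershell
# Added example (not from the thread or the Microsoft document).
# Audit, and optionally grant, Read access on the private key of the
# CRM claims encryption certificate for the CRMAppPool identity.
# Assumes the certificate lives in LocalMachine\My and has a private key.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                                 # placeholder: '<THUMBPRINT-PLACEHOLDER>'
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',   # or 'DOMAIN\CRMAppPoolAccount' (placeholder)
    [switch]$Grant                                       # audit only unless specified
)

$normalized = $Thumbprint.Replace(' ', '').ToUpper()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $normalized }
if (-not $cert) { throw "Certificate $normalized not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $normalized has no private key" }

# Resolve the on-disk key container. GetRSAPrivateKey returns an
# RSACng object for CNG keys and an RSACryptoServiceProvider for CSP keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path -Path $keyPath)) { throw "Key file not found at $keyPath" }

# Check for an existing Allow entry that includes the Read right.
$acl = Get-Acl -Path $keyPath
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}

if ($existing) {
    Write-Output "OK: $Account already has Read on $keyPath"
    return
}

Write-Output "MISSING: $Account has no Read access on $keyPath"
if ($Grant) {
    # Grant exactly Read; the wizard's requirement is read access to the private key only.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Output "Granted Read on $keyPath to $Account"
}
```

    Run it first without -Grant on each CRM web server to confirm the ACL state, which also verifies the point raised in the reply above: when the app pool runs as Network Service, the key file normally already carries the required entry, so a MISSING result on that account points to a different cause.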
  • Thanks for the reply Phil! We actually have the SAN certificates, so it's the same as the wildcard, we're just limited to a certain number of names. We also are using Network Service for the CRMAppPool account, which has access to the certificate.

    Thanks for the response,


    Blog: http://andrewbschultz.com @andrewbschultz
    Tuesday, March 22, 2011 3:19 PM
  • Got it -- Sorry I couldn't be more helpful. I've got to figure out SAN certs myself here shortly for an domain internal/external mismatch project next month. I'll write back if I discover anything and will monitor your two threads to see if anyone else figures it out first.



    Phil Edry – Altriva Solutions – http://www.altriva.com/AltrivaBlog.aspx
    Wednesday, March 23, 2011 10:40 PM