Claims Based Authentication Errors

Question
Please see http://social.microsoft.com/Forums/en-US/crmdeployment/thread/6c9fd1fd-1574-4798-9b71-beb93576cb04 for the latest description of this problem - I have made some progress in understanding (unfortunately, not in functioning) and have created a new thread.
Thanks!
- Edited by Andrew B Schultz Tuesday, March 22, 2011 10:33 PM
Saturday, March 19, 2011 4:11 PM
All replies
Hi Andrew, if you're not using wildcard certs, the claims based auth documentation states that you have to have each server role on its own server. Page 17: "Individual certificates for each host name are only valid if you use different servers for each Web server role." http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9886ab96-3571-420f-83ad-246899482fb4
I don't know if not satisfying this stated requirement will result in your behavior -- might have to go to Microsoft for that.
My experiences with the wildcard cert have been very positive. If it's not related to that, then it may be related to this on page 23 of the same doc:
The CRMAppPool account and the Microsoft Dynamics CRM encryption certificate
Claims data sent from Microsoft Dynamics CRM to AD FS 2.0 is encrypted using a certificate you specify in the Configure Claims-Based Authentication Wizard. The CRMAppPool account of each Microsoft Dynamics CRM Web application must have read permission to the private key of the encryption certificate.
1. On the Microsoft Dynamics CRM Server 2011, create a Microsoft Management Console (MMC) with the Certificates snap-in console that targets the Local computer certificate store.
2. In the console tree, expand the Certificates (Local Computer) node, expand the Personal store, and then click Certificates.
3. In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to All Tasks, and then click Manage Private Keys.
4. Click Add, add the CRMAppPool account (or select the Network Service account if that is the account you used during Setup), and then grant Read permissions.
Best of luck,
Phil
Phil Edry – Altriva Solutions – http://www.altriva.com/AltrivaBlog.aspx
Monday, March 21, 2011 9:37 PM
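As an added example (not code from this thread or from the Microsoft document Phil quotes): the scripted equivalent of the "Manage Private Keys" steps above, which grants the CRMAppPool identity Read on the encryption certificate's key container and then lists who can read it, so the permission can be verified rather than assumed. It assumes the certificate sits in the Local Computer Personal store with a CSP (RSA) key; the thumbprint and account name are placeholders.

```powershell
# Added example, not from the thread or the CRM claims-based auth document.
# Grants an account Read on the private key of the claims encryption certificate
# (what the MMC "Manage Private Keys" steps do) and then shows the resulting ACL.
# Assumptions: the certificate is in Cert:\LocalMachine\My with a CSP (RSA) key;
# $thumbprint and $account are placeholders to replace. Run as an administrator.
$thumbprint = 'REPLACE_WITH_ENCRYPTION_CERT_THUMBPRINT'
$account    = 'NT AUTHORITY\NETWORK SERVICE'   # or 'DOMAIN\CRMAppPoolServiceAccount'

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in the Local Computer store."
}

# Machine CSP keys are files under ProgramData\Microsoft\Crypto\RSA\MachineKeys,
# named by the key container's unique name; the ACL on that file is the
# permission the wizard needs. (CNG/KSP keys live elsewhere and $cert.PrivateKey
# does not expose them on .NET 3.5/4; use "certutil -store My" to locate those.)
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) {
    throw "Key container file not found: $keyPath"
}

function Get-KeyReaders([string]$Path) {
    # Every identity with an Allow entry that covers the full Read right on the key file.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.FileSystemRights -band $read) -eq $read) } |
        Select-Object IdentityReference, FileSystemRights
}

$before = Get-KeyReaders $keyPath
if ($before | Where-Object { $_.IdentityReference.Value -eq $account }) {
    Write-Host "$account already has Read on the private key; nothing to change."
} else {
    $acl  = Get-Acl $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Granted Read on $keyPath to $account."
}

# Final state: who can read the key. The CRMAppPool identity must appear here.
Get-KeyReaders $keyPath | Format-Table -AutoSize
```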
Thanks for the reply Phil! We actually have the SAN certificates, so it's the same as the wildcard, we're just limited to a certain number of names. We are also using Network Service for the CRMAppPool account, which has access to the certificate.
Thanks for the response,
Andy
Blog: http://andrewbschultz.com @andrewbschultz
Tuesday, March 22, 2011 3:19 PM
Got it -- Sorry I couldn't be more helpful. I've got to figure out SAN certs myself here shortly for a domain internal/external mismatch project next month. I'll write back if I discover anything and will monitor your two threads to see if anyone else figures it out first.
Best,
Phil
Phil Edry – Altriva Solutions – http://www.altriva.com/AltrivaBlog.aspx
Wednesday, March 23, 2011 10:40 PM