IFD for two CRM install instances with the same ADFS installation?

  • Question

  • We have a production and then a development environment for CRM. The production instance has IFD configured with ADFS (ADFS Proxy server in DMZ), and now we'd like to do the same for development using the existing ADFS infrastructure. I configured IFD on dev, but browsing the FederationMetadata.xml file on it gives the error:

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=000000000000]]: System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #57C6B399Detail: <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts"> <ErrorCode>-2147220970</ErrorCode> <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" /> <Message>System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #000000</Message> <Timestamp>2014-06-02T23:02:54.7723578Z</Timestamp> <InnerFault i:nil="true" /> <TraceText i:nil="true" /> </OrganizationServiceFault> Keyset does not exist Not available Not available

    Searching on that error indicates I should make sure the CRM App Pool has sufficient permission to the certificate, which I've done till I'm blue in the face.

    Then I started to wonder if having two CRM installations for one ADFS server was even supported, or if I need to have a local install of ADFS on the dev server?

    Thanks all,

    -g

    Tuesday, June 3, 2014 6:54 PM

All replies

  • I have the exact same problem; did you ever figure out your issue? I have CRM 2013 and CRM 2016 and I am trying to use the same ADFS server and get the exact same error as you.
    Wednesday, January 6, 2016 3:28 PM
  • I've not seen definitive documentation either way as to whether it is supported and/or possible to use one ADFS server to support 2 CRM deployments.

    However, this seems a strange architecture. If you want/need 2 separate CRM deployments, then it would be most consistent for each to use a separate ADFS server/farm to maintain complete independence of each deployment. The main alternative would be one CRM deployment with multiple organisations, connected to 1 ADFS server/farm (though this is not an option for mixed CRM versions).


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Wednesday, January 6, 2016 4:24 PM
    Moderator
  • Though it is indeed not recommended to use a single ADFS server for multiple CRM deployments, as it will be your single point of failure, you can use a single ADFS server with multiple CRM deployments. Each deployment will be using the same STS endpoints, e.g. https://login.rootdomin.com/FederationMetadata/2007-06/FederationMetadata.xml, but you have to set different sub-domains for each deployment.

    Like this:

    Production configuration: [point to production env]

       dev.rootdomain.com
       auth.rootdomain.com
       farm.rootdomain.com

    Staging env: [below entries point to test env]

       devstg.rootdomain.com
       authstg.rootdomain.com
       farmstg.rootdomain.com

    NOTE: you should have a wildcard cert *.rootdomain.com for the above configuration.

    Now, coming to your issue: please re-check the certificate on the CRM node, or better, export it from the existing server, reload it, and assign permissions to the app pool account (manage key). Also do an IISRESET on the CRM server, restart the ADFS service and re-check.


    ja


    • Edited by Ja08 Friday, January 8, 2016 1:51 PM
    Friday, January 8, 2016 5:33 AM
  • Hi,

    As Ja08 writes, you can have multiple CRMs on one ADFS server. You have to make different relying party trusts on the ADFS server, though. I've seen the cryptographic error a couple of times and, IIRC, I got rid of it by running through the ADFS/IFD wizards and refreshing the metadata on the ADFS machine, if making sure that the accounts running the services can access the certificates doesn't help. You might also need an IISReset and a restart of the ADFS service.

    Regards


    Rickard Norström Developer CRM-Konsulterna
    http://www.crmkonsulterna.se
    Swedish Dynamics CRM Forum: http://www.crmforum.se
    My Blog: http://rickardnorstrom.blogspot.se

    Monday, January 11, 2016 7:45 AM
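The "Keyset does not exist" error from the question is what CRM raises when the application pool identity cannot read the private key of the IFD certificate, which is the permission check Ja08 and Rickard describe above. The following PowerShell script is an added example, not code from the thread or from Microsoft: run as an administrator on the CRM server, it locates the certificate's key container file, lists who can read it, and optionally grants Read to the app pool account. The thumbprint and account name are placeholders you must replace; it assumes a legacy CSP key (the usual case for CRM 2011/2013 certificates), since CNG keys do not expose the container name this way.

```powershell
# Added example (not from the thread). Checks/grants private key read access for the CRM app pool.
param(
    [string]$Thumbprint     = 'PASTE-CERT-THUMBPRINT-HERE',   # placeholder: IFD/SSL cert thumbprint
    [string]$AppPoolAccount = 'DOMAIN\CRMAppPoolSvc',         # placeholder: CRMAppPool identity
    [switch]$Grant                                           # without -Grant the script only reports
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate has no private key; re-import it as a PFX with the key" }

# Legacy CSP keys expose the on-disk key container name; for CNG keys PrivateKey is $null.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw "Not a CSP key; use certlm.msc > All Tasks > Manage Private Keys instead" }

# Machine keys live under ProgramData; the ACL on this file is what "Manage Private Keys" edits.
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
$acl     = Get-Acl -Path $keyFile

Write-Host "Private key file: $keyFile"
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Read = ReadData | ReadExtendedAttributes | ReadAttributes | ReadPermissions; FullControl also satisfies it.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $AppPoolAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readMask) -eq $readMask)
}

if ($hasRead) {
    Write-Host "$AppPoolAccount already has Read on the private key."
} elseif ($Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on $keyFile to $AppPoolAccount. Run iisreset so the app pool picks it up."
} else {
    Write-Warning "$AppPoolAccount cannot read the private key (matches 'Keyset does not exist'). Re-run with -Grant."
}
```

Granting Read (not Full Control) is enough for signing and TLS; if the report already shows Read and the error persists, the remaining suspects are a mismatched thumbprint in the IFD configuration or a stale relying party trust on the ADFS side.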