ADFS/Claims configuration (internal) asks for credentials

  • Question

  • Hi,

     

    we have configured claims-based auth for CRM 2011 with the ClaimsBasedDocumentation and the video tutorial. We are on page 30 (Test internal claims-based authentication / 11:55 in the video). If the user in the video calls "https://internalcrm.contoso.com" from the ADFS server, no credentials are required. If I call my internal CRM URL, I am asked for user credentials (Windows Authentication, not ADFS Authentication). If I enter the information, CRM opens and all works fine. So I have tried to add the following URLs to the Local intranet sites: "https://adfs.<domain>.com" and "https://internalcrm.<domain>.com". I have also added "Automatic logon only in Intranet zone". Now I am getting the following error.

     

    <form id="aspnetForm" action="/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=https%3a%2f%2finternalcrm.<domain>.com%3a444%2f&wctx=rm%3d1%26id%3d63e5df54-51a3-4a23-91bb-de8aba66a8ea%26ru%3d%252fdefault.aspx&wct=2011-07-26T17%3a55%3a23Z&wauth=urn%3afederation%3aauthentication%3awindows" method="post">
    Error
    adfs.<domain>.com
    There was a problem accessing the site. Try to browse to the site again.
    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
    Reference number: 4184c985-35a6-454a-b551-413a8a7118f0
    </form>

     

    Eventlog 1 of ADFS:

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          7/26/2011 7:55:23 PM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:      ADFS.<domain>.com
    Description:
    Encountered error during federation passive request.

    Additional Data

    Exception details:
    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2011-07-26T17:55:23.651702400Z" />
        <EventRecordID>206</EventRecordID>
        <Correlation ActivityID="{4184C985-35A6-454A-B551-413A8A7118F0}" />
        <Execution ProcessID="736" ThreadID="2576" />
        <Channel>AD FS 2.0/Admin</Channel>
        <Computer>ADFS.<domain>.com</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---&gt; System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri&amp; replyTo)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
       at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    ---------------------------------------------------------------------------------------

    Eventlog 2 of ADFS:

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          7/26/2011 7:55:23 PM
    Event ID:      342
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:      ADFS.<domain>.com
    Description:
    Token validation failed. See inner exception for more details.

    Additional Data

    Exception details:
    MSIS3111: Non domain user is not supported by AD FS 2.0.

    This request failed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
        <EventID>342</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2011-07-26T17:55:23.647796400Z" />
        <EventRecordID>205</EventRecordID>
        <Correlation ActivityID="{4184C985-35A6-454A-B551-413A8A7118F0}" />
        <Execution ProcessID="2428" ThreadID="1132" />
        <Channel>AD FS 2.0/Admin</Channel>
        <Computer>ADFS.<domain>.com</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>MSIS3111: Non domain user is not supported by AD FS 2.0.</Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

     

     

    From the CRM server the URL "https://internalcrm.<domain>.com" works fine. The problem occurs if I'm accessing from a client other than the CRM server.

    User and all servers are in the same domain.

    Kind regards,

    Markus


    Tuesday, July 26, 2011 5:58 PM

All replies

  • On which server are you trying to open CRM? If you cannot browse to CRM using the Deployment Manager, then your certificate may be causing the issue. A few things to confirm:

    1. Did you properly install the wildcard certificate from a 3rd-party certificate authority? Self-signed certificates have given me nothing but headaches.
    2. Is AD FS 2.0 installed on the Default Web Site?
    3. Is CRM set up for HTTPS bindings and the IIS site set up as well (using port 443)? These need to match, so go into IIS and confirm these are the same in IIS as they are in the Deployment Manager.
    4. Did you create a DNS record for the AD FS server name?
    5. Can you browse to the AD FS metadata file without certificate issues? If so, where did you install the wildcard certificate?
    6. Did you grant Read permissions on the certificate to the same service account that the CRMAppPool runs under (typically this is Network Service, but if it's something else, you'll need to add it, then grant Read permissions)?

    However, if you can browse to CRM from the Deployment Manager, and the above questions check out, you should be fine. You won't be able to hit CRM outside the CRM server until you're done configuring the IFD on both CRM and ADFS. I believe in the video (though I may be wrong) CRM and AD FS were installed on the same server.


    --Dodd
    Tuesday, August 2, 2011 4:03 PM
  • Shot in the dark here.....

     

    I had this issue when I installed our IFD. I eventually had to edit the web.config file for ADFS itself and change the order of the authentication methods.

    It was originally like this:

     

    <microsoft.identityServer.web>
      <localAuthenticationTypes>
        <add name="Integrated" page="auth/integrated/" />
        <add name="Forms" page="FormsSignIn.aspx" />
        <add name="TlsClient" page="auth/sslclient/" />
        <add name="Basic" page="auth/basic/" />
      </localAuthenticationTypes>
    </microsoft.identityServer.web>
    

    I needed to move the line <add name="Forms" page="FormsSignIn.aspx" /> above the <add name="Integrated" page="auth/integrated/" /> line, so when I was done I had

     

     

    <microsoft.identityServer.web>
      <localAuthenticationTypes>
        <add name="Forms" page="FormsSignIn.aspx" />
        <add name="Integrated" page="auth/integrated/" />
        <add name="TlsClient" page="auth/sslclient/" />
        <add name="Basic" page="auth/basic/" />
      </localAuthenticationTypes>
    </microsoft.identityServer.web>
    
    

    That's what made the Windows authentication box stop popping up for me.

     

     



    Wednesday, August 3, 2011 4:13 PM
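The reply above changes the order of the <localAuthenticationTypes> entries in the AD FS 2.0 web.config. The first entry is the local sign-in handler the passive endpoint falls back to by default, so Forms listed before Integrated means domain-joined clients get a password form instead of a silent Kerberos sign-in. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses that section and reports the effective order. The config it runs against is a constructed sample, and the default file path in Get-AdfsLocalAuthOrderFromFile is an assumption to be checked on your own server.

```powershell
# Added example (not from the thread): audit the handler order in the
# <localAuthenticationTypes> section of an AD FS 2.0 web.config.
# The first <add> entry is the default local sign-in handler, so the order
# is a security-relevant setting worth reviewing after any change.

# Constructed sample config; replace with the real file via Get-AdfsLocalAuthOrderFromFile.
$sampleConfig = @'
<configuration>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>
</configuration>
'@

function Get-AdfsLocalAuthOrder {
    param([Parameter(Mandatory)][string]$ConfigXml)
    $doc   = [xml]$ConfigXml
    $nodes = $doc.SelectNodes('/configuration/microsoft.identityServer.web/localAuthenticationTypes/add')
    $order = @($nodes | ForEach-Object { $_.GetAttribute('name') })
    $formsIdx      = [array]::IndexOf($order, 'Forms')
    $integratedIdx = [array]::IndexOf($order, 'Integrated')
    [pscustomobject]@{
        Order          = $order
        DefaultHandler = if ($order.Count -gt 0) { $order[0] } else { $null }
        # True only when both handlers are present and Forms is listed first,
        # i.e. intranet users will see a password form rather than Kerberos SSO.
        FormsBeforeIntegrated = ($formsIdx -ge 0) -and ($integratedIdx -ge 0) -and ($formsIdx -lt $integratedIdx)
    }
}

function Get-AdfsLocalAuthOrderFromFile {
    # Assumed default location of the AD FS 2.0 passive web.config; verify on your server.
    param([string]$Path = 'C:\inetpub\adfs\ls\web.config')
    Get-AdfsLocalAuthOrder -ConfigXml (Get-Content -Path $Path -Raw)
}

# Run against the constructed sample: DefaultHandler is Integrated, FormsBeforeIntegrated is False.
Get-AdfsLocalAuthOrder -ConfigXml $sampleConfig | Format-List
```

Putting Forms first stops the Windows credential prompt because the browser never attempts integrated authentication; it does not fix whatever made integrated authentication fail. Keep Integrated first for intranet use and treat this audit as a regression check after config edits.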
  • Hi!

     

    @MDodd73,

    If I call internalcrm... on the CRM server --> it works

    If I call internalcrm... on the ADFS server --> error

    If I call internalcrm... on the SQL server --> error

    1. We are using self-signed certificates in our dev environment

    2. Yes

    3. Yes

    4. Yes

    5. Yes, we have installed it as described in the video/doc. --> 1. Install on IIS (ADFS), 2. Selected in step 3 of service creation (ADFS) - We don't have a wildcard certificate for ADFS

    6. Yes

     

    I don't think it's a certificate issue. I have set up the external claims-based authentication and it works like a charm. Just internally I have these problems...

    • Proposed as answer by hallan Sunday, April 29, 2012 6:01 PM
    • Unproposed as answer by hallan Sunday, April 29, 2012 6:01 PM
    Wednesday, August 10, 2011 7:55 AM
  • I had same problem setting up a lab environment, simple fix for me was:

    Add both sites to the Intranet Sites Zone in IE (https://*.treyresearch.net & https://*.adatum.com) on the adfsclient computer; this enables the following IE option:

    User Authentication -> Automatic Logon only in Intranet Zone.


    Tony

    Sunday, April 29, 2012 6:05 PM
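Both the original question and Tony's reply rely on the Local intranet zone mapping and the "Automatic logon only in Intranet zone" option. The following PowerShell is an added example, not from the thread: a read-only audit that reports which zone IE has mapped each host to and which logon option zone 1 carries, so a client that still prompts can be checked without clicking through Internet Options. The hostnames are constructed, and it reads only the per-user registry settings; when a GPO enforces machine-wide zones the same structure lives under HKLM, which this example does not cover.

```powershell
# Added example (not from the thread): audit the current user's IE zone map and
# Local intranet logon option for the AD FS and CRM hosts. Read-only.

$hostsToCheck = @('adfs.contoso.com', 'internalcrm.contoso.com')   # constructed sample hosts

$zoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IeZoneForHost {
    # Returns the zone id mapped for <Scheme>://<HostName>, or $null when not explicitly mapped.
    # IE stores "adfs.contoso.com" as Domains\contoso.com\adfs and a wildcard
    # "*.contoso.com" as Domains\contoso.com, each with one DWORD per scheme.
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { return $null }
    $domain = $labels[-2..-1] -join '.'
    $candidates = @()
    if ($labels.Count -gt 2) {
        $sub = $labels[0..($labels.Count - 3)] -join '.'
        $candidates += Join-Path $zoneMapRoot "$domain\$sub"   # exact host entry wins
    }
    $candidates += Join-Path $zoneMapRoot $domain               # wildcard entry for the domain
    foreach ($key in $candidates) {
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).$Scheme
            if ($null -ne $value) { return [int]$value }
        }
    }
    return $null
}

function Get-IeIntranetLogonSetting {
    # Value 1A00 under Zones\1 is the "Logon" option of the Local intranet zone.
    $zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    $raw = (Get-ItemProperty -Path $zone1 -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $raw) { return 'Not set (zone default applies)' }
    switch ([int]$raw) {
        0x00000 { 'Automatic logon with current user name and password' }
        0x10000 { 'Prompt for user name and password' }
        0x20000 { 'Automatic logon only in Intranet zone' }
        0x30000 { 'Anonymous logon' }
        default { 'Unknown value 0x{0:X}' -f $raw }
    }
}

function Get-IeSsoAudit {
    param([string[]]$Hosts = $hostsToCheck)
    $logon = Get-IeIntranetLogonSetting
    foreach ($h in $Hosts) {
        $zone = Get-IeZoneForHost -HostName $h
        [pscustomobject]@{
            Host        = $h
            ZoneId      = $zone
            Zone        = if ($null -eq $zone) { 'Not mapped (IE heuristics decide)' } else { $zoneNames[$zone] }
            LogonOption = $logon
        }
    }
}

Get-IeSsoAudit | Format-Table -AutoSize
```

Prefer mapping the specific AD FS and CRM host names rather than a whole domain wildcard: any host in the Local intranet zone receives the user's Windows credentials automatically (a Kerberos ticket, or an NTLM response when Kerberos is unavailable), so the zone should contain only hosts that actually need silent sign-on.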
  • Hi,

    Did you create an SPN record for ADFS?

    Please check the list of SPNs using "setspn -x".

    If no SPN record has been created for ADFS, create one using this syntax:

    "setspn -a https/adfs.<domain>.com machinename"

    Thanks & Regards,

    Khaja Mohiddin.


    Khaja Mohiddin
    http://www.dynamicsexchange.com
    http://about.me/KhajaMohiddin

    Monday, April 30, 2012 1:13 PM
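Khaja's reply suggests checking the SPN registration. Integrated sign-in to AD FS needs the Kerberos SPN for the AD FS host registered on exactly one account, the account the AD FS service runs as (the computer account when it runs as Network Service, otherwise the service account); AD FS uses the HTTP service class for that SPN even when the site is bound only to HTTPS. The following PowerShell is an added example, not from the thread: it queries the existing registration before anything is added, flags a missing or duplicate SPN, and checks that it sits on the expected account. The hostname and account name are constructed placeholders, and it wraps the setspn.exe tool that ships with the AD DS tools.

```powershell
# Added example (not from the thread): verify the HTTP/<adfs fqdn> SPN that
# integrated sign-in to AD FS depends on, before registering anything.

$adfsHost       = 'adfs.contoso.com'   # constructed placeholder
$serviceAccount = 'CONTOSO\svc-adfs'   # constructed; for Network Service use the computer account, e.g. ADFS$

function Test-AdfsSpn {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedAccount
    )
    if (-not (Get-Command setspn.exe -ErrorAction SilentlyContinue)) {
        throw 'setspn.exe not found; run this on a domain-joined machine with the AD DS tools installed.'
    }
    $spn = "HTTP/$HostName"

    # setspn -Q searches the domain for the SPN; each owning object is printed as a DN line.
    $queryOutput = @(& setspn.exe -Q $spn 2>&1 | ForEach-Object { "$_".Trim() })
    $owners      = @($queryOutput | Where-Object { $_ -like 'CN=*' })

    # setspn -L lists the SPNs registered on one account.
    $accountSpns = @(& setspn.exe -L $ExpectedAccount 2>&1 | ForEach-Object { "$_".Trim() })
    $onExpected  = @($accountSpns | Where-Object { $_ -ieq $spn }).Count -gt 0

    $status = 'ok'
    if ($owners.Count -eq 0) { $status = 'missing' }
    elseif ($owners.Count -gt 1) { $status = 'duplicate: Kerberos cannot pick a key, remove the extra registration' }
    elseif (-not $onExpected) { $status = 'registered on a different account than the AD FS service uses' }

    [pscustomobject]@{
        Spn               = $spn
        Owners            = $owners
        OnExpectedAccount = $onExpected
        Status            = $status
        # setspn -S refuses to add a duplicate, unlike -A; only suggested when nothing is registered.
        SuggestedFix      = if ($status -eq 'missing') { "setspn -S $spn $ExpectedAccount" } else { $null }
    }
}

Test-AdfsSpn -HostName $adfsHost -ExpectedAccount $serviceAccount | Format-List
```

A duplicate SPN silently breaks Kerberos for the service, after which browsers fall back to NTLM or to a credential prompt, so check for duplicates across the whole forest with "setspn -X" (or "setspn -F -X" for a forest-wide search) before and after adding one.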
  • Hi m.konrad, did you get the issue resolved?  If so, please take a few minutes to share the resolution for others and mark any responses that helped as Helpful.

    Thank you,


    Regards, Donna

    Thursday, June 14, 2012 2:51 PM