Dynamics CRM 2011 and ADFS 2.0 Integration with Partner Organisations

  • Question

  • I am having an issue setting up access for a Partner Organisation to Dynamics CRM 2011. Claims Based Authentication is set up internally and is working fine for the On-Premises Organisation. The two domains, Partner and On-Premises, are federated via ADFS 2.0 according to http://msdn.microsoft.com/en-us/library/gg188605. A test account is set up in Dynamics CRM 2011 as username@partnerorganisation.local, which is the Partner test account's UPN. The Partner account seems to authenticate through ADFS fine; no errors are logged on the On-Premises or Partner ADFS servers. The client then hits the Dynamics CRM URL, where it prompts for a password 3 times before displaying an error on the main.aspx page for the CRM organisation, shown below.

    If there is no account set up within the CRM organisation that matches the Partner account's UPN, the below screen is displayed, so there must be some authentication happening.

    This issue has me stumped and there is minimal literature out there on Partner organisation integration into CRM. Any help would be appreciated.

    Wednesday, October 10, 2012 1:16 AM

Answers

  • Hi,

    I experienced the exact same problem after installing UR11. Looks like another bug. I would recommend reporting the bug to Microsoft.

    Greetings,

    Pavlos




    • Edited by Pavlos Panagiotidis Wednesday, October 17, 2012 7:24 AM
    • Marked as answer by box57l Wednesday, October 17, 2012 9:32 PM
    Wednesday, October 17, 2012 7:24 AM

All replies

  • Hello,

    in order to get some more details on the authentication that is going on behind the scenes, you can trace the whole traffic during the client authentication using Fiddler. There you should be able to see all the requests that the client sends and watch how the whole token-issuing mechanism works. You should also be able to view any errors that occur during the whole process.

    Please also make sure that the account you are using is a valid Dynamics CRM User and that the user also has security roles assigned in the organization that you are trying to access. You can also compare Group Membership between the existing Active Directory users.

    I think this is an issue that is related to the security groups that the user must be a member of, in order to be able to use your Dynamics CRM Organization.

    Finally, you could also try enabling tracing on the CRM Server and look for any errors there. In case you are not familiar with tracing, you can have a look here.

    Greetings,

    Pavlos



    Wednesday, October 10, 2012 6:18 AM
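
The Fiddler check suggested in the reply above, as an added example that is not part of the original thread: it reads the form body of the sign-in POST to the CRM URL and reports whether the token carries a UPN claim matching the CRM user name. It assumes a WS-Federation response whose `wresult` field holds an unencrypted SAML 1.1 assertion; the function names and all sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAML11 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

def claims_in_signin_post(form_body):
    """Return {claim type: [values]} from wresult, or None if the token is encrypted."""
    fields = parse_qs(form_body)
    if "wresult" not in fields:
        raise ValueError("no wresult field: not a WS-Federation sign-in response")
    # Stdlib parser: use only on captures taken from your own test environment.
    root = ET.fromstring(fields["wresult"][0])
    if root.find(".//" + XMLENC + "EncryptedData") is not None:
        return None  # claims cannot be read from the trace
    claims = {}
    for attr in root.iter(SAML11 + "Attribute"):
        ctype = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName", "")
        for value in attr.iter(SAML11 + "AttributeValue"):
            claims.setdefault(ctype, []).append((value.text or "").strip())
    return claims

def check_upn(form_body, crm_user_name):
    """Compare the UPN claim in the token with the user name configured in CRM."""
    claims = claims_in_signin_post(form_body)
    if claims is None:
        return "token encrypted"
    upns = claims.get(CLAIMS_NS + "/upn", [])
    if not upns:
        return "no UPN claim issued"
    if crm_user_name.lower() not in (u.lower() for u in upns):
        return "UPN claim does not match CRM user"
    return "UPN claim matches CRM user"

def sample_post(attributes):
    """Build a constructed sign-in POST body (sample data, not a real capture)."""
    attrs = "".join(
        '<saml:Attribute AttributeName="%s" AttributeNamespace="%s">'
        "<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>" % (n, CLAIMS_NS, v)
        for n, v in attributes)
    token = ('<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust" '
             'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Assertion>'
             "<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>"
             "</t:RequestSecurityTokenResponse>" % attrs)
    return urlencode({"wa": "wsignin1.0", "wresult": token})

if __name__ == "__main__":
    post = sample_post([("upn", "username@partnerorganisation.local")])
    print(check_upn(post, "username@partnerorganisation.local"))
```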
  • OK, an update to the issue: I noticed this little item within the fixes that are included with UR11:

    "Dynamics CRM claims-based authentication does not work with trusted partner Active Directory Federation Service (ADFS) users."

    Great I thought, applied UR 11 to a test environment and bang claims based auth stops working completely. From a Fiddler trace the CRM server doesn’t even redirect to the ADFS server but I can see the following within the request:

    ".Crm.CrmSecurityException%3a%20Could%20not%20find%20GUID%20for%20server%3a%CRMSERVER2011%24%20With%20SearchFilter%3asamAccountName"

    This also corresponds to an entry logged on the CRM server.

    Event Details:

    Event code: 3005

    Event message: An unhandled exception has occurred.

    Event time: 17/10/2012 3:52:14 PM

    Event time (UTC): 17/10/2012 4:52:14 AM

    Event ID: 4f5ae12d23c84e9ba3619709ce73119e

    Event sequence: 26

    Event occurrence: 12

    Event detail code: 0

    Application information:

        Application domain: /LM/W3SVC/1/ROOT-1-129949224574114443

        Trust level: Full

        Application Virtual Path: /

        Application Path: D:\Program Files\Microsoft Dynamics CRM\CRMWeb\

        Machine name: CRMSERVER2011

    Process information:

        Process ID: 5172

        Process name: w3wp.exe

        Account name: DOMAIN\CRMAPPSERVICE

    Exception information:

        Exception type: CrmSecurityException

        Exception message: Could not find GUID for server: CRMSERVER2011$ With SearchFilter:samAccountName

       at Microsoft.Crm.SecurityUtils.GetGuid(String searchItem, String searchFilter, String searchItemLogInfo, Boolean exceptionIfNotfound)

       at Microsoft.Crm.SecurityUtils.GetLocalSystemGuid()

       at Microsoft.Crm.Caching.OrganizationSettingsCacheLoader.LoadCacheData(Guid key, ExecutionContext context)

    Has anyone seen this issue before?
    Wednesday, October 17, 2012 5:10 AM