single server IFD/ADFS - federationmetadata URL is pointing to wrong site?

  • Question

  • I am following the Configure Claims-based Authentication for Microsoft Dynamics CRM 2011 whitepaper.  ADFS and CRM are being installed to the same server with ADFS running on port 443 and CRM on 5555.  After installing ADFS 2.0, I verified the URL https://sts1.mydomain.com/federationmetadata/2007-06/federationmetadata.xml works. 

    After running through the Configure Claims-Based Authentication Wizard it gives me the URL of:

    https://dyn1int.mydomain.com:5555/FederationMetadata/2007-06/FederationMetadata.xml to use as the STS relying party. This URL does not come up in a browser since port 5555 is running CRM, and not ADFS. "dynint1.mydomain.com:5555" is the web address I used for the Dynamics CRM web address bindings.

    I tried using the same URL, but on port 443 (and not 5555) and the configuration lets me continue, but in the end does not work, so I figured I would backtrack to the first error I encountered. Please advise.

    The MS whitepaper is a little bit confusing in that their examples seem to jump back and forth between single server and multi-server configurations using examples that show the CRM site on 444, and then also giving examples of ADFS on 444.

    Monday, July 30, 2012 7:53 PM

Answers

  • I got this working.  What happened was I originally used FQDN SSL certificates rather than a wildcard.  With all the different DNS aliases CRM requires I went back and created a wildcard certificate.  But I forgot to grant my CRM service account read rights to the wildcard certificate.  Once I did that everything worked according to the whitepaper. 
    • Marked as answer by tickermcse76 Tuesday, July 31, 2012 1:15 AM
    Tuesday, July 31, 2012 1:15 AM
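The thread turned on two things that are easy to verify before running the claims wizard again: whether the federation metadata URL actually answers from the AD FS site (not the CRM site on 5555), and whether the CRM service account can read the private key of the wildcard certificate. The script below is an added example written for this thread, not code from the original post or from Microsoft; the AD FS metadata URL is the one quoted in the question, while the certificate subject pattern and the service account name are placeholders you must replace. It uses only standard cmdlets and .NET types, and falls back to a manual hint for CNG-stored keys, whose file path is not exposed through `.PrivateKey`.

```powershell
# Added example (not from the thread). Two read-only checks for a single-server
# CRM 2011 IFD / AD FS 2.0 setup:
#   1. The federation metadata endpoint is reachable and identifies the STS.
#   2. The CRM service account has Read on the wildcard cert's private key file.
# Assumptions: $CertSubjectPattern and $ServiceAccount are placeholders.
param(
    [string]$FederationMetadataUrl = 'https://sts1.mydomain.com/federationmetadata/2007-06/federationmetadata.xml',
    [string]$CertSubjectPattern    = '*.mydomain.com',    # assumed wildcard cert subject
    [string]$ServiceAccount        = 'MYDOMAIN\svc-crm'   # placeholder CRM service account
)

function Test-FederationMetadata {
    param([string]$Url)
    # WebClient works on PowerShell 2.0 (Server 2008 R2), unlike Invoke-WebRequest.
    $client = New-Object System.Net.WebClient
    try {
        $xml = [xml]$client.DownloadString($Url)
    } catch {
        return [pscustomobject]@{ Url = $Url; Reachable = $false; EntityId = $null; Error = $_.Exception.Message }
    }
    # The root of AD FS metadata is <EntityDescriptor entityID="..."> and should
    # name the STS, not the CRM web site that answers on port 5555.
    [pscustomobject]@{ Url = $Url; Reachable = $true; EntityId = $xml.EntityDescriptor.entityID; Error = $null }
}

function Test-PrivateKeyAccess {
    param([string]$SubjectPattern, [string]$Account)
    $readFlag = [int][System.Security.AccessControl.FileSystemRights]::Read
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectPattern*" -and $_.HasPrivateKey }

    foreach ($cert in $certs) {
        $keyPath = $null
        # Legacy CSP (CAPI) keys live as files under MachineKeys and expose their
        # container name; CNG keys do not surface a path through .PrivateKey.
        if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
        }

        if (-not $keyPath -or -not (Test-Path $keyPath)) {
            [pscustomobject]@{
                Thumbprint     = $cert.Thumbprint
                Subject        = $cert.Subject
                KeyFile        = $null
                AccountHasRead = $null
                Note           = 'Key file not located (CNG key or access denied); inspect via certlm.msc > Manage Private Keys'
            }
            continue
        }

        $acl = Get-Acl -Path $keyPath
        $allowRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readFlag) -ne 0)
        }
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            KeyFile        = $keyPath
            AccountHasRead = [bool]$allowRead
            Note           = if ($allowRead) { 'OK' } else { "Grant Read on the private key to $Account" }
        }
    }
}

Test-FederationMetadata -Url $FederationMetadataUrl | Format-List
Test-PrivateKeyAccess -SubjectPattern $CertSubjectPattern -Account $ServiceAccount | Format-List
```

Run it elevated on the CRM/AD FS server; a metadata result with `Reachable = False`, or an `EntityId` that is not the STS, reproduces the first symptom in the question, and `AccountHasRead = False` reproduces the root cause the answer describes. The ACL check deliberately looks at Read only, since that is all the CRM service account needs on the key; FullControl for a service account would be a finding of its own.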

All replies

  • Another question that I have is do I need two distinct DNS domains to setup both internal and external IFD?  For example can I use extdyn.mydomain.com and intdyn.mydomain.com?  Or does "mydomain.com" need to be distinct?
    Monday, July 30, 2012 8:00 PM