CRM 2011 and ADFS 2.0 Proxy

  • Question

  • I'm hoping someone can help me out here. I'm trying to get a grasp on claims-based authentication / ADFS.

    I have 3 servers set up.

    1 CRM 2011 server, 1 server with the ADFS 2.0 role, and 1 server with the ADFS Proxy.

    Internally, when we go to the CRM website, we get a popup (not forms-based authentication) asking for credentials. We enter them, and things work fine.

    Externally, when we try to bring up the CRM website, we get an error; it never asks us for a username or password.

    There was a problem accessing the site. Try to browse to the site again.
     
    Under ADFS Event viewer on the proxy server, we get the following message:
     
    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          7/24/2011 4:30:59 PM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:      CISFED02
    Description:
    Encountered error during federation passive request.
    Additional Data
    Exception details:
    Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2011-07-24T21:30:59.435375000Z" />
        <EventRecordID>27</EventRecordID>
        <Correlation ActivityID="{34FE7C63-8C59-49C1-A25E-2E8C58AAED3C}" />
        <Execution ProcessID="956" ThreadID="936" />
        <Channel>AD FS 2.0/Admin</Channel>
        <Computer>CISFED02</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server.
    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    Sunday, July 24, 2011 10:04 PM
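The record above is pasted in the raw "Event Xml" form that the AD FS 2.0/Admin log exports. When collecting these from a federation server and its proxy, the useful fields are the Event ID (364 is the generic "error during federation passive request"), the computer, the correlation ActivityID (for matching a proxy-side record with the server-side one) and the MSIS code buried in the exception text. The following is an added example, not AD FS or CRM code, that parses that XML with the standard library; the sample record is constructed from the one in the post above (same Event ID, computer and MSIS code).

```python
"""Added example: parse AD FS 2.0 'Event Xml' records like the one pasted above
and pull out the fields used when triaging federation errors.
Illustration code, not part of AD FS or CRM."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Namespaces that appear in the Event XML shown in the post.
NS_WIN = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_ADFS = "http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events"

# "<exception class>: MSISnnnn: <message>" as written in the <Data> element.
EXC_RE = re.compile(r"^(?P<cls>[\w.]+):\s*(?P<code>MSIS\d+):\s*(?P<msg>.*)$", re.S)


@dataclass
class AdfsEvent:
    event_id: int
    computer: str
    time_created: str
    activity_id: str
    exception_class: Optional[str]
    msis_code: Optional[str]
    message: str


def parse_adfs_event(xml_text: str) -> AdfsEvent:
    """Extract the System fields plus the exception text from one event record."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{NS_WIN}}}System")
    if system is None:
        raise ValueError("not a Windows event record")
    event_id = int(system.findtext(f"{{{NS_WIN}}}EventID", "0"))
    computer = system.findtext(f"{{{NS_WIN}}}Computer", "")
    time_el = system.find(f"{{{NS_WIN}}}TimeCreated")
    corr_el = system.find(f"{{{NS_WIN}}}Correlation")
    data_el = root.find(f".//{{{NS_ADFS}}}Data")
    text = (data_el.text or "").strip() if data_el is not None else ""
    m = EXC_RE.match(text)
    return AdfsEvent(
        event_id=event_id,
        computer=computer,
        time_created=time_el.get("SystemTime", "") if time_el is not None else "",
        activity_id=corr_el.get("ActivityID", "") if corr_el is not None else "",
        exception_class=m.group("cls") if m else None,
        msis_code=m.group("code") if m else None,
        message=m.group("msg").strip() if m else text,
    )


def federation_failures(records: List[str]) -> List[AdfsEvent]:
    """Keep only Event ID 364 records ('Encountered error during federation
    passive request') that carry an MSIS code, ordered by time."""
    out = []
    for rec in records:
        ev = parse_adfs_event(rec)
        if ev.event_id == 364 and ev.msis_code:
            out.append(ev)
    return sorted(out, key=lambda e: e.time_created)


# Constructed sample modelled on the record in the post (same Event ID,
# computer name, ActivityID and MSIS code as the pasted event).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>364</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2011-07-24T21:30:59.435375000Z" />
    <Correlation ActivityID="{34FE7C63-8C59-49C1-A25E-2E8C58AAED3C}" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>CISFED02</Computer>
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7040: None of the requested authentication types are supported by the server.
</Data>
      </EventData>
    </Event>
  </UserData>
</Event>"""

if __name__ == "__main__":
    for ev in federation_failures([SAMPLE_EVENT]):
        print(f"{ev.time_created} {ev.computer} {ev.activity_id} "
              f"{ev.msis_code} {ev.exception_class}: {ev.message}")
```

Feed it the records from both the proxy and the federation server and group on `activity_id`: if only the proxy logs a 364 for a given activity, the request never reached a working sign-in on the server side, which narrows where to look before changing any configuration.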

Answers

  • Hi Jason,

    Well, installing and configuring CRM 2011 and ADFS Proxy is not an easy job.

    First question:

    When you configure the initial claims-based authentication, should you be using the internal names of the federation server, such as adfs.domain.local?

    Answer: Yes, you need to configure ADFS with an internal DNS name, like sts1.contoso.com, and this DNS name also needs a public DNS entry (with the same name).

     

    Second question:

    Do I need to use the following?

    crminternalserver.domain.local   <-- Yes, an internal DNS name like: crminternal.contoso.com
    crmorgname.domain.com   <-- Yes, internal and "EXTERNAL" DNS like: crmorg.contoso.com
    adfsexternal.domain.com  <-- No
    adfsinternal.domain.local  <-- No
    adfsproxy.domain.local  <-- No

    For the ADFS 2.0 and ADFS Proxy you need only one DNS, (again , internal and external).

    First you configure all your claims-based authentication internally, between ADFS and CRM 2011.

    Then you configure IFD (You can try access internally)

    Finally you configure ADFS Proxy.

     

    Again, it's very complicated to install ADFS 2.0 + ADFS Proxy + CRM 2011 ... but not impossible :)

    To do this work, I left the guide that I used to configure ADFS + CRM 2011:

    Microsoft Dynamics CRM 2011 and Claims-based Authentication.doc

    And this guide is for ADFS Proxy:

    AD FS Proxy Step by Step Install Guide

    My advice .... follow the Guide Step by Step

    Regards and Good luck.

    Thursday, September 22, 2011 3:13 PM

All replies

  • I have a few questions.

    When you set up the internal CRM site with claims-based authentication:
    If you open CRM Deployment Manager, click on Microsoft Dynamics CRM, then click Properties, it comes up with addresses for the Web Application servers. Should you put the internal web addresses here, aka crmserver.domain.local?

    When you configure the initial claims-based authentication, should you be using the internal names of the federation server, such as adfs.domain.local?

    Then when you configure IFD, you only put the last part of the domain, for example domain.com, and then the full URL for the outside will be crmorgname.domain.com.

    Also as far as a certificate, we have a 5 domain ucc.

    Do I need to use the following?

    crminternalserver.domain.local
    crmorgname.domain.com
    adfsexternal.domain.com
    adfsinternal.domain.local
    adfsproxy.domain.local

    Just trying to wrap my head around all of this.

    Tuesday, August 2, 2011 1:50 AM
  • Anybody?
    Wednesday, August 3, 2011 2:08 AM
  • For your first post, I would try to enable debug/trace on the ADFS server to see if it gives more information. From the error it sounds like the CRM server might be trying to do the passive request using a different SAML type than the ADFS claim issuer is configured to accept. Like if ADFS is setup to use HTTP Post and CRM is trying to send Artifact resolution. I am not sure how to specify to CRM which SAML binding type to use.

    I would also try to run Fiddler to see what the external request to the ADFS proxy or serve looks like.

    Not sure about your 2nd question but if the CRM server is on a .local domain then I would expect it to refer to ADFS as on a .local domain too.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline
    Thursday, August 4, 2011 3:42 AM
  • Tuertolin:

    I'm building an environment and would like to confirm with you the design (The goal is to not have Outside traffic terminating at all directly to the inside of our network).  We have a Cisco firewall that has three interfaces (Outside, Inside and DMZ):

    DMZ we would have:

    - (1) Server w/ CRM 2011 Front End Role

    Inside (LAN) we would have:

    - (1) Server w/ CRM 2011 Async & Sandbox Roles

    - (1) Server w/ SQL 2008 R2 (DB & SSRS)

    or, would I have to do something like this ---->

    DMZ we would have:

    (1) Server that has:

    - CRM Front End Service (Port 5555)
    - ADFS 2.0 Proxy (Port 80/443)

    Inside (LAN) we would have:

    (1) Server that has:

    - CRM Backend services
    - Async Service
    - Sandbox Service
    - ADFS 2.0

    (1) Server that has:

    - SQL 2008 R2 (DB & SSRS)

    Thank you,

    Stangride

    Tuesday, May 22, 2012 4:28 AM
  • Dear Tuertolin,

    I am getting the same error as Jason got. My scenario is the same.

    My question is, do we need IFD, or can we use ADFS Proxy only with claims-based authentication?

    My scenario:

    1 CRM 2013

    1 ADFS 2.0

    1 ADFS  Proxy

    1 SQL Server

    1 AD

    Flow which I have in my mind:

    Client --> CRM Server --> Redirect to ADFS for authenticate
     
    Client --> ADFS proxy --> ADFS Server --> Client
     
    Client --> CRM Server (this time authenticated)

    Regards

    Gyan


    GYAN SHUKLA

    Tuesday, December 9, 2014 10:14 AM
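The three-line flow in the post above is the WS-Federation passive sign-in round trip: CRM answers an unauthenticated request with a redirect to the STS sign-in endpoint, the endpoint the client reaches (federation server internally, proxy externally) prompts the user and returns a response, and the client posts that back to CRM. The following is an added model of that exchange, written for this thread and not CRM or AD FS code. It assumes the WS-Federation parameter names (`wa`, `wtrealm`, `wctx`, `wauth`), two authentication-type URIs (`urn:federation:authentication:windows` and `urn:oasis:names:tc:SAML:1.0:am:password`) and, for the two endpoints, an assumed set of sign-in types each offers; it shows how a requested type that no endpoint on the client's path offers ends in the MSIS7040 text from the first post. Which component in the original poster's setup produced that mismatch is not established in the thread.

```python
"""Added example: a toy model of the WS-Federation passive sign-in round trip
sketched in Gyan's post (client -> CRM -> AD FS -> client -> CRM).
Illustration only, not CRM or AD FS code. The authentication-type URIs and the
set of types each endpoint offers are assumptions of this model."""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Requested-authentication-type URIs recognised by the model (assumed values).
WAUTH_WINDOWS = "urn:federation:authentication:windows"
WAUTH_FORMS = "urn:oasis:names:tc:SAML:1.0:am:password"


class NoAuthenticationContextError(Exception):
    """Stands in for the NoAuthenticationContextException seen in the event log."""


def crm_challenge(sts_base: str, wtrealm: str, wctx: str,
                  wauth: Optional[str] = None) -> str:
    """Step 1: an unauthenticated request to CRM is answered with a redirect to
    the STS passive endpoint carrying the WS-Federation sign-in parameters."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wctx": wctx}
    if wauth:
        params["wauth"] = wauth   # relying party's preferred authentication type
    return f"{sts_base}/adfs/ls/?{urlencode(params)}"


def sts_passive_endpoint(redirect_url: str, offered: List[str]) -> Dict[str, str]:
    """Step 2: the endpoint the client lands on (federation server or proxy)
    matches the requested type against what it offers (in preference order).
    No match -> the MSIS7040-style failure; a match -> the prompt to show."""
    q = parse_qs(urlsplit(redirect_url).query)
    if q.get("wa", [None])[0] != "wsignin1.0":
        raise ValueError("not a sign-in request")
    requested = q.get("wauth", [None])[0]
    if requested is None:
        chosen = offered[0]                      # no preference: endpoint default
    elif requested in offered:
        chosen = requested
    else:
        raise NoAuthenticationContextError(
            "MSIS7040: None of the requested authentication types are supported by the server.")
    return {"prompt": chosen, "wtrealm": q["wtrealm"][0], "wctx": q.get("wctx", [""])[0]}


def crm_consume(sign_in: Dict[str, str], expected_realm: str) -> bool:
    """Step 3: the client posts the STS response back to CRM, which accepts it
    only for its own realm (token signature validation is out of scope here)."""
    return sign_in["wtrealm"] == expected_realm


def round_trip(sts_base: str, offered: List[str], wauth: Optional[str]) -> str:
    """Run the three steps and return the outcome a tester would observe."""
    realm = "https://crmorg.contoso.com/"   # constructed relying-party identifier
    url = crm_challenge(sts_base, realm, wctx="/main.aspx", wauth=wauth)
    try:
        sign_in = sts_passive_endpoint(url, offered)
    except NoAuthenticationContextError as exc:
        return f"failed at STS: {exc}"
    if not crm_consume(sign_in, realm):
        return "rejected by CRM"
    return "authenticated via " + sign_in["prompt"]


# Assumed per-endpoint offerings for this model: the internal federation server
# can do Windows integrated or forms sign-in, the proxy only forms sign-in.
INTERNAL_STS = [WAUTH_WINDOWS, WAUTH_FORMS]
PROXY_STS = [WAUTH_FORMS]

if __name__ == "__main__":
    print(round_trip("https://sts1.contoso.com", INTERNAL_STS, WAUTH_WINDOWS))
    print(round_trip("https://sts1.contoso.com", PROXY_STS, WAUTH_WINDOWS))
    print(round_trip("https://sts1.contoso.com", PROXY_STS, None))
```

The first call succeeds with the Windows prompt (the credential popup the original poster sees internally), the second fails at the STS with the MSIS7040 text, and the third, with no preference expressed, falls through to the proxy's forms sign-in. Reading the `wauth` value out of the redirect captured in Fiddler, as suggested earlier in the thread, is the cheap way to see which case a real deployment is in.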