CRM 2011: ADFS Error – Each identifier for a relying party trust must be unique

When deploying an ADFS/IFD solution, you will most likely want to build a separate ADFS server. Since ADFS is Microsoft's STS (Security Token Service), many of their applications, including Microsoft Dynamics CRM 2011, will federate with it for single sign-on within your enterprise.

ADFS can be set up on a single server and can work with multiple instances (Dev, Test, Production) or deployments of Microsoft Dynamics CRM 2011, as shown below:

The gotcha is the names of the CRM Organizations across the multiple CRM deployments. You cannot have duplicate organization names between dev, test and production. So, for example, an organization named CRM cannot be used in DEV, TEST and PROD at the same time when using ADFS. Doing so will give you the following error message:

An error occurred during an attempt to access the AD FS configuration database (Write to). Each identifier for a relying party trust must be unique across all relying party trusts. The error occurs because the organization name, in this case CRM, is used to build the relying party identifier https://crm.domainname.com. Once you add DEV, the duplication occurs when you then try to add TEST and PROD.

A CRM Organization name change is required to use one ADFS server for three separate deployments, so CRM would become CRMDEV, CRMTEST and CRM, eliminating the duplicate identifiers and with them the error. Enjoy!
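A pre-check you can run on the federation server before registering the next deployment, as an added example that is not code from the original post: it derives the identifier a CRM organization will claim and compares it against every identifier already held by an existing relying party trust. It assumes the AD FS PowerShell module (Get-AdfsRelyingPartyTrust) is available; the domain name, trust name and organization names are placeholders.

```powershell
# Added example, not from the original post. Checks a planned CRM organization's
# relying party identifier against the identifiers already registered in AD FS.
# Assumes the AD FS module (Get-AdfsRelyingPartyTrust) on the federation server;
# "domainname.com" and the trust/org names below are placeholders.

function Get-CrmOrgIdentifier {
    param([Parameter(Mandatory)][string]$OrgName,
          [Parameter(Mandatory)][string]$Domain)
    # CRM 2011 builds the relying party identifier from the organization URL,
    # e.g. org "CRM" under domainname.com -> https://crm.domainname.com
    return ("https://{0}.{1}" -f $OrgName.ToLowerInvariant(), $Domain.ToLowerInvariant())
}

function Find-RelyingPartyIdentifierConflict {
    param([Parameter(Mandatory)][string[]]$ProposedIdentifiers,
          [object[]]$ExistingTrusts = (Get-AdfsRelyingPartyTrust))
    # Index every identifier already registered, normalised so that letter case
    # or a trailing slash cannot hide a duplicate (a conservative comparison).
    $registered = @{}
    foreach ($trust in $ExistingTrusts) {
        foreach ($id in $trust.Identifier) {
            $key = $id.TrimEnd('/').ToLowerInvariant()
            if (-not $registered.ContainsKey($key)) { $registered[$key] = @() }
            $registered[$key] += $trust.Name
        }
    }
    # Emit one record per proposed identifier that is already taken.
    foreach ($id in $ProposedIdentifiers) {
        $key = $id.TrimEnd('/').ToLowerInvariant()
        if ($registered.ContainsKey($key)) {
            [pscustomobject]@{ Identifier = $id; ExistingTrust = ($registered[$key] -join ', ') }
        }
    }
}

# Constructed sample standing in for Get-AdfsRelyingPartyTrust output: the DEV
# deployment has already registered an organization named "CRM".
$sample = @(
    [pscustomobject]@{ Name = 'CRM DEV IFD'; Identifier = @('https://crm.domainname.com') }
)

# Planned TEST deployment reusing the name "CRM" versus the renamed "CRMTEST".
$reused  = Get-CrmOrgIdentifier -OrgName 'CRM'     -Domain 'domainname.com'
$renamed = Get-CrmOrgIdentifier -OrgName 'CRMTEST' -Domain 'domainname.com'
Find-RelyingPartyIdentifierConflict -ProposedIdentifiers $reused, $renamed -ExistingTrusts $sample
```

With the sample above the reused name collides with the DEV trust's identifier while CRMTEST does not; drop the -ExistingTrusts argument to check against the live AD FS configuration instead.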