ADFS Logon Page Loop Issue with Dynamics CRM 2015

We recently set up CRM 2015 and ADFS 2.2 (the version that ships with Server 2012 R2) on new servers for a customer. Everything configured fine, and initial tests were successful when logging in with the domain admin account used to set everything up. However, we quickly found an issue when other users tried to access CRM via the external URL. At the ADFS login page, a user would enter his or her credentials as usual and try to log in, but rather than receiving a 302 redirect back to CRM, the browser was redirected back to the ADFS login page. This presented no errors on screen or in the CRM event viewer; it was as if we had never tried logging in. If we deliberately entered invalid credentials, ADFS returned the error about an incorrect user ID or password, so we knew authentication against AD was succeeding and that something was wrong with the issuing or passing of the token. Also of note: despite the external URL not working, all users were able to access CRM just fine using the internal (pass-through authentication) URL.

Nothing appeared in the ADFS Admin event viewer logs, but upon closer inspection the Security log in the event viewer on the ADFS server was filling up with Audit Failure entries (Event ID 4625). The failure reason indicated "Unknown user name or bad password" for the ADFS service account. As any logical person would assume, we figured the account was locked out, the password had expired, or we had entered invalid credentials during setup. Unfortunately, even after resetting the password in Active Directory and updating it on the service, the audit failures persisted.

After some digging around, we found that adding the ADFS service account to the Windows Authorization Access Group in Active Directory was the resolution. Members of this group are allowed to read the computed tokenGroupsGlobalAndUniversal attribute on User objects, which ADFS needs in order to build the group claims for the logged-in user. We added the account to the group, restarted the ADFS service, and all users were then able to access CRM via the external URL as expected! Another great tip from the CFE team!
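The following PowerShell script is an added example, not part of the original post: it checks the Security log for the 4625 failures described above, verifies whether the ADFS service account already belongs to the Windows Authorization Access Group, and applies the fix if not. It assumes the service account's sAMAccountName is `svc_adfs` (a placeholder) and that it runs on the ADFS server with the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original post). Diagnose and fix the ADFS logon loop:
# the ADFS service account cannot read tokenGroupsGlobalAndUniversal until it is a
# member of the Windows Authorization Access Group.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_adfs'                           # placeholder: your ADFS service account
$GroupName      = 'Windows Authorization Access Group' # built-in AD group, well-known SID S-1-5-32-560

# 1. Confirm the symptom: recent 4625 Audit Failures in the Security log whose target
#    account is the ADFS service account ("Unknown user name or bad password").
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } `
                         -ErrorAction SilentlyContinue |
    Where-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' -eq $ServiceAccount
    }
Write-Host ("4625 failures for {0} in the last hour: {1}" -f $ServiceAccount, @($failures).Count)

# 2. Check whether the account already has the membership this fix grants
#    (-Recursive also catches membership through a nested group).
$group   = Get-ADGroup -Identity $GroupName
$members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName
if ($members -contains $ServiceAccount) {
    Write-Host "$ServiceAccount is already a member of '$GroupName'; the cause lies elsewhere."
    return
}

# 3. Apply the fix and restart ADFS (service name adfssrv on Server 2012 R2) so the
#    service account's logon token picks up the new group membership.
Add-ADGroupMember -Identity $group -Members $ServiceAccount
Restart-Service -Name adfssrv
Write-Host "Added $ServiceAccount to '$GroupName' and restarted ADFS. Re-test the external CRM URL."
```

After the restart, the 4625 failures for the service account should stop and external users should receive the 302 redirect back to CRM instead of the login page again.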