ADFS 2.1 Mex Endpoint Errors with CRM 2011 & Windows Server 2012. Here’s your fix.


When you install ADFS on Windows Server 2012, the built-in ADFS role is ADFS 2.1. When setting up Microsoft Dynamics CRM 2011 (UR13+ required), you will get an error message telling you that IFD authentication fails when external applications try to access the discovery service.

Apparently the documentation for UR13 says this has been fixed, but that is not 100% true. The manual steps shown below are still required.

So, when you try to access this via your browser: https://crm.yourdomain.com/xrmservices/2011/discovery.svc?wsdl=wsdll, you will see within the XML a metadata node that contains the following:

<wsx:MetadataReference>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://adfs.yourdomain.local/adfs/ls/mex</Address>
</wsx:MetadataReference>

Comparing that with our production CRM 2011 server running on ADFS 2.0, you will see:

<wsx:MetadataReference>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://adfs.yourdomain.local/adfs/services/trust/mex</Address>
</wsx:MetadataReference>

Solution:

The current solution is to run the PowerShell script provided in http://support.microsoft.com/kb/2828015.

The PowerShell script fixes a known issue in ADFS 2.1 with publishing metadata for mex endpoints: after configuring claims-based authentication in Microsoft Dynamics CRM 2011, the mex endpoints are not reachable.

Step 1: Start PowerShell Console

Step 2: Execute the Script contained in KB Article

Step 3: Either restart both the CRM and ADFS servers, or restart the ADFS service and IIS on both machines.

Make sure with all ADFS adventures that your browser cache is clear.
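To confirm which mex address CRM is actually publishing after running the KB script, here is an added PowerShell check (not part of the KB article or this post). The IFD hostname is an assumption; the script walks the discovery WSDL and every WSDL it imports, so it does not depend on which `?wsdl=` part carries the policy.

```powershell
# Added example: audit the mex addresses published by the CRM 2011 discovery service.
# Assumptions: the IFD hostname below, and PowerShell 3.0+ (Invoke-WebRequest) on the box.
$CrmHost  = "crm.yourdomain.com"
$wsdlRoot = "https://$CrmHost/xrmservices/2011/discovery.svc?wsdl"

function Get-CrmMexAddresses {
    param([string]$StartUrl)
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($StartUrl)
    $found = @()
    while ($queue.Count -gt 0) {
        $url = $queue.Dequeue()
        if ($seen.ContainsKey($url)) { continue }
        $seen[$url] = $true
        [xml]$doc = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
        # CRM splits its WSDL across wsdl:import documents; follow them so the policy
        # sections that carry <wsx:MetadataReference> are not missed.
        foreach ($imp in $doc.SelectNodes("//*[local-name()='import'][@location]")) {
            $queue.Enqueue($imp.GetAttribute("location"))
        }
        # local-name() keeps this independent of the wsx:/wsa: prefixes used in the document
        $xpath = "//*[local-name()='MetadataReference']/*[local-name()='Address']"
        foreach ($addr in $doc.SelectNodes($xpath)) { $found += $addr.InnerText.Trim() }
    }
    return $found | Sort-Object -Unique
}

foreach ($addr in (Get-CrmMexAddresses -StartUrl $wsdlRoot)) {
    if     ($addr -like "*/adfs/services/trust/mex") { "OK      $addr" }
    elseif ($addr -like "*/adfs/ls/mex")             { "BROKEN  $addr  (ADFS 2.1 mex issue, see KB 2828015)" }
    else                                              { "UNKNOWN $addr" }
}
```

Run it from a machine that can reach the external CRM URL; a BROKEN line after the fix usually means a cached WSDL, so clear the browser/proxy cache and re-run.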


My fellow MVP from down under, George Doubinski, ran into this issue late last night, and has now offered to move from Australia and take up US citizenship just to vote for me if I ever decide to run for President! Thanks George, but I might be headed your way!

Update: here’s the new KB link for Windows Server 2012. I have confirmed this is fixed in ADFS 2.1
http://support.microsoft.com/kb/2827748


CRM 2011 Ribbon bar Missing after applying update Rollups? Here’s your fix.


A co-worker of mine was testing a CRM 2011 On Premise implementation where he had recently updated to Rollup 12/13. He started to notice that the ribbon bar was completely missing!

[Screenshot: blankribbonbar]
My first response was to clear the browser cache, try it from another machine, and use an IE Private Browsing session. The IE Private Browsing session did help resolve the problem, but this was not the solution.

In reviewing some issues further, we found a blog from Ben Klopfer about a similar issue. Ben reported the permanent fix is:

Log in to CRM as an administrator.

  1. Go to Settings > Administration.
  2. Click System Settings.
  3. On the “Customizations” tab, uncheck Load pages in the most recent version of Internet Explorer.

After making the change, Ben’s fix works great and the ribbon bar is now available. Ben’s original blog can be found here: http://thinketg.com/dynamics-crm-2011-ru-12-blank-ribbon-issue-resolution/. Thanks Ben!


Microsoft Convergence 2013: ADFS Presentation


Please find my latest presentation on ADFS from Microsoft Convergence 2013. This presentation includes topics like SSL Certificates, DNS Entries, Firewall, Common Deployments, ADFS Proxy Servers, IFD, ADFS Installation, Tips and Tricks, Troubleshooting and ADFS Errors.

Please note the ADFS central link is not yet live on this site. This is the e-book I’m creating for ADFS installations. Stay tuned.

Download: ADFS Best Practices Presentation


CRM 2011: Could not find GUID for server – Update Rollup 11v2 Breaks ADFS


We ran into an authentication issue with Microsoft CRM 2011 using ADFS/IFD running Update Rollup 11v2. After it was installed, the external endpoint would no longer display, giving the following error:

[Screenshot: CRM2011_UnexpectedError]

The event viewer log showed the following error (Could not find GUID for Server) immediately before the ADFS login prompt even appeared:

When Update Rollup 11v2 is removed, CRM functions normally with no errors. Reinstall Update Rollup 11v2 and the same issue occurs. A workaround is to change the Anonymous Authentication identity from a specific user (IUSR) to the application pool identity. The steps are below:

Step 1:

On the CRM server, open the Internet Information Services (IIS) Manager

Step 2:  

In IIS Manager, click the CRM site

Step 3:

In the Features View, double-click Authentication

Step 4:

Select Anonymous Authentication, and then click Edit in the Actions pane

Step 5:

In the Edit Anonymous Authentication Credentials dialog box, click Application pool identity, and then click OK:

[Screenshot: IISApplicationPoolIdentity]

Step 6:

Perform an IISRESET on CRM and ADFS servers. Now you can browse the ADFS endpoint for External!
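The same change scripted in PowerShell, added here as an example (not from the post or from Microsoft support). The site name "Microsoft Dynamics CRM" is the CRM installer's default website name and is an assumption; check IIS Manager if your site is named differently.

```powershell
# Added example: switch the CRM site's Anonymous Authentication identity from a
# specific user (IUSR) to the application pool identity, then verify the change.
# Assumption: the CRM website is named "Microsoft Dynamics CRM" (the installer default).
Import-Module WebAdministration

$siteName = "Microsoft Dynamics CRM"
$section  = "/system.webServer/security/authentication/anonymousAuthentication"

function Get-AnonymousIdentity {
    param([string]$Site)
    # anonymousAuthentication is locked at server level, so read/write the site's <location>
    # in applicationHost.config (PSPath IIS:\ plus -Location) rather than the site's web.config.
    $user = Get-WebConfigurationProperty -PSPath "IIS:\" -Location $Site -Filter $section -Name userName
    if ([string]::IsNullOrEmpty($user.Value)) { "ApplicationPoolIdentity" } else { "SpecificUser:$($user.Value)" }
}

"Before: $(Get-AnonymousIdentity -Site $siteName)"

# An empty userName is how IIS represents "Application pool identity" for anonymous auth;
# clearing the password as well drops the stored IUSR credential.
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter $section -Name userName -Value ""
Set-WebConfigurationProperty -PSPath "IIS:\" -Location $siteName -Filter $section -Name password -Value ""

"After:  $(Get-AnonymousIdentity -Site $siteName)"

# Step 6 from the post: restart IIS here, and do the same on the ADFS server, before re-testing.
iisreset
```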

Performing this change (recommended by Microsoft support) makes ADFS/IFD endpoint for Microsoft Dynamics CRM 2011 work with Update Rollup 11v2. Reverting this change breaks CRM when Update Rollup 11v2 is installed.

Special thanks to Gage Pennisi, my young apprentice, for identifying and resolving the issue.


CRM 2011: Removing or Reinstalling ADFS Gotchas


ADFS can be very unforgiving if you need to uninstall or reconfigure. The following steps should steer you clear of any issues that you might run into. (ACL List issues are covered on my blog as well).

Step 1:
Uninstall ADFS using Control Panel, Remove a program.
NOTE: ADFS is shown as an installed update, not a program. The system will require a reboot.

Step 2:
Open IIS, find the ADFS website, and delete the following folders:
Delete LS Folder
Delete ADFS Folder

Step 3:
View ADFS Application Pool
Note: You should see that no applications are assigned to it any more.
Delete ADFS Application Pool

Step 4:
Delete Program Files\ADFS installation path

Step 5:
IIS Restart
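A scripted version of Steps 2 to 5, added here as an example and not taken from the post. The site, application pool name and install path are the ADFS 2.0 defaults as I know them and are assumptions, so the script only reports what it finds unless you pass -Commit.

```powershell
# Added example: check for ADFS 2.0 leftovers in IIS and remove them (Steps 2-5 of the post).
# Assumptions: ADFS 2.0 published /adfs and /adfs/ls under "Default Web Site", used the
# application pool "ADFSAppPool" and installed under the path below. Dry run unless -Commit.
param([switch]$Commit)
Import-Module WebAdministration

$siteName    = "Default Web Site"
$appPoolName = "ADFSAppPool"
$installPath = Join-Path $env:ProgramFiles "Active Directory Federation Services 2.0"

function Get-AdfsIisLeftovers {
    $apps = @(Get-WebApplication -Site $siteName | Where-Object { $_.applicationPool -eq $appPoolName })
    New-Object PSObject -Property @{
        Applications = @($apps | ForEach-Object { $_.path })   # expect "/adfs" and "/adfs/ls" before Step 2
        PoolExists   = Test-Path "IIS:\AppPools\$appPoolName"
        InstallDir   = Test-Path $installPath
    }
}

$state = Get-AdfsIisLeftovers
"Applications on $appPoolName : $($state.Applications -join ', ')"
"App pool present: $($state.PoolExists)   Install folder present: $($state.InstallDir)"

if (-not $Commit) { "Dry run only; re-run with -Commit to remove the items above."; return }

# Step 2: remove the child application (/adfs/ls) before its parent (/adfs)
foreach ($app in ($state.Applications | Sort-Object -Descending)) {
    Remove-WebApplication -Site $siteName -Name $app.TrimStart('/')
}
# Step 3: the pool must have no applications left before it is deleted
$remaining = @(Get-WebApplication | Where-Object { $_.applicationPool -eq $appPoolName })
if ($state.PoolExists -and $remaining.Count -eq 0) { Remove-WebAppPool -Name $appPoolName }
# Step 4: installation folder
if ($state.InstallDir) { Remove-Item -Path $installPath -Recurse -Force }
# Step 5
iisreset
```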

Now you’re ready to reinstall ADFS. Please make sure you download the latest ADFS 2.0 from the Microsoft Download Center, and don’t install/add the ADFS role from the Windows Server.


CRM 2011: Additional ADFS Claims Provider causes HomeRealm URL Error


The home realm URL issue is introduced when we attempt to add another Active Directory or claims provider for a domain outside our cloud domain to create single sign-on (SSO). Microsoft Internet Explorer supports this, and we have no issues connecting via the browser.

However, Microsoft Outlook as well as third-party applications are currently not ready to support multiple home realm URLs. This issue is becoming more and more apparent as customers move to more cloud-based services that require SSO.

Microsoft has addressed this issue for the Outlook client by creating the following registry value:

Registry String: HomeRealmUrl: https://adfs.domain.com/adfs/services/trust/mex

under the registry entry:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MSCRMClient

This Microsoft article explains this in more detail:

http://msdn.microsoft.com/en-us/library/gg188615.aspx

This can be a gotcha for third-party ISVs whose applications are not coded to support multiple home realm domains.


CRM 2011: How to Confirm the PrimaryComputer (ADFS Server) in a ADFS Server Farm


While working on setting up an ADFS server farm, I was wondering how I could quickly tell whether the ADFS server I was on was the primary computer. A quick review of the ADFS PowerShell snap-in turned up a command that retrieves the ADFS role: get-adfssyncproperties

Of course, if you open the ADFS wizard, you will be told that this is not the primary computer as well, as seen below. It just takes a little longer to find it 🙂
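A small wrapper around that command, added as an example (not from the post), that loads the cmdlets on either ADFS 2.0 (snap-in) or the ADFS 2.1 role (module) and reports the role in plain terms. The property names are those I know Get-AdfsSyncProperties to return for a WID-based farm and are an assumption.

```powershell
# Added example: report whether this ADFS server is the primary computer of the farm.
# ADFS 2.0 ships its cmdlets as a snap-in; the ADFS 2.1 role on Windows Server 2012 ships a module.
if (-not (Get-Command Get-AdfsSyncProperties -ErrorAction SilentlyContinue)) {
    if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    } else {
        Import-Module ADFS
    }
}

function Get-AdfsFarmRole {
    $sync = Get-AdfsSyncProperties
    switch ($sync.Role) {
        "PrimaryComputer" {
            "PRIMARY: this server owns the read/write configuration database; make changes here."
        }
        "SecondaryComputer" {
            "SECONDARY: read-only copy, synced from $($sync.PrimaryComputerName):$($sync.PrimaryComputerPort) " +
            "every $($sync.PollDuration)s (last sync $($sync.LastSyncTime), status $($sync.LastSyncStatus))."
        }
        default { "Unrecognised role value '$($sync.Role)'." }
    }
}

Get-AdfsFarmRole
```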


CRM 2011: 2007 Endpoint 404 error no longer working after Update Rollup 10/11 is applied


Several customers have reported that the CRM 4.0 (2007) endpoint returns a 404 error and no longer works after applying Update Rollup 10/11. A SQL script is required to fix the issue. Since this is a direct SQL update to the MSCRM_CONFIG database, please contact your partner or Microsoft for assistance in updating your system.

Best practice would be to uninstall Update Rollup 11 and see if that fixes the endpoint issue (don’t forget to restart IIS). If not, then you may have no choice but to either wait for a fix or patch from Microsoft, or apply the SQL statement at your own risk. The SQL script updates the FederationProviderProperties in the NVarCharColumn, changing the several paths associated with MSCRMServices/2007/XXXXXXX.asmx.

Microsoft has scheduled Update Rollup 12 to resolve this error. Please talk to Microsoft or your partner for the script to temporarily resolve this issue until Rollup 12 is released in late December.


CRM 2011: ADFS Error – Each identifier for a relying party trust must be unique


When deploying an ADFS/IFD solution, you will most likely want to build a separate ADFS server. Since ADFS is Microsoft’s STS (Security Token Service), many of their applications, including Microsoft Dynamics CRM 2011, will federate with it for single sign-on within your enterprise.

ADFS can be set up on a single server and can work with multiple instances (Dev, Test, Production) or deployments of Microsoft Dynamics CRM 2011, as shown below:

The gotcha is the names of the CRM organizations across the multiple CRM deployments. You cannot have duplicate organization names between dev, test and production. So, for example, an organization named CRM cannot be used in DEV, TEST and PROD at the same time when using ADFS. This will give you the following error message:

An error occurred during an attempt to access the AD FS configuration database (Write to). Each identifier for a relying party trust must be unique across all relying party trusts. This error occurs because the identifier, in this case CRM, is referenced by the identifier https://crm.domainname.com. Once you add DEV, the duplication occurs when you then try to add TEST and PROD.

A CRM organization name change is required to use one ADFS server for three separate deployments, so CRM would become CRMDEV, CRMTEST and CRM, eliminating the duplicate identifiers and hence the error. Enjoy!
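To catch the clash before the wizard does, here is an added PowerShell check (not from the post) that lists relying party identifiers already registered in ADFS and tests whether a planned CRM organization's identifier is still free. The identifier form https://<org>.<domain> follows the post's example and is an assumption; run it on the ADFS primary computer with the ADFS cmdlets loaded.

```powershell
# Added example: find duplicate relying-party identifiers and test whether a planned
# CRM organization name would collide. Run on the ADFS primary computer.
# Assumption (from the post's example): a CRM org "CRM" on domain "domainname.com"
# is identified as https://crm.domainname.com (with or without a trailing slash).

function Normalize-Identifier {
    param([string]$Id)
    $Id.Trim().TrimEnd('/').ToLowerInvariant()
}

function Find-DuplicateRpIdentifiers {
    $byId = @{}
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        foreach ($id in $rp.Identifier) {          # Identifier is a string array per trust
            $key = Normalize-Identifier $id
            if (-not $byId.ContainsKey($key)) { $byId[$key] = @() }
            $byId[$key] += $rp.Name
        }
    }
    $byId.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{ Identifier = $_.Key; Trusts = ($_.Value -join ', ') }
    }
}

function Test-CrmOrgIdentifierFree {
    param([string]$OrgName, [string]$ExternalDomain)
    $candidate = Normalize-Identifier "https://$OrgName.$ExternalDomain"
    $owner = Get-AdfsRelyingPartyTrust | Where-Object {
        @($_.Identifier | ForEach-Object { Normalize-Identifier $_ }) -contains $candidate
    }
    if ($owner) { "TAKEN: $candidate is already an identifier on trust '$($owner.Name)'" }
    else        { "FREE:  $candidate" }
}

Find-DuplicateRpIdentifiers | Format-Table -AutoSize
foreach ($org in "CRM", "CRMDEV", "CRMTEST") {
    Test-CrmOrgIdentifierFree -OrgName $org -ExternalDomain "domainname.com"
}
```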