Active Directory Federation Services (ADFS) performs a number of tasks when authenticating users into CRM securely. One of those tasks is a certificate revocation check, which validates that the certificates being used are still valid. ADFS completes this check by reaching out to certificate revocation lists (CRLs) over TCP port 80 (basic HTTP communication).
What we’ve seen is that businesses want to lock down their ADFS servers just to be on the “safe side”, and that includes closing TCP port 80 outbound (e.g. no internet access). If left in its default state, ADFS will break and authentication will fail, because ADFS knows it is supposed to check the CRLs to validate the certificate before issuing a token that allows a user into CRM. If it cannot do this, it will not issue a token. You may see an error similar to the following in the ADFS event viewer logs after a failed authentication attempt:
Event ID: 364
Microsoft.IdentityServer.AuthenticationFailedException: MSIS3014: The encryption certificate of the relying party trust 'https://crm.domain.com/' identified by thumbprint '01DEDF6E6F532BF7357457EBEC31DA82SFDA1234' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted. --->
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'https://crm.domain.com/' identified by thumbprint '01DEDF6E6F532BF7357457EBEC31DA82SFDA1234' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
So what are your options?
- Have your networking team open TCP 80 outbound on the ADFS server(s). This also applies to all ADFS Proxy or WAP servers. While opening a port might seem less secure at face value, it is actually the opposite: with the port open, ADFS is able to validate the certificates being used.
- The less preferred, but still acceptable, method is turning off the certificate revocation check in ADFS. The check is controlled individually for each relying party trust, so it would need to be turned off for each one. To do this, open an admin PowerShell prompt and issue the following command:
Set-ADFSRelyingPartyTrust -TargetName <relyingpartytrustName> -EncryptionCertificateRevocationCheck None
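Before choosing either option, it helps to see exactly which CRL hosts ADFS needs to reach and whether the revocation check currently succeeds. The following script is an added example, not part of the original post: it walks the relying party trusts, pulls the CRL distribution point URLs from each encryption certificate, tests TCP 80 to each CRL host, and builds the chain with online revocation checking so the cause behind MSIS3014 is visible. It assumes it runs on an ADFS server with the ADFS PowerShell module installed.

```powershell
# Added example (not from the original post). Run on an ADFS server.
Import-Module ADFS

function Get-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text; pull the URL= entries out of it
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-RevocationPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Online revocation check across the whole chain, the same kind of check
    # ADFS must complete before it will issue a token for this relying party
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $ok
        # With port 80 blocked, expect RevocationStatusUnknown / OfflineRevocation here
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    if (-not $rp.EncryptionCertificate) { continue }
    $cert = $rp.EncryptionCertificate
    Write-Host "`n$($rp.Name)  thumbprint $($cert.Thumbprint)  revocation check: $($rp.EncryptionCertificateRevocationCheck)"
    foreach ($url in Get-CrlUrls $cert) {
        $uri = [uri]$url
        # CRLs are served over plain HTTP, so TCP 80 must be open outbound to each CDP host
        $reach = Test-NetConnection -ComputerName $uri.Host -Port 80 -WarningAction SilentlyContinue
        Write-Host ("  CRL {0} -> TCP 80 reachable: {1}" -f $url, $reach.TcpTestSucceeded)
    }
    $result = Test-RevocationPath $cert
    Write-Host "  chain builds with online revocation: $($result.Valid)  status: $($result.Status)"
}
```

If the CRL hosts are reachable and the chain builds cleanly, the firewall rule in option one is enough and the revocation check can stay on.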
Jujhar Singh announced at Convergence EMEA that Azure Express Route is now available for CRM Online. Why is this important to you and your business?
CRM Online is a public cloud service. Azure Express Route will allow dedicated network connections from your MPLS network to CRM Online. This will dramatically improve not only connectivity to CRM Online, but also the ability to leverage Azure services for your CRM data. This connectivity is a big private cloud advantage that has just been neutralized, and another step towards better integration as a hybrid cloud.
Read about it here:
Interesting resolution here, as the Microsoft documentation states to enter https://dev.crm.dynamics.com/ORGANIZATIONNAME. It turns out that this is NOT the actual name of your organization but its GUID!
Per the error message, we went into CRM Online and checked the developer resources, as seen below:
Notice that the organization name is a GUID. This is the GUID/name required to use the discovery service. Since we were configuring the email router, you can see how it was used below:
After that, we were able to use the CRM Online Discovery Service successfully. Also of note, CRM Online has two different discovery endpoints: one for CRM Online (above) and one for Office 365 (below). Make sure that you identify where the customer’s CRM Online is hosted.
Office 365 discovery url: https://disco.crm.dynamics.com/ORGANIZATIONNAME
Several customers have reported that the CRM 4.0 or 2007 endpoint is showing a 404 error and is no longer working after applying Update Rollup 10/11. A SQL script is required to fix the issue. Please note that since this is a direct SQL update to the MSCRM_CONFIG database, please contact your partner or Microsoft for assistance in updating your system.
Best practice would be to uninstall Update Rollup 11 and see if that fixes the endpoint issue (don’t forget to restart IIS). If not, then you may have no choice but to either wait for a fix or patch from Microsoft, or apply the SQL statement at your own risk. The SQL script updates the FederationProviderProperties in the NVarCharColumn, changing the several paths associated with MSCRMServices/2007/XXXXXXX.asmx.
Microsoft has scheduled Update Rollup 12 to resolve this error. Please talk to Microsoft or your partner for the script to temporarily resolve this issue until Rollup 12 is released late December.