Please find my latest presentation on ADFS from Microsoft Convergence 2013. This presentation includes topics like SSL Certificates, DNS Entries, Firewall, Common Deployments, ADFS Proxy Servers, IFD, ADFS Installation, Tips and Tricks, Troubleshooting and ADFS Errors.
Please note the ADFS central link is not yet live on this site. This is the e-book I’m creating for ADFS installations. Stay tuned.
Download: ADFS Best Practices Presentation
Reviewing a client’s ADFS configuration, I found an unusually error message in the ADFS service federation metadata saying “Keyset does not exist”.
After searching for all the usually culprits, this turned out to be one of the most commonly forgotten issues – Giving access to the service account to manage the private keys for the certificate.
This can be accomplished by openning the MMC, and adding the snapin for Certificate Management. Ensure your add using the Computer Acount. Once the Certificate MMC is launched, you can find the certificate in the personal certificate store, and right click on it, all tasks, maanged proviate keys.
You can now add the service account and give it the proper permissions as seen below:
You will need to do this both on the CRM and ADFS Servers (any server using your certificate for CRM).
CRM 2011 ADFS comes with a unqiue feature: Auto-Rollover for SSL Certification expiration. You must load the new SSL certificate on the box prior to the Auto-Rollover. We are finding out this might be as automatic as once thought.
If your ADFS console looks like the following and your CRM is not working the steps are listed below:
From the CRM Deployment Manager, run the through the configuration wizards for setting up both Claims based Authentication and Internet Facing Deployment (IFD). These located on the top right of the CRM deployment manager. You just need to click next through again, all the values will be there from your existing setup. Next, Restart the IIS Server (IISReset on a administrator command prompt) on the CRM Server as shown below:
Next, on the ADFS server, locate the ADFS Windows Service in services, and restart the service, the issue and IISRestart command as above. You may also restart the service from the command line:
Now you should be able to succesfully use your CRM system again. Enjoy
Please see my other posts about enabled auto-rollover: