Microsoft Convergence 2013: ADFS Presentation

Please find my latest presentation on ADFS from Microsoft Convergence 2013. This presentation includes topics like SSL Certificates, DNS Entries, Firewall, Common Deployments, ADFS Proxy Servers, IFD, ADFS Installation, Tips and Tricks, Troubleshooting and ADFS Errors.

CRM 2011: ADFS Service Federated Metadata Error – Keyset does not exist

Reviewing a client’s ADFS configuration, I found an unusual error message in the ADFS service federation metadata saying “Keyset does not exist”.

After searching for all the usual culprits, this turned out to be one of the most commonly forgotten issues – granting the service account permission to manage the private keys for the certificate.

This can be accomplished by opening the MMC and adding the Certificates snap-in. Ensure you add it for the Computer account. Once the Certificates MMC is launched, you can find the certificate in the Personal certificate store; right-click it and choose All Tasks, Manage Private Keys.

You can now add the service account and give it the proper permissions as seen below:

You will need to do this on both the CRM and ADFS servers (on any server that uses your certificate for CRM).
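The same permission change in scripted form, as an added example that is not from the original post: it locates the certificate, checks whether the service account can already read the private key, and grants Read only if it cannot. It assumes a CryptoAPI (CSP) RSA key in the machine store, which is what ADFS 2.0 / CRM 2011 era certificates normally use, and the thumbprint and account name are placeholders to replace. Run it from an elevated PowerShell on each server that holds the certificate.

```powershell
# Added example (not from the original post): the scripted equivalent of
# MMC > Certificates (Computer account) > Personal > All Tasks > Manage Private Keys.
# Assumptions: the key is a CryptoAPI (CSP) RSA key in the machine store;
# the thumbprint and service account below are placeholders.

$Thumbprint     = 'REPLACE-WITH-CERTIFICATE-THUMBPRINT'   # placeholder
$ServiceAccount = 'CONTOSO\svc-adfs'                      # placeholder

function Get-PrivateKeyPath {
    # Resolves the on-disk key container file for a certificate in LocalMachine\My.
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    try {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        # "Keyset does not exist" here means the current user cannot read the key,
        # or the key is a CNG key, which is stored under a different directory.
        throw "Cannot open the private key of $($Thumbprint): $($_.Exception.Message)"
    }
    Join-Path -Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" -ChildPath $container
}

function Test-PrivateKeyAccess {
    # Returns $true when the account already holds an Allow ACE with at least Read.
    param([Parameter(Mandatory=$true)][string]$KeyPath,
          [Parameter(Mandatory=$true)][string]$Account)
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $match = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    return [bool]$match
}

function Grant-PrivateKeyAccess {
    # Adds an Allow:Read ACE; Read is all the service needs to sign and decrypt,
    # so Full Control is not granted.
    param([Parameter(Mandatory=$true)][string]$KeyPath,
          [Parameter(Mandatory=$true)][string]$Account)
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

$keyPath = Get-PrivateKeyPath -Thumbprint $Thumbprint
if (Test-PrivateKeyAccess -KeyPath $keyPath -Account $ServiceAccount) {
    Write-Host "$ServiceAccount already has Read on $keyPath"
} else {
    Grant-PrivateKeyAccess -KeyPath $keyPath -Account $ServiceAccount
    Write-Host "Granted Read on $keyPath to $ServiceAccount"
}
```

Running the check first makes the script safe to repeat on every server, and the try/catch turns the same “Keyset does not exist” failure the post describes into a message that says which certificate could not be opened.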

CRM 2011: ADFS SSL Certificate Expiration (Auto-Rollover) and CRM is now down.

CRM 2011 ADFS comes with a unique feature: Auto-Rollover for SSL certificate expiration. You must load the new SSL certificate on the box prior to the Auto-Rollover. We are finding out this might not be as automatic as once thought.

If your ADFS console looks like the following and your CRM is not working, the steps are listed below:

From the CRM Deployment Manager, run through the configuration wizards for setting up both Claims-based Authentication and Internet Facing Deployment (IFD). These are located on the top right of the CRM Deployment Manager. You just need to click Next through them again; all the values will be there from your existing setup. Next, restart the IIS server (IISReset from an administrator command prompt) on the CRM server as shown below:

Next, on the ADFS server, locate the ADFS Windows Service in Services and restart it, then issue the IISReset command as above. You may also restart the service from the command line:

Now you should be able to successfully use your CRM system again. Enjoy!

Please see my other posts about enabling auto-rollover:

CRM 2011: ADFS certificate expiration – Yellow Warning Triangle in ADFS Management Console

ADFS uses standard SSL certificates to secure its communications. SSL certificates are not static and often change on a yearly basis. This will cause the warning condition in the ADFS management console as seen below:

Once you enter the ADFS management console, under the relying party trusts you will see:

Once you replace the certificate in the MMC or IIS Manager, the message will still be displayed after restarting the ADFS service. Using PowerShell, you can update the ADFS cache mechanism by entering the following commands:
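As an added example that is not the original post's commands, the following script covers both the service restart from the command line and the cache refresh on the ADFS server: it lists the certificates ADFS has cached for each relying party trust, re-reads the CRM federation metadata for the named trust, restarts the ADFS service, and lists the certificates again so the change is visible. It assumes ADFS 2.0 (the Microsoft.Adfs.PowerShell snap-in and the adfssrv service name) and a relying party trust name that is a placeholder; the trust must have a federation metadata URL configured.

```powershell
# Added example (not the original post's commands). Assumptions: ADFS 2.0 cmdlets
# from the Microsoft.Adfs.PowerShell snap-in, service name adfssrv, and a
# placeholder relying party trust name. Run from an elevated PowerShell on the ADFS server.
# (On the CRM server the matching step is simply: iisreset)

if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

function Show-RelyingPartyCertificates {
    # Lists each relying party trust with the expiry dates of the certificates ADFS
    # has cached for it, so an expired one can be spotted before and after the refresh.
    Get-ADFSRelyingPartyTrust | ForEach-Object {
        $encryption = if ($_.EncryptionCertificate) { $_.EncryptionCertificate.NotAfter } else { $null }
        $signing    = ($_.RequestSigningCertificate | ForEach-Object { $_.NotAfter }) -join ', '
        New-Object PSObject -Property @{
            Name              = $_.Name
            MetadataUrl       = $_.MetadataUrl
            EncryptionExpires = $encryption
            SigningExpires    = $signing
        }
    }
}

function Update-TrustFromMetadata {
    # Re-reads the partner's federation metadata, which replaces the cached certificates.
    param([Parameter(Mandatory=$true)][string]$TrustName)
    $trust = Get-ADFSRelyingPartyTrust -Name $TrustName
    if (-not $trust) { throw "Relying party trust '$TrustName' not found" }
    if (-not $trust.MetadataUrl) {
        throw "'$TrustName' has no federation metadata URL; update its certificates manually"
    }
    Update-ADFSRelyingPartyTrust -TargetName $TrustName
}

Show-RelyingPartyCertificates | Format-Table Name, EncryptionExpires, SigningExpires -AutoSize
Update-TrustFromMetadata -TrustName 'CRM IFD Relying Party'   # placeholder trust name
Restart-Service -Name adfssrv                                 # ADFS 2.0 Windows Service
Show-RelyingPartyCertificates | Format-Table Name, EncryptionExpires, SigningExpires -AutoSize
```

Comparing the two listings is the check that matters: if the signing and encryption expiry dates did not move forward after the update, the trust is still serving the old certificate and the warning triangle will return.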
