ADFS 2.1 Mex Endpoint Errors with CRM 2011 & Windows Server 2012. Here’s your fix.


When you install ADFS on Windows Server 2012, the built-in ADFS role is ADFS 2.1. When setting up Microsoft Dynamics CRM 2011 (UR13+ required), you will get an error message telling you that IFD authentication fails when external applications try to access the discovery service.

Apparently the documentation for update UR13 says this has been fixed, but that is not 100% true: the manual steps shown below are still required.

So, when you try to access this via your browser: https://crm.yourdomain.com/xrmservices/2011/discovery.svc?wsdl=wsdll, you will see within the XML a metadata node that contains the following:

<wsx:MetadataReference>
  <Address xmlns="http://www.w3.org/2005/08/addressing">https://adfs.yourdomain.local/adfs/ls/mex</Address>
</wsx:MetadataReference>

Comparing that to our production CRM 2011 server running on ADFS 2.0, you will see:

<wsx:MetadataReference>
  <Address xmlns="http://www.w3.org/2005/08/addressing">https://adfs.yourdomain.local/adfs/services/trust/mex</Address>
</wsx:MetadataReference>
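As an added example (not code from the original post), the following PowerShell pulls the mex references out of the discovery WSDL and flags the ADFS 2.1 form (/adfs/ls/mex) versus the expected one (/adfs/services/trust/mex). The XML sample is constructed so the check runs offline; the live URL uses the same placeholder host names as the post.

```powershell
# Added example (not from the original post): report which mex endpoint the
# CRM discovery metadata references, to tell the broken ADFS 2.1 form
# (/adfs/ls/mex) from the expected one (/adfs/services/trust/mex).
function Get-MexReferences {
    param([Parameter(Mandatory)][xml]$Wsdl)
    # XPath matches by namespace URI, so it works whether the document uses
    # a wsa: prefix or a default xmlns on <Address>, as in the post's snippet
    $ns = New-Object System.Xml.XmlNamespaceManager($Wsdl.NameTable)
    $ns.AddNamespace('wsx', 'http://schemas.xmlsoap.org/ws/2004/09/mex')
    $ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')
    foreach ($node in $Wsdl.SelectNodes('//wsx:MetadataReference/wsa:Address', $ns)) {
        $url = $node.InnerText.Trim()
        [pscustomobject]@{
            Address = $url
            # ADFS publishes its WS-Trust metadata under /adfs/services/trust/mex;
            # a reference to /adfs/ls/mex is the ADFS 2.1 symptom described above
            Status  = if ($url -like '*/adfs/services/trust/mex') { 'OK' }
                      elseif ($url -like '*/adfs/ls/mex') { 'BROKEN (ADFS 2.1 mex issue, apply the KB fix)' }
                      else { 'UNKNOWN' }
        }
    }
}

# Constructed sample: one reference of each kind, using the post's placeholder host
$sample = [xml]@'
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
                  xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsx:MetadataReference>
    <wsa:Address>https://adfs.yourdomain.local/adfs/ls/mex</wsa:Address>
  </wsx:MetadataReference>
  <wsx:MetadataReference>
    <wsa:Address>https://adfs.yourdomain.local/adfs/services/trust/mex</wsa:Address>
  </wsx:MetadataReference>
</wsdl:definitions>
'@
Get-MexReferences -Wsdl $sample | Format-Table -AutoSize

# Live check against your deployment (uncomment; the host must be reachable):
# $live = [xml](Invoke-WebRequest -Uri 'https://crm.yourdomain.com/xrmservices/2011/discovery.svc?wsdl' -UseBasicParsing).Content
# Get-MexReferences -Wsdl $live | Format-Table -AutoSize
```

Run the live check after applying the KB script and restarting the services; every reference should come back as OK.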

Solution:

The current solution is to run the PowerShell script provided in http://support.microsoft.com/kb/2828015.

A PowerShell script will fix the problem: ADFS 2.1 has a known issue publishing metadata for mex endpoints. After configuring claims-based authentication in Microsoft Dynamics CRM 2011, the mex endpoints are not reachable.

Step 1: Start PowerShell Console

Step 2: Execute the Script contained in KB Article

Step 3: Either restart both the CRM and ADFS servers, or restart the ADFS service and IIS on both machines.

Make sure with all ADFS adventures that your browser cache is clear.


My fellow MVP from down under, George Doubinski, ran into this issue late last night, and has now offered to move from Australia and take up US citizenship just to vote for me if I ever decided to run for President! Thanks George, but I might be headed your way!

Update: here’s the new KB link for Windows Server 2012. I have confirmed this is fixed in ADFS 2.1
http://support.microsoft.com/kb/2827748


Microsoft Convergence 2013: ADFS Presentation


Please find my latest presentation on ADFS from Microsoft Convergence 2013. This presentation includes topics like SSL Certificates, DNS Entries, Firewall, Common Deployments, ADFS Proxy Servers, IFD, ADFS Installation, Tips and Tricks, Troubleshooting and ADFS Errors.

Please note the ADFS central link is not yet live on this site. This is the e-book I’m creating for ADFS installations. Stay tuned.

Download: ADFS Best Practices Presentation


CRM 2011: Could not find GUID for server – Update Rollup 11v2 Breaks ADFS


We ran into an authentication issue with Microsoft CRM 2011 using ADFS/IFD running Update Rollup 11v2. After it was installed, the external endpoint would no longer display, and the following error appeared:

(Screenshot: CRM2011_UnexpectedError)

The error log in the Event Viewer showed the following error (Could not find GUID for Server) immediately before even receiving the ADFS login prompt:

When Update Rollup 11v2 is removed, CRM functions normally. No errors. Reinstall Update Rollup 11v2 and the same issue as above occurs. A workaround for this issue is changing the Anonymous Authentication identity from a specific user (IUSR) to the Application pool identity. Steps are below:

Step 1:

On the CRM server, open the Internet Information Services (IIS) Manager

Step 2:

In IIS Manager, click the CRM site

Step 3:

In the Features View, double-click Authentication

Step 4:

Select Anonymous Authentication, and then click Edit in the Actions pane

Step 5:

In the Edit Anonymous Authentication Credentials dialog box, select Application pool identity, and then click OK:

(Screenshot: IISApplicationPoolIdentity)

Step 6:

Perform an IISRESET on CRM and ADFS servers. Now you can browse the ADFS endpoint for External!

Performing this change (recommended by Microsoft support) makes ADFS/IFD endpoint for Microsoft Dynamics CRM 2011 work with Update Rollup 11v2. Reverting this change breaks CRM when Update Rollup 11v2 is installed.
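The same change can be made and verified from PowerShell with the WebAdministration module. This is an added example, not from the original post or from Microsoft support; it assumes the CRM web site carries the default name "Microsoft Dynamics CRM" and that it runs elevated on the CRM server.

```powershell
# Added example (not from the original post): switch the CRM site's Anonymous
# Authentication identity from a specific user (IUSR) to the application pool
# identity, showing the setting before and after.
# Assumption: the CRM site is named "Microsoft Dynamics CRM" (the default).
Import-Module WebAdministration

$SiteName = 'Microsoft Dynamics CRM'   # assumption: default CRM site name
$Filter   = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousIdentity {
    param([Parameter(Mandatory)][string]$Site)
    $raw  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $Filter -Name userName
    $user = if ($raw.PSObject.Properties['Value']) { $raw.Value } else { [string]$raw }
    # IIS uses the application pool identity when userName is empty;
    # the "specific user" default is IUSR
    if ([string]::IsNullOrEmpty($user)) { 'ApplicationPoolIdentity' } else { $user }
}

function Set-AnonymousIdentityToAppPool {
    param([Parameter(Mandatory)][string]$Site)
    # An empty userName is how IIS expresses "Application pool identity"; the
    # section is locked at server level, so write it as a location in applicationHost.config
    # (equivalent to: appcmd set config "<site>" -section:anonymousAuthentication /userName:"" /commit:apphost)
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $Filter -Name userName -Value ''
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $Filter -Name password -Value ''
}

"Before: $(Get-AnonymousIdentity -Site $SiteName)"
Set-AnonymousIdentityToAppPool -Site $SiteName
"After:  $(Get-AnonymousIdentity -Site $SiteName)"
# Follow with iisreset on the CRM and ADFS servers, as in Step 6.
```

Running Get-AnonymousIdentity on its own is a quick way to confirm, on any CRM server, whether this workaround is already in place.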

Special thanks to Gage Pennisi, my young apprentice, for identifying and resolving the issue.


CRM 2011: Removing or Reinstalling ADFS Gotchas


ADFS can be very unforgiving if you need to uninstall or reconfigure. The following steps should steer you clear of any issues that you might run into. (ACL List issues are covered on my blog as well).

Step 1:
Uninstall ADFS using Control Panel, Remove a program
NOTE: ADFS will be shown as an installed update, not a program. The system will require a reboot.

Step 2:
Open IIS, find the ADFS website, then delete the folders:
Delete the LS folder
Delete the ADFS folder

Step 3:
View the ADFS application pool
Note: you should see that there are no applications assigned to it now.
Delete the ADFS application pool

Step 4:
Delete the Program Files\ADFS installation path

Step 5:
Restart IIS

Now you’re ready to reinstall ADFS. Please make sure you download the latest ADFS 2.0 from the Microsoft Download Center, and don’t install/add the ADFS role from the Windows Server.
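As an added example (not code from the original post), the following PowerShell confirms that the remnants from Steps 2 to 4 are really gone before you reinstall. It assumes the defaults of an ADFS 2.0 install: the /adfs and /adfs/ls applications under "Default Web Site", an application pool named "ADFSAppPool", and binaries under C:\Program Files\Active Directory Federation Services 2.0; adjust the parameters if your install differed.

```powershell
# Added example (not from the original post): check for ADFS 2.0 leftovers in
# IIS and on disk before reinstalling.
# Assumptions: default site name, pool name and install path of ADFS 2.0.
Import-Module WebAdministration

function Test-AdfsLeftovers {
    param(
        [string]$SiteName    = 'Default Web Site',
        [string]$AppPoolName = 'ADFSAppPool',
        [string]$InstallPath = 'C:\Program Files\Active Directory Federation Services 2.0'
    )
    # Step 2: IIS applications still mapped under /adfs (covers /adfs and /adfs/ls)
    $apps = @(Get-WebApplication -Site $SiteName | Where-Object { $_.path -like '/adfs*' })

    # Step 3: the pool should be gone, and no application anywhere should still use it
    $poolExists = Test-Path "IIS:\AppPools\$AppPoolName"
    $poolUsers  = @(Get-WebApplication | Where-Object { $_.applicationPool -eq $AppPoolName })

    # Step 4: the on-disk install path
    $dirExists = Test-Path $InstallPath

    [pscustomobject]@{
        IisAppsUnderAdfs   = ($apps.path -join ', ')
        AppPoolExists      = $poolExists
        AppsStillUsingPool = ($poolUsers.path -join ', ')
        InstallDirExists   = $dirExists
        CleanForReinstall  = (-not $apps -and -not $poolExists -and -not $poolUsers -and -not $dirExists)
    }
}

Test-AdfsLeftovers | Format-List
```

If CleanForReinstall comes back False, the other fields tell you which step still needs to be completed.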


CRM 2011: How to Confirm the PrimaryComputer (ADFS Server) in a ADFS Server Farm


While setting up an ADFS server farm, I was wondering how I could quickly tell whether the ADFS server I was on was the primary computer. A quick review of the ADFS PowerShell snap-in turned up a command that retrieves the ADFS role: get-adfssyncproperties

Of course, if you open the ADFS wizard, you will also be told that this is not the primary computer, as seen below. It just takes a little longer to find it 🙂
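As an added example (not from the original post), the following wraps the Get-AdfsSyncProperties check in a function that first loads the right cmdlets, since ADFS 2.0 ships them as a snap-in and ADFS 2.1 on Windows Server 2012 as a module, and reports the farm role along with the primary's name.

```powershell
# Added example (not from the original post): report whether this server is
# the primary computer of the ADFS farm, loading the ADFS cmdlets first.
function Import-AdfsCmdlets {
    if (Get-Command Get-AdfsSyncProperties -ErrorAction SilentlyContinue) { return }
    if (Get-Module -ListAvailable -Name ADFS) {
        Import-Module ADFS                         # ADFS 2.1 role on Windows Server 2012
    } else {
        Add-PSSnapin Microsoft.Adfs.PowerShell      # ADFS 2.0 download on Windows Server 2008 R2
    }
}

function Get-AdfsFarmRole {
    Import-AdfsCmdlets
    $sync = Get-AdfsSyncProperties
    # Role is "PrimaryComputer" on the primary; secondaries also report the
    # host they replicate the configuration from and the last sync status
    $isPrimary = ($sync.Role -eq 'PrimaryComputer')
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Role            = $sync.Role
        IsPrimary       = $isPrimary
        PrimaryComputer = if ($isPrimary) { $env:COMPUTERNAME } else { $sync.PrimaryComputerName }
        LastSyncStatus  = $sync.LastSyncStatus
    }
}

Get-AdfsFarmRole | Format-List
```

Run it on each farm member; exactly one should report IsPrimary True, and the others should name that host as PrimaryComputer.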


CRM 2011: ADFS Error – Each identifier for a relying party trust must be unique


When deploying an ADFS/IFD solution, you will most likely want to build a separate ADFS server. Since ADFS is Microsoft's STS (Security Token Service), many of their applications, including Microsoft Dynamics CRM 2011, will federate with it for single sign-on within your enterprise.

ADFS can be set up on a single server and can work with multiple instances (Dev, Test, Production) or deployments of Microsoft Dynamics CRM 2011, as shown below:

The gotcha is the names of the CRM organizations across the multiple CRM deployments. You cannot have duplicate organization names between dev, test and production. So, for example, an organization named CRM cannot be used in DEV, TEST and PROD when using ADFS. This will give you the following error message:

An error occurred during an attempt to access the AD FS configuration database (Write to). Each identifier for a relying party trust must be unique across all relying party trusts. This error occurs because the identifier, in this case CRM, is referenced by the identifier https://crm.domainname.com. Once you add DEV, the duplication occurs when you then try to add TEST and PROD.

A CRM organization name change is required to use one ADFS server for three separate deployments, so CRM would become CRMDEV, CRMTEST and CRM, eliminating the duplicate identifiers and hence the error. Enjoy!
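As an added example (not from the original post), the following PowerShell checks, before you run the CRM claims wizard against a shared ADFS server, whether any existing relying party trust already claims the identifier the new deployment would register. The trust names and identifiers in the sample are constructed from the post's placeholders; without the -Trusts parameter it reads the live ADFS configuration.

```powershell
# Added example (not from the original post): detect a relying party identifier
# collision before ADFS rejects it with "Each identifier ... must be unique".
function Test-RelyingPartyIdentifierConflict {
    param(
        [Parameter(Mandatory)][string[]]$ProposedIdentifier,
        # Each trust exposes Name and Identifier (a string array). Defaults to the
        # live ADFS configuration; pass a constructed list to dry-run offline.
        [object[]]$Trusts = (Get-AdfsRelyingPartyTrust)
    )
    foreach ($id in $ProposedIdentifier) {
        foreach ($trust in $Trusts) {
            # -contains compares strings case-insensitively, which is the safe direction here
            if ($trust.Identifier -contains $id) {
                [pscustomobject]@{ Identifier = $id; ConflictsWith = $trust.Name }
            }
        }
    }
}

# Constructed sample: the DEV deployment already registered its "CRM" organization
# as https://crm.domainname.com/, so a TEST organization with the same name collides.
$sample = @(
    [pscustomobject]@{ Name = 'CRM DEV Claims Relying Party'; Identifier = @('https://crm.domainname.com/') },
    [pscustomobject]@{ Name = 'CRM DEV IFD Relying Party';    Identifier = @('https://auth.domainname.com/') }
)

'Adding TEST with organization name CRM:'
Test-RelyingPartyIdentifierConflict -ProposedIdentifier 'https://crm.domainname.com/' -Trusts $sample

'Adding TEST with organization name CRMTEST (no output means no conflict):'
Test-RelyingPartyIdentifierConflict -ProposedIdentifier 'https://crmtest.domainname.com/' -Trusts $sample
```

The first call reports the conflict with the DEV trust; the second, using the renamed organization, returns nothing, which is the state you want before running the wizard.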

 


CRM 2011: ADFS 503 Error and How to Fix It!


When implementing ADFS to support Internet-Facing Deployments (IFD) for CRM 2011 claims-based authentication, many administrators will experience an ADFS 503 error when trying the endpoint for both the internal CRM and the auth URL in a browser. The error message is usually 503, Service Unavailable. A simple iisreset might do the trick, but in these cases it will not.

Previously, the undocumented fix was to use the handlers/FederationMetadata.ashx URL instead of the complete https://internalcrm.domain.com/FederationMetadata/2007-06/FederationMetadata.xml.

The 503 occurs because the URL was previously reserved in the URL Access Control List (ACL). Because the URLs are reserved before (rather than after) installation, a change of bindings or ports leaves the old reservation for /FederationMetadata/2007-06 etc. in place.

From the CRM server (or the ADFS server for the external trust), using an administrative command prompt, issue the following command:

netsh http show urlacl (note: you can also use > to redirect the output to a text file, etc.)

You are looking for the reservations made by ADFS:

Now delete the old URL reservation by entering the following command:

netsh http delete urlacl url=https://+:443/FederationMetadata/2007-06

Once the URL has been deleted, you will need to reconfigure Claims-Based Authentication by clicking the wizard in Deployment Manager again and re-stepping through the same steps (next, next, next, etc.). Now try the URL again and the ADFS 503 error will be gone!
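As an added example (not from the original post), the following PowerShell parses the output of netsh http show urlacl so you can list the reservations and confirm the stale FederationMetadata entry before deleting it. The netsh output block is constructed to show what a left-over reservation looks like; the service account shown in it is a placeholder.

```powershell
# Added example (not from the original post): list HTTP.sys URL reservations
# and remove the stale /FederationMetadata/2007-06 one behind the 503.
function Get-UrlAclReservations {
    # Defaults to the live output; pass captured lines to work offline
    param([string[]]$NetshOutput = (netsh http show urlacl))
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }                      # emit the previous entry
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]                    # accounts allowed to listen on it
        }
    }
    if ($current) { $current }
}

function Remove-StaleFederationMetadataAcl {
    param([string]$Url = 'https://+:443/FederationMetadata/2007-06', [switch]$WhatIf)
    # netsh prints reservations with a trailing slash; accept either form
    $hit = Get-UrlAclReservations | Where-Object { $_.Url -eq $Url -or $_.Url -eq "$Url/" }
    if (-not $hit) { "No reservation found for $Url"; return }
    "Found: $($hit.Url) (users: $($hit.Users -join ', '))"
    if ($WhatIf) { 'WhatIf: not deleting'; return }
    netsh http delete urlacl url=$Url
}

# Constructed sample of "netsh http show urlacl" output (placeholder service account)
$sample = @'
URL Reservations:
-----------------

    Reserved URL            : https://+:443/FederationMetadata/2007-06/
        User: DOMAIN\svc_adfs
            Listen: Yes
            Delegate: No

    Reserved URL            : https://+:443/adfs/services/
        User: DOMAIN\svc_adfs
            Listen: Yes
            Delegate: No
'@ -split "`r?`n"

Get-UrlAclReservations -NetshOutput $sample | Format-Table Url, Users -AutoSize

# Against the live machine: review first, then drop -WhatIf to delete and re-run the wizard
Remove-StaleFederationMetadataAcl -WhatIf
```

Keeping the parsed listing from before the deletion is worth it: it documents which account held the reservation, which is what the Claims-Based wizard will re-create.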

Special thanks to Dan Francis @ Microsoft for continuing to share ADFS tips together. Enjoy.


CRM 2011: ADFS Service Federated Metadata Error – Keyset does not exist


Reviewing a client's ADFS configuration, I found an unusual error message in the ADFS service federation metadata saying "Keyset does not exist".

After searching for all the usual culprits, this turned out to be one of the most commonly forgotten issues: giving the service account access to manage the private keys for the certificate.

This can be accomplished by opening the MMC and adding the Certificates snap-in. Ensure you add it for the Computer account. Once the Certificates MMC is launched, find the certificate in the Personal certificate store, right-click it, then choose All Tasks, Manage Private Keys.

You can now add the service account and give it the proper permissions, as seen below:

You will need to do this both on the CRM and ADFS Servers (any server using your certificate for CRM).
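As an added example (not from the original post), the following PowerShell performs the same check and grant without the MMC: it locates the certificate's private key file under MachineKeys, tests whether the service account can read it, and grants Read (not Full Control) if it cannot. It assumes a CSP (RSA) key in the LocalMachine\My store, which is what ADFS 2.0-era certificates use; the thumbprint and service account are placeholders.

```powershell
# Added example (not from the original post): verify and grant the ADFS service
# account read access to a certificate's private key ("Keyset does not exist").
# Assumptions: CSP (RSA) key in Cert:\LocalMachine\My; placeholder thumbprint/account.
function Get-PrivateKeyFile {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }
    # CSP keys live as files under MachineKeys, named by the unique container name
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
}

function Test-PrivateKeyAccess {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$Account)
    $acl  = Get-Acl (Get-PrivateKeyFile -Thumbprint $Thumbprint)
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    [bool]$rule
}

function Grant-PrivateKeyRead {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$Account)
    $path = Get-PrivateKeyFile -Thumbprint $Thumbprint
    $acl  = Get-Acl $path
    # Read is all ADFS needs to use the key; Full Control would let the account re-ACL it
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # placeholder: thumbprint of the ADFS/CRM certificate
$Account    = 'DOMAIN\svc_adfs'          # placeholder: the ADFS service account
if (Test-PrivateKeyAccess -Thumbprint $Thumbprint -Account $Account) {
    "$Account already has Read on the private key"
} else {
    Grant-PrivateKeyRead -Thumbprint $Thumbprint -Account $Account
    "Granted Read on the private key to $Account; restart the ADFS service"
}
```

Run it on every server that holds the certificate (CRM and ADFS), as the post says; the ACL lives on each machine's copy of the key file, not on the certificate itself.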


CRM 2011: ADFS certificate expiration – Yellow Warning Triangle in ADFS Management Console


ADFS uses standard SSL certificates to secure its communications. SSL certificates are not static and often change on a yearly basis. This will cause the warning condition in the ADFS management console as seen below:

Once you enter the ADFS management console, under the relying party trust you will see:

Once you replace the certificate in the MMC or IIS Manager, the message will still be displayed after restarting the ADFS service. Using PowerShell, you can update the ADFS cache by entering the following commands:

A great blog post from Rhys Goodwin about troubleshooting ADFS issues:

http://blog.rhysgoodwin.com/windows-admin/adfs-2-0-in-a-forest-trust-environment/