ADFS can be very unforgiving if you need to uninstall or reconfigure. The following steps should steer you clear of any issues that you might run into. (ACL List issues are covered on my blog as well).
Uninstall ADFS using the control panel, remove program
NOTE:- ADFS will be shown as an installed update not a program. System will require a reboot.
Open IIS, find the ADFS Website, now delete the folders
Delete LS Folder
Delete ADFS Folder
View ADFS Application Pool
Note: You should see that there no applications now assigned to.
Delete ADFS Application Pool
Delete Program Files\ADFS installation path
Now you’re ready to reinstall ADFS. Please make sure you download the latest ADFS 2.0 from the Microsoft Download Center, and don’t install/add the ADFS role from the Windows Server.
When deploying ADFS/IFD solution, you will most likely want to build a seperate ADFS server. Since ADFS is Microsoft’s STS (Security Token Service) many of their applications including Microsoft Dynamics CRM 2011 will be federating with it for single sign-on within your enterprise.
ADFS can be setup on a single server, and can work with multiple instances (Dev, Test, Production) or deployments of Microsoft Dynamics CRM 2011 as show below:
The gotcha is the names of the CRM Organizations across the multiple CRM deployments. You cannot have duplicate organization names between dev, test and production. So for example an organization named CRM, cannot be used in both DEV, TEST and PROD when using ADFS. This will give you the following error message:
An error occurred during an attempt to access to the AD FS configuration database (Write to). Each identifier for a replying party trust must be unique across all replying party trust. This error is because the indentifier in this case CRM is referenced by the identifier https://crm.domainname.com. Once you add in DEV, the duplication occurs when you then try to add TEST and PROD.
A CRM Organization name change is required to use one ADFS server for three seperate deployments, so CRM would become CRMDEV,CRMTEST & CRM, hence eliminating the duplication in identifiers, hence the error. Enjoy!
Several customers are reporting issues since installing rollup 5 which is not uninstallable:
- Workflow based Organizations (many levels deep)
- ADFS / IFD Deployments
- CRM Email Router and Outlook Clients ( Cannot access the webservices)
A hotfix was originally released but now has been disgarded. Micorosft has now released UR6 to fix some of the issue(s) introduced with UR 5.
When installing ADFS to support your CRM 2011 IFD installation, if you have any errors or stop the install, the install will leave directories under the default website that need to be deleted.
You can run this from the command prompt:
appcmd delete app “Default Web Site/adfs/ls
This will delete the website. You can also view the application pool in IIS to see all applications still associated to the application pool as shown:
During the CRM 2011 installation process for ADFS/IFD, you will notice issues when resolving external non matching internal domain references (crm.microsoft.com to crm.go.local) especially when using the SSL certficates. This can take hours of tracing and troubleshooting to realize its related to a new lookback feature introduced with Windows 2003 Server SP1.
The solution is to add to key BackConnectionHostNames to the registry, with the DNS, most likely your ADFS and internalcrm webserver FQDN (fully qualified domain names ie xxxx.companyname.com)
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_04.Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names (Adfs.companyname.com the external address for the ADFS system) for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service from the command prompt using IISRestart