CRM 2011: ADFS Service Federated Metadata Error – Keyset does not exist

Reviewing a client’s ADFS configuration, I found an unusual error message in the ADFS service federation metadata saying “Keyset does not exist”.

After searching for all the usual culprits, this turned out to be one of the most commonly forgotten issues – giving the service account access to manage the private key for the certificate.

This can be accomplished by opening the MMC and adding the Certificates snap-in. Ensure you add it using the Computer Account. Once the Certificates MMC is launched, you can find the certificate in the Personal certificate store; right-click on it, then All Tasks, then Manage Private Keys.

You can now add the service account and give it the proper permissions as seen below:

You will need to do this both on the CRM and ADFS servers (any server using your certificate for CRM).
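The same permission grant can be scripted, which is useful when it has to be repeated on every CRM and ADFS server. The following is an added example, not code from the original post: it locates the certificate's private key file and gives the service account Read access only (the equivalent of the Manage Private Keys dialog). It assumes the certificate lives in the LocalMachine\My store and uses a CAPI (CSP) key, as CRM 2011-era certificates did, and the thumbprint and account name are placeholders you replace.

```powershell
# Added example (not from the original post): grant a service account Read access
# to a certificate's private key, equivalent to MMC > All Tasks > Manage Private Keys.
# Assumptions: certificate in Cert:\LocalMachine\My with a CAPI (CSP) private key;
# $Thumbprint and $ServiceAccount below are placeholders to replace.
param(
    [string]$Thumbprint     = "<CERT-THUMBPRINT>",   # placeholder
    [string]$ServiceAccount = "CONTOSO\svc-adfs"     # placeholder service account
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }

# CAPI machine keys are files under MachineKeys, named by the unique key container name.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyPath)) { throw "Private key file not found: $keyPath" }

# Read is all a service needs to sign or decrypt with the key; do not grant FullControl.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: show the entries that now apply to the service account.
$accountName = $ServiceAccount.Split('\')[-1]
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -like "*$accountName*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it in an elevated PowerShell session on each server that uses the certificate. If the certificate was imported with a CNG key instead of a CAPI key, `$cert.PrivateKey` will be empty and the key file lives under a different path, so the script stops with an error rather than touching the wrong ACL.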

CRM 2011: ADFS certificate expiration – Yellow Warning Triangle in ADFS Management Console

ADFS uses standard SSL certificates to secure its communications. SSL certificates are not static, and often change on a yearly basis. This will cause the warning condition in the ADFS management console as seen below:

Once you enter the ADFS management console, under the relying party trust you will see:

Once you replace the certificate in the MMC or IIS Manager, the message will still be displayed after restarting the ADFS service. Using PowerShell, you can update the ADFS cache mechanism by entering the following commands:
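The commands in the original post were in an image that did not survive; what follows is an added example, not the author's original commands. It uses the ADFS 2.0 PowerShell snap-in (the ADFS version that shipped with CRM 2011) to re-read the relying party trust's federation metadata so that the certificates ADFS has cached for CRM match the newly installed one, and then lists any trust whose cached encryption certificate has already expired. The trust name is a placeholder; use the display name shown in the management console.

```powershell
# Added example (not the original post's commands): refresh an ADFS 2.0 relying party
# trust after the CRM certificate was replaced, so the cached certificates match CRM's
# current federation metadata. Assumes the ADFS 2.0 snap-in; $TrustName is a placeholder.
$TrustName = "<CRM-RELYING-PARTY-TRUST-NAME>"   # placeholder: display name from the console

# ADFS 2.0 cmdlets are provided by a snap-in rather than a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Record the cached encryption certificate before the refresh.
$before = Get-ADFSRelyingPartyTrust -Name $TrustName
if (-not $before) { throw "Relying party trust '$TrustName' not found" }
"Before: encryption cert expires " + $before.EncryptionCertificate.NotAfter

# Re-read the federation metadata from the MetadataUrl stored on the trust.
Update-ADFSRelyingPartyTrust -TargetName $TrustName

$after = Get-ADFSRelyingPartyTrust -Name $TrustName
"After:  encryption cert expires " + $after.EncryptionCertificate.NotAfter

# Check: any trust still holding an expired encryption certificate will keep the warning.
Get-ADFSRelyingPartyTrust |
    Where-Object { $_.EncryptionCertificate -and $_.EncryptionCertificate.NotAfter -lt (Get-Date) } |
    Select-Object Name, @{ Name = 'Expires'; Expression = { $_.EncryptionCertificate.NotAfter } }
```

If the trust was created manually rather than from a metadata URL, `Update-ADFSRelyingPartyTrust` has nothing to pull from and the certificate must be replaced on the trust's Encryption and Signature tabs instead.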

A great blog post from Rhys Goodwin about troubleshooting ADFS issues:

Using CRM 4 with Required Client Side Certificates?

We could not find a document or knowledge base article covering a case where a CRM 4.0 customer had installed and was using client-side certificates with the REQUIRED flag checked.

It turns out that while you can set up IIS to accept client-side certificates, selecting the REQUIRED option will break the following CRM functionality:

  • Configuring the Outlook client
  • The Load Data function in the Email Router Configuration Wizard
  • Asynchronous Service processing of system jobs
  • Registering plug-ins

This has been confirmed by Microsoft Support and is not specific to CRM, but rather affects applications that depend on calling web services. The only option is to not set the REQUIRED flag, which defeats the purpose of required certificates.