Hi,
A quick tip when comparing performance across different browsers: did you know that in Google Chrome you can use CTRL+SHIFT+ALT+Q to open the performance analyzer window?
Hope this helps
Friday, 25 September 2015
Wednesday, 8 April 2015
Dynamics CRM ADFS Gotchas
Hi All,
I've collated a number of my own notes on troubleshooting ADFS CRM IFD environments. Below are a number of issues I've faced while working with a variety of different clients; I hope this is useful. Please note that some gotchas contain direct links to other blogs or Microsoft KB articles.
Some of these issues are well known, others not so much. If you know of any other issue that is not listed here, please email me at nuno.m.costa@gmail.com and I'll add it to the list below.
Authentication issues
Many of the authentication issues can be related to Kerberos; check that you have all the SPNs created correctly, in particular the server SPN, which is often missed.
c:\>setspn -s http/sts1.contoso.com contoso\crmserver$
Certificate has been revoked
An error occurred during an attempt to build the certificate chain for the relying party trust 'https://myCRM.domain.com:444/' certificate identified by thumbprint '6DC995B18B64C7C4089C234D7AB84A425219EA5D'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.
Resolved by running the following PowerShell command
set-ADFSRelyingPartyTrust -TargetName myCRMRP -EncryptionCertificateRevocationCheck None
SigningCertificateRevocationCheck : CheckChainExcludeRoot (this is the default value)
EventID: 317
The error above is caused by a check against the URL contained in the certificate's CDP (CRL Distribution Point). Run the following command to find out whether you are able to contact that URL:
certutil.exe -verify -urlfetch .\yourCertificate-2014.crt
Setting -EncryptionCertificateRevocationCheck to None stops the revocation checks and fixes the issue.
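As an added example (not from the original post), here is the diagnostic sequence above as one PowerShell script: it reads the relying party trust's current revocation settings, exports its encryption certificate and runs certutil against it so you can see which CDP URL is unreachable before deciding whether to relax the check. The trust name myCRMRP comes from the post; the temporary file path and the $relax switch are assumptions.

```powershell
# Added example, not from the original post. Assumes the ADFS 2.x snap-in
# (Add-PSSnapin Microsoft.Adfs.PowerShell) or the ADFS 3.0 module is loaded
# and that the relying party trust is named myCRMRP.
param([string]$TargetName = 'myCRMRP')

$rp = Get-AdfsRelyingPartyTrust -Name $TargetName
if (-not $rp) { throw "Relying party trust '$TargetName' not found" }

"Encryption cert thumbprint : $($rp.EncryptionCertificate.Thumbprint)"
"Encryption revocation check: $($rp.EncryptionCertificateRevocationCheck)"
"Signing revocation check   : $($rp.SigningCertificateRevocationCheck)"   # default is CheckChainExcludeRoot

# Export the public part of the encryption certificate so certutil can walk the
# chain and fetch every CDP/AIA URL it contains (temp path is an assumption).
$cerPath = Join-Path $env:TEMP "$TargetName-encryption.cer"
[IO.File]::WriteAllBytes($cerPath, $rp.EncryptionCertificate.Export('Cert'))
$verify = & certutil.exe -verify -urlfetch $cerPath 2>&1

# Surface the CDP/CRL lines and any failed fetches so the unreachable URL is obvious.
$verify | Select-String -Pattern 'CDP', 'CRL', 'Failed', 'Error', 'Revoked'

# Relax the check only if the CDP cannot be made reachable from the ADFS servers
# (e.g. outbound proxy rules); None disables revocation checking for this RP's
# encryption certificate entirely, so fixing reachability is the preferred route.
$relax = $false
if ($relax) {
    Set-AdfsRelyingPartyTrust -TargetName $TargetName -EncryptionCertificateRevocationCheck None
}
```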
Importing IIS certificate:
To import a crt or cer certificate into IIS, it first needs to be converted to pfx; you can use the OpenSSL tool to do the conversion using the crt and key files.
C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -export -out myPFXCertificate.pfx -inkey MyCertificate.key -in YourCertificate.crt
Note: You can also export the certificate from the MMC Certificates snap-in if you already have it there; otherwise, if someone gives you the key and crt, you can convert them with the above command.
Outlook with ADFS 2.1 on Windows Server 2012
Issues with Outlook configuration when using ADFS on Windows Server 2012. Run the SQL statements below to fix the issue:
http://quantusdynamics.blogspot.co.uk/2014/01/dynamics-crm-2013-adfs-21-with-windows.html
select *
from federationprovider
update FederationProvider
set ActiveMexEndpoint = 'https://myadfs.domain.com/adfs/services/trust/mex'
Resolved by changing the ActiveMexEndpoint in the database. A PowerShell route is also available but was not working; a hotfix is available (to be tested).
Hotfix: http://support.microsoft.com/kb/2827748/en-us
PowerShell to set ActiveMexEndpoint
PowerShell: http://support.microsoft.com/kb/2828015/en-gb?
PS C:\Users\crm13.admin> Get-CrmAdvancedSetting -ConfigurationEntityName FederationProvider -Setting ActiveMexEndpoint -Id 8174A23D-C8A0-4612-827C-A697E4E07E7B
Chrome Authentication issues
For Chrome authentication issues, disable extended protection on the IIS ADFS website: under the ADFS site > IIS > Authentication, disable extended protection.
1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
2. In the Lsa subkey, locate the SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-click Lsa, point to New, and then click DWORD (32-bit) Value. Type SuppressExtendedProtection, and then press ENTER.
3. Right-click SuppressExtendedProtection, click Modify, and enter 1 (REG_DWORD).
The registry key below will also disable all Extended Protection:
Session timeout - Token LifeTime
To increase a user's session duration, increase the token lifetime by running the following PowerShell commands:
PS > Add-PSSnapin Microsoft.Adfs.PowerShell
Get-ADFSRelyingPartyTrust -Name "relying_party"
set-ADFSRelyingPartyTrust -TargetName MyRelyingPartyName -TokenLifetime 480
Can't connect to federation URL
Command
netsh http show urlacl
This shows the reserved HTTP URL namespaces; you will find URLs whose owner SID cannot be resolved because ADFS was installed and later removed.
Deleted all stale records
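As an added example (not from the original post), the stale-reservation check above turned into a small PowerShell function: it parses the netsh listing, flags reservations whose owner is printed as a raw SID (the account no longer exists) and prints the matching delete command for review. The netsh output embedded below is constructed for an offline run; the assumption is that an unresolved owner appears as a bare SID on the User: line.

```powershell
# Added example, not from the original post. Parses "netsh http show urlacl" and
# reports reservations whose owner is an unresolved SID (the stale ADFS entries).
# Assumption: an account that no longer exists is printed as a raw SID on "User:".
function Find-StaleUrlAcl {
    param([string[]]$NetshOutput)
    $stale = @()
    $url = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') { $url = $Matches[1]; continue }
        if ($url -and $line -match '^\s*User:\s*(S-1-5-[\d-]+)\s*$') {
            $stale += [pscustomobject]@{ Url = $url; Sid = $Matches[1] }
        }
    }
    return $stale
}

# Constructed sample listing for an offline run; on a real server use:
#   $listing = netsh http show urlacl
$listing = @'
URL Reservations:
-----------------

    Reserved URL            : https://+:443/adfs/services/
        User: S-1-5-80-1234567890-1234567890-1234567890-1234567890-1234567890
            Listen: Yes
            Delegate: No

    Reserved URL            : https://+:443/FederationMetadata/2007-06/
        User: S-1-5-80-1234567890-1234567890-1234567890-1234567890-1234567890
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No
'@ -split "`r?`n"

$stale = Find-StaleUrlAcl -NetshOutput $listing
foreach ($s in $stale) {
    # Print the cleanup command instead of running it; review the list first.
    "netsh http delete urlacl url=$($s.Url)    # owner $($s.Sid) no longer resolves"
}
```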
Token Decryption key Issue
An encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info:
No Certificate Configured ---> Microsoft.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier
Resolution:
Grant the AppPool service account permissions on the certificate's private key, then run iisreset for the change to take effect.
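As an added example (not from the original post), the resolution above scripted in PowerShell: locate the decryption certificate by thumbprint, grant the application pool account Read access to its private key container and restart IIS. The thumbprint and the account name CONTOSO\svc_crmapppool are placeholders; the script assumes a legacy CSP key stored under MachineKeys.

```powershell
# Added example, not from the original post. Grants the CRM application pool
# identity read access to the private key of the token decryption certificate,
# then restarts IIS as the post describes. Thumbprint and account are placeholders.
param(
    [string]$Thumbprint     = 'REPLACE-WITH-CERT-THUMBPRINT',
    [string]$AppPoolAccount = 'CONTOSO\svc_crmapppool'
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; import the PFX, not just the CER" }

# Legacy CSP keys live under MachineKeys; CNG keys expose no PrivateKey property
# and are easier to fix via certlm.msc -> All Tasks -> Manage Private Keys.
if (-not $cert.PrivateKey) { throw "Key is CNG-backed; use the MMC 'Manage Private Keys' dialog" }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }

# Read is sufficient for decryption; do not grant the service account Full Control.
$acl  = Get-Acl $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Confirm the ACE is present before restarting IIS.
(Get-Acl $keyPath).Access | Where-Object { $_.IdentityReference -eq $AppPoolAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
iisreset
```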
Changing ADFS Port
When the STS session has expired, clicking sign-in gives the error below:
Error Details: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to False
Resolution:
a) Enable user profile loading on the application pool
b) Copy the machine keys
c) Enable NLB in CRM Deployment Manager
ADFS 3.0 Gotchas
Forms not loading on external RPT
The external relying party trust is recognized by ADFS as internal, so the forms do not load correctly.
MSIS7102: Requested Authentication Method is not supported on the STS.
ADFS 3.0 Outlook Configuration issue Microsoft.Crm.CrmException: Authentication failed
Issues with Outlook configuration when accessing CRM IFD ADFS 3.0
http://blogs.technet.com/b/bshastri/archive/2014/03/20/dynamics-crm-ifd-on-windows-server-2012-r2-adfs-crm-addin-for-outlook.aspx
This is an issue with the port on which ADFS 3 is listening; to fix it, run the command:
Set-ADFSProperties -NetTcpPort 809