Wednesday, 8 April 2015

Dynamics CRM ADFS Gotchas

Hi All,

I've collated a number of my own notes on troubleshooting ADFS CRM IFD environments. Below are a number of issues I've faced working with a variety of different clients; I hope this is useful. Please note that some gotchas contain direct links to other blogs or Microsoft KB articles.

Some of these issues are well known, others not so much. If you know of any other issue that is not listed here, please email me on: and I'll add it to the list below.

Authentication issues
Many of the authentication issues are related to Kerberos. Check that you have all the SPNs created correctly, in particular the server SPN, which is often missed.

c:\>setspn -s http/ contoso\crmserver$ 
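As an added example (not from the original post), here is a small PowerShell check I'd run before adding an SPN: it asks setspn whether the HTTP SPN for the CRM URL exists anywhere in the domain, and whether it sits on the account you expect. Both the host name and the account are placeholders you substitute for your own environment. An SPN that is registered but on a different account is the classic cause of Kerberos failing silently and falling back to NTLM.

```powershell
# Added example, not from the original post. Confirms the http/<host> SPN is registered
# and that it belongs to the CRM server (or CRM service) account.
function Test-CrmSpn {
    param(
        [Parameter(Mandatory)][string]$HostName,   # placeholder, e.g. crm.contoso.com
        [Parameter(Mandatory)][string]$Account     # placeholder, e.g. contoso\crmserver$
    )
    $spn = "http/$HostName"

    # setspn -Q prints "Existing SPN found!" if the SPN is registered on any account
    $query = & setspn.exe -Q $spn 2>&1
    $registered = ($query -match 'Existing SPN found').Count -gt 0

    # setspn -L lists every SPN on the given account, so we can see who owns it
    $listed = & setspn.exe -L $Account 2>&1
    $onAccount = ($listed -match [regex]::Escape($spn)).Count -gt 0

    [pscustomobject]@{
        SPN               = $spn
        Registered        = $registered
        OnExpectedAccount = $onAccount
        # Registered on some other account: fix that before adding it again,
        # otherwise you end up with a duplicate SPN and Kerberos fails for both
        Misplaced         = ($registered -and -not $onAccount)
    }
}

# Usage (placeholders): check first, then add with -S, which refuses duplicates
$check = Test-CrmSpn -HostName 'crm.contoso.com' -Account 'contoso\crmserver$'
$check | Format-List
if (-not $check.Registered) {
    & setspn.exe -S $check.SPN 'contoso\crmserver$'
}
```

Run `setspn -X` afterwards if `Misplaced` comes back true; it lists every duplicate SPN in the forest so you can decide which account should keep it.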

Certificate has been revoked
An error occurred during an attempt to build the certificate chain for the relying party trust '' certificate identified by thumbprint '6DC995B18B64C7C4089C234D7AB84A425219EA5D'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

Resolved by running the following PowerShell command
set-ADFSRelyingPartyTrust -TargetName myCRMRP -EncryptionCertificateRevocationCheck None

SigningCertificateRevocationCheck    : CheckChainExcludeRoot (this is the default value)

EventID: 317

The error above arises because ADFS checks revocation against the URL contained in the certificate's CRL Distribution Point (CDP). Run the following command to find out whether you are able to reach that URL from the ADFS server:
certutil.exe -verify -urlfetch .\yourCertificate-2014.crt 

Setting -EncryptionCertificateRevocationCheck None stops the revocation check for that trust and fixes the issue.
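As an added example (not from the original post), the PowerShell below does the diagnosis step first: it reads the trust's current revocation settings, exports the relying party's encryption certificate and lets certutil walk the chain with URL fetching, and only then falls back to the page's fix. Setting the check to None disables revocation checking for that trust's encryption certificate, so it's worth confirming that the CDP really is unreachable (and can't be opened up on the firewall or proxy) before relaxing it. It assumes the ADFS cmdlets are loaded (Add-PSSnapin Microsoft.Adfs.PowerShell on ADFS 2.x) and uses the trust name from the post as a placeholder.

```powershell
# Added example, not from the original post. Verifies the RP encryption certificate
# chain the same way ADFS does (fetching CDP/AIA URLs) before touching the revocation
# setting. Trust name is a placeholder.
function Test-RpEncryptionCertChain {
    param(
        [Parameter(Mandatory)][string]$TrustName,
        [string]$ExportPath = (Join-Path $env:TEMP 'rp-encryption.cer')
    )
    $rp = Get-ADFSRelyingPartyTrust -Name $TrustName
    if (-not $rp) { throw "Relying party trust '$TrustName' not found" }

    # Record the current settings so the before/after is visible in the session log
    Write-Host "EncryptionCertificateRevocationCheck : $($rp.EncryptionCertificateRevocationCheck)"
    Write-Host "SigningCertificateRevocationCheck    : $($rp.SigningCertificateRevocationCheck)"

    if (-not $rp.EncryptionCertificate) {
        Write-Host 'No encryption certificate configured on this trust; nothing to verify'
        return $true
    }

    # Write the DER-encoded certificate and verify it with URL fetching enabled
    [IO.File]::WriteAllBytes($ExportPath, $rp.EncryptionCertificate.Export('Cert'))
    $output = & certutil.exe -verify -urlfetch $ExportPath 2>&1
    $chainOk = ($LASTEXITCODE -eq 0)

    if ($chainOk) {
        Write-Host "Chain verification OK for $($rp.EncryptionCertificate.Thumbprint)"
    } else {
        # certutil names the failing step, e.g. CRYPT_E_REVOCATION_OFFLINE when the CDP is unreachable
        Write-Host "Chain verification FAILED for $($rp.EncryptionCertificate.Thumbprint):"
        $output | Where-Object { "$_" -match 'FAILED|ERROR|Revocation' } | ForEach-Object { Write-Host "  $_" }
    }
    return $chainOk
}

# Fix CDP reachability where you can; disable the check only when the chain
# genuinely cannot be verified from this server
if (-not (Test-RpEncryptionCertChain -TrustName 'myCRMRP')) {
    Set-ADFSRelyingPartyTrust -TargetName 'myCRMRP' -EncryptionCertificateRevocationCheck None
}
```

The informational lines go through Write-Host deliberately, so the function returns a single boolean that the `if` can act on rather than an array of strings.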

Importing IIS certificate:
To import a .crt or .cer certificate into IIS it first needs to be converted to .pfx; you can use the OpenSSL tool to do the conversion from the .crt and .key files.

C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -export -out myPFXCertificate.pfx -inkey MyCertificate.key -in YourCertificate.crt

Note: You can also export the certificate from the MMC Certificates snap-in if you already have it there; otherwise, if someone gives you the key and crt files, you can convert them with the above command.

OUTLOOK ADFS 2.1 windows 2012 server
Issues with Outlook configuration when using ADFS on Windows Server 2012. Run the SQL statements below to fix the issue:

select * from FederationProvider

update FederationProvider set ActiveMexEndpoint = ''

Resolved by changing ActiveMexEndpoint directly in the database. PowerShell is also available for this but was not working; a hotfix is available (to be tested).

PowerShell to set ActiveMexEndpoint:

PS C:\Users\crm13.admin> Get-CrmAdvancedSetting -ConfigurationEntityName FederationProvider -Setting ActiveMexEndpoint -Id 8174A23D-C8A0-4612-827C-A697E4E07E7B

Chrome Authentication issues
For Chrome authentication issues, disable Extended Protection on the ADFS website in IIS: under adfs > ls > Authentication, open the Windows Authentication advanced settings and set Extended Protection to Off.

1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.

2. In the Lsa subkey, locate the SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-click Lsa, point to New, and then click DWORD (32-bit) Value. Type SuppressExtendedProtection, and then press ENTER.

3. Right-click SuppressExtendedProtection, click Modify, and enter 1 (REG_DWORD).

Also the below registry key will disable all Extended Protection:

Session timeout - Token LifeTime
To increase the user session duration, increase the token lifetime (in minutes) by running the following PowerShell commands:
PS > Add-PSSnapin Microsoft.Adfs.PowerShell
Get-ADFSRelyingPartyTrust -Name "relying_party"
Set-ADFSRelyingPartyTrust -TargetName MyRelyingPartyName -TokenLifetime 480

Can't connect to federation URL

netsh http show urlacl

This shows the reserved HTTP URL namespaces. You will find URLs whose owner SID can't be resolved, because ADFS was installed and later removed.

Deleted all stale records
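As an added example (not from the original post), here is a PowerShell function that parses the output of `netsh http show urlacl` and flags reservations whose owner is printed as a raw SID rather than an account name, which is how an orphaned reservation from a removed ADFS install shows up. It is tried here against a constructed sample of netsh output (the SIDs are made up); the last comment shows how to run it against the live server.

```powershell
# Added example, not from the original post. Parses "netsh http show urlacl" output and
# flags reservations whose owner prints as a bare SID, i.e. an account that no longer
# resolves (typically left behind when ADFS was installed and later removed).
function Find-StaleUrlAcl {
    param([Parameter(Mandatory)][string[]]$NetshOutput)

    $stale = @()
    $currentUrl = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $currentUrl = $Matches[1]
            continue
        }
        if ($line -match '^\s*User:\s*(.+?)\s*$') {
            $owner = $Matches[1]
            # A resolvable owner prints as DOMAIN\name or NT SERVICE\name;
            # an orphaned one prints as the SID itself
            if ($owner -match '^S-1-\d+(-\d+)+$') {
                $stale += [pscustomobject]@{ Url = $currentUrl; Owner = $owner }
            }
        }
    }
    return $stale
}

# Constructed sample output (not captured from a real server; SIDs are made up)
$sample = @(
    'Reserved URL            : https://+:443/adfs/'
    '    User: NT SERVICE\adfssrv'
    '        Listen: Yes'
    '        Delegate: No'
    ''
    'Reserved URL            : https://+:443/FederationMetadata/2007-06/'
    '    User: S-1-5-80-1111111111-2222222222-3333333333-4444444444-5555555555'
    '        Listen: Yes'
    '        Delegate: No'
)

# Review the list first, then remove each stale entry with:
#   netsh http delete urlacl url=<Url>
Find-StaleUrlAcl -NetshOutput $sample | Format-Table -AutoSize

# Against the live server:
#   Find-StaleUrlAcl -NetshOutput (netsh http show urlacl)
```

Only the second reservation in the sample is reported, since `NT SERVICE\adfssrv` resolved to a name. Deleting a reservation still in use by a running service will break it, so check the owner of anything that does resolve before removing it.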

Token Decryption key Issue
An encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info:
No Certificate Configured ---> Microsoft.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4036: The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier

Grant the AppPool service account permissions on the certificate (its private key), then run iisreset for the change to take effect.

Changing ADFS Port
When the STS session has expired, clicking sign-in gives the error below:
Error Details: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to False

a) Enable user profile loading on the application pool
b) Copy the machine keys
c) Enable NLB in CRM Deployment Manager

ADFS3.0 Gotchas

Forms not loading on external RPT
The external relying party trust is recognised by ADFS as internal, and the forms do not load correctly.

MSIS7102: Requested Authentication Method is not supported on the STS.

ADFS 3.0 Outlook configuration issue: Microsoft.Crm.CrmException: Authentication failed
Issues with Outlook configuration when accessing CRM IFD with ADFS 3.0.

The issue is with the port ADFS 3.0 is listening on. To fix it, run the command:
Set-ADFSProperties -NetTcpPort 809