ADFS Federation Errors when Adding orgs through a CRM IFD

Before I start into my rant/experience today, allow me to begin by defining some acronyms pertaining to CRM:

CRM – Customer Relationship Management. In our case we are working with Microsoft Dynamics 2015.

IFD – Internet Facing Deployment. This allows you to securely publish CRM to the internet and use AD FS to manage authentication.

AD FS – Active Directory Federation Services. This acts as a layer between the internet and your Active Directory; it uses Active Directory credentials to issue tokens that allow published web applications to work over the internet.

And now onto my day.

I just added an org to CRM…It should work. Why doesn’t it work? It worked before…and quickly.

This has been my dialogue this morning. The day was going along as usual, busy busy. I put aside an allotted time frame to complete a task. The task was to create two new CRM orgs, add their internal and external DNS for the Internet Facing Deployment, and publish them through the proxy. I had done this a week ago with no issues. Today was different. I created the orgs, created the internal DNS, and tested that they were working through claims-based authentication…beautiful. This is going to go off without a hitch, and y'know…everything just worked before.

Wrong!

When I hit the IFD page, I kept getting an AD FS error. Looking at the Event Viewer logs, I was seeing that there was an issue with the relying party trust. Okay, so since I am only mildly competent at AD FS (Active Directory Federation Services), I had to use the process of elimination to troubleshoot this issue.

  1. Check all of my DNS records. Everything looked good.
  2. Check the publish rule on the proxy…this couldn't be the issue, though, because I was getting the expected behavior of reaching the AD FS page.
  3. Check whether claims-based authentication was working from the inside, and it was.

This must be an issue with AD FS specifically.

I opened AD FS management and recalled that the error was specifically referring to the relying party trust.

Under Trust Relationships I opened Relying Party Trusts and then selected my IFD configuration specifically.

On the Monitoring tab, I checked the relying party's federation metadata URL.

Test Federation Metadata

The federation metadata page is different for each application and gives information on how the application federates with AD FS and what is available or updatable.

Link to a good general article on federation metadata (the WS-Federation specification):

http://docs.oasis-open.org/wsfed/federation/v1.2/ws-federation.pdf

In our case, it was what was updatable that mattered. I moved on from the Monitoring tab to the Identifiers tab…and found my issue.

Not all of the relying party identifiers were in this list: the new ones I had just added were missing, while the older, working ones were there. This explained everything!

My next issue was that there is a box for adding relying party identifiers, but it was grayed out.

Federation Metadata Identifiers

Ok, well, how do I update this list? Off to the right, there is an option to Update from Federation Metadata. This tells AD FS to contact the relying party's metadata URL and pull in any additional information that needs to be included for federation. This added the sites I was missing, and voilà, IFD was working again.
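The same check and fix can be scripted on the AD FS server, which is handy when you add orgs regularly and want to confirm the identifiers before users hit the IFD page. The following is an added example, not code from the original post; it assumes the AD FS PowerShell module is installed, that the relying party trust name (`CRM IFD Relying Party`) is a placeholder you replace with your own, and that the org URLs in `$expectedOrgUrls` are constructed sample values.

```powershell
# Added example (not from the original post). Assumes the ADFS module is
# present on the AD FS server and that you run this as an AD FS administrator.
Import-Module ADFS

$trustName = 'CRM IFD Relying Party'   # placeholder: use your trust's Name

# Constructed sample: the CRM org URLs AD FS must know as identifiers.
$expectedOrgUrls = @(
    'https://org1.contoso.com/',
    'https://org2.contoso.com/'
)

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' was not found." }

# 1. Confirm the federation metadata URL (Monitoring tab) answers with XML.
#    Assumes the document root is EntityDescriptor, as in WS-Federation metadata.
$metadataUrl = $trust.MetadataUrl
Write-Host "Metadata URL: $metadataUrl"
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content
Write-Host "entityID published by CRM: $($metadata.EntityDescriptor.entityID)"

# 2. Compare the identifiers AD FS currently holds (Identifiers tab) with the
#    expected org URLs. Identifiers are matched as strings, so normalise the
#    trailing slash and case before comparing.
function Normalize-Identifier([string]$uri) {
    return $uri.TrimEnd('/').ToLowerInvariant()
}
$current = @($trust.Identifier | ForEach-Object { Normalize-Identifier $_ })
$missing = $expectedOrgUrls | Where-Object { $current -notcontains (Normalize-Identifier $_) }

if (-not $missing) {
    Write-Host 'All expected org identifiers are present on the trust.'
    return
}
Write-Warning "Missing identifiers: $($missing -join ', ')"

# 3. Pull the new identifiers in from federation metadata; this is the
#    PowerShell equivalent of "Update from Federation Metadata".
Update-AdfsRelyingPartyTrust -TargetName $trustName

# 4. Re-read the trust and verify that nothing is still missing.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$current = @($trust.Identifier | ForEach-Object { Normalize-Identifier $_ })
$stillMissing = $expectedOrgUrls | Where-Object { $current -notcontains (Normalize-Identifier $_) }
if ($stillMissing) {
    Write-Warning "Still missing after update (check CRM's metadata page): $($stillMissing -join ', ')"
} else {
    Write-Host 'Identifiers updated; all expected org URLs are now on the trust.'
}
```

Run it before and after adding orgs: if step 2 reports missing identifiers and step 4 still does after the update, the new orgs have not yet appeared in CRM's federation metadata page, which is where AD FS reads them from.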

Update from Federation Metadata


What does the metadata page look like? It looks like this, and if you scroll down you will see your sites. CRM updates this page; how frequently, I still need to find out. Anyway, the endpoints are of most interest to you if you are working with CRM IFD.

Federation Metadata page
