Microsoft Dynamics CRM 2011 log-in issue due to AD FS Certificate Rollover

Recently we came across an interesting issue where, without any change on the CRM server or the AD FS server, authentication started failing for all users. Every time we tried to access the CRM external URL or the CRM internal URL we were prompted continuously for credentials at https://<auth.domain.com>.

Once we entered our credentials we received the following error:

HTTP Error 401 - Unauthorized Access is denied.

An error has occurred.


We see the following error in the event viewer on the AD FS server (Application and Services Logs -> AD FS 2.0 -> Admin):

Exception information:

Exception type: SecurityTokenException

Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)

at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)

at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)

at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)

at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)

at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

OR

Encountered error during federation passive request. 

Additional Data

Exception details:

Microsoft.IdentityServer.Web.AuthenticationFailedException: ID3034: Authentication failed.

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)   

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)


The Certificates node in the AD FS management console shows two Token-decrypting and two Token-signing certificates, one with Primary and one with Secondary status:


As you can see, there are two signing certificates. The second signing certificate was created by AD FS automatically because the first signing certificate was reaching its expiration date. This feature, AD FS creating a new self-signed certificate when the old one nears expiration, is called Auto Certificate Rollover.

The CRM server database still holds the old certificate entry, so tokens signed with the new certificate are rejected and authentication starts failing. The issue is resolved once the database is updated with the new values after we re-configure claims-based authentication.


Cause

The Token-signing certificate and the Token-decrypting certificate in AD FS were automatically renewed by the Auto Certificate Rollover feature because they were reaching their expiration date. CRM still trusts the old certificates, so tokens issued with the new ones fail validation.

Resolution

In the AD FS management console, update the Federation Metadata URLs and do an IIS reset on the CRM server. Next, restart the AD FS service.

If the above steps do not resolve the issue, follow these steps:

1) On the CRM server, open Deployment Manager and disable Claims-Based Authentication.

2) Do an IISRESET on the CRM server.

3) Re-configure Claims-Based Authentication from Deployment Manager, keeping all the settings the same.

4) Re-configure IFD through Deployment Manager.

5) Do an IISRESET again on the CRM server.

6) In the AD FS management console on the AD FS server, update the corresponding Federation Metadata URLs.
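An added pre-flight check, not part of the original post: run on the AD FS 2.0 server, it lists the Token-Signing and Token-Decrypting certificates with their Primary/Secondary status and expiry, prints the rollover thresholds, and compares the primary signing thumbprint with the one recorded when CRM's claims-based authentication was last configured. It assumes the Microsoft.Adfs.PowerShell snap-in cmdlets Get-ADFSProperties and Get-ADFSCertificate; the -ExpectedThumbprint value is an operational record the admin keeps, since CRM itself is not queried.

```powershell
# Added check (not from the original post). Run on the AD FS 2.0 server.
# -ExpectedThumbprint is an assumed operational record: the Token-Signing thumbprint
# that was current when Claims-Based Authentication was last configured in CRM.
param(
    [string]$ExpectedThumbprint = ""
)
# AD FS 2.0 exposes its cmdlets through this snap-in (no-op if already loaded)
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties
"AutoCertificateRollover       : $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold: $($props.CertificateGenerationThreshold) days before expiry"
"CertificatePromotionThreshold : $($props.CertificatePromotionThreshold) days before expiry"

$now = Get-Date
foreach ($type in "Token-Signing", "Token-Decrypting") {
    "`n$type certificates:"
    $certs = @(Get-ADFSCertificate -CertificateType $type)
    foreach ($c in $certs) {
        $role = if ($c.IsPrimary) { "Primary" } else { "Secondary" }
        $daysLeft = [int]($c.Certificate.NotAfter - $now).TotalDays
        "  {0,-9} {1}  expires {2:yyyy-MM-dd} ({3} days left)" -f $role, $c.Thumbprint, $c.Certificate.NotAfter, $daysLeft
        if ($c.IsPrimary -and $daysLeft -le $props.CertificateGenerationThreshold) {
            "  WARNING: primary is inside the generation threshold; AD FS will create a new certificate soon."
        }
    }
    # Two certificates of one type means a rollover has started or completed: the relying
    # parties (CRM) must pick up the refreshed federation metadata before the new one becomes primary.
    if ($certs.Count -gt 1) {
        "  NOTE: $($certs.Count) $type certificates present: a rollover is pending or has already happened."
    }
}

# Compare the active signing certificate with the one CRM was configured against.
$primarySigning = (Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint
if ($ExpectedThumbprint -ne "") {
    if ($primarySigning -eq $ExpectedThumbprint) {
        "`nOK: CRM's recorded Token-Signing thumbprint matches the AD FS primary certificate."
    } else {
        "`nMISMATCH: AD FS primary is $primarySigning, CRM was configured with $ExpectedThumbprint."
        "Expect ID4175 on the CRM side until claims-based authentication is re-configured (see Resolution)."
    }
}
```

Scheduling this to run daily and alerting on the WARNING or MISMATCH lines gives notice before the rollover, rather than discovering it when all users are locked out.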

Comments

  • Anonymous
    July 23, 2012
    We discovered this in the worst possible way as our hosted CRM environment became inaccessible about a month ago. While the cause was relatively clear, and the remedy not overly difficult to discern, it is good to see it all explained - thanks, Arpita.

  • Anonymous
    August 30, 2012
    pogo69: Thank You!

  • Anonymous
    October 31, 2012
    Hi... I have a wild card certificate which is going to expire on 21st Nov, 2012. So please tell me what are the steps which I have to follow to update the certificate and ADFS 2.0. 1. Do I have to attach the renewed certificate again to the default website and CRM website? 2. Do I have to add these entries again to MMC for Personal and Trusted certificates? If not, then do let me know what are the steps that need to be performed, as there are still 20 days until certificate expiration. Please help... It's urgent.

  • Anonymous
    November 05, 2012
    The comment has been removed

  • Anonymous
    November 05, 2012
    Apart from the wildcard certificate, if the Token-decrypting and Token-signing certificates are going to expire, the ADFS server will handle it by re-creating these certificates, but you need to follow the steps I have mentioned in my blog in the RESOLUTION section.

  • Anonymous
    November 16, 2012
    Dear friend this is a good post and this post is really appreciative and informative. I am interested in this post too much. Certificate Authentication (www.attestationcertificate.in/.../)

  • Anonymous
    November 27, 2012
    Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.

  • Anonymous
    December 18, 2012
    Thanks so much Johny Walker. So, will get few other blogs on ADFS soon.

  • Anonymous
    March 21, 2013
    Thanks a ton Arpita. I was stuffing around with this issue since morning. Would have saved me half a day only if I had found your article before. Thanks, Sapan

  • Anonymous
    July 10, 2013
    (This comment has been deleted per user request)

  • Anonymous
    August 30, 2013
    It helped me during Production deployment. Thank you so much.

  • Anonymous
    November 07, 2013
    Thanks Guys! I'm happy that this blog helped you guys for fixing issue in your production environment.

  • Anonymous
    May 04, 2014
    Hi, I am using a different IDP for WS-Federation. But the IDP does not support encrypted assertions. Is there a way to disable the encryption requirement in CRM? Thanks,

  • Anonymous
    September 01, 2015
    very Interesting :)

  • Anonymous
    September 07, 2015
    Reference number 08d1b212-103e-4b14-8a33-27be9fc9fd9e. My CRM 2011 shows me this, why?

  • Anonymous
    October 19, 2015
    Hi Richardo, the reference number will not help. Can you go to the ADFS server --> Event Viewer --> Application and Services Logs --> Admin --> ADFS and check the error there every time you get an error in the UI.