Configuring Dynamics CRM IFD with Windows Server 2012 R2 AD FS (ADFS 3.0)
Hello Everyone!
I was checking how Dynamics CRM IFD works with the new version of AD FS that ships with Windows Server 2012 R2 (i.e. AD FS 3.0), and an internet search yielded hazy or misleading information. Some sources said a WAP (Web Application Proxy) is a must, which perplexed me even more. So I thought of setting it up in a lab to see what it looks like. I now have it working in my one-VM lab environment and am writing this post to share some key experiences.
I had all the CRM prerequisites in place and got the CRM 2013 website working normally. Curious enough, I installed and configured AD FS and configured the Claims URL for CRM, which worked as expected, woo! My first milestone. Obviously, next was to get the IFD URL working. I got the configuration in place on both the AD FS and CRM sides, and testing the IFD URL was not too big of a surprise: I got an error from my STS before I got the sign-in page prompting for username and password. This is what the error reads like in the UI:
An error occurred. Contact your administrator for more information.
Error details
• Activity ID: 00000000-0000-0000-0d00-0080000000fd
• Relying party: crmauth.namma.com
• Error time: Thu, 06 Mar 2014 14:58:06 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; Touch; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3)
Here is the report in Event Viewer:
Log Name: AD FS/Admin
Source: AD FS
Date: 3/6/2014 6:58:06 AM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: BSHASTRIDOMAIN\bshastri
Computer: bshastriw2012.bshastridomain.local
Description:
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
https://crm.namma.com:444/
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
After some digging around on the above exception, "Requested Authentication Method is not supported…", I found the configuration setting which dictates the allowed authentication methods. It is under AD FS Management Console -> Authentication Policies -> Global Settings -> Edit. Here is a screenshot:
I am on a one-box setup and browsing the IFD URL locally, so my request is surely being considered as coming from the Intranet by whatever logic is used to decide the source of the request. I am not sure on what basis a request is labeled Intranet or Extranet by AD FS 3.0; that is a different investigation I am keen on :). Back to the exception: checking the Forms Authentication method for Intranet got the IFD URL working. This guess was based on the fact that CRM asks for Forms Based Authentication when we browse the IFD URL. Below are the redirection URLs given by CRM with different wauth parameters:
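The same check and fix can be scripted instead of clicking through the Global Settings dialog. The following is an added example, not part of the original post, using the AD FS PowerShell module that ships with Windows Server 2012 R2 (`Get-AdfsGlobalAuthenticationPolicy` / `Set-AdfsGlobalAuthenticationPolicy`). It reads the current primary providers for each location, and appends FormsAuthentication to the Intranet list only if it is missing, so an existing WindowsAuthentication entry for the internal CRM URL is preserved. The mapping of the IFD's `wauth` value to FormsAuthentication is what the MSIS7102 error above demonstrates.

```powershell
# Added example (not from the original post): inspect and, if needed, enable
# Forms Authentication for intranet requests on an AD FS 3.0 (Server 2012 R2) farm.
# Assumes it runs on the federation server with the ADFS module available.
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# The IFD URL redirects with wauth=urn:oasis:names:tc:SAML:1.0:am:password, which
# AD FS satisfies with FormsAuthentication. MSIS7102 is raised when the provider
# list for the request's location (Intranet in the post's one-box lab) lacks it.
$required = 'FormsAuthentication'

if ($policy.PrimaryIntranetAuthenticationProvider -notcontains $required) {
    # Keep the existing providers (e.g. WindowsAuthentication) and add Forms,
    # rather than replacing the list and breaking integrated sign-in internally.
    $providers = @($policy.PrimaryIntranetAuthenticationProvider) + $required
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $providers
    "Added $required to the intranet policy"
}
else {
    "$required is already enabled for intranet requests"
}

# Re-read so the change is confirmed from the configuration store, not assumed.
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
```

When a Web Application Proxy sits in front of the farm, requests arriving through it are treated as Extranet and the `PrimaryExtranetAuthenticationProvider` list applies instead; the same `-notcontains` check can be run against that property before changing it.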
Browsing internal CRM URL asks for Integrated Authentication:
https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrmint.namma.com%3a444%2f&wctx=rm%3d1%26id%3ded7bd6f6-ca7a-4cf1-ab8d-6a07fc3c3773%26ru%3d%252fdefault.aspx&wct=2014-03-06T16%3a25%3a38Z&wauth=urn%3afederation%3aauthentication%3awindows
Browsing the external (IFD) CRM URL asks for Forms Authentication (note the password wauth value):
https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.namma.com%3a444%2f&wctx=rm%3d1%26id%3ddf0e3ef6-ddd0-4d13-ad61-086239cf5ffc%26ru%3dhttps%253a%252f%252fcrm.namma.com%253a444%252fdefault.aspx&wct=2014-03-06T16%3a22%3a27Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword
A wauth parameter reference can be found on TechNet.
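Reading `wauth` and the nested `wctx` out of those redirects by eye is error-prone, so here is an added example (not from the original post) that decodes a WS-Federation sign-in redirect into its parts and reports which AD FS authentication provider the request is asking for. The sample URL is the external one from the post; the URN-to-provider table covers the two `wauth` values shown above and is an assumption based on the behaviour the post describes (the password URN needing Forms Authentication).

```powershell
# Added example (not from the original post): decode a CRM -> AD FS WS-Fed
# redirect so the requested authentication method is visible at a glance.
Add-Type -AssemblyName System.Web   # for HttpUtility.ParseQueryString

# Sample input, copied from the external (IFD) redirect shown in the post.
$redirect = 'https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.namma.com%3a444%2f&wctx=rm%3d1%26id%3ddf0e3ef6-ddd0-4d13-ad61-086239cf5ffc%26ru%3dhttps%253a%252f%252fcrm.namma.com%253a444%252fdefault.aspx&wct=2014-03-06T16%3a22%3a27Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword'

function Get-WsFedRequest {
    param([Parameter(Mandatory)][string]$Url)

    # Take the raw query string after '?' rather than [uri].Query, so the
    # percent-encoding is passed through untouched to the parser.
    $rawQuery = $Url.Substring($Url.IndexOf('?') + 1)
    $query = [System.Web.HttpUtility]::ParseQueryString($rawQuery)

    # wctx is itself a URL-encoded key=value list (rm, id, ru); ParseQueryString
    # already decoded it one level, so parsing it again yields the inner values.
    $ctx = [System.Web.HttpUtility]::ParseQueryString($query['wctx'])

    # Assumed mapping: wauth URN -> AD FS 3.0 primary authentication provider.
    $provider = switch ($query['wauth']) {
        'urn:federation:authentication:windows'   { 'WindowsAuthentication' }
        'urn:oasis:names:tc:SAML:1.0:am:password' { 'FormsAuthentication' }
        default                                   { "unknown ($_)" }
    }

    [pscustomobject]@{
        Action       = $query['wa']       # wsignin1.0
        RelyingParty = $query['wtrealm']  # https://crm.namma.com:444/
        ReturnUrl    = $ctx['ru']         # https://crm.namma.com:444/default.aspx
        RequestTime  = $query['wct']
        Wauth        = $query['wauth']
        AdfsProvider = $provider
    }
}

Get-WsFedRequest -Url $redirect | Format-List
```

The `AdfsProvider` field is the value to look for in the Intranet or Extranet provider list of the global authentication policy: if it is absent for the location AD FS assigns to the request, the MSIS7102 error in the event log above is the expected result.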
Hope this helps!
Thank you!
Comments
- Anonymous
January 01, 2003
@Lou Bergstrom: I haven't read the refreshed IFD doc yet. But I don't think it would have any info because CRM 2013 is yet to officially announce support for Server 2012 R2/ADFS 3.0.
- Anonymous
January 01, 2003
Thanks Arpita! I haven't tried configuring the Outlook client on said VM. I will try that out in the near future and see how it goes.
- Anonymous
March 06, 2014
Bhavesh,
Great post! Did you happen to reference the refreshed IFD doc? Thanks for sharing.
- Anonymous
March 07, 2014
The refreshed doc is here: http://www.microsoft.com/en-us/download/details.aspx?id=41701
and does address the need to enable forms authentication. The doc is written using WS12 R2.
- Anonymous
March 07, 2014
The comment has been removed
- Anonymous
March 12, 2014
Thanks Bhavesh... really helped us a lot. Did you happen to see, in this configuration and environment where we have ADFS 3.0 and Server 2012 R2, if we are able to configure Outlook? Do we have any other setting to enable in order to configure Outlook successfully?
- Anonymous
March 20, 2014
Dynamics CRM IFD on Windows server 2012 R2 ADFS (aka ADFS 3.0) – CRM Addin for Outlook
Hearing
- Anonymous
June 11, 2014
It works for me too. I don't know why it considers external access as Intranet though...
- Anonymous
July 14, 2014
Thank you Bhavesh. This helped me in one of my cases and I fixed the problem in like 5 minutes.
- Anonymous
August 06, 2014
We blogged the entire process here: http://www.interactivewebs.com/blog/index.php/general-tips/crm-2013-ifd-setup-with-adfs-3-0-on-windows-2012-r2-hosted-setup/
This may help.
- Anonymous
September 15, 2014
You're a star! This saved me from many hours of trial and error. Thanks :)
- Anonymous
September 23, 2014
Great post! After many trials and errors, this made my working day a success!
Thank you
- Anonymous
December 02, 2014
Great article!! This helped me.
- Anonymous
January 14, 2015
Thanks a lot, it solved my error.
- Anonymous
January 22, 2015
"I am not sure on what basis a request is labeled Intranet or Extranet by AD FS 3.0" -> did you ever find the answer to this question? I'm wondering the same thing ;-)
- Anonymous
February 06, 2015
Hi there, will ADFS 3.0 and MS CRM 2015 work?
- Anonymous
August 26, 2015
The comment has been removed
- Anonymous
February 12, 2016
@Matthieu,
If the request comes through the ADFS WAP (Proxy), it's considered external.
- Anonymous
March 19, 2016
Great research! Worked for me.
- Anonymous
February 22, 2018
Great post, I conceive blog owners should learn a lot from this web blog; it's really user-friendly. So much superb information on here :D.
- Anonymous
April 04, 2018
This article is in fact a nice one; it assists new web users who are wishing for blogging.