Configuring Dynamics CRM IFD with Windows Server 2012 R2 AD FS (ADFS 3.0)

Hello Everyone!

I was checking how Dynamics CRM IFD goes with the new version of AD FS that comes along with Windows Server 2012 R2 (i.e. ADFS 3.0), and an internet search yielded hazy or misleading information. Somewhere it said WAP (Web Application Proxy) is a must, which perplexed me more. So I thought of setting it up in the lab to see what it looks like. Now I have it working in my one-VM lab environment and am writing this post to share some key experiences.

I had all the CRM pre-requisites in place and got the CRM 2013 website working normally. Curious enough, I installed and configured AD FS and configured the Claims URL for CRM, which worked as expected, woo! My first milestone. Obviously, next was to get the IFD URL working. I got the configuration in place on both the AD FS and CRM side, and testing the IFD URL was not too big of a surprise: I got an error from my STS before I got the sign-in page prompting for username and password. This is what the error reads like in the UI:

An error occurred. Contact your administrator for more information.
Error details
• Activity ID: 00000000-0000-0000-0d00-0080000000fd
• Relying party: crmauth.namma.com
• Error time: Thu, 06 Mar 2014 14:58:06 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; Touch; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3)

Here is the report in Event Viewer:

Log Name:      AD FS/Admin
Source:        AD FS
Date:          3/6/2014 6:58:06 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          BSHASTRIDOMAIN\bshastri
Computer:      bshastriw2012.bshastridomain.local
Description:
Encountered error during federation passive request.

Additional Data
Protocol Name:
wsfed
Relying Party:
https://crm.namma.com:444/

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

After some good digging around on the above exception ("Requested Authentication Method is not supported…") I found the configuration setting that dictates the allowed authentication methods. It is under AD FS Management Console -> Authentication Policies -> Global Settings -> Edit. Here is a screenshot:

[screenshot: Global Settings authentication methods dialog]

I am on a one-box setup and browsing the IFD URL locally, so my request is surely being considered as coming from the Intranet by whatever logic is used to decide the source of a request. I am not sure on what basis a request is labeled Intranet or Extranet by AD FS 3.0; that's a different investigation I am keen on :). Back to the exception: checking the Forms Authentication method for Intranet got the IFD URL working. This guess was based on the fact that CRM does ask for Forms Based Authentication when we browse the IFD URL. Below are the redirection URLs given by CRM with different wauth parameters:

Browsing the internal CRM URL asks for Integrated (Windows) Authentication:

https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrmint.namma.com%3a444%2f&wctx=rm%3d1%26id%3ded7bd6f6-ca7a-4cf1-ab8d-6a07fc3c3773%26ru%3d%252fdefault.aspx&wct=2014-03-06T16%3a25%3a38Z&wauth=urn%3afederation%3aauthentication%3awindows

Browsing the external (IFD) CRM URL asks for Forms (password) Authentication:

https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.namma.com%3a444%2f&wctx=rm%3d1%26id%3ddf0e3ef6-ddd0-4d13-ad61-086239cf5ffc%26ru%3dhttps%253a%252f%252fcrm.namma.com%253a444%252fdefault.aspx&wct=2014-03-06T16%3a22%3a27Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword

The wauth parameter reference can be found on TechNet.
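As an added example for this post (my own code, not the author's and not anything shipped by Microsoft), here is the same diagnosis and fix done from the AD FS PowerShell module instead of the management console. It reads the wauth value out of the two redirect URLs shown above, maps it to the provider name used in the Global Authentication Policy, checks whether the Intranet policy enables that provider (the mismatch is what shows up as MSIS7102 / Event ID 364), and adds FormsAuthentication to the Intranet providers without removing Windows. The cmdlets Get-AdfsGlobalAuthenticationPolicy and Set-AdfsGlobalAuthenticationPolicy and the provider names are real ADFS module items on Windows Server 2012 R2; the function names and the mapping table are mine, and the certificate entry in that table comes from the AD FS wauth reference rather than from this post.

```powershell
# Added example (not from the original post). Assumes the ADFS PowerShell module on a
# Windows Server 2012 R2 federation server and rights to read and change the global
# authentication policy. The two redirect URLs below are the ones captured in the post.

Add-Type -AssemblyName System.Web

# wauth URNs mapped to the provider names used by the Global Authentication Policy.
# Windows and password are the two values in the post's redirects; the certificate
# entry is taken from the AD FS authentication-method reference.
$WauthToProvider = @{
    'urn:federation:authentication:windows'   = 'WindowsAuthentication'
    'urn:oasis:names:tc:SAML:1.0:am:password' = 'FormsAuthentication'
    'urn:ietf:rfc:2246'                       = 'CertificateAuthentication'
}

function Get-WsFedRequestedAuthMethod {
    # Pull wtrealm, the return URL nested inside wctx, and wauth out of a WS-Fed sign-in redirect.
    param([Parameter(Mandatory)][string]$RedirectUrl)

    $uri   = [System.Uri]$RedirectUrl
    $query = [System.Web.HttpUtility]::ParseQueryString($uri.Query)   # decodes one level
    $ctxRaw = $query['wctx']                                           # wctx is encoded a second time
    $ctx    = if ($ctxRaw) { [System.Web.HttpUtility]::ParseQueryString($ctxRaw) } else { $null }

    $wauth    = $query['wauth']
    $provider = if ($wauth -and $WauthToProvider.ContainsKey($wauth)) { $WauthToProvider[$wauth] }
                elseif ($wauth) { "Unknown ($wauth)" }
                else { 'Default (no wauth sent)' }

    [pscustomobject]@{
        RelyingParty = $query['wtrealm']
        ReturnUrl    = if ($ctx) { $ctx['ru'] } else { $null }
        Wauth        = $wauth
        Provider     = $provider
    }
}

function Test-AdfsGlobalPolicyAllows {
    # Compare the provider a request asks for with what the global policy enables for
    # the given location. A mismatch is exactly what surfaces as MSIS7102 / Event ID 364.
    param(
        [Parameter(Mandatory)][string]$Provider,
        [ValidateSet('Intranet','Extranet')][string]$Location = 'Intranet'
    )
    $policy  = Get-AdfsGlobalAuthenticationPolicy
    $enabled = if ($Location -eq 'Intranet') { $policy.PrimaryIntranetAuthenticationProvider }
               else { $policy.PrimaryExtranetAuthenticationProvider }
    [pscustomobject]@{
        Location = $Location
        Enabled  = @($enabled) -join ', '
        Allowed  = [bool](@($enabled) -contains $Provider)
    }
}

function Enable-AdfsIntranetFormsAuthentication {
    # The post's console fix done in PowerShell: add FormsAuthentication to the Intranet
    # providers while keeping the ones already enabled (Windows stays for crmint).
    $current = @((Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider)
    if ($current -contains 'FormsAuthentication') { return $current }
    $updated = $current + 'FormsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $updated
    return $updated
}

# Sample input: the internal and IFD redirects captured in the post.
$redirects = @(
    'https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrmint.namma.com%3a444%2f&wctx=rm%3d1%26id%3ded7bd6f6-ca7a-4cf1-ab8d-6a07fc3c3773%26ru%3d%252fdefault.aspx&wct=2014-03-06T16%3a25%3a38Z&wauth=urn%3afederation%3aauthentication%3awindows',
    'https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.namma.com%3a444%2f&wctx=rm%3d1%26id%3ddf0e3ef6-ddd0-4d13-ad61-086239cf5ffc%26ru%3dhttps%253a%252f%252fcrm.namma.com%253a444%252fdefault.aspx&wct=2014-03-06T16%3a22%3a27Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword'
)

foreach ($url in $redirects) {
    $req = Get-WsFedRequestedAuthMethod -RedirectUrl $url
    $chk = Test-AdfsGlobalPolicyAllows -Provider $req.Provider -Location Intranet
    '{0} -> wants {1}; Intranet policy enables [{2}]; allowed: {3}' -f $req.RelyingParty, $req.Provider, $chk.Enabled, $chk.Allowed
    if (-not $chk.Allowed -and $req.Provider -eq 'FormsAuthentication') {
        Write-Warning "IFD sign-in for $($req.RelyingParty) would fail with MSIS7102; run Enable-AdfsIntranetFormsAuthentication to fix it."
    }
}
```

On a fresh 2012 R2 install the Intranet policy enables only WindowsAuthentication, so the second redirect (wauth=…:am:password from crm.namma.com) reports allowed: False until Enable-AdfsIntranetFormsAuthentication has run; the first (crmint.namma.com) passes either way. Regarding the Intranet/Extranet question raised above: AD FS in 2012 R2 treats a request as Extranet when it arrives through the Web Application Proxy and as Intranet otherwise, which is why a single-box lab without WAP always evaluates the Intranet policy, and why the Extranet check boxes did not matter for this error.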

Hope this helps!

Thank you!

Bhavesh Shastri