Configuring Dynamics CRM IFD with Windows Server 2012 R2 AD FS (ADFS 3.0)

Hello Everyone!

I was checking how Dynamics CRM IFD goes with the new version of AD FS that comes with Windows Server 2012 R2 (i.e. ADFS 3.0), and an internet search yielded hazy or misleading information. Somewhere it said WAP (Web Application Proxy) is a must, which perplexed me more. So I thought of setting it up in a lab to see what it looks like. Now I have it working in my one-VM lab environment and am writing this post to share some key experiences.

I had all the CRM prerequisites in place and got the CRM 2013 website working normally. Curious enough, I installed and configured AD FS and configured the Claims URL for CRM, which worked as expected, woo! My first milestone. Obviously, next was to get the IFD URL working. I got the configuration in place on both the AD FS and CRM side, and testing the IFD URL was not too big of a surprise: I got an error from my STS before I got the sign-in page prompting for username and password. This is what the error reads like in the UI:

An error occurred. Contact your administrator for more information.
Error details
• Activity ID: 00000000-0000-0000-0d00-0080000000fd
• Relying party: crmauth.namma.com
• Error time: Thu, 06 Mar 2014 14:58:06 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; Touch; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3)

Here is the report in Event Viewer:

Log Name:      AD FS/Admin
Source:        AD FS
Date:          3/6/2014 6:58:06 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          BSHASTRIDOMAIN\bshastri
Computer:      bshastriw2012.bshastridomain.local
Description:
Encountered error during federation passive request.

Additional Data
Protocol Name:
wsfed
Relying Party:
https://crm.namma.com:444/

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

After a good dig around on the above exception saying “Requested Authentication Method is not supported….”, I found the configuration setting which dictates the allowed Authentication Methods. This is under AD FS Management Console -> Authentication Policies -> Global Settings -> Edit. Here is a screenshot:

[Screenshot: Edit Global Authentication Policy dialog, Intranet authentication methods]

I am on a one-box setup and browsing the IFD URL locally, so my request is surely being treated as coming from the Intranet by whatever logic is used to decide the source of the request. I am not sure on what basis a request is labeled Intranet or Extranet by AD FS 3.0; that’s a different investigation I am keen on :). Back to the exception: checking the Forms Authentication method for Intranet got the IFD URL working. This guess was based on the fact that CRM does ask for Forms Based Authentication when we browse the IFD URL. Below are the redirection URLs given by CRM with different wauth parameters:

Browsing the internal CRM URL asks for Integrated (Windows) Authentication:

https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrmint.namma.com%3a444%2f&wctx=rm%3d1%26id%3ded7bd6f6-ca7a-4cf1-ab8d-6a07fc3c3773%26ru%3d%252fdefault.aspx&wct=2014-03-06T16%3a25%3a38Z&wauth=urn%3afederation%3aauthentication%3awindows

Browsing the external (IFD) CRM URL asks for Forms (password) Authentication:

https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.namma.com%3a444%2f&wctx=rm%3d1%26id%3ddf0e3ef6-ddd0-4d13-ad61-086239cf5ffc%26ru%3dhttps%253a%252f%252fcrm.namma.com%253a444%252fdefault.aspx&wct=2014-03-06T16%3a22%3a27Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword

The wauth parameter reference can be found on TechNet.
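As an added example (not part of the original post), the same check and fix done from the AD FS PowerShell module instead of the MMC: read the wauth value CRM put in the redirect URL, map it to the AD FS provider name it requires, and add that provider to the Intranet zone of the global authentication policy if it is missing. It assumes you run it on the AD FS 3.0 federation server (where Get-/Set-AdfsGlobalAuthenticationPolicy exist) and reuses the IFD redirect URL captured above.

```powershell
# Redirect URL CRM sent the browser to (taken from the post above)
$redirect = 'https://sts.namma.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.namma.com%3a444%2f&wct=2014-03-06T16%3a22%3a27Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword'

# wauth URN (WS-Federation) -> provider name used by the AD FS global authentication policy.
# Only the two values that appear in the post are mapped here.
$wauthToProvider = @{
    'urn:federation:authentication:windows'   = 'WindowsAuthentication'
    'urn:oasis:names:tc:SAML:1.0:am:password' = 'FormsAuthentication'
}

# ParseQueryString URL-decodes the values, so %3a becomes ':' etc.
Add-Type -AssemblyName System.Web
$query  = [System.Web.HttpUtility]::ParseQueryString(([uri]$redirect).Query)
$wauth  = $query['wauth']
$realm  = $query['wtrealm']
$needed = $wauthToProvider[$wauth]
if (-not $needed) { throw "Unmapped wauth '$wauth' requested for relying party $realm" }
Write-Host "Relying party $realm requests wauth=$wauth -> AD FS provider '$needed'"

# What AD FS currently allows for requests it classifies as Intranet
$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
Write-Host "Intranet providers now: $($intranet -join ', ')"

if ($intranet -notcontains $needed) {
    # Same change as ticking the box under Global Settings -> Edit: keep the
    # existing providers and add the one CRM asks for. MSIS7102 is raised when
    # the requested method is not in this list for the request's zone.
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider ($intranet + $needed)
    Write-Host "Added $needed to the Intranet zone; retry the IFD URL."
} else {
    Write-Host "$needed already allowed for Intranet; check the Extranet zone if the request came via WAP."
}
```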

Hope this helps!

Thank you!

Bhavesh Shastri

Comments (19)

  1. @Lou Bergstrom: I haven’t read the refreshed IFD doc yet. But I don’t think it would have any info coz CRM 2013 is yet to officially announce support for Server 2012 R2/ADFS 3.0.

  2. Thanks Arpita! I haven’t tried configuring Outlook client on said VM. I will try that out in near future and see how it goes..

  3. Lou Bergstrom says:

    Bhavesh,

    Great post! Did you happen to reference the refreshed IFD doc? Thanks for sharing.

  4. Jim Holtzman says:

    The refreshed doc is here: http://www.microsoft.com/en-us/download/details.aspx?id=41701
    and does address the need to enable forms authentication. The doc is written using WS12 R2.

  5. mohammad says:

    Really a Great Post, Bhavesh

    Hi Lou,
    If you are going to use ADFS for Win Server 2012 R2 and CRM 2013 in different Servers, with ADFS in Win-2012 R2 and CRM 2013 in Win-2012 or any other Windows Server other than Win 2012 R2 then the document for the setup is available at: http://www.microsoft.com/en-us/download/details.aspx?id=41701

    However, if you are looking for set up instructions for ADFS and CRM 2013 in one box that is Windows Server 2012 R2 then as Bhavesh mentioned you have to wait for UR2 for CRM 2013, as Windows Server 2012 R2 comes with IIS 8.5 which is not yet tested for CRM 2013 App. I hope this helps..
    So, ADFS is supported for Windows Server 2012 R2, in fact that’s an in build Role of Windows Server now. But CRM 2013 has not been tested on IIS 8.5 yet.

  6. Arpita says:

    Thanks Bhavesh…really helped us a lot.. Did you happen to see if in this configuration and environment where we have ADFS 3.0 and Server 2012 R2, if we are able to configure Outlook…Do we have any other setting to enable to do to configure outlook successfully.

  8. Jose Ramon Corrales says:

    It works for me too. I don't know why it considers external access as Intranet though …

  9. Rajesh. R says:

    Thank you Bhavesh. This helped me in one of my cases and I fixed the problem in like 5 minutes.

  10. Maria says:

    You're a star! This saved me from many hours of trial and error. Thanks 🙂

  11. Simone says:

    Great post! After many trials and errors, this made my working day a success!
    Thank you

  12. vishnu says:

    Great article!! This helped me.

  13. Balasaheb says:

    Thanks a lot it solves my error.

  14. Matthieu says:

    "I am not sure on what basis a request is labeled Intranet or Extranet by AD FS 3.0" -> did you ever find the answer to this question? I’m wondering the same thing;-)

  15. StfZyl says:

    Hi there, will adfs 3.0 and MS CRM 2015 work?

  16. Tech Guy says:

    Can't thank you enough for this post!!! Solved my MAC issue of not being able to use Federated logins.

  17. @Matthieu,
    If the request comes from the ADFS WAP (Proxy), it’s considered external.

  18. Sergey says:

    Great research! Worked for me.
