Troubleshoot Microsoft Dynamics CRM Server IFD


Applies To: Dynamics CRM 2013


A quick checklist

Did you…

Configure DNS records?
    Reference: See “DNS configuration” in the downloadable document

Install and bind your certificate on the Microsoft Dynamics CRM website?
    Reference: See “Certificate selection and requirements” in the downloadable document

Add an AD FS signing certificate as a trusted certificate under the CRMAppPool account profile?
    Reference: See “Enable AD FS token signing” in the downloadable document

Change the binding type for Microsoft Dynamics CRM websites to HTTPS and use the correct web addresses in Deployment Manager?
    Reference: Configure the Microsoft Dynamics CRM Server for IFD

Give the CRMAppPool account the rights to use an existing certificate used by Microsoft Dynamics CRM as the signing certificate? This could be the wildcard certificate installed on the Microsoft Dynamics CRM server.
    Reference: Configure the Microsoft Dynamics CRM Server for claims-based authentication

Run the Configure Claims-Based Authentication Wizard from Microsoft Dynamics CRM Deployment Manager? Have you specified the correct URL in this wizard? Have you selected the appropriate encryption certificate?
    Reference: Configure the Microsoft Dynamics CRM Server for claims-based authentication

Configure relying party trusts in AD FS for the Microsoft Dynamics CRM internal claims endpoint? Have you provided the correct URL for the Microsoft Dynamics CRM IFD claims endpoint? Have you set up the correct rules for the relying party trusts?
    Reference: Configure the AD FS server for claims-based authentication; Configure the AD FS server for IFD

AD FS

Use the following to verify your AD FS settings.

Review AD FS events

  1. Open Event Viewer.

  2. Expand Applications and Services Logs. Expand AD FS. Click Admin.

  3. Review the events looking for errors.

Events such as Event ID 184 describing an unknown relying party trust could indicate missing host records in DNS or incorrect path configuration for the relying party’s federation metadata URL.

Verify relying party trust identifiers

  1. Open the AD FS Management console.

  2. Under Trust Relationships, click Relying Party Trusts. Verify the relying party trusts are enabled and not displaying an alert.

  3. Right-click the relying party trust and click Properties. Click the Identifiers tab. You should see identifiers like the following.

    Relying party trust for claims: internalcrm.contoso.com

    Relying party trust for IFD: auth.contoso.com

If your identifiers aren’t similar to the above examples, check the path entered for the relying party’s federation metadata URL on the Monitoring tab and check your DNS records.

When attempting an internal claims-based authentication connection, you might be prompted for your credentials. Try the following steps.

Resolve prompt for credentials

  1. Add the website address for the AD FS server (for example, https://sts1.contoso.com) to the Trusted Intranet Zone in Internet Explorer.

  2. Turn off Extended Protection. On the server running IIS for the Microsoft Dynamics CRM website:

    Turn off extended protection on the Microsoft Dynamics CRM website.

    1. Open IIS.

    2. Select the Microsoft Dynamics CRM website.

    3. Under IIS, double-click Authentication.

    4. Right-click Windows Authentication, and then click Advanced Settings.

    5. Set Extended Protection to Off.

For more AD FS troubleshooting information

  1. See the following: Troubleshoot AD FS 2.0

HTTP Error 401.1 - Unauthorized: Access is denied

If the Microsoft Dynamics CRM website fails to display or produces the following error: HTTP Error 401.1 - Unauthorized: Access is denied, there are two steps to try to resolve this issue:

  1. You might need to update the Federation metadata URLs and do an IIS reset. See KB2686840.

  2. You might need to register the AD FS server as a service principal name (SPN). See “Register the AD FS server as a service principal name (SPN)” in the downloadable document.

Time differs between two servers

An authentication error can occur if the time between the AD FS and the Microsoft Dynamics CRM server differs by more than 5 minutes. See Windows Time Service Technical Reference for information on how to configure time synchronization on your servers.
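The AD FS checks above (Admin log events, relying party trust identifiers) and the clock-skew check in this section can be scripted. The following is an added diagnostic script, not part of the original page or of the Dynamics CRM product; the host names, the CRM server name and the expected identifiers are placeholders modelled on the page's contoso.com examples and must be changed to match your deployment. It assumes the AD FS PowerShell module (AD FS 2.0 exposes the same cmdlets through the Microsoft.Adfs.PowerShell snap-in and logs to "AD FS 2.0/Admin" instead of "AD FS/Admin").

```powershell
# Added IFD diagnostic script (not from the original page). Run elevated on the AD FS server.
param(
    [string]   $CrmServer = 'crmserver.contoso.com',   # assumed CRM server name
    [string[]] $Hosts     = @('internalcrm.contoso.com', 'auth.contoso.com', 'sts1.contoso.com'),
    [string[]] $ExpectedIdentifiers = @('https://internalcrm.contoso.com/', 'https://auth.contoso.com/'),
    [string]   $AdfsAdminLog = 'AD FS/Admin'            # 'AD FS 2.0/Admin' on AD FS 2.0
)

# 1. DNS records: every CRM/IFD/AD FS host name on the checklist must resolve.
foreach ($h in $Hosts) {
    try {
        $ip = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
        Write-Host "[OK]   $h -> $ip"
    } catch { Write-Warning "[FAIL] $h does not resolve: $($_.Exception.Message)" }
}

# 2. Clock skew: authentication fails when AD FS and CRM differ by more than 5 minutes.
#    w32tm /stripchart /dataonly prints one "time, +/-offset s" line per sample.
$sample = (w32tm /stripchart /computer:$CrmServer /samples:1 /dataonly) | Select-Object -Last 1
if ($sample -match '([-+]?\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt 300) { Write-Warning "[FAIL] clock offset to $CrmServer is $skew s (limit 300 s)" }
    else               { Write-Host    "[OK]   clock offset to $CrmServer is $skew s" }
} else { Write-Warning "[FAIL] could not measure clock offset to $CrmServer ($sample)" }

# 3. AD FS Admin log: list errors from the last day; Event ID 184 (unknown relying party)
#    points at DNS host records or the relying party's federation metadata URL.
$filter = @{ LogName = $AdfsAdminLog; Level = 2; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 4. Relying party trusts: each must be enabled and carry the expected identifier.
Import-Module ADFS -ErrorAction SilentlyContinue     # AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell
$trusts = Get-AdfsRelyingPartyTrust
foreach ($rp in $trusts) {
    $state = if ($rp.Enabled) { 'enabled' } else { 'DISABLED' }
    Write-Host "$($rp.Name) [$state]: $($rp.Identifier -join ', ')"
}
$present = $trusts | ForEach-Object { $_.Identifier }
foreach ($id in $ExpectedIdentifiers) {
    if ($present -notcontains $id) { Write-Warning "[FAIL] no relying party trust has identifier $id" }
}
```

A [FAIL] line maps back to the checklist row it tests (DNS, time synchronization, relying party trust identifiers), so the remaining manual steps in this article are only needed for the rows that fail.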

See Also

Configure IFD for Microsoft Dynamics CRM 2013