Microsoft Dynamics CRM 2011 log-in issue due to AD FS Certificate Rollover


Recently we came across an interesting issue where, without anything having been changed on the CRM server or the AD FS server, authentication started failing for all users. Every time we tried to access the CRM external URL or the CRM internal URL we were prompted continuously for credentials at https://<auth.domain.com>.

Once we enter our credentials we receive the following error:-

HTTP Error 401 - Unauthorized Access is denied.

An error has occurred.


We see the following error in the event viewer on the AD FS server (Application and Services Logs -> AD FS 2.0 -> Admin):-

 Exception information:

Exception type: SecurityTokenException

Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)

at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)

at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)

at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)

at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)

at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)

at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 OR

Encountered error during federation passive request. 

Additional Data

Exception details:

Microsoft.IdentityServer.Web.AuthenticationFailedException: ID3034: Authentication failed.

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)   

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)

at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)


The Certificates node in the AD FS management console shows two Token-decrypting and two Token-signing certificates, one with Primary and one with Secondary status:-

[Screenshot: AD FS management console, Certificates node, listing the Primary and Secondary token-decrypting and token-signing certificates]

As you can see, there are two signing certificates; AD FS created the second one automatically because the first was reaching its expiration date. This feature, where AD FS creates a new self-signed certificate when the old one nears expiration, is called Auto Certificate Rollover.

The CRM configuration database still holds the entry for the old certificate, so CRM does not recognise the issuer of tokens signed with the new certificate and authentication fails. The issue is resolved once the database is updated with the new values by re-configuring claims-based authentication.

Cause

The Token-signing and Token-decrypting certificates in AD FS were renewed automatically by the Auto Certificate Rollover feature because they were reaching their expiration date. CRM still holds the issuer entry for the old signing certificate, so tokens signed with the new certificate are rejected with ID4175.
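Because the symptom is a token signed by a certificate the relying party does not recognise, the useful check, both to confirm the diagnosis and to verify the fix afterwards, is to compare the signing certificates AD FS publishes in its federation metadata with the thumbprint CRM was configured to trust. The Python script below is an added example, not code from the original post or from any Microsoft tooling. It parses the KeyDescriptor use="signing" entries of a SAML 2.0 metadata document (the same element path AD FS uses in FederationMetadata.xml), computes their SHA-1 thumbprints, and reports any published signer the relying party does not trust (the ID4175 condition) as well as any trusted thumbprint the identity provider no longer publishes. The entityID, the certificate bytes and the trusted thumbprint are all constructed placeholders; against a live server you would feed it the downloaded metadata and the thumbprint of the certificate you selected when configuring claims-based authentication. It works for any WS-Federation or SAML 2.0 identity provider's metadata, not only AD FS.

```python
# Added example (not from the original post): compare the token-signing
# certificates an IdP publishes in its federation metadata with the
# thumbprint(s) the relying party (the CRM deployment) was configured to trust.
# SAMPLE_METADATA and the certificate bodies are constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder certificate bodies (constructed; not real X.509 DER).
OLD_CERT = base64.b64encode(b"old token-signing certificate (constructed)").decode()
NEW_CERT = base64.b64encode(b"new token-signing certificate (constructed)").decode()
ENC_CERT = base64.b64encode(b"token-decrypting certificate (constructed)").decode()

# Constructed metadata with a hypothetical entityID. Two signing certificates
# are listed, which is what AD FS publishes while a rollover is in progress.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://auth.example.invalid/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{NEW_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{OLD_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{ENC_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(b64_der: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex, the form Windows displays."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha1(der).hexdigest().upper()


def normalize(thumb: str) -> str:
    """Accept thumbprints pasted from the Certificates MMC (spaces, lower case)."""
    return "".join(thumb.split()).upper()


def signing_thumbprints(metadata_xml: str) -> list:
    """Thumbprints of every use="signing" certificate, in document order.

    Encryption (token-decrypting) certificates are deliberately skipped: they
    are a separate trust decision and do not cause the ID4175 failure.
    """
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            thumbs.append(thumbprint(cert.text or ""))
    return thumbs


def check_trust(metadata_xml: str, trusted_thumbprints) -> dict:
    """Report published signers the RP does not trust, and stale trusted ones."""
    published = signing_thumbprints(metadata_xml)
    trusted = {normalize(t) for t in trusted_thumbprints}
    untrusted = [t for t in published if t not in trusted]
    return {
        "published": published,
        # Tokens signed with these fail with ID4175 (issuer not in the
        # IssuerNameRegistry) as soon as AD FS starts signing with them.
        "untrusted_signers": untrusted,
        # Trusted thumbprints the IdP no longer publishes: leftover config.
        "stale_trusted": sorted(trusted - set(published)),
        "rollover_detected": bool(untrusted),
    }


if __name__ == "__main__":
    # Constructed scenario: CRM was configured when OLD_CERT was the only signer.
    report = check_trust(SAMPLE_METADATA, [thumbprint(OLD_CERT)])
    for t in report["published"]:
        state = "NOT trusted by CRM" if t in report["untrusted_signers"] else "trusted"
        print(f"{t}  {state}")
    if report["rollover_detected"]:
        print("Signing certificate rollover detected: re-configure claims-based "
              "authentication and IFD on the CRM server, then update the relying "
              "party trust from federation metadata on the AD FS server.")
```

Run it while the new certificate is still listed as Secondary in AD FS and untrusted_signers already shows the thumbprint that will start failing, which is the moment to re-run the CRM configuration. After re-configuring, the same check against the same metadata should return an empty untrusted_signers list.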

Resolution

In the AD FS management console, update the CRM relying party trusts from their Federation Metadata URLs, then run iisreset on the CRM server. Next, restart the AD FS service.

If the above steps do not resolve the issue, follow the steps below:-

1) On the CRM server, open Deployment Manager and disable Claims-Based Authentication.

2) Run iisreset on the CRM server.

3) Re-configure Claims-Based Authentication from Deployment Manager, keeping all settings the same.

4) Re-configure IFD through Deployment Manager.

5) Run iisreset again on the CRM server.

6) In the AD FS management console on the AD FS server, update the corresponding relying party trusts from their Federation Metadata URLs.


Comments (16)

  1. pogo69 says:

    We discovered this in the worst possible way as our hosted CRM environment became inaccessible about a month ago.

    While the cause was relatively clear, and the remedy not overly difficult to discern, it is good to see it all explained – thanks, Arpita.

  2. Rahul says:

    Hi… I have a wildcard certificate which is going to expire on 21st Nov 2012. So please tell me what are the steps which I have to follow to update the certificate and ADFS 2.0.

    1. Do I have to attach the renewed certificate again to the default website and CRM website?

    2. Do I have to add these entries again to the MMC for Personal and Trusted certificates?

    If not, then do let me know what steps need to be performed, as there are still 20 days until certificate expiration.

    Please help… It's urgent.

  3. Arpita Saini says:

    Hi Rahul,

    Do not confuse the wildcard certificate that you have bound to the CRM and ADFS default websites with the Token-decrypting and Token-signing certificates that you see in the ADFS management console -> Certificates section. So, if the wildcard certificate that you have bought from GoDaddy or any other CA is expiring, then once it expires, or before that, you need to follow the steps below:-

    STEP 1

    Bind the certificate to these websites again: the CRM and ADFS websites.

    Binding the new certificate on both the ADFS and CRM websites:-

    To bind an SSL certificate to the default Web site

    1. Open IIS Manager.
    2. In the Connections pane, expand the Sites node in the tree, and then click the Default Web Site.

    3. In the Actions pane, click Bindings.

    4. In the Site Bindings dialog box, click Add.

    5. Under Type, select https.

    6. Under SSL certificate, select your SSL certificate and then click OK.

    7. Click Close.

    STEP 2

    The CRMAppPool account of each Microsoft Dynamics CRM Web application must have read permission to the private key of the encryption certificate.

    1. On the Microsoft Dynamics CRM Server 2011, create a Microsoft Management Console (MMC) with the Certificates snap-in console that targets the Local computer certificate store.

    2. In the console tree, expand the Certificates (Local Computer) node, expand the Personal store, and then click Certificates.

    3. In the details pane, right-click the encryption certificate specified in the Configure Claims-Based Authentication Wizard, point to All Tasks, and then click Manage Private Keys.

    4. Click Add, add the CRMAppPool account (or select the Network Service account if that is the account you used during Setup), and then grant Read permissions.

    Tip: You can use IIS Manager to determine what account was used during setup for the CRMAppPool account. In the Connections pane, click Application Pools, and then check the Identity value for CRMAppPool.

    5. Click OK.

    STEP 3

    Once you have attached these certificates:

    First:

    Rerun the ADFS configuration in Deployment Manager without any changes, this time selecting the new certificate.

    If the above steps do not resolve the issue, please follow the steps below:-

    1) On the CRM server, go to Deployment Manager.

    2) Re-configure Claims-Based Authentication from Deployment Manager, keeping all the settings the same.

    3) Re-configure IFD through deployment manager.

    4) Do an IISRESET again on CRM server

    Second:

    Update the ADFS Relying party from metadata.

    (Go to the ADFS server -> open the ADFS management console -> Relying Party Trusts -> click Update on all relying party trusts)

  • Arpita Saini says:

    Apart from the wildcard certificate, if the Token-decrypting and Token-signing certificates are going to expire, the ADFS server will handle it by re-creating these certificates, but you need to follow the steps I have mentioned in my blog in the RESOLUTION section.

  • johnywalker says:

    Dear friend, this is a good post and this post is really appreciative and informative. I am interested in this post too much.

    Certificate Authentication: http://www.attestationcertificate.in/…/

  • johnywalker says:

    Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.

  • Arpita Saini says:

    Thanks so much, Johny Walker. So, you will get a few other blogs on ADFS soon.

  • Thanks a ton, Arpita. I had been stuffing around with this issue since morning. It would have saved me half a day if only I had found your article before.

    Thanks

    Sapan

  • Thanks Very Much

    Carlos Dugarte

    CCS,

  • Santy says:

    It helped me during Production deployment. Thank you so much.

  • Arpita says:

    Thanks Guys! I'm happy that this blog helped you guys for fixing issue in your production environment.

  • Krish says:

    Hi,

    I am using a different IdP for WS-Federation, but the IdP does not support encrypted assertions. Is there a way to disable the encryption requirement in CRM?

    Thanks,

  • Aman Sahota says:

    very Interesting 🙂

  • Ricardo says:

    Reference number 08d1b212-103e-4b14-8a33-27be9fc9fd9e

    My CRM 2011 shows me this, why?

  • Arpita says:

    Hi Ricardo,

    The reference number will not help. Can you go to the ADFS server -> Event Viewer -> Application and Services Logs -> Admin -> ADFS and check the error there every time you get an error in the UI?
