CRM 2016 (v9.1) on-prem
When browsing the CRM federation metadata URL from the AFDS server, I get this:
"An error has occurred. Try this action again. If the problem continues, check the Microsoft Dynamics 365 Community for solutions or contact your organization's Microsoft Dynamics 365 Administrator. Finally, you can contact Microsoft Support."
The security certificate shows as valid. There's a padlock icon in the browser window.
When configuring the Relying Party Trust on the ADFS server, adding the Federation Metadata URL and clicking the Test button, I get this:
"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.
Verify your proxy server setting."
All roles are installed on a single CRM server. No proxy.
How can I determine where the problem lies?
Hello WillD44,
Hope you are well.
Does the federation metadata URL open in a browser on the CRM server directly?
If not, you can ignore ADFS for now; that would mean your "auth" federation metadata URL is not properly configured.
When the CRM metadata URL does open in a browser on the ADFS server but does not validate when adding the relying party, it normally means there is a communication problem, such as mismatched TLS versions between the two.
It will open on the CRM server if you ignore the security warning about the certificate not being valid. (NET::ERR_CERT_COMMON_NAME_INVALID)
This is a self-signed wildcard certificate (created with MakeCert) that resides in both the Personal and Trusted Root stores on both the ADFS and CRM servers. The CRM and ADFS app pool accounts have read rights to the private key.
Glad to know.
Then it probably was because either the self-signed certificate was created using a CNG template (not supported for CRM) or because the ADFS machine didn't have that certificate in its Trusted Root store to trust it.
I checked the TLS settings in Internet Options and they match on the ADFS and CRM servers.
How would I know if it's a CNG template? None was specified when using MakeCert.
How can I mark this question as un-answered?
I've rejected the answer so it's marked as unsolved again.
It seems it would be better for you to open a support ticket, as these scenarios can be challenging to fix and may require additional logs and the architecture to be reviewed.
To check if it's a CNG template:
certutil -v -store my > c:\temp\cert.txt
In the text file created, search for the certificate CRM is using and identify 2 values:
Provider Type = non-zero value (if the value is 0 it is a CNG certificate and wrong)
Cryptography Service Provider (CSP) = Microsoft RSA SChannel Provider (Encryption) is the right one; if you see a different provider the certificate may have been created wrongly.
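The certutil check above can also be done from PowerShell without reading through the dump file. The script below is an added example, not part of the reply above or of any Microsoft tooling: it walks the Local Machine Personal store, opens each certificate's RSA private key and reports whether the key lives in a legacy CSP (what certutil shows as a non-zero Provider Type, e.g. 0xc for the Microsoft RSA SChannel Cryptographic Provider) or in a CNG key storage provider (Provider Type 0). The function name and the subject filter are assumptions for illustration. Run it elevated on the CRM server with an account that can read the private keys.

```powershell
# Added example (not from the thread). Reports how the private key of each
# matching certificate is stored: CSP/CAPI (certutil "Provider Type" != 0)
# versus CNG/KSP (certutil "Provider Type" = 0), which the reply above says
# CRM does not support.
function Get-CertKeyProviderInfo {
    param(
        # Wildcard subject filter; the CRM wildcard name is an assumption for illustration.
        [string]$SubjectLike = '*',
        [string]$StorePath   = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like $SubjectLike } | ForEach-Object {
        $cert = $_
        $info = [ordered]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
            HasPrivateKey = $cert.HasPrivateKey
            KeyStorage    = 'n/a'
            Provider      = 'n/a'
            ProviderType  = 'n/a'
            LegacyCspKey  = $false   # $true is what the reply above calls the "right" kind
        }

        if ($cert.HasPrivateKey) {
            try {
                # .NET 4.6+ returns RSACryptoServiceProvider for CSP keys and RSACng for CNG keys.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $info.KeyStorage   = 'CSP (CAPI)'
                    $info.Provider     = $key.CspKeyContainerInfo.ProviderName
                    $info.ProviderType = ('0x{0:x} ({0})' -f $key.CspKeyContainerInfo.ProviderType)
                    $info.LegacyCspKey = ($key.CspKeyContainerInfo.ProviderType -ne 0)
                } elseif ($key -is [System.Security.Cryptography.RSACng]) {
                    $info.KeyStorage   = 'CNG (KSP)'
                    $info.Provider     = $key.Key.Provider.Provider
                    $info.ProviderType = '0x0 (0)'
                    $info.LegacyCspKey = $false
                } else {
                    $info.KeyStorage   = "unexpected key type $($key.GetType().Name)"
                }
            } catch {
                # Typically an access-denied on the key container: run elevated / as the app pool account.
                $info.KeyStorage = "unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$info
    }
}

# Usage: inspect only the CRM wildcard certificate (subject taken from the thread).
Get-CertKeyProviderInfo -SubjectLike '*newcrm.mycompany.com*' | Format-List
```

A certificate whose key lives in a CNG provider will show KeyStorage "CNG (KSP)" with a provider such as "Microsoft Software Key Storage Provider"; the poster's values further down (Microsoft RSA SChannel Cryptographic Provider, ProviderType c) correspond to KeyStorage "CSP (CAPI)" and ProviderType 0xc (12).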
The values are:
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
We don't have a support agreement with Microsoft so I don't think a ticket is possible.
The link for creating a custom CSR looks interesting but since we're seeking a self-signed certificate for our testing environment, I don't think it would help.
You can always open a standalone ticket if you contact the support phone lines (I don't have them right now).
Coming back to your initial info, are you still having (NET::ERR_CERT_COMMON_NAME_INVALID) if you navigate into CRM metadata?
That just means you are populating a metadata with a URL that is not contained on the certificate.
What's the certificate DNS subject and what is your CRM metadata URL?
Certificate subject = *.newcrm.mycompany.com
CRM metadata URL = in.newcrm.mycompany.com/.../federationmetadata.xml
Then the only reason it would not validate your self-signed cert is that you might not have imported that self-signed cert (without the private key) into the Trusted Root Certification Authorities store on the ADFS machine, under Local Machine and/or Current User.
Do you use the same cert for ADFS SSL and CRM SSL?
Yes. Same cert for both.
I think I found the answer here. I generated a new self-signed cert using New-SelfSignedCertificate and was sure to include the -HashAlgorithm 'SHA256' section in the command. That seemed to fix it. I can browse to the CRM metadata URL with no error now.
I'm still getting a NET::ERR_CERT_AUTHORITY_INVALID error when browsing to the CRM site URL but I'll start a new thread about that.
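For readers landing on this thread with the same problem, the following is an added example (not the poster's exact command) of generating a self-signed test certificate the way the resolution above describes: SHA-256 signature, RSA key in a legacy CSP rather than a CNG key storage provider, and subject alternative names covering both the wildcard and the exact CRM host from this thread. It assumes the Windows Server 2016 or later version of New-SelfSignedCertificate (the one that accepts -HashAlgorithm and -Provider); the file paths, friendly name and PFX password are placeholders. It then shows the two distribution steps discussed in the thread: the public part goes into Trusted Root on every machine that must trust it, and the private key only to the servers terminating TLS.

```powershell
# Added example (not the poster's command). Test-environment self-signed
# certificate with a CSP-backed RSA key and a SHA-256 signature, then
# trust-store distribution. Run elevated on the server that will own the key.

$dnsNames    = @('*.newcrm.mycompany.com', 'in.newcrm.mycompany.com')  # names taken from the thread
$cerPath     = 'C:\temp\newcrm-test.cer'   # placeholder: public certificate (no private key)
$pfxPath     = 'C:\temp\newcrm-test.pfx'   # placeholder: certificate plus private key
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

$cert = New-SelfSignedCertificate `
    -DnsName           $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName      'newcrm test (self-signed)' `
    -HashAlgorithm     'SHA256' `
    -KeyAlgorithm      'RSA' `
    -KeyLength         2048 `
    -KeySpec           'KeyExchange' `
    -Provider          'Microsoft RSA SChannel Cryptographic Provider' `
    -KeyExportPolicy   'Exportable' `
    -KeyUsage          'DigitalSignature','KeyEncipherment' `
    -NotAfter          (Get-Date).AddYears(2)

# Sanity check: a CSP-backed key surfaces as RSACryptoServiceProvider; a CNG key would be RSACng.
$keyType = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert).GetType().Name
"Thumbprint: $($cert.Thumbprint)  Signature: $($cert.SignatureAlgorithm.FriendlyName)  Key: $keyType"

# 1) Public part -> Trusted Root Certification Authorities on every machine that
#    must trust it (CRM server, ADFS server, the workstation used for testing).
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2) Private key -> only the servers that terminate TLS for these names.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
# On the second server, after copying both files:
#   Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
#   Import-Certificate    -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
# Then grant the CRM and ADFS application pool accounts read access to the private key,
# bind the certificate to the HTTPS sites, and re-run the relying party metadata test.
```

Because the browser trusts a self-signed certificate only if its public part is in the Trusted Root store of the machine doing the browsing, the .cer import in step 1 is also what any test workstation needs; the PFX should not leave the servers.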