Microsoft Dynamics CRM (Archived)

ADFS not redirecting back to CRM


Hi All,

Scenario: CRM2013 UR2, ADFS 3

When I try to log on from "the outside", ADFS authenticates the account, but it doesn't redirect back to CRM. I know ADFS is authenticating, because it gives me a message if I type a wrong password.
There are no error messages/log entries anywhere (ADFS or CRM).

Internally everything works.

This was working before, all I did was replace the certificate (same wildcard for ADFS and CRM).
Anyone seen this before or have an idea?

Thx in advance!

  • Morne Wolfaardt

    Did you refresh your ADFS services? And also, did you do an IIS reset after that? Make sure that the sites are under your trusted sites and that you have cleared your cache.

  • amos.max

    Thx for your reply.

    I'm assuming by "refresh" you mean restart the Windows service? Yes - and yes to your other suggestions as well (already tried all the "simple" stuff).

  • Ragnar Hilmarsson

    Hi Amos

    Try to run the Configure Internet-Facing Deployment wizard again in Deployment Manager.

  • amos.max

    Hello Ragnar,

    thx for your reply, but I already tried that. As I mentioned, I already tried all the "simple" stuff.

    I also already tried deleting and recreating the IFD Relying party trust. But when looking at the Federation metadata the correct targets are listed, so I'm thinking this is an ADFS and not a CRM problem.

    When tracing the connection in Fiddler, I can see the 302 response from ADFS after authentication, but the target points at the ADFS (sts.mydomain.com/....), not at the CRM server.

  • Bruno Lucas

    What info is displayed on the screen when you browse the ADFS URL? Do you have any firewalls redirecting things between ADFS and CRM?

    technet.microsoft.com/.../cc778709(v=ws.10).aspx

    The Federation Service URL is used by clients to access a server in the resource Federation Service. This URL has the form fullyqualifieddomainname/.../ls

    The ADFS Web server issues a standard HTTP 302 REDIRECT to the client, which directs the client to the resource federation server. This redirect occurs to the resource federation server because the ADFS Web server knows about only its own federation server and requires that incoming ADFS tokens are signed by its federation server. The ADFS client is able to communicate with the resource federation server because it trusts the CA that issues the SSL server certificate for the resource federation server. As in Step 1 (Verify Connectivity and Initial Request from the Client), if the client fails to contact the resource federation server, an error appears and the URL on the browser indicates the point of failure. Common errors are DNS failures and 401 access denied. In this case, use the tests that are described in step 1.

  • amos.max

    Bruno,

    this is a more accurate description of the scenario: www.microsoft.com/.../details.aspx (pg. 12)

    In this diagram, everything works as expected up to step 8. As I mentioned, step 8 is a 302 response, but the target in the response is not the CRM server, it's the ADFS url (sts.mydomain.com).

    In other words:

    1. anonymous request to CRM (crm.domain.com)

    2. Redirect to ADFS; ADFS logon screen is shown on client (sts.domain.com)

    3. Enter credentials, authenticated (wrong password results in bad pw message)

    4. 302 redirect sent back to client, but target is ADFS (sts.domain.com)
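
One way to check a saved browser trace for the symptom described in the post above (after the credential POST the redirect target is the ADFS host and no later request reaches CRM). This is an added example, not code from the thread; the `analyze` helper, the `TRACE` sample and the hostnames are assumptions built from the placeholders the posters use.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

# Constructed sample, not taken from the thread: (method, URL, status, Location).
SIGNIN = ("https://sts.domain.com/adfs/ls/?wa=wsignin1.0"
          "&wtrealm=https%3A%2F%2Fcrm.domain.com%2F"
          "&wreply=https%3A%2F%2Fcrm.domain.com%2F")
TRACE = [
    ("GET", "https://crm.domain.com/", 302, SIGNIN),   # steps 1-2: sent to ADFS
    ("GET", SIGNIN, 200, None),                        # logon form shown
    ("POST", SIGNIN, 302, SIGNIN),                     # steps 3-4: 302 targets ADFS
    ("GET", SIGNIN, 200, None),                        # logon form again
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def analyze(trace, rp_host, sts_host):
    """Summarise a sign-in trace (hypothetical helper for this example)."""
    report = {"wtrealm": None, "wreply": None,
              "post_auth_redirects": [], "returned_to_rp": False}
    submitted = False
    for method, url, status, location in trace:
        if host(url) == sts_host and report["wtrealm"] is None:
            # WS-Federation passive parameters carried on the sign-in request.
            query = parse_qs(urlsplit(url).query)
            report["wtrealm"] = query.get("wtrealm", [None])[0]
            report["wreply"] = query.get("wreply", [None])[0]
        if submitted and host(url) == rp_host:
            report["returned_to_rp"] = True      # browser reached CRM again
        if method == "POST" and host(url) == sts_host:
            submitted = True                     # credentials were posted
        if submitted and 300 <= status < 400 and location:
            # Location may be relative; resolve it against the request URL.
            report["post_auth_redirects"].append(host(urljoin(url, location)))
    report["reply_matches_rp"] = host(report["wreply"] or "") == rp_host
    if report["returned_to_rp"]:
        report["verdict"] = "returned_to_rp"
    elif sts_host in report["post_auth_redirects"]:
        report["verdict"] = "stuck_on_sts"
    else:
        report["verdict"] = "inconclusive"
    return report

if __name__ == "__main__":
    print(analyze(TRACE, "crm.domain.com", "sts.domain.com"))
```

The `wtrealm` and `wreply` values it extracts can be compared with the identifier and endpoint configured on the relying party trust.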

  • ChrisR

    Make sure the account your ADFS service is running as has read access to the user object in Active Directory. That solved my issue.

  • amos.max

    Chris,

    thx for responding to this thread after all this time.

    Already tried that (added the service to the Domain Admins group to test).

    And yes, this is still unresolved (using internally only).

    Thx again - M.

  • Claudio (suggested answer)

    Hello

    I had a problem with my lab.

    I could not get the ADFS to redirect to CRM (Forms Authentication was not working correctly). The authentication was happening, I could tell from the DC security event log, but the ADFS would refresh the login page after correct authentication; only internal Windows authentication would work correctly.

    I was able to get everything working by moving the ADFS to a different server, a fresh install of Windows 2012 R2.

    The previous ADFS server was an upgraded Windows 2012 DC (it is a test lab environment) to Windows 2012 R2 (the upgrade was necessary to get WAP working with ADFS).

     
