
Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

Posted on by 158

CRM 2016 (v9.1) on-prem

When browsing the CRM federation metadata URL from the ADFS server, I get this:

"An error has occurred.

Try this action again. If the problem continues, check the Microsoft Dynamics 365 Community for solutions or contact your organization's Microsoft Dynamics 365 Administrator. Finally, you can contact Microsoft Support."

The security certificate shows as valid.  There's a padlock icon in the browser window.

When configuring the Relying Party Trust on the ADFS server, adding the Federation Metadata URL and clicking the Test button, I get this:

"An error occured during an attempt to read the federation metadata.  Verify that the specified URL or host name is a valid federation metadata endpoint.

Verify you proxy server setting."

All roles are installed on a single CRM server.  No proxy.

How can I determine where the problem lies?

  • WillD44
    RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    Yes.  Same cert for both.

    I think I found the answer here.  I generated a new self-signed cert using New-SelfSignedCertificate and was sure to include the -HashAlgorithm 'SHA256' section in the command.  That seemed to fix it.  I can browse to the CRM metadata URL with no error now.

    I'm still getting a NET::ERR_CERT_AUTHORITY_INVALID error when browsing to the CRM site URL but I'll start a new thread about that.

  • RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    Looks good.

    Then the only reason it would not validate your self-signed cert is because you might not have imported that self-signed cert without private key into the Trusted Root Certification Authorities path on the ADFS machine under local machine and/or current user.

    Do you use the same cert for ADFS ssl and CRM ssl?
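
The two steps discussed in the posts above (a self-signed certificate created with `New-SelfSignedCertificate -HashAlgorithm 'SHA256'`, and its public part imported into Trusted Root Certification Authorities on the ADFS machine), as an added example that is not code from any poster in this thread. The DNS name is the subject quoted in the thread; the file path, key length, validity period and the `-Provider`/`-KeySpec` values are assumptions, the latter chosen because the cmdlet otherwise defaults to a CNG key storage provider.

```powershell
# Added example; run each part in an elevated Windows PowerShell session.
# Assumption: placeholder path; copy the .cer file between servers yourself.
$dnsName = '*.newcrm.mycompany.com'      # subject quoted in the thread
$cerPath = 'C:\temp\crm-selfsigned.cer'  # hypothetical file location

# --- On the CRM server -------------------------------------------------
# SHA-256 signature, key held by a legacy CryptoAPI provider (not CNG).
$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -HashAlgorithm 'SHA256' `
    -NotAfter (Get-Date).AddYears(1)

# Export the public certificate only; a .cer file carries no private key.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Quick checks before binding it in IIS / CRM.
$cert.Subject
$cert.SignatureAlgorithm.FriendlyName    # expect sha256RSA

# --- On the ADFS server (after copying the .cer file there) ------------
# Trust the self-signed certificate for the local machine.
Import-Certificate -FilePath $cerPath `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
```

Importing into `Cert:\LocalMachine\Root` makes every process on that machine trust the certificate, which is why only the private-key-free `.cer` export is moved and why this suits a test environment like the one described here.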

  • WillD44
    RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    Certificate subject = *.newcrm.mycompany.com

    CRM metadata URL = in.newcrm.mycompany.com/.../federationmetadata.xml

  • RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    Hello Will,

    You can always open a standalone ticket if you contact support phone lines (I don't have them right now).

    Coming back to your initial info, are you still having (NET::ERR_CERT_COMMON_NAME_INVALID) if you navigate into CRM metadata?

    That just means you are populating a metadata with a URL that is not contained on the certificate.

    What's the certificate DNS subject and what is your CRM metadata URL?

  • WillD44
    RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    The values are:

    Provider = Microsoft RSA SChannel Cryptographic Provider

    ProviderType = c

    We don't have a support agreement with Microsoft so I don't think a ticket is possible.

    The link for creating a custom CSR looks interesting but since we're seeking a self-signed certificate for our testing environment, I don't think it would help.

  • RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    Hello WillD44 ,

    I've rejected the answer so it's marked as unsolved again.

    It seems it would be better for you to open a support ticket as these scenarios can be challenging to fix and may require additional logs to be reviewed and architecture.

    To check if it's a CNG template:

    certutil -v -store my > c:\temp\cert.txt

    In the text file created, look for the certificate CRM is using and identify 2 values:

    Provider Type = Non-Zero Value (If the value is 0 it is a CNG certificate and wrong)

    Cryptography Service Provider (CSP) = Microsoft RSA SChannel Provider (Encryption) is the right one; if you see a different provider, the certificate may have been created incorrectly

    learn.microsoft.com/.../gg188582(v=crm.6)

    www.mistercloudtech.com/.../
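
The check described in the post above, scripted as an added example (not code from any poster): it reads `certutil -v -store my` output and reports `Provider` and `ProviderType` per certificate, flagging `ProviderType = 0` as CNG. The function name is hypothetical, the sample text is constructed, and the `================ Certificate N ================` separator layout is an assumption about certutil's output; the two field names are the ones quoted in this thread.

```powershell
# Added example: list the key provider of each certificate in a certutil dump.
function Get-CertProviderInfo {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+\s*Certificate\s+(\d+)\s*=+') {
            if ($current) { $current }          # emit the previous certificate
            $current = [pscustomobject]@{
                Index = [int]$Matches[1]; Provider = $null
                ProviderType = $null;     IsCng    = $null
            }
        }
        elseif ($current -and $line -match '^\s*Provider\s*=\s*(.+?)\s*$') {
            $current.Provider = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*ProviderType\s*=\s*([0-9a-f]+)') {
            # certutil prints the type in hex: "c" is 12 (RSA SChannel).
            $current.ProviderType = [Convert]::ToInt32($Matches[1], 16)
            $current.IsCng = ($current.ProviderType -eq 0)
        }
    }
    if ($current) { $current }                  # emit the last certificate
}

# Constructed sample: one legacy CSP certificate, one CNG certificate.
$sample = @'
================ Certificate 0 ================
    Provider = Microsoft RSA SChannel Cryptographic Provider
    ProviderType = c
================ Certificate 1 ================
    Provider = Microsoft Software Key Storage Provider
    ProviderType = 0
'@ -split '\r?\n'

Get-CertProviderInfo -Lines $sample | Format-Table -AutoSize

# On the CRM server itself, feed it the live store instead of the sample:
# Get-CertProviderInfo -Lines (certutil -v -store my) | Where-Object IsCng
```

Certificates without a private key on the machine have no provider lines, so they come back with empty `Provider` and `IsCng` values rather than being flagged.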

  • WillD44
    RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    How can I mark this question as un-answered?

  • WillD44
    RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    How would I know if it's a CNG template?  None was specified when using MakeCert.

  • WillD44
    RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    I checked the TLS settings in Internet Options and they match on the ADFS and CRM servers.

  • RE: Setting up a relying party trust. Error when browsing to Federation Metadata URL of CRM server

    Glad to know.

    Then it probably was because either the self-signed certificate was created using a CNG template (not supported for CRM) or because the ADFS machine didn't have that certificate on the trusted root to trust it.
