
Setting up a relying party trust. Error when browsing to Federation Metatadata URL of CRM server

Posted by WillD44

CRM 2016 (v9.1) on-prem

When browsing the CRM federation metadata URL from the ADFS server, I get this:

"An error has occurred.

Try this action again. If the problem continues, check the Microsoft Dynamics 365 Community for solutions or contact your organization's Microsoft Dynamics 365 Administrator. Finally, you can contact Microsoft Support."

The security certificate shows as valid. There's a padlock icon in the browser window.

When configuring the Relying Party Trust on the ADFS server, adding the Federation Metadata URL and clicking the Test button, I get this:

"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.

Verify your proxy server setting."

All roles are installed on a single CRM server.  No proxy.

How can I determine where the problem lies?

  • Pedro Cadavez de Freitas (suggested answer):

    Hello WillD44 ,

    Hope you are well.

    Does the federation metadata URL open in a browser on the CRM server directly?

    If not, you can ignore ADFS for now; that would mean your "auth" federation metadata URL is not properly configured.

    When the CRM metadata URL does open in a browser on the ADFS server but does not validate when adding the relying party, it normally means there is a communication problem, such as mismatched TLS versions between the two.

  • WillD44:

    It will open on the CRM server if you ignore the security warning about the certificate not being valid. (NET::ERR_CERT_COMMON_NAME_INVALID)

    This is a self-signed wildcard certificate (created with MakeCert) that resides in both the personal and trusted root stores on both the ADFS and CRM servers. CRM and ADFS app pool accounts have read rights to the private key.

  • Pedro Cadavez de Freitas:

    Glad to know.

    Then it was probably because either the self-signed certificate was created using a CNG template (not supported for CRM) or the ADFS machine didn't have that certificate in its trusted root store.

  • WillD44:

    I checked the TLS settings in Internet Options and they match on the ADFS and CRM servers.

  • WillD44:

    How would I know if it's a CNG template?  None was specified when using MakeCert.

  • WillD44:

    How can I mark this question as un-answered?

  • Pedro Cadavez de Freitas:

    Hello WillD44 ,

    I've rejected the answer so it's marked as unsolved again.

    It seems it would be better for you to open a support ticket, as these scenarios can be challenging to fix and may require additional logs and the architecture to be reviewed.

    To check if it's a CNG template:

    certutil -v -store my > c:\temp\cert.txt

    In the text file created, search for the certificate CRM is using and identify 2 values:

    Provider Type = non-zero value (if the value is 0 it is a CNG certificate and wrong)

    Cryptography Service Provider (CSP) = Microsoft RSA SChannel Provider (Encryption) is the right one; if you see a different provider, the certificate may have been created incorrectly

    learn.microsoft.com/.../gg188582(v=crm.6)

    www.mistercloudtech.com/.../
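The CSP-versus-CNG check described in the reply above, carried out as an added PowerShell example (this is not code from the thread, from Microsoft's documentation, or from the linked articles). It runs the same certutil query but scoped to one certificate, then cross-checks the result through .NET, which returns an RSACryptoServiceProvider for a CSP key and an RSACng for a CNG key on .NET Framework. Assumptions: Windows PowerShell 5.1 run elevated on the CRM server (PowerShell 7 wraps every key as RSACng and would defeat the cross-check), the certificate subject `CN=*.newcrm.mycompany.com` that WillD44 reports later in the thread, and the standard machine-key folders under %ProgramData% for locating the key file whose ACL the app pool identities need Read on.

```powershell
# Added example (Windows PowerShell 5.1, run elevated on the CRM server); not code from the thread.
# Assumption: the CRM web site uses the certificate with subject 'CN=*.newcrm.mycompany.com',
# the value WillD44 reported in this thread. Adjust $SubjectPattern for your environment.
$SubjectPattern = '^CN=\*\.newcrm\.mycompany\.com'

function Get-PrivateKeyProviderInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # 1) certutil, as suggested in the thread, but limited to this one certificate (CertId = SHA-1 thumbprint)
    $text = (certutil -v -store my $Certificate.Thumbprint) -join "`n"
    $provMatch = [regex]::Match($text, '(?m)^\s*Provider\s*=\s*(.+?)\s*$')
    $typeMatch = [regex]::Match($text, '(?m)^\s*ProviderType\s*=\s*([0-9a-fA-F]+)')
    $certutilProvider = if ($provMatch.Success) { $provMatch.Groups[1].Value } else { $null }
    # certutil prints ProviderType in hex: 'c' is 12 = PROV_RSA_SCHANNEL; 0 means a CNG (KSP) key
    $certutilType = if ($typeMatch.Success) { [Convert]::ToInt32($typeMatch.Groups[1].Value, 16) } else { $null }

    # 2) Cross-check through .NET: on .NET Framework a CSP key comes back as RSACryptoServiceProvider,
    #    a CNG key as RSACng (PowerShell 7 / .NET Core returns RSACng for both, so use 5.1 here)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { throw "Private key of $($Certificate.Thumbprint) is not accessible (run elevated)" }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyApi = 'CSP'
        $info = $rsa.CspKeyContainerInfo
        $netProvider = $info.ProviderName
        $netType = [int]$info.ProviderType
        # Assumed location of CSP machine keys; this is the file the app pool identities need Read on
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    } else {
        $keyApi = 'CNG'
        $netProvider = $rsa.Key.Provider.Provider
        $netType = 0
        # Assumed location of software KSP machine keys
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }

    [pscustomobject]@{
        Thumbprint       = $Certificate.Thumbprint
        Subject          = $Certificate.Subject
        CertutilProvider = $certutilProvider
        CertutilType     = $certutilType
        KeyApi           = $keyApi
        DotNetProvider   = $netProvider
        DotNetType       = $netType
        KeyFile          = $keyFile
        # The combination the thread calls correct: a CSP key, non-zero type, RSA SChannel provider
        LooksRightForCrm = ($keyApi -eq 'CSP' -and $netType -ne 0 -and
                            $netProvider -eq 'Microsoft RSA SChannel Cryptographic Provider')
    }
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $SubjectPattern -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching $SubjectPattern with a private key in LocalMachine\My" }

$result = Get-PrivateKeyProviderInfo -Certificate $cert
$result | Format-List
# Confirm the CRM and ADFS app pool identities actually have Read on the key file
(Get-Acl -Path $result.KeyFile).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```

The values WillD44 reports further down (Provider = Microsoft RSA SChannel Cryptographic Provider, ProviderType = c) would come back as KeyApi CSP, DotNetType 12 and LooksRightForCrm True, which rules the CNG theory out for that certificate; the ACL listing at the end is the quickest way to confirm the "read rights to the private key" claim rather than assuming it.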

  • WillD44:

    The values are:

    Provider = Microsoft RSA SChannel Cryptographic Provider

    ProviderType = c

    We don't have a support agreement with Microsoft so I don't think a ticket is possible.

    The link for creating a custom CSR looks interesting but since we're seeking a self-signed certificate for our testing environment, I don't think it would help.

  • Pedro Cadavez de Freitas:

    Hello Will,

    You can always open a standalone ticket if you contact the support phone lines (I don't have them right now).

    Coming back to your initial info, are you still getting (NET::ERR_CERT_COMMON_NAME_INVALID) if you navigate to the CRM metadata?

    That just means you are populating the metadata with a URL that is not contained in the certificate.

    What's the certificate DNS subject and what is your CRM metadata URL?

  • WillD44:

    Certificate subject = *.newcrm.mycompany.com

    CRM metadata URL = in.newcrm.mycompany.com/.../federationmetadata.xml
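The name check Pedro asks about, as an added PowerShell example (not code from the thread). NET::ERR_CERT_COMMON_NAME_INVALID is a Chromium error, and Chromium-based browsers validate the host name only against the Subject Alternative Name extension, never against the subject CN; MakeCert does not emit a SAN extension, so a MakeCert certificate fails this check even when its CN would match. The script reads the SAN dNSName entries straight out of the DER (which avoids the locale-dependent text of the extension's Format() output), applies the usual one-label wildcard rule, and reports the CN and SAN results separately; the helper at the end creates a replacement test certificate with the wildcard in the SAN and a CSP key. Assumptions: the subject `*.newcrm.mycompany.com` and host `in.newcrm.mycompany.com` from the reply above, Windows PowerShell 5.1, and the Windows Server 2016 or later version of New-SelfSignedCertificate (the -Subject, -KeySpec and -Provider parameters are not in the 2012 R2 version); the helper's parameters are the author's choice, not something the thread specifies.

```powershell
# Added example (Windows PowerShell 5.1); not code from the thread.
# Assumed values, taken from WillD44's last reply: subject '*.newcrm.mycompany.com' and
# metadata host 'in.newcrm.mycompany.com'. The DER walk and the matching rule are generic.

function Read-DerLength([byte[]]$Bytes, [int]$Pos) {
    # Returns @(contentLength, lengthFieldSize) for the DER length that starts at $Pos
    $first = [int]$Bytes[$Pos]
    if ($first -lt 0x80) { return @($first, 1) }
    $n = $first -band 0x7F; $len = 0
    for ($k = 1; $k -le $n; $k++) { $len = ($len -shl 8) -bor [int]$Bytes[$Pos + $k] }
    return @($len, 1 + $n)
}

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate) {
    # Collects dNSName entries (context tag [2] = 0x82) from the SAN extension (OID 2.5.29.17)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return ,@() }                 # no SAN extension at all: the MakeCert case
    $b = $ext.RawData
    if ($b[0] -ne 0x30) { throw 'SAN extension does not start with a SEQUENCE' }
    $l = Read-DerLength $b 1
    $pos = 1 + $l[1]; $end = $pos + $l[0]
    $names = @()
    while ($pos -lt $end) {
        $tag = $b[$pos]
        $l = Read-DerLength $b ($pos + 1)
        $valStart = $pos + 1 + $l[1]
        if ($tag -eq 0x82) { $names += [System.Text.Encoding]::ASCII.GetString($b, $valStart, $l[0]) }
        $pos = $valStart + $l[0]                   # skip IP, email, URI and other GeneralName types
    }
    return ,$names
}

function Test-HostnameMatch([string]$Pattern, [string]$HostName) {
    # RFC 6125 style: a leading '*.' stands for exactly one label; nothing else is wildcarded
    $p = $Pattern.ToLowerInvariant(); $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if (-not $p.StartsWith('*.')) { return $false }
    $suffix = $p.Substring(1)                                   # '.newcrm.mycompany.com'
    if (-not $h.EndsWith($suffix)) { return $false }
    $left = $h.Substring(0, $h.Length - $suffix.Length)         # 'in' for in.newcrm.mycompany.com
    return ($left.Length -gt 0 -and -not $left.Contains('.'))  # rejects newcrm.mycompany.com and a.b.newcrm...
}

function Test-CertificateHostname([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$HostName) {
    if (-not $Certificate) { throw 'No certificate supplied' }
    $san = @(Get-SanDnsNames $Certificate)
    $cn  = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanOk = [bool]($san | Where-Object { Test-HostnameMatch $_ $HostName })
    [pscustomobject]@{
        HostName       = $HostName
        SubjectCN      = $cn
        SanDnsNames    = ($san -join ', ')
        CnMatches      = Test-HostnameMatch $cn $HostName
        SanMatches     = $sanOk
        # Chromium-based browsers consult only the SAN; a CN-only match shows as NET::ERR_CERT_COMMON_NAME_INVALID
        BrowserAccepts = $sanOk
    }
}

function New-CrmTestCertificate([string]$Wildcard = '*.newcrm.mycompany.com') {
    # Replacement for the MakeCert certificate, test environments only: the wildcard goes into the SAN
    # (what browsers evaluate) and the key is created with the RSA SChannel CSP instead of the default
    # Key Storage Provider, i.e. a CSP rather than a CNG key. Parameters are this example's assumptions.
    New-SelfSignedCertificate -DnsName $Wildcard -Subject "CN=$Wildcard" `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec KeyExchange -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
        -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2)
}

# Usage against the certificate currently bound to CRM (subject from the thread; assumption)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match '^CN=\*\.newcrm\.mycompany\.com' } | Select-Object -First 1
Test-CertificateHostname -Certificate $cert -HostName 'in.newcrm.mycompany.com' | Format-List
# If SanMatches is False: New-CrmTestCertificate, bind the new certificate in IIS, import its public
# part into Trusted Root on both servers, and re-run the check before retrying the relying party test.
```

For the values in the thread, CnMatches comes back True (the wildcard covers the single label `in`) while SanMatches depends on whether the certificate carries a SAN at all; a MakeCert certificate reports an empty SanDnsNames and BrowserAccepts False, which is the state the browser error describes. The ADFS metadata reader and the browser are two different TLS clients, so a certificate that satisfies this check still has to be trusted by the ADFS machine's root store for the Test button to succeed.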

