Microsoft Dynamics CRM (Archived)

SSO Between CRM Deployments

Posted by Paolo Heuer

Hi all,

Has anyone an idea why, when I sign in to a CRM organization in IFD via ADFS (2.0, but I don't think it's a version issue) and then want to sign in to another CRM organization (not in the same CRM deployment) via the same ADFS, I receive an error? Shouldn't it use the same token I already have from the other CRM?

By the way, when I change the organization within the same CRM deployment I get in without issues.


Here is a recap of the infrastructure:

  • Arpita Saini:

    Could you please explain more elaborately? And is this scenario from a machine which is outside the domain, and are you accessing CRM through the internet?

  • Paolo Heuer:

    Yes, I'm on a PC outside the domain and on the internet. (CRM works correctly in IFD with ADFS.)

    Let's say I browse to https://crm1.domain.com -> I authenticate on ADFS -> I get into crm1.

    Now I want to browse to https://crm2.domain.com -> I get an error. I cannot get in without deleting cookies or browsing in private mode.

    I don't understand why crm2 doesn't accept the token issued for crm1. The ADFS and the claims provider (Active Directory) are the same.

  • Wayne Walton:

    What error? Do you have a matching error in the logs on the ADFS or second CRM server? What does the ADFS section look like with your CRM domain info? Does it happen in both directions? (e.g. if you start in CRM2, does CRM1 give you an error?)

    These will help narrow down the bad behavior.

  • Paolo Heuer:

    I have no evidence in the ADFS event viewer of any error or warning log.

    The error I can find is this one:

    <..> ID1014%3a The signature is not valid. The data may have been tampered with.&RequestUri=%2fdefault.aspx&user_lcid=1040 <..>

    It's in the URL that I receive on the second CRM access.

    The error on the CRM page itself is a "retry again later; contact your administrator; contact the Dynamics community" :(

    And yes, it happens in both directions, cross-version (CRM 2011 <-> 2011; CRM 2011 <-> CRM 2013) and with any organization.

    If the organizations are in the same CRM deployment I can log in without logging in again.

  • Neal Santin:

    I'm able to get this to work when both deployments are the same version (2015 - 2015); you need to ensure the NLB flag is on in the deployment properties - Web Address - Advanced page.

    However, once one of the environments was upgraded it failed again (2015 - 2016).

    Using ADFS 3.1

  • K.C. Christiansen:

    I do not see an answer below as fitting your information.  In essence, this is what's happening.

    ADFS will process authentication (AuthN) requests for each deployment. If you are using the IFD URL, then the token is going to assign itself via the CRM FQDN, AuthN domain, and a directory auth. "If" your user authenticates to both Deployment 1 and Deployment 2, CRM will see the SAML token from Deployment 1 and try to use it for Deployment 2. When CRM tries to decrypt that token with your cert, there will be a failure, and thus the security error "The signature is not valid".

    In CRM 2013 UR2+ (CRM 2015 and CRM 2016 UR1.1), they changed the token handling a bit to help prevent some of this behavior; however, if your authentication sources match the same servers, you will continue to get the signature error when users try to access both deployments. You can change your token lifetime settings on ADFS to expire that token, so that as the user logs into the other deployment, they will be prompted to log in again.

    Again, you have probably solved this issue; however, I have had to run 4 different deployments using the same ADFS and directory servers, and I have had to deal with this for quite some time.

    I was hoping that there was a way to handle the change via an F5 iRule or logic on the NLB; however, unless the token can be decrypted, you are stuck.

  • Suggested answer, K.C. Christiansen:

    Ok.  I found the issue.

    1. User logs into CRM Deployment 1
      1. They get a set of MSIAuth tokens to provide the AuthN
    2. User logs into CRM Deployment 2
      1. CRM sees the MSIAuth tokens from CRM Deployment 1 and tries to pass them through to CRM Deployment 2. Through the decryption process, CRM sees the Security Origin from CRM Deployment 1, then appends that to the Response Header. When CRM Deployment 2 reads the Origin URL, the deployment doesn't recognize the URL as a part of the deployment and invalidates the token, thus the error.

    The only way to keep the token active would be to intercept and update the URL to the existing URL. That said, you would be risking additional security violations through the process and cause more problems than help.
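The failure described in K.C. Christiansen's two posts above, modelled as an added example that is not part of this thread and not Microsoft's code: two CRM deployments behind one ADFS, each trusting its own token key, and a browser that presents the auth cookie it received from crm1 to crm2. The hostnames, the keys, the use of HMAC in place of certificate-based signing and encryption, the cookie name AuthToken, the cookie scopes and the user name are all constructed for illustration.

```python
"""Why a token issued for one CRM deployment fails at a second one.

Each relying party (deployment) validates tokens with its own key. If the
browser sends crm1's cookie to crm2, crm2 checks the signature with the
wrong key and reports a signature error instead of redirecting to ADFS.
Everything below is constructed for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed per-deployment keys: stand-ins for each relying party's token
# signing/encryption certificate. Not real key material.
DEPLOYMENT_KEYS = {
    "crm1.domain.com": b"constructed-key-for-deployment-1",
    "crm2.domain.com": b"constructed-key-for-deployment-2",
}
TOKEN_COOKIE = "AuthToken"  # assumed stand-in name for the federation auth cookie
SIGNATURE_ERROR = "ID1014: The signature is not valid. The data may have been tampered with."


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(audience: str, user: str, now: int, lifetime: int = 600) -> str:
    """ADFS side: issue a token for one relying party, protected with that
    party's key (HMAC here, standing in for certificate signing)."""
    claims = {"aud": audience, "sub": user, "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(DEPLOYMENT_KEYS[audience], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def validate_token(token: str, deployment: str, now: int) -> tuple[bool, str]:
    """Relying-party side: verify with this deployment's own key first, then
    check audience and lifetime. A token made for the other deployment fails
    at the first step, which is the ID1014 error quoted in the thread."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(DEPLOYMENT_KEYS[deployment], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return False, SIGNATURE_ERROR
    claims = json.loads(_unb64(body))
    if claims["aud"] != deployment:
        return False, f"token issued for {claims['aud']}, not {deployment}"
    if claims["exp"] <= now:
        return False, "token expired"
    return True, f"ok: {claims['sub']}"


class BrowserCookies:
    """Minimal cookie jar. A cookie scoped to ".domain.com" is sent to every
    host under domain.com; a host-only cookie goes back only to that host."""

    def __init__(self) -> None:
        self._jar: dict[tuple[str, str], str] = {}

    def set(self, scope: str, name: str, value: str) -> None:
        self._jar[(scope, name)] = value

    def for_host(self, host: str) -> dict[str, str]:
        sent = {}
        for (scope, name), value in self._jar.items():
            parent_match = scope.startswith(".") and (host == scope[1:] or host.endswith(scope))
            if parent_match or host == scope:
                sent[name] = value
        return sent


def visit(host: str, user: str, jar: BrowserCookies, cookie_scope: str | None, now: int) -> tuple[bool, str]:
    """One request to a CRM host. A presented cookie is validated before any
    redirect to ADFS, so a foreign token yields an error rather than a fresh
    sign-in. With no cookie the user goes to ADFS and gets a token for this host."""
    presented = jar.for_host(host).get(TOKEN_COOKIE)
    if presented is not None:
        return validate_token(presented, host, now)
    jar.set(cookie_scope or host, TOKEN_COOKIE, issue_token(host, user, now))
    return True, f"signed in via ADFS: {user}"


def cross_deployment(cookie_scope: str | None, now: int = 0) -> dict[str, tuple[bool, str]]:
    """Sign in to crm1, then open crm2 in the same browser session."""
    jar = BrowserCookies()
    return {
        "crm1": visit("crm1.domain.com", "paolo", jar, cookie_scope, now),
        "crm2": visit("crm2.domain.com", "paolo", jar, cookie_scope, now + 5),
    }


if __name__ == "__main__":
    print("cookie scoped to .domain.com:", cross_deployment(".domain.com"))
    print("cookie scoped per host      :", cross_deployment(None))
```

With the cookie scoped to the shared parent domain, crm2 receives crm1's token and returns the signature error; with a host-only cookie, crm2 sees no token, redirects to ADFS and the user is signed in afresh, which is the same effect as clearing cookies or using a private window. The expiry branch in validate_token is the lever the token-lifetime suggestion above relies on: once the first deployment's token has expired, the user is prompted to sign in again.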

  • Hamish Ahern:

    I am getting the same error, any fixes?

  • Bruce Bee:

    I'm getting the same error message now too! It started this morning. CRM Online with ADFS... global issue?
