Microsoft Dynamics CRM (Archived)

Issues with claims based auth redirecting to wrong URL


I have deployed CRM 2011 with claims-based auth. However, when I try to connect it appears that one part of the process is receiving the wrong URL. I'm doing this through a LB, so that might be a complicating factor, but it doesn't appear to be the primary cause. I'm also using a VeriSign wildcard cert for all certs.

I have the CRM web server on port 444. The default web server (AD FS) is on 443.

On my CRM properties page I have, for all entries:

extcrm.externaldomain:443

The actual server is on 444, but the LB is translating the port from 443 to 444. In the advanced tab I have LB checked, and the external URL of extcrm.externaldomain.

In the claims config I have:

https://adfs.externaldomain/federationmetadata/2007-06/federationmetadata.xml

When I check the federation metadata it shows what appears to be the correct information, as below:

<fed:TargetScopes>
  <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
    <Address>https://extcrm.externaldomain/</Address>
  </EndpointReference>
</fed:TargetScopes>
<fed:ApplicationServiceEndpoint>
  <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
    <Address>https://extcrm.externaldomain/</Address>
  </EndpointReference>
</fed:ApplicationServiceEndpoint>
<fed:PassiveRequestorEndpoint>
  <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
    <Address>https://extcrm.externaldomain/</Address>
  </EndpointReference>
</fed:PassiveRequestorEndpoint>

The address there appears to be driven by the properties setting in CRM, which makes sense to me.

I created a Relying Party as follows:

https://auth.externaldomain/FederationMetadata/2007-06/FederationMetadata.xml

Everything in there appears to be in order. The auth VIP is on a different IP to the extcrm VIP and translates to the correct AD FS website on 443. I'm a little unsure if this is correct or not; should it be pointing to the CRM web server on 444?

Now, what actually happens is: when I hit the external URL I get an error saying "Error adfs.externaldomain There was a problem". In the event logs I get an entry that says:

A token request was received for a relying party identified by the key 'https://emp1crmpin02:444/', but the request could not be fulfilled because the key does not identify any known relying party trust.

Key: https://emp1crmpin02:444/

This request failed.

User Action

If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.

So the token that is being passed to ADFS appears to be the URI of the actual hostname of the CRM server. My problem is that I can't see ANY configs that even show that host name let alone let me change it.

It looks like when I add the Relying Trust that the metadata is incorrect, as the identifier being displayed is the internal host name.

Just to be clear, I have the following config:

External VIP adfs.externaldomain > Default Web Server with AD FS installed at 443

External VIP extcrm.externaldomain > Web Server (same box) at 444

DNS extcrm.externaldomain > External extcrm VIP

DNS adfs.externaldomain > External adfs VIP

DNS auth.externaldomain > External extcrm VIP

DNS dweb.externaldomain > External extcrm VIP


Any suggestions would be greatly appreciated.

Thanks


Dave

  • Jim_Jr
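The event text quoted above is the useful clue: AD FS rejects the request because the identifier the requestor sent (the internal host name on port 444) is not one of the identifiers on any relying party trust, while the published metadata advertises only the external name. The following script, added here as an example and not code from the poster or from Microsoft, pulls the identifiers out of a federation metadata document, pulls the rejected key out of the AD FS event text, and reports whether the key is trusted, merely published, or unknown to both. The metadata document, event text and the trust identifier list are constructed samples shaped like the fragments in the post; in practice the identifier list would come from the relying party trust's Identifier property in AD FS.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# XML namespaces used by WS-Federation metadata (SAML metadata, fed, WS-Addressing).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample: a minimal metadata document shaped like the fragment in the post.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://extcrm.externaldomain/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:ApplicationServiceType">
    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://extcrm.externaldomain/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

# Constructed sample: the AD FS event text quoted in the post, as the log carries it.
SAMPLE_EVENT = """A token request was received for a relying party identified by the key
'https://emp1crmpin02:444/', but the request could not be fulfilled because the key
does not identify any known relying party trust.
Key: https://emp1crmpin02:444/
This request failed."""

# Constructed sample: identifiers configured on the relying party trust in AD FS.
SAMPLE_TRUST_IDENTIFIERS = ["https://extcrm.externaldomain/"]

KEY_RE = re.compile(r"^Key:\s*(\S+)", re.MULTILINE)


def normalize(uri):
    """Canonicalise a URI for comparison: lower-case scheme and host, trailing slash
    on an empty path, so 'HTTPS://Host' and 'https://host/' compare equal."""
    parts = urlsplit(uri.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def metadata_identifiers(xml_text):
    """Collect every identifier the relying party's metadata publishes: the entityID
    plus the Address under TargetScopes, ApplicationServiceEndpoint and
    PassiveRequestorEndpoint."""
    root = ET.fromstring(xml_text)
    found = set()
    entity_id = root.get("entityID")
    if entity_id:
        found.add(normalize(entity_id))
    for section in ("TargetScopes", "ApplicationServiceEndpoint", "PassiveRequestorEndpoint"):
        for addr in root.iterfind(f".//fed:{section}//wsa:Address", NS):
            if addr.text:
                found.add(normalize(addr.text))
    return found


def rejected_keys(event_text):
    """Pull the 'Key: <uri>' values out of AD FS 'unknown relying party' event text."""
    return {normalize(k) for k in KEY_RE.findall(event_text)}


def diagnose(xml_text, trust_identifiers, event_text):
    """For each rejected key, say whether it is trusted, only published, or unknown to
    both, and which host the published identifiers use instead."""
    published = metadata_identifiers(xml_text)
    trusted = {normalize(t) for t in trust_identifiers}
    published_hosts = sorted({urlsplit(p).hostname for p in published})
    report = {}
    for key in sorted(rejected_keys(event_text)):
        if key in trusted:
            report[key] = "trusted"
        elif key in published:
            report[key] = "published-not-trusted"
        else:
            report[key] = f"unknown: host {urlsplit(key).hostname!r} vs published {published_hosts}"
    return report


if __name__ == "__main__":
    for key, verdict in diagnose(SAMPLE_METADATA, SAMPLE_TRUST_IDENTIFIERS, SAMPLE_EVENT).items():
        print(key, "->", verdict)
```

On the sample input the rejected key comes back as "unknown", with the internal host name shown against the external one the metadata publishes, which is exactly the mismatch the poster describes. A "published-not-trusted" verdict would instead point at a stale relying party trust that needs its metadata re-imported, and a "trusted" verdict means the identifier is fine and the problem lies elsewhere (for example prefix or port differences the comparison above does not model). The fix is to make the requestor send the identifier the trust already has, not to add the internal host name as an extra identifier.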

    I know this is a super old thread, however I've just run into the same issue. Not using a load balancer though. Before purchasing a wildcard, I was using self-signed certificates. ADFS and CRM are on two separate boxes. Today I installed the wildcard cert on both servers and reconfigured the relying party trusts and ADFS to use the new DNS entries and new Identifiers. Now every time I navigate to my internal CRM site (internalcrm.mydomain.com), I get the URI error in the ADFS log and it shows that it's still trying to resolve the old Identifier from my self-signed cert. Not sure what to do at this point. Did you ever get your issue resolved? Thanks!

  • massanator

    Same issue here, CRM 2013 SP1. We changed the SP connection on the SAML Server and reran the CRM claims wizard. It validated the new SP metadata URL. However, browsing to CRM... the app still redirects to the original URL? Huh? We even removed and re-added claims, IISReset, reboot, no change!?

  • Suggested answer (Jitendra Sahu)

    You need to update your CRM. Check for update and follow the steps.

    support.microsoft.com/.../2555051

  • Community Member

    Jim_Jr/massanator, was the issue resolved? If yes, could you please share what was done, to help others on this forum.

    best regards,

    harihar
