Microsoft Dynamics CRM (Archived)

Claims Based Authentication - Relying Party Identifier not correct


Hi,

I am currently trying to set up CRM 2015 for claims based authentication. All seems to be going well until I create the relying party in ADFS. When I enter the URL from the log file after configuring in deployment manager, according to the documentation this is supposed to generate just one identifier of the format internalcrm.contoso.com. However mine generates 6 identifiers, none in this format. Of course then when I try to navigate to CRM it fails and in the event log it says the identifier is not found :-(

Identifiers.png

my internal url is internalcrm (same as the documentation)

my adfs url is sts1 (again same as the documentation)

I am not sure where it gets http://sts. from in the first identifier

the url generated after configuration has the correct name https://internalcrm....

both adfs and the internalcrm metadata urls resolve correctly, so not sure what is going wrong.

Any help appreciated?

 

Regards

Chris

 

  • Ragnar Hilmarsson

    Hi

    Are ADFS and CRM on separate servers? It seems you are getting the identifier from the ADFS server, not from CRM as expected.

  • CU13121614-0

    Hi,

    Yes, they are on separate servers.

    I set up ADFS and it gives us a metadata url of

    https://sts1.topss.int/federationmetadata/2007-06/federationmetadata.xml

    This resolves correctly.

    On the CRM server I then configure Claims Based Authentication, entering the above url for the metadata url.

    When this has completed, in the log file it gives the crm metadata url as

    https://internalcrm.topss.int/FederationMetadata/2007-06/FederationMetadata.xml

    This also resolves correctly.

    I then go back on the ADFS server and add a new relying party and enter the internalcrm url as the source url.

    This all works except when it gets to the page with the identifiers tab they are all incorrect :-(

    Regards

    Chris

  • Community Member

    Hi Chris, I have the same issue, did you manage to solve this?

  • CU13121614-0

    Hi,

    Unfortunately not, but as we were building a new adfs server anyway it didn't happen on the new server. Apologies for not having a result for you :-(

    Chris

  • kyleknab

    The relying party identifiers in your screen shot would only come from pointing at the ADFS federation endpoint at <sts1.topss.int/.../federationmetadata.xml>.

    Do you have a DNS record setup to resolve internalcrm.topss.int to the IP address of your CRM server?

    Also, what does the XML look like on the CRM federation metadata endpoint at <internalcrm.topss.int/.../FederationMetadata.xml>?
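
The check suggested in the last reply, as an added example that is not part of the thread or of any Microsoft tooling: a small Python script that reads a saved federation metadata document and reports whose metadata it is before it is imported as a relying party. It assumes the standard WS-Federation metadata layout (an `EntityDescriptor` with `RoleDescriptor` elements typed `fed:ApplicationServiceType` for an application and `fed:SecurityTokenServiceType` for a token service); the two sample documents and their `example.test` hosts are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
NS = ('xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
      'xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" '
      'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"')

# Constructed sample documents (hypothetical hosts), trimmed to the elements inspected.
CRM_SAMPLE = f'''<EntityDescriptor {NS} entityID="https://crm.example.test/">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
</EntityDescriptor>'''
STS_SAMPLE = f'''<EntityDescriptor {NS} entityID="http://sts.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>'''

def describe_metadata(xml_text):
    """Return (entityID, set of role names) for a federation metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not an EntityDescriptor")
    # xsi:type is a QName such as fed:ApplicationServiceType; keep the local part.
    roles = {rd.get(XSI_TYPE, "").split(":")[-1] for rd in root.iter(MD + "RoleDescriptor")}
    roles |= {el.tag[len(MD):] for el in root if el.tag.endswith("SSODescriptor")}
    return root.get("entityID"), roles - {""}

def relying_party_problems(xml_text, expected_host):
    """List reasons this document is not the expected application's metadata."""
    entity_id, roles = describe_metadata(xml_text)
    problems = []
    if (urlparse(entity_id or "").hostname or "") != expected_host.lower():
        problems.append(f"entityID {entity_id!r} is not on host {expected_host}")
    if roles & {"SecurityTokenServiceType", "IDPSSODescriptor"}:
        problems.append("document describes a token service (STS), not an application")
    if "ApplicationServiceType" not in roles:
        problems.append("no ApplicationServiceType role descriptor found")
    return problems

if __name__ == "__main__":
    for name, doc in (("CRM sample", CRM_SAMPLE), ("STS sample", STS_SAMPLE)):
        print(name, describe_metadata(doc), relying_party_problems(doc, "crm.example.test"))
```

To use it on a real deployment, save the XML returned by the URL entered in the relying party wizard and pass its text together with the expected CRM host name.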
