You’re offline. This is a read only version of the page.
Announcements
25
We upgraded our development on-premise environment to 9.1 last night and while we can login as a service account using domain\user our IFD using user@UPN is no longer working. We receive the generic "An error has occurred. Try this action again. If the problem continues, check...." message.
We have refreshed the ADFS metadata and rebooted the front and back ends and verified the databases/organization in deployment manager are all on version 9.1.1.914.
In event viewer on our front-end we see one error referencing this (I have verified there is no object called "ScaleGroup" in the MSCRM_Config database that I can find).
Just as an update to this post, we've confirmed with Microsoft this is an issue and it has been passed to their development team to fix.
The issue is that we are authenticating with outside domains (for example, we are hosted in Active Directory domain x, but want to authenticate with another organization using their own Active Directory.
So when we do this, we have to set up the user in D365 with the upn (ex. "user@myorganization.org")
When authenticating it passes through a stored procedure called p_GetCRMUserID which uses the following SQL:
select suo.CrmUserId as CrmUserId
from SystemUserOrganizations suo
join SystemUserAuthentication sua on (suo.UserId = sua.UserId)
where sua.AuthInfo = @AuthInfo and suo.OrganizationId = @OrganizationId
The @AuthInfo parameter is supposed to be either set to "W:" appended with the users SID (if you are in the same domain) or a "C:" appended with the user's UPN if you are using claims and coming from an outside domain.
It always comes though with the "W:" and SID regardless of where the user is coming from (which is different than how 9.0 worked). So it will never authenticate with any "C:" users in that table.
Anyways, we can't use 9.1 until this is fixed because 99% of our users are not in the hosted domain.
That's why I was thinking it was authenticating against Active Directory fine as I don't see the error there, but rather on the front end (so I'm thinking D365 doesn't think the logged in user is a valid D365 user.
I enabled ADFS tracing and I do see one warning during the sign on: "Event 78: SSO token is null or empty. Cannot write SSO token to Cookies." but then it continues on and appears to be successful (no further warnings or errors).
Did you check the specific AD FS, Admin log under Application and Services logs for any errors during sign-on?
Kind of strange that you get "Unknow user name or bad password" on the D365 FE as when using claims-based autentication as you would get this in ADFS Admin log mentioned above if the supplied credentials were to be incorrect..
You should be seeing something like this on the ADFS:
Token validation failed.
Additional Data
Token Type:
schemas.microsoft.com/.../UserName
%Error message:
<username>-The user name or password is incorrect
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: <username>
Can you confirm this is related to the sign-on processes for that specific user or might it be some other account(e.g. service account) that has trouble authenticating?
We believe it's an issue with the claims auth. We've reconfigured it in deployment manager, and it appears to be authenticating against the Active Directory but after reaching D365 we're seeing an "Unknown user name or bad password" in the front end security event viewer. So I guess the AD is authenticating but D365 isn't thinking it's a valid user. We've rebooted all servers, refreshed metadata, even set up a brand new user in both AD and D365 to eliminate any caching issues but it still persists.
Not sure what we're missing as this was working fine on 9.0. We've re-checked our claims rules, etc, but no luck thus far. We may end up having to revert back to 9.0 but we've opened a ticket with MS which we hope to hear about today.
Check the Eventlogs on both CRM FE and ADFS server(AD FS, Admin log under Application and Services logs) when you authenticate against the IFD endpoint for issues.
Other than that, try reseting the Claims as well as IFD configuration via Deployment Manager, it's such a quick and easy task and you will see if any new errors have come up during the Pre-check tests it does.
Regarding the event log error: The locator service failed to connect to the configuration database (MSCRM_CONFIG). The error was: System.Data.SqlClient.SqlException (0x80131904): Invalid object name 'ScaleGroup'.
I've got this to along with another similar one:
The locator service failed to connect to the configuration database (MSCRM_CONFIG). The error was: System.Data.SqlClient.SqlException (0x80131904): Invalid object name 'OrganizationLifecycle'.
I would assume these entries are side-effect/leftovers when Microsoft put together their package from "Online" and forget to remove some features and functions that only are available online and is now missing in the On-Premise installation.
Basically they removed the object from the MSCRM_Config but dit not exclude it from the service itself which continue to query for that object..
Hopefully, they'll address it in a future update.
#1
André Arnaud de Cal...
294,095
Super User 2025 Season 1
#2
Martin Dráb
232,866
Most Valuable Professional
#3
nmaenpaa
101,158
Moderator
Share
Report
All responses (
Answers (
