
We have been running Dynamics CRM On-Premise (currently on 2016) for about 5 years now with a solid ADFS integration. In the past two months, I had two users who suddenly cannot login using Resco mobile but the issue does not appear to be with Resco (they use the standard CRM SDK connection code) because I can see the error in a fiddler trace and it is coming from ADFS.
I have also A/B compared the CRM -> ADFS redirect and the second ADFS call to /adfs/services/trust/13/usernamemixed with a user that does not have an issue.
On the good user, after POSTing to the above URL with the soap envelope containing their username (formatted as user@domain.com), I get a nice 200 response with a return soap envelope containing all my authentication token info.
On the bad users, I get an HTTPS 500 error with a response of 'www.w3.org/.../faults:Sendera:InvalidSecurity An error occurred when verifying security for this message.'
I can see the username on the bad user POSTed like the good user and the POSTed envelope contains both the valid username (user@domain.com) and the correct password.
We are running CRM 8.2.8 currently and no changes to either ADFS or CRM since the minor update to 8.2.8 in June of this year. My problem users first started having this issue in July. We did renew our ADFS/CRM trust cert (wildcard) on 5/31/2019. Nothing of consequence seemed to happen after the cert upgrade; it was turnkey.
Anyone have any ideas on what might be causing this? The really odd part is that if my problem users use a different device, they can connect fine... one user is having problems on his Android phone and the other user is having the issue from his PC (hence the fiddler trace).
thank you!
Okay, I figured this out after a long debugging session and figured it may help someone here. For one user, their computer was 6 minutes ahead of the domain controllers and would not complete a gpupdate successfully, so we assumed that the computer account on the domain was somehow broken. We removed the computer from the domain, re-added it, performed a gpupdate and the clock on the local computer was then in sync. It solved the issue.
On the other user (Android Phone) after asking more precisely about the time on his phone, he brought up that he keeps his phone set 5 minutes ahead and not synced via Cell Network. After he rolled this back, to stay in sync with the Cell Network, his authentication worked fine.
In Summary.... this was a challenging one, because normal browser logins worked fine into Dynamics CRM and ADFS, but only in RESCO (which uses the Microsoft CRM SDK connection library .dlls) did this throw the 'Security Exception' (with no details). It appears that the time and date must be within a fairly tight window for the CRM authentication to succeed using the libs.
If anyone has any insights on how to widen this window, it would be good information to know about. Also, what is the default... I'm guessing 5 minutes? Maybe less?
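The "tight window" the reply describes is the clock-skew tolerance a WS-Trust endpoint applies to the wsu:Timestamp in the WS-Security header, which the SDK stamps with the client's own clock. The Python below is an added illustration, not code from this thread, from ADFS or from the CRM SDK: it builds a constructed envelope, runs the server-side freshness check with an assumed 5-minute tolerance (the value the post guesses) and an assumed 5-minute message lifetime, and shows an in-sync client passing while a client 6 minutes ahead is rejected, matching the symptom above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by the WS-Security header a WS-Trust client sends.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_envelope(client_now, ttl=timedelta(minutes=5)):
    """Constructed sample envelope: the Timestamp is taken from the CLIENT's clock."""
    return f"""<s:Envelope xmlns:s="{SOAP}"><s:Header>
 <o:Security xmlns:o="{WSSE}" xmlns:u="{WSU}">
  <u:Timestamp u:Id="_0"><u:Created>{client_now.strftime(FMT)}</u:Created>
   <u:Expires>{(client_now + ttl).strftime(FMT)}</u:Expires></u:Timestamp>
  <o:UsernameToken><o:Username>user@domain.com</o:Username>
   <o:Password>[constructed placeholder]</o:Password></o:UsernameToken>
 </o:Security></s:Header><s:Body/></s:Envelope>"""


def check_timestamp(envelope, server_now, max_skew=timedelta(minutes=5)):
    """Server-side freshness check against the SERVER's clock.
    Returns 'ok' or the reason the message would be rejected (the client only
    ever sees a generic InvalidSecurity fault, not this reason)."""
    ts = ET.fromstring(envelope).find(f".//{{{WSU}}}Timestamp")
    if ts is None:
        return "missing Timestamp"
    created = datetime.strptime(ts.find(f"{{{WSU}}}Created").text, FMT).replace(tzinfo=timezone.utc)
    expires = datetime.strptime(ts.find(f"{{{WSU}}}Expires").text, FMT).replace(tzinfo=timezone.utc)
    if created > server_now + max_skew:
        return "Created is further in the future than the allowed skew"
    if expires < server_now - max_skew:
        return "Expires is already in the past"
    return "ok"


def simulate(offset_minutes, skew_minutes=5):
    """Client clock = server clock + offset; return the server's verdict."""
    server_now = datetime(2019, 7, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    client_now = server_now + timedelta(minutes=offset_minutes)
    return check_timestamp(build_envelope(client_now), server_now, timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    for minutes in (0, 4, 6, -12):
        print(f"client clock {minutes:+d} min -> {simulate(minutes)}")
```

A client that is behind the server fails on the Expires side instead, so "clock is wrong" should be checked in both directions when only one device of a user's is affected.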