Microsoft Dynamics CRM (Archived)

CRM 2015 + AD FS FBA for Intranet - "Requested Authentication Method is not supported on the STS"

Hi all,

I am testing my internal access to CRM 2015 after having configured claims-based auth with AD FS 2012 R2. I was able to get SSO working for internal browsers supporting WIA, but this resulted in an IE auth prompt, which I don't want as part of the user experience. I would prefer a single form, customised with corporate identity, which provides claims-based auth for all browsers. (I haven't started the final config of IFD with the WAP yet.)

To this end I have unchecked Windows Authentication in AD FS Authentication Policies > Primary Auth > Global Settings > Intranet. I only have Forms Auth checked. However, when I try to open the CRM browser URL it redirects to AD FS and throws an error.

In the AD FS logs this appears as event ID 346, Source: AD FS:

"Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.

at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)"

There are a few articles that say the fix is merely to enable FBA in the AD FS console, but in my case FBA is already checked. I have also checked the following:

  • SPNs, I have checked the SPNs for both CRM & AD FS and have added SPNs for all the DNS records used to address CRM & AD FS
  • Certificates: I have imported the certs into the Personal Store for Local Computer and for the AD FS service account. I've imported all of the extended properties so that the certificate can be checked up the chain.
  • DNS: I can resolve the metadata xml pages on both CRM & AD FS and I can resolve the DNS names of the URLs from all servers and the clients
  • CRM: I've configured CRM for claims based auth as per the IFD Deployment Guide and it completed successfully, seemed to import the AD FS metadata .xml correctly
  • AD FS config: I've configured the relying party and the claims rules in AD FS as per the IFD Deployment Guide

Could anyone indicate steps I may have missed or whether I am completely confused. Appreciate your assistance.

regards

Charlie
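The policy settings and the event 346 entries described in the post can be inspected and adjusted from PowerShell on the AD FS 2012 R2 server. The script below is an added example, not code from the original post or from Microsoft; the service account names passed to setspn (CONTOSO\svc_adfs, CONTOSO\svc_crmapppool) are assumptions.

```powershell
# Added example, not from the original post. Run on the AD FS 2012 R2 federation
# server as an AD FS administrator. Account names below are assumptions.
Import-Module ADFS

# 1. Which primary authentication providers are enabled for each network location?
#    MSIS7102 is raised when a request names an authentication method that the
#    global policy does not allow for the location the request arrived from.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet primary providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet primary providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# 2. Pull the most recent MSIS7102 failures (event ID 346 in the AD FS/Admin log)
#    so the activity ID shown on the browser error page can be matched server-side.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 346 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS7102' } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            ActivityId = $_.ActivityId
            Summary    = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize

# 3. Keep Forms for browsers that cannot do WIA, but restore Windows authentication
#    for the intranet so requests that ask for it are no longer rejected by policy.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')

# 4. AD FS only attempts WIA for user agents matching this list; every other browser
#    is sent to the forms page even with WindowsAuthentication enabled.
(Get-AdfsProperties).WIASupportedUserAgents

# 5. Kerberos prerequisites. AD FS 2012 R2 runs on HTTP.sys, not IIS, so its service
#    account needs HOST/<federation service name>; the CRM application pool account
#    is normally given HTTP/<crm host>. Duplicate SPNs break Kerberos silently.
setspn -L CONTOSO\svc_adfs
setspn -L CONTOSO\svc_crmapppool
setspn -X
```

Step 3 is the reverse of the change the post describes; with both providers enabled, browsers on the WIA user-agent list get silent Kerberos and everything else gets the (brandable) forms page, which is the usual way to get one sign-in form without breaking requests that ask for Windows authentication.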

  • Community Member

    Hello CABF,

    This seems to be a configuration issue, especially with the Relying Party Trust.

    I am providing you with a link which explains in an easy way how you can cross-check the steps you performed to configure ADFS.

    I am aware of the fact that you have used the IFD Deployment Guide for configuration, however I wish you to confirm it again following the steps below.

    Feel free to reply if you have any questions or concerns and I'll be glad to assist you. :)

    Please find the below link:

    http://blogs.msdn.com/b/niran_belliappa/archive/2014/01/16/step-by-step-configuring-crm-2013-internet-facing-deployment-ifd.aspx

    Thanks & Regards,

    Sharon Mhatre

    Support Engineer

    Microsoft Dynamics CRM

  • BlueIce

    Hi Charlie,

    We are having the identical problem! It has been perplexing us for days! We have CRM 2013 on ADFS 3.0 (Win 2012 R2). Did you ever find a solution? Enabling FBA as you said doesn't make any difference at all!

  • Community Member

    What happens if you use the "external" URL instead of internal? Eg http://MyCRMOrgName.domain.com

    not

    crmserver.domain.com/MyCRMOrgName

    The internal URL expects ADFS to be able to use Kerberos to do SSO. If you get any kind of prompt for username and password, the most common culprit is the ADFS server not being in Trusted Sites. Typically *.mydomain.com is the easiest approach to cover CRM, ADFS and other internal sites in one go.

  • BlueIce

    Hi,

    I have tried this URL - crmserver.domain.com/mycrmorgname. It prompts for the ADFS credentials. After providing the details it shows 404 - File/Directory not found. All URLs, including *.mydomain.com, have also been added to the trusted sites on the ADFS server. There are no logs on the front-end or back-end server either.

  • Community Member

    You need *.mydomain.com to be added to trusted sites on the client, not the server.

    You should not get asked for any credentials when using that URL from your internal network (on a domain-joined machine, logged on as a domain user who is also in CRM as a user).
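The client-side zone change the reply describes can be scripted, which also makes it easy to check a machine that still prompts. The following is an added example, not the reply's own instructions; 'domain.com' stands in for the suffix shared by CRM and AD FS.

```powershell
# Added example, not from the original thread. Run on the client as the user who
# is prompted. 'domain.com' is an assumption for the shared DNS suffix.
$domain  = 'domain.com'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$key     = Join-Path $zoneMap $domain

# A key named after the parent domain with a scheme-named value covers *.domain.com.
# Zone data: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
# By default only the Local intranet zone sends the logged-on user's credentials
# automatically; the Trusted sites zone's logon option is "Automatic logon only in
# Intranet zone", so a host placed there (zone 2) can still produce a credential
# prompt unless that zone's logon option is changed as well. Zone 1 is used here.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# List the wildcard mapping and any per-host subkeys so a stale entry (for example
# an earlier 'https' = 2 or a single-host override) can be spotted and removed.
Get-ItemProperty -Path $key
Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath }

# If the policy "Security Zones: Use only machine settings" is in force, IE reads
# the same layout under HKLM and ignores the HKCU entry written above:
# HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
```

Chrome on Windows honours the same zone map; Firefox ignores it and needs the AD FS host in its own network.negotiate-auth.trusted-uris preference before it will answer the Negotiate challenge.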

  • BlueIce

    Hi Adam,

           It's not working after adding it to the trusted sites on the client system. The internal CRM URL is not asking for Windows credentials; it goes directly to the ADFS error log page. Not sure why it's not hitting Windows authentication?

  • David Jennaway

    BlueIce, can you confirm what behaviour you're seeing and your current ADFS configuration? Specifically, do you have Windows Authentication enabled in ADFS, and is the error still a 404 error or an 'ADFS error log page'?

    If it's a 404 error, what is the url that is not found - is it a CRM url or an ADFS one ? If it's a CRM one, check that the user is an active user in the organisation, and that the organisation name is correct

  • BlueIce

    Hi David,

       crminternal.domain.com is giving a 404 error; it's an active user as well and the org name is correct. There is also one thing I am completely unclear on. I have configured claims-based authentication and IFD as per the Microsoft document.

    Why is the CRM internal URL asking for ADFS credentials? I don't know why it's hitting the ADFS login page. What is the mistake here? I can't work it out.

    Thanks for all the response.

  • Community Member

    Once you configure IFD correctly, all connections to CRM will use ADFS. It will never use windows authentication directly.

    You need to configure ADFS for internal and external connections by adding two relying party trusts. The internal one will ask the client for a valid Kerberos token, the external one will present the logon page.

    Can you confirm what settings you have used for your ADFS configuration?

    What about the IFD wizard configuration?

    Don't forget that in IFD the first two entries need to be the domain only, e.g. domain.com, whereas the last two need a "host" as well.

    What ports are you using for CRM and for ADFS? Have you made sure CRM is only using https and is not configured for two bindings? (it is not supported to have http and https at the same time).
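The two-trust layout and the HTTPS-only binding rule in the reply above can be checked with the following added example; it is not the reply's own code and not part of CRM. It assumes the default IIS site name 'Microsoft Dynamics CRM' created by CRM setup and uses https://crminternal.domain.com/MyCRMOrgName as a placeholder internal URL.

```powershell
# Added example, not from the original thread. Part A runs on the AD FS server,
# parts B and C on the CRM front-end. Site name and URL are assumptions.

# --- A. AD FS: list the relying party trusts and the identifiers CRM will send as wtrealm
Import-Module ADFS
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Enabled,
        @{ n = 'Identifiers'; e = { $_.Identifier -join '; ' } },
        WSFedEndpoint, MetadataUrl |
    Format-List

# --- B. IIS: CRM must answer on https only; a leftover http binding is unsupported
Import-Module WebAdministration
$site     = 'Microsoft Dynamics CRM'                  # default site name from CRM setup
$bindings = Get-WebBinding -Name $site
$bindings | Select-Object protocol, bindingInformation

$bindings | Where-Object { $_.protocol -eq 'http' } | ForEach-Object {
    $port = ($_.bindingInformation -split ':')[1]     # bindingInformation is ip:port:host
    Write-Warning "Removing http binding on port $port from '$site'"
    Remove-WebBinding -Name $site -Protocol http -Port $port
}

# --- C. Look at the redirect the internal URL issues. With claims enabled CRM must
#        send the browser to AD FS (wa=wsignin1.0&wtrealm=...) rather than answer
#        with its own NTLM/Kerberos challenge. AllowAutoRedirect is off so the 302
#        is returned instead of followed.
$url = 'https://crminternal.domain.com/MyCRMOrgName'
$req = [System.Net.HttpWebRequest]::Create($url)
$req.AllowAutoRedirect     = $false
$req.UseDefaultCredentials = $true
$resp = $null
try   { $resp = $req.GetResponse() }
catch [System.Net.WebException] { $resp = $_.Exception.Response }

if ($resp) {
    "Status:   {0}" -f [int]$resp.StatusCode
    "Location: {0}" -f $resp.Headers['Location']
    # Split the query string so wtrealm (must match a trust identifier from part A)
    # and any wauth value (must be a method the AD FS policy allows) are readable.
    if ($resp.Headers['Location']) {
        $q = ([uri]$resp.Headers['Location']).Query.TrimStart('?')
        $q -split '&' | ForEach-Object { [uri]::UnescapeDataString($_) }
    }
    $resp.Close()
}
```

If part C shows a 401 with a WWW-Authenticate header instead of a 302 to AD FS, the site is still in Windows-authentication mode for that URL; if it shows a 302 whose wtrealm does not appear in part A, the trust CRM is pointing at does not exist on that AD FS farm.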

  • BlueIce

    Hi Adam,

      Thanks for all the details.

      1. Yes, two relying party trusts are added for CRM.

      2. When accessing the CRM internal URL it redirects to the ADFS error page:

    "An error occurred

    An error occurred. Contact your administrator for more information."

    Error details • Activity ID: 00000000-0000-0000-6f6b-0180000000ca

      3. In ADFS, configured the internal CRM relying party trust and the external IFD relying party trust. On ADFS, enabled Forms authentication as well.

      4. The CRM IFD URL is working fine internally and externally.

      5. The internal CRM URL works only when I log in with the external CRM IFD URL in the same browser in a different tab. Example: if I log in with the CRM internal URL I get the error message mentioned in point 2. But once I log in successfully with the CRM external URL in tab 1, the CRM internal URL logs in automatically in tab 2 of the same browser.

      6. Yes, created the IFD entries for domain and host as per the documents.

      7. Before IFD it used to be port 80 HTTP. After that I added a new binding on 143 for HTTPS.

    Now I have disabled HTTP port 80. Still the same issue.

    Exact issue: the internal CRM URL works only if I log in with the external CRM IFD URL in a different tab of the same browser. Otherwise the internal CRM URL is not working.

    Thanks
