Microsoft Dynamics CRM (Archived)

Claims based authentication - can't browse federationmetadata.xml in CRM server


I have ADFS installed on its own server and I can browse to https://adfs.lctcs.edu/federationmetadata/2007-06/federationmetadata.xml just fine.

When I configured CRM for Claims Based Authentication it provided the resulting URL of https://crm.lctcs.edu/FederationMetadata/2007-06/FederationMetadata.xml.

The problem is I can't browse the file at this URL, so I can't continue configuring the relying trust in ADFS.

The CRMAppPool service account does have read access to the private key.

Thoughts? What am I missing?

  • Suggested answer
    Remon

    Hello LCTCS,

    First of all, it's not wise to publish real addresses, next time 'blur' the addresses.

    My first idea:

    - You're using "CRM" as CBA/internal CRM URL, but your organization is also called CRM. That mixes things up.

    Example:

    CBA:

    - Internal URL: https://crm-internal.lctcs.edu   (for SSO you can connect to https://crm-internal.lctcs.edu/crm)

    - only add entry in internal DNS.

    IFD:

    - Discovery & External https://crm-external.lctcs.edu (can be split, but in most cases can be the same)

    - add entry in public & internal DNS per organization and crm-external domain name, in your case (if I'm right about your org being named 'crm') you'll get: https://crm.lctcs.edu for org.address.

    Result: internally you'll get SSO on the CRM-INTERNAL.lctcs.edu url, and internally and externally you'll get FormsBasedAuthentication on ORGNAME.lctcs.edu url 

    Also if you want your CRM implementation to be IFD, you should also publish your ADFS server on the internet.

    Hope this helps you to get on the right track. If not, please supply your URLs and Organization names.

    PS> no proxy between clients and servers?

    Kind regards,

  • Community Member

    Thank you for your response Remon,

    I'm a CRM novice and am building out a CRM environment as a pilot for a number of colleges in our system, so bear with my ignorance...

    The CRM org is the default and it's named DynamicsCRM (I think it must have defaulted to that at install). The CRM host has a DNS entry for crm.xxx.xxx (machine name is different). My test users can successfully login to the web interface (internally and externally) via http://crm.xxx.xxx or https://crm.xxx.xxx (I have a redirect on port 80 to automatically force everyone to 443).

    I had installed the ADFS in the CRM server but later uninstalled ADFS on the CRM server and built out a dedicated server for the ADFS service (adfs.xxx.xxx).

    CBA:

    So if I understand correctly, I need to add an internal DNS entry (crm-internal.xxx.xxx) that points at the same IP address as the CRM Server for the CBA?

    IFD:

    Create DNS entries in internal and external DNS (crm-external.xxx.xxx) that also point at the CRM server's IP address?

    Create DNS entry for FS.xxx.xxx point at the ADFS server IP?

    So where do I use these new DNS addresses, as part of the CBA and IFD setup on the CRM server?

    I am interested in using a proxy between clients and server. Is that where I would use WAP?

    Sorry for my ignorance... We're investigating whether CRM will meet our needs in a non-traditional application (Foundation and Workforce Development for capturing system-wide business, contact and opportunity data).

    Thx

    Eric

  • Community Member

    Just for clarity... The IIS server on the CRM server has only one site for Microsoft Dynamics CRM (no Default Web Site). I've read some documents that suggest this could lead to problems. But those comments referred to having ADFS installed on the same server...

    Is not having a default web site in addition to the CRM web site a problem?

  • Suggested answer
    Community Member

    Hello Eric,

    If you try to browse the Metadata URL, do you get any certificate error?

    Check the thumbprint of the certificate which is configured with ADFS.

    You can do this by

    Open certificate -> Go to tab Details -> Show: Properties Only

    and

    Run these commands in PowerShell.

    get-AdfsSslCertificate

    The above command will give you the certificate associated with ADFS URL.

    Have a look at the certificate hash. If there is a visible difference between what is shown in the Thumbprint when you check the properties and what the certificate hash shows after you run the command, then you will need to update the certificate hash.

    You can use the below command

    Set-AdfsSslCertificate -Thumbprint 557c228c5c1c57f06d92c83f89330794********

    (Use the value shown in the properties tab.)

    This should help you to configure the RPT.

    Please mark my answer as verified if you found it useful.

    Regards,

    Bhartendu Pandey

    Microsoft Dynamics CRM Support Engineer
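
The thumbprint comparison described in the answer above, as an added PowerShell example that is not part of the original post or of Microsoft's tooling. It goes slightly beyond the answer by also reporting a missing private key or an expired certificate; the function names and all sample bindings and thumbprints are constructed for illustration.

```powershell
# On a real AD FS server (assumption) the inputs would be:
#   -Binding (Get-AdfsSslCertificate)  -Certificate (Get-ChildItem Cert:\LocalMachine\My)

function ConvertTo-NormalizedThumbprint {
    param([string]$Thumbprint)
    # Text copied from the certificate Details tab can carry spaces and an
    # invisible leading Unicode mark; keep only hex digits and upper-case them.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-AdfsSslBinding {
    param(
        [Parameter(Mandatory)] [object[]]$Binding,      # HostName, PortNumber, CertificateHash
        [Parameter(Mandatory)] [object[]]$Certificate,  # Thumbprint, HasPrivateKey, NotAfter
        [Parameter(Mandatory)] [string]$ExpectedThumbprint
    )
    $expected = ConvertTo-NormalizedThumbprint $ExpectedThumbprint
    if ($expected.Length -ne 40) {
        throw "Expected a 40-digit SHA-1 thumbprint, got $($expected.Length) hex digits."
    }
    $cert = $Certificate | Where-Object { $_.Thumbprint -eq $expected } | Select-Object -First 1
    foreach ($b in $Binding) {
        $bound = ConvertTo-NormalizedThumbprint $b.CertificateHash
        $status = if ($bound -ne $expected)            { 'Mismatch' }
                  elseif (-not $cert)                  { 'NotInStore' }
                  elseif (-not $cert.HasPrivateKey)    { 'NoPrivateKey' }
                  elseif ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
                  else                                 { 'OK' }
        [pscustomobject]@{
            HostName = $b.HostName; Port = $b.PortNumber
            Bound = $bound; Expected = $expected; Status = $status
        }
    }
}

# Constructed sample data standing in for the two cmdlets' output.
$sampleThumb = 'A1B2C3D4E5F60718293A4B5C6D7E8F9011223344'
$bindings = @(
    [pscustomobject]@{ HostName = 'adfs.domain.ext'; PortNumber = 443; CertificateHash = $sampleThumb }
    [pscustomobject]@{ HostName = 'localhost'; PortNumber = 443; CertificateHash = '00112233445566778899AABBCCDDEEFF00112233' }
)
$store = @([pscustomobject]@{ Thumbprint = $sampleThumb; HasPrivateKey = $true; NotAfter = (Get-Date).AddYears(1) })
# Pasted form with spaces and a leading U+200E mark, as copied from the dialog.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 11 22 33 44"
Test-AdfsSslBinding -Binding $bindings -Certificate $store -ExpectedThumbprint $pasted |
    Format-Table -AutoSize
```

Any binding that reports `Mismatch` is the case where the answer's `Set-AdfsSslCertificate -Thumbprint` step applies, using the normalized value rather than the raw pasted text.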

  • Suggested answer
    Remon

    Hi Eric,

    Did you already solve it? If not, here is my reply:

    - Website: should not be an issue. You could however change the id of the website back to 1 (=equal to Default Website)

    - Addresses: 

    Internal DNS:

    - crm-internal.domain.ext --> CRM Server

    - adfs.domain.ext --> ADFS Server

    - crm-external.domain.ext --> CRM Server

    - dynamicscrm.domain.ext --> CRM Server

    External DNS:

    - adfs.domain.ext --> ADFS Server

    - crm-external.domain.ext --> CRM Server

    - dynamicscrm.domain.ext --> CRM Server

    On your CRM Server, configure:

    Web addresses:

    HTTPS

    crm-internal.domain.ext for all entries (assuming a single server deployment)

    Claims Based Configuration:

    use: crm-internal.domain.ext as address.

    Internet Facing Deployment:

    use: domain.ext as the first two entries

    use: crm-external.domain.ext as discovery and also for external address.

    When using the above route, you're ready to roll using ADFS.

    Users inside your LAN: https://crm-internal.domain.ext will have SSO (NTLM/Kerberos Auth against ADFS Server)

    Users outside your LAN: https://dynamicscrm.domain.ext will have Forms Based Auth against your ADFS Server

    Hope this gives you enough information to get you going.

    Good luck,

  • Javed Iqbal

    Hi Eric

    Thanks for the detailed explanation.

    Can you also specify DNS settings in case our local domain is e.g. abc.local and external is xyz.com?

  • Javed Iqbal

    Hi Remon

    Thanks for the detailed explanation.

    Can you also specify DNS settings in case our local domain is e.g. abc.local and external is xyz.com?
