web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / CRM 2016 IFD Authentic...
Microsoft Dynamics CRM (Archived)

CRM 2016 IFD Authentication with Claims using ADFS Breaking Subsequent Authentications

(0) ShareShare
ReportReport
Posted on by Community Member

We're preparing to release CRM 2016 for our company and have run into a problem with its Claims authentication using ADFS.  We're a long time Microsoft ADFS user and currently running ADFS 3.0 on Windows 2012R2 servers.

What we see is that the CRM authentication is stepping on the MSISAuth cookie and not using the FedAuth cookie.  What happens is that once we authenticate to CRM, the MSISAuth cookie is overwritten and therefore we can no-longer authenticate to any new sites as we're sending a bad MSISAuth cookie.  If we logout out of CRM, we can then again authenticate to a new site, but we are prompted for credentials.

We're trying to figure out how we could have configured the CRM application in such a way that it steps on the MSISAuth cookie and doesn't use the FedAuth cookie.

This is a serious usability issue for our company as once we login to CRM, we can no-longer login to any of our other ADFS authenticated applications until we log out of CRM.  We have about 25 ADFS authenticated applications.   What the users experiences is when trying to access a new sites is that the ADFS forms authentication page just keeps prompting for their logon credentials.

Is this a CRM configuration issue?, a CRM authentication problem? or some other issue?  I would think that Microsoft would make integration between CRM Claims Authentication and AFDS fool proof, but what we're seeing is bad behavior in the CRM application.  Hope there is a fix for this.

Thanks Dan

*This post is locked for comments

I have the same question (0)
  • Verified answer
    Community Member Profile Picture
    Community Member on at

    We did find the work around in this article, https://support.microsoft.com/en-us/kb/3045286.  Just don't understand why we're facing this issue when Microsoft controls both CRM and ADFS and we're running the latest versions of both.  I would call this a problem with the CRM code that should be fixed by Microsoft.  We typically use the same DNS root name for our web application services but due to how CRM works, we can not do that.  Say our ADFS URL is sso.rootdomain.com, we could not then use a DNS name like crm.rootdomain.com for our CRM server.  We could add a level, say, crm.apps.rootdomain.com or simply use another domain like crm.newrootdomain.com.  

  • cmillerlce Profile Picture
    cmillerlce 147 on at

    Does anyone know if this is a temp work around from Microsoft or are they planning on fixing this in a CRM update? Going through the trouble of a new domain or a sub-domain for this seems pretty ridiculous.

  • Community Member Profile Picture
    Community Member on at

    This bug is literally one of the most unforgivable I have seen in many years of working in IT. It is bad that the bug is there in the first place...

    ...BUT the thing that makes this completely unacceptable is that the only 'fix' offered by Microsoft is for me, the paying customer, to redesign my bloody domain name structure and shell out even more money for yet more wildcard certificates.

    Is this seriously the best you have got Microsoft? You issued this "FAST PUBLISH" article offering the workaround over 1 year ago - since then there have been multiple CRM updates and even a completely new release with CRM 2016 and yet you appear to have done nothing to address this very significant product flaw.

    One would almost think you don't want people using your software

  • cmillerlce Profile Picture
    cmillerlce 147 on at

    Does anyone know if this issue has been resolved with ADFS 4.0?

  • Community Member Profile Picture
    Community Member on at

    Have found the same thing within our organisation. I am with cmillerLCE and holding out hope for AD FS 4.

  • Community Member Profile Picture
    Community Member on at

    The Article you referenced has been removed, (touch wood) there may be some action on this.

  • Nick2030 Profile Picture
    Nick2030 160 on at

    I have ADFS 4.0 and CRM 2016 on the same box and I tried all different combinations but it did not work. It worked fine for me on ADFS 3.0 and CRM 2016.

  • Snowlion_Tom Profile Picture
    Snowlion_Tom on at

    Hi All Looks like I have the same problem with Dynamics 365. Before I do the full run of Subdomain, it would be Nice to know how you made it work.

    The article you link to is gone.

  • Community Member Profile Picture
    Community Member on at

    Just checked the link, it has a comma at the end of it causing it to fail. This should work: support.microsoft.com/.../3045286

    TL;DR The bad auth token from CRM can be worked around by creating a subdomain.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans