Microsoft Dynamics CRM (Archived)

CRM2013 with IFD ADFS 3.0 issues

Posted by Matt Jereb

Hi all,

I've been struggling for a few days now: I cannot make a Dynamics CRM 2013 internet-facing deployment work with ADFS 3.0 on Windows 2012 R2. CRM is installed on Windows 2008 R2, upgraded from CRM 2011. There is no custom deployed code. ADFS is running on a fresh Windows 2012 R2. I had no issues with ADFS 2.0.

Error from Event Viewer:

Encountered error during federation passive request.
Protocol Name:
wsfed

Relying Party:
https://auth.celoxgroup.com.au/

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
  at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
  at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
  at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
  at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
  at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
  at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Please help as Google is not much useful nowadays.

  • ph_eight

    Same error here.

    Exception details:

    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.

      at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)

      at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)

      at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)

      at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)

      at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)

      at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

  • Pradeep Pawar

    Hi Matt,

    Please see if my WordPress blog post can help you:

    pradeeppawarblog.wordpress.com/.../configure-internet-facing-deployment-for-crm-2011-server-in-more-secure-way-with-adfs-proxy

    Check if you have added the required rules in the Relying Party wizard too.

    Regards,

    Pradeep P

  • ph_eight

    That's not the problem, Pradeep P.

    My problem was the TMG 2010 server's publishing rule for sts.domain.com.

    Now I have removed the publishing rule for sts.domain.com. I made an access rule for port 443 to my ADFS proxy and now it works for the external users, but for internal users, whose ADFS does not point through the proxy, I had the same error.

    Exception details:

    Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.

      at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)

  • Pradeep Pawar

    I hope you have configured different relying parties for internal and external. For the internal authentication process your ADFS proxy doesn't come into the picture anyway; it directly hits the ADFS server.

  • Matt Jereb

    I have published through TMG as well, but now tried only with local IPs (using hosts) and am getting the same error. I'll try with ADFS 2.1 (Win 2012) today and let's see how it goes.

  • ph_eight

    Yes, I had configured different relying parties for internal and external.

    But Windows Server 2012 R2 with ADFS 3.0 is different from Windows Server 2012.

  • MichelZ

    Hi

    I have the same problem...

    I tried enabling all endpoints with Windows Authentication, no success :(

    Does anyone have any more ideas?

    Cheers

    Michel

  • Matt Jereb

    Hi all, I've had no issues with ADFS 2.1. The same configuration with ADFS 3.0 fails with the above error. I'll give it a go with ADFS Proxy (Web Application Proxy) to see if that is any better.

    Yeah I tried to enable all endpoints as well, no luck.

  • MichelZ

    We have the ADFS Proxy / WAP in place.. no luck on that front :(

  • Verified answer: Matt Jereb

    Woot woot, believe it or not, but it works for me!

    Make sure your sts URL points to the ADFS Proxy (WAP) and not to the ADFS Server (I've made this mistake once as well... Exchange publishing). As I do not have split or point-to-point DNS, I have manual entries for the sts URL in the local hosts file (on the ADFS and WAP server).

    I believe MS no longer allow publishing ADFS directly to the Internet, and all requests must go via the ADFS Proxy, aka WAP.

    Configuration example:

    CRM Server internal IP: 192.168.0.66 (crm.domain.local)

    ADFS Server internal IP: 192.168.0.9 (adfs.domain.local)

    ADFS Server federation service name: sts.domain.com

    WAP Proxy internal IP: 192.168.0.44 (wap.domain.local)

    Public ADFS FQDN: sts.domain.com

    Public CRM FQDN: crm.domain.com

    sts.domain.com resolves to an [unimportant] public IP and NAT translates it to the WAP Proxy internal IP (192.168.0.44). Be careful, this is the tricky part: do not redirect 443 to the ADFS server.

    WAP Proxy published app rule:

    - ADFS Rule: CRM IFD Relying Party (follow the MS CRM 2011 guide)

    - External URL: https://crm.domain.com

    - Internal URL: https://crm.domain.com (I didn't try if it works with internal CRM hostname)

    Last important part:

    Add the following entry to the ADFS and WAP Proxy Server hosts (%System32%\Drivers\etc\hosts):

    192.168.0.9 sts.domain.com

    Personally, I try to avoid point-to-point and split-DNS configurations.

    Cheers, Matt
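The verified answer above traces MSIS7102 to the STS name reaching the ADFS server directly instead of via WAP. The PowerShell below is an added example, not part of Matt's post or of any Microsoft guide: run on the ADFS server, it checks his layout using the names and addresses from his answer (the hosts entry, what sts.domain.com resolves to, the per-location global authentication policy, and the CRM relying party trust). `$RpIdentifier` is a placeholder to be replaced with the value on the event's "Relying Party:" line; the rest of the cmdlets are the standard ADFS 3.0 and DnsClient ones.

```powershell
# Added example, not from the thread: sanity checks for the IFD / ADFS 3.0 layout in
# Matt's answer. Run in an elevated PowerShell on the ADFS server (step 1 also applies
# on the WAP server). Names and IPs are the example values from the answer.
$StsFqdn        = 'sts.domain.com'
$AdfsInternalIp = '192.168.0.9'              # hosts entry on ADFS and WAP must point here
$RpIdentifier   = 'https://auth.domain.com/'  # PLACEHOLDER: use the event's "Relying Party:" value

# 1. hosts file: federation service name -> internal ADFS IP (Matt's substitute for split-DNS)
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntry = Get-Content $hostsPath |
    Where-Object { $_ -match "^\s*(\S+)\s+$([regex]::Escape($StsFqdn))(\s|$)" } |
    Select-Object -First 1
if ($hostsEntry -and ($hostsEntry.Trim() -split '\s+')[0] -eq $AdfsInternalIp) {
    Write-Output "OK   hosts maps $StsFqdn to $AdfsInternalIp"
} else {
    Write-Warning "hosts file lacks '$AdfsInternalIp $StsFqdn' (found: '$hostsEntry')"
}

# 2. Effective resolution on this box (Resolve-DnsName honours the hosts file unless
#    -DnsOnly is given). On ADFS/WAP it must be the ADFS IP; from outside it must be the
#    public IP that NATs to WAP (192.168.0.44 internally), never straight to ADFS.
$resolved = (Resolve-DnsName -Name $StsFqdn -Type A -ErrorAction SilentlyContinue).IPAddress
if ($resolved -contains $AdfsInternalIp) {
    Write-Output "OK   $StsFqdn resolves to $($resolved -join ', ')"
} else {
    Write-Warning "$StsFqdn resolves to '$($resolved -join ', ')'; expected $AdfsInternalIp on ADFS/WAP"
}

# 3. MSIS7102 = the requested authentication method is not enabled for the location ADFS
#    assigned to the request. ADFS 3.0 treats a request as extranet only when it arrives
#    through WAP, so traffic that bypasses WAP is judged against the intranet providers.
$policy = Get-AdfsGlobalAuthenticationPolicy
Write-Output "INFO intranet primary providers: $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
Write-Output "INFO extranet primary providers: $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

# 4. The CRM IFD relying party trust must exist, be enabled, and have a WS-Fed endpoint.
$rp = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains $RpIdentifier } |
      Select-Object -First 1
if ($rp -and $rp.Enabled) {
    Write-Output "OK   relying party '$($rp.Name)' WS-Fed endpoint: $($rp.WSFedEndpoint)"
} else {
    Write-Warning "no enabled relying party trust with identifier $RpIdentifier"
}
```

Compare the INFO lines from step 3 with the location the failing request actually took: a request that bypasses WAP but expects the extranet providers reproduces exactly the mismatch the verified answer fixed.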
