Microsoft Dynamics CRM (Archived)

CRM2013 IFD not creating federationmetadata.xml


CRM gurus,

This was working until the certificate expired on the ADFS server. This has been renewed now, and I've been able to update our pre-prod environment, and this works OK.

What I'm struggling with is getting the Production environments working with ADFS 2.0.

I have followed several guides which all look pretty straightforward in terms of getting it up and running.

However, I'm struggling; I've spent 2 days learning/working on it.

Please trust that the basics have been done and are OK. (I think)

Renewed public SSL certificates, installed, tested and working; permissions set for Network Service to access the SSL cert; all DNS entries done and public facing; SSL applied to both the ADFS and CRM servers' websites; client-side authentication wizard run on the CRM box.

CRM version is 2013; UR 4 was applied recently.

We have a Forefront TMG web proxy server doing all the rules for access etc.

crm-auth.mydomain.org

crm-disco.mydomain.org

crm.mydomain.org

I've run the claims-based authentication wizard with no problems, pointing to our STS server on crm-auth.mydomain.org.

When I run the Internet Facing Deployment wizard everything checks out OK.

After running IFD, when I try to view the crm-auth.mydomain.org/.../FederatedMetadata.xml file on the CRM server, it displays 404 Page Not Found.

I'm also unable to create the relying trust from the ADFS server pointing to crm-auth.

To me it just seems like the XML has not been created.

What is a little strange to me is that when I paste the following, crm-auth.mydomain.org/FederatedMetadata, into a browser, it redirects to adfs.mydomain.org/.../le ................. presenting me with a login screen; however, this fails as no claim can be set up with access to a working XML.

Hopefully the above makes sense, I'm not always good at articulating the tech!

Mike.

  • sandeepstw

    Hi,

    Please check this article:

    blogs.msdn.microsoft.com/.../unexpectedinaccurate-federation-metadata-xml-generated-by-crm-federation-metadata-urls

    Thanks,

    Sandeep

  • Verified answer
    prt33k

    Hi Mike,

    Hope this helps :

    "The solution for this issue is to reinstall the IIS URL Rewrite.

    If the reinstallation of IIS URL Rewrite does not resolve the issue, the issue could be due to a reserved URL. To find the reserved URL, follow the steps given below.

    a) Open Command Prompt.
    b) Type the command NETSH HTTP SHOW URLACL.
    c) This command will show all the reserved URLs.
    d) If you get any reserved URL with an error as given below:

    Reserved URL : https://ABC:443/
    Can’t lookup sid, Error: 1332
    SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243- 975697593)

    e) Then we have to delete each URL for which we get the type of error given above, using the command below. Please provide the full URL for which you get the error in the Command Prompt.

    netsh http delete urlacl url=https://ABC:443/

    f) After that, run the command NETSH HTTP SHOW URLACL again to check whether the reserved URL still has an error message.

    g) Repeat step (e) for each URL for which you are getting the error.

    h) After deleting all the reserved URLs through the command, do an IIS RESET on the CRM server.

    i) Configure CLAIMS again using Deployment Manager on CRM 2011.

    j) Now try to access the federation URL “FederationMetadata/2007-06/FederationMetadata.xml” again."

    Source: http://www.inogic.com/blog/2012/03/ifd-configuration/

    Thanks,

    PS
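
The check in steps (a) to (g) above, as an added PowerShell example that is not part of the original thread or the quoted blog: it parses the output of netsh http show urlacl, finds reservations whose SID cannot be resolved, and prints the matching delete command for review instead of running it. The function name, the sample output and its placeholder SID are constructed for illustration, and English-language netsh output is assumed.

```powershell
# Added example: list URL reservations whose owning SID no longer resolves
# (the "Can't lookup sid, Error: 1332" case quoted in the answer above).

function Get-BrokenUrlAcl {
    param(
        # Raw lines of "netsh http show urlacl"; defaults to querying the local server.
        [string[]]$NetshOutput = (& netsh.exe http show urlacl)
    )

    $currentUrl = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            # Start of a new reservation block: remember its URL.
            $currentUrl = $Matches[1]
        }
        elseif ($currentUrl -and ($line -match 'lookup sid, Error:\s*(\d+)')) {
            # The SID in this reservation's SDDL could not be mapped to an account.
            [pscustomobject]@{
                Url       = $currentUrl
                ErrorCode = [int]$Matches[1]
                # Printed for review only; nothing is deleted by this script.
                DeleteCmd = "netsh http delete urlacl url=$currentUrl"
            }
            $currentUrl = $null
        }
    }
}

# Constructed sample in the shape quoted above (ABC is the answer's placeholder
# host; the SID is a made-up placeholder, not a real service SID).
$sample = @'
    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
    Reserved URL            : https://ABC:443/
        Can't lookup sid, Error: 1332
            SDDL: D:(A;;GA;;;S-1-5-80-0-0-0-0-0)
'@ -split "`r?`n"

# Only the https://ABC:443/ reservation is reported, with error code 1332.
Get-BrokenUrlAcl -NetshOutput $sample | Format-List
```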

  • Community Member

    Thanks for the reply, I will look into this in the morning and revert.

  • Community Member

    Thanks, I will review in the morning and revert.

  • Community Member

    Pre33k,

    I've reviewed the above information this morning. I've run the NETSH command and no URLs were in the error state.

    The CRM and ADFS servers do not already have IIS URL Rewrite installed currently.

    Not sure what my next options are.

  • Community Member

    Sandeep, I've come across this document during my search already. For our environment, our CRM will only be accessible from external as our users have changed domains; our CRM is published using a portal webpage which they log in to using the old domain credentials. So I think we are only publishing the IFD from CRM in ADFS and not also publishing SSO from internal. We are also using the default SSL port 443, and this is not referenced in the CRM config.

  • Community Member

    The solution for this issue is to re install the IIS URL Rewrite

    Ultimately yes, this was the solution, IIS URL Rewrite was completely missing from the CRM IIS server. Not sure why or how, but this was the resolution. Thank you.

  • Suggested answer
    Community Member

    The issue in my case was due to having a hostname in the Site Bindings in IIS. Since I had the FQDN of the server listed, it wouldn't respond to auth.domain.com for the federation metadata XML request. I cleared the hostname field, restarted the website, and it works.
