Microsoft Dynamics CRM (Archived)

CRM 2016 and ADFS


Hi All,

I have CRM 2016, with ADFS for IFD and Claims. All working fine. But I want to change the organisation name and also the domain name in use. I can disable, delete and then reimport the organisation. If I disable Claims and IFD then I can log on to the site.

But if I try and get the ADFS part working with claims and IFD it doesn't work. On the ADFS page I see the logon page, but if I enter my credentials it just returns to the page. If I use claims I enter my credentials and get an error page.

Should I be able to change the ADFS domain name? Is there a guide anyone can point me to?

Regards

Craig

  • joman

    You can change the domain name in Deployment Manager.

    Remove your organisation, change the domain on the server, then restore the organisation from the base.

    While restoring, there will be a user mapping procedure.

  • Community Member (original poster)

    Hi Joman - Yes, as in my original post I've done that and it's working fine without claims/IFD. My question is about the ADFS part: should I be able to change the domain name in that, and if so is there a procedure to follow?

  • Wouter Madou (suggested answer)

    You changed the name of the organisation, therefore the metadata has changed as well and your ADFS is invalid.

    Disabling Claims makes you bypass the ADFS and thus you can log in as you would in a non-ADFS environment.

    You will have to update the federation metadata as well with the relying party trust (org. specific identifier).

    1. Click the AD FS 2.0\Trust Relationships and select Relying Party Trusts.
    2. In the details pane, click the relying party trust for the CRM deployment.
    3. In the Action pane, click Update from Federation Metadata.
    4. In the properties dialog box for the trust, click Update to perform the update.

    HOWEVER:

    If you want to change domain names and DNS entries etc., I suggest you start from scratch with your IFD/ADFS setup since you will be changing certificates.

    Rollover functions on certificates can easily cause strange behaviour, so it will be faster/easier to just start over.

    There are a lot of manuals out there to do this installation.

    This should get you going:

    http://www.interactivewebs.com/blog/index.php/crm/how-to-set-up-microsoft-crm-2016-ifd-on-windows-2012-r2-server/

  • David Jennaway

    If you change anything related to Claims or IFD in Deployment Manager, then you may need to update the metadata on the relying party trusts in ADFS Manager. By default I think ADFS should check for changes to the metadata automatically, but I find it best to manually force the update. Also, after making changes, it is best to restart the ADFS service and the CRM app pool.
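
The metadata refresh Wouter lists as GUI steps above, plus the service restart David recommends, as one scripted sequence. This is an added example, not code from the thread; the relying party display name, the CRM federation metadata URL, the CRM host name and the app pool name are assumptions and need to match your deployment (the CRM app pool is normally called CRMAppPool, but check with Get-IISAppPool or IIS Manager).

```powershell
# Added example (not from this thread): refresh the CRM relying party trust
# from its federation metadata, then restart AD FS and recycle the CRM app pool.
# Run elevated on the AD FS server. All names and URLs below are assumptions.

$rpName      = 'CRM IFD Relying Party'   # assumed display name of the trust in AD FS Manager
$metadataUrl = 'https://internalcrm.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'  # assumed
$crmHost     = 'crm.contoso.com'         # assumed CRM front-end server
$appPool     = 'CRMAppPool'              # CRM default app pool name; verify on your server

# Windows Server 2012 R2+ ships the ADFS module. On AD FS 2.0 load the snap-in
# instead:  Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS -ErrorAction Stop

# Record what the trust points at now, so the change is visible afterwards.
$before = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $before) { throw "Relying party trust '$rpName' not found" }
"Before: identifiers = $($before.Identifier -join ', ')"
"        WS-Fed endpoint = $($before.WSFedEndpoint)"

# Equivalent of 'Update from Federation Metadata' in the GUI. The new org name
# changes the identifiers/endpoints in the metadata, which is why the old trust
# stopped matching. Leave certificate validation on for this fetch; if the
# chain is not trusted, fix the chain rather than bypassing the check.
Update-AdfsRelyingPartyTrust -TargetName $rpName -MetadataUrl $metadataUrl

$after = Get-AdfsRelyingPartyTrust -Name $rpName
"After:  identifiers = $($after.Identifier -join ', ')"
"        WS-Fed endpoint = $($after.WSFedEndpoint)"

# Restart the federation service (service name adfssrv) and recycle the CRM
# application pool on the CRM server.
Restart-Service adfssrv
Invoke-Command -ComputerName $crmHost -ScriptBlock {
    param($pool)
    Import-Module WebAdministration
    Restart-WebAppPool -Name $pool
} -ArgumentList $appPool
```

If the trust should instead be recreated from scratch (Wouter's "start over" advice), Remove-AdfsRelyingPartyTrust followed by Add-AdfsRelyingPartyTrust -MetadataUrl does that, but the issuance transform and authorization rules have to be re-applied afterwards, so export them with Get-AdfsRelyingPartyTrust first.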

  • Community Member (original poster)

    Thanks Wouter. I've looked at that one previously and it's not helped; it's a little confusing and has some omissions. I think the sts A record confused me somewhat - I assume that this points to the ADFS server? Is it needed?

  • Wouter Madou

    Assuming you are not using a proxy, you will need to put the sts record in your external DNS pointing to the external IP of the ADFS server, and in your internal DNS pointing to the internal IP.

    (Long story short: the sts record is used for your CRM public-facing connection, which in this case (without a proxy) is your ADFS server.)

    It is needed, yes.

    More info on DNS entries for ADFS:

    technet.microsoft.com/.../gg188591%28v=crm.6%29.aspx;MSPPError=-2147217396

  • Community Member (original poster)

    The link doesn't work. So, if I have my ADFS server as adfs.blah.com with an internal IP address of 10.10.10.10 then, on internal DNS, I point the SPN to the adfs.blah.com name with its internal domain\hostname?

  • Wouter Madou (suggested answer)

    New link:

    technet.microsoft.com/.../gg188591(v=crm.6).aspx

    You set your SPN to your federation service, which it sounds like you have set to adfs.blah.com, so yes.
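
A quick check that the two things discussed in this exchange are in place: the federation service name resolving to the right address from inside and from outside, and the HOST/ SPN for that name registered exactly once on the AD FS service account. This is an added example, not from the thread; the host name, both IP addresses, the external resolver and the service account are placeholders (the public address is from the TEST-NET-3 documentation range).

```powershell
# Added example (not from this thread): verify DNS and SPN for the federation
# service name. Every value below is an assumption; replace with your own.
$sts         = 'sts.blah.com'      # federation service name on the A records
$internalIp  = '10.10.10.10'       # expected answer from internal DNS (assumed)
$externalIp  = '203.0.113.10'      # expected answer from public DNS (assumed; TEST-NET-3)
$externalDns = '8.8.8.8'           # any resolver outside your network (assumed)
$svcAccount  = 'BLAH\svc_adfs'     # AD FS service account (assumed)

# 1. Split-brain DNS: internal clients must get the private address, external
#    clients the public one (the AD FS server itself when there is no proxy).
$int = @((Resolve-DnsName -Name $sts -Type A -ErrorAction Stop).IPAddress)
$ext = @((Resolve-DnsName -Name $sts -Type A -Server $externalDns -ErrorAction Stop).IPAddress)
"internal DNS: $sts -> $($int -join ', ')"
"external DNS: $sts -> $($ext -join ', ')"
if ($int -notcontains $internalIp) { Write-Warning "internal A record for $sts does not point at $internalIp" }
if ($ext -notcontains $externalIp) { Write-Warning "external A record for $sts does not point at $externalIp" }

# 2. Kerberos: HOST/<federation service name> must exist on the service account,
#    and only there. setspn -Q searches the whole forest, so it also surfaces a
#    stale copy on a machine account, which breaks integrated auth to the STS.
$spn = "HOST/$sts"
$q = & setspn -Q $spn 2>&1
$q
if ($q -match 'No such SPN found') {
    Write-Warning "SPN $spn is not registered. Register it with: setspn -S $spn $svcAccount"
}

# 3. Confirm the SPN sits on the service account and not somewhere else.
$onAccount = & setspn -L $svcAccount 2>&1
if ($onAccount -notmatch [regex]::Escape($spn)) {
    Write-Warning "$spn is not on $svcAccount (check which object setspn -Q listed above)"
}
```

setspn -S (rather than -A) refuses to add an SPN that already exists elsewhere in the forest, which is the safe choice when the old domain name's SPNs may still be lying around after a rename.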

  • Community Member (original poster)

    Digging some more into the logs I see this error: "The private key does not support the exchange KeySpec." I am using a Comodo PositiveSSL wildcard certificate.

    Any thoughts?

  • Wouter Madou (suggested answer)

    This is not my forte but I believe your certificate has not been generated with the XCN_AT_KEYEXCHANGE property for the KeySpec but with the XCN_AT_SIGNATURE instead. (There are only two options, had to look it up.)

    You will have to regenerate it.

    The Signature KeySpec is valid for encryption etc., just not for ADFS authentication.
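
The KeySpec Wouter refers to is not part of the certificate the CA issued; it is a property of how the private key was placed in the Windows CSP container (AT_KEYEXCHANGE = 1, AT_SIGNATURE = 2), usually decided by whatever tool generated the CSR or imported the PFX. The following added example, not from the thread, reads the KeySpec of the installed certificate and, if it is AT_SIGNATURE, re-imports the same PFX with the KeySpec AD FS expects, which avoids a reissue from the CA. The thumbprint, PFX path and store are assumptions.

```powershell
# Added example (not from this thread): check the KeySpec of the AD FS SSL /
# service-communication certificate and re-import the PFX as AT_KEYEXCHANGE
# if needed. Run elevated on the AD FS server. Thumbprint and path are assumed.
$thumb   = 'AABBCCDDEEFF00112233445566778899AABBCCDD'   # assumed thumbprint of the wildcard cert
$pfxPath = 'C:\certs\wildcard.pfx'                      # assumed location of the exported PFX
$store   = 'Cert:\LocalMachine\My'

$cert = Get-ChildItem $store | Where-Object Thumbprint -eq $thumb
if (-not $cert)                { throw "certificate $thumb is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "certificate $thumb has no private key in this store" }

# A legacy CSP key exposes its container info through .NET; KeyNumber is
# Exchange (AT_KEYEXCHANGE) or Signature (AT_SIGNATURE). A CNG/KSP key has no
# KeySpec at all ($cert.PrivateKey is $null on .NET 4.6+; certutil shows
# KeySpec = 0), so fall back to certutil's verbose dump in that case.
$isSignatureOnly = $false
$rsa = $cert.PrivateKey
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $rsa.CspKeyContainerInfo
    "Provider : $($info.ProviderName)"
    "KeyNumber: $($info.KeyNumber)"
    $isSignatureOnly = ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Signature)
} else {
    # certutil prints a line such as "KeySpec = 2 -- AT_SIGNATURE"
    $line = & certutil -v -store My $thumb | Select-String 'KeySpec'
    $line
    $isSignatureOnly = [bool]($line -match 'AT_SIGNATURE')
}

if (-not $isSignatureOnly) {
    "KeySpec is not AT_SIGNATURE; the 'exchange KeySpec' error comes from elsewhere."
    return
}

Write-Warning "Private key is AT_SIGNATURE; AD FS needs AT_KEYEXCHANGE. Re-importing the PFX."

# Remove the existing store entry so only one copy with the corrected KeySpec
# remains, then import the PFX with the AT_KEYEXCHANGE modifier. The password
# is read interactively; do not hard-code it in a script that gets committed.
Get-ChildItem $store | Where-Object Thumbprint -eq $thumb | Remove-Item
$pw = Read-Host 'PFX password'
& certutil -p $pw -importPFX $pfxPath AT_KEYEXCHANGE
Remove-Variable pw

# Re-check, then rebind AD FS to the certificate:
#   AD FS 3.0+ : Set-AdfsSslCertificate -Thumbprint $thumb
#   AD FS 2.0  : update the HTTPS binding on the Default Web Site in IIS
& certutil -v -store My $thumb | Select-String 'KeySpec'
```

Re-importing also grants the AD FS service account read access to the new key container only if it had it on the old one via inheritance, so after the import check the private key permissions (certlm.msc, Manage Private Keys) before restarting adfssrv.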
