Microsoft Dynamics CRM forum
Suggested answer

ADFS Relying Party Trust Help

Posted on by 97

Hope everyone is doing okay, I am having a problem with my adfs relying party trust.

In my dev crm environment i configured claims based authentication using this url

 adfs.domain/.../federationmetadata.xml

attached our wildcard certificate and completed this successfully.

I then did my IFD successfully.

pastedimage1631216456693v4.png

Proof that Claims based authentication and IFD are configured and enabled.

pastedimage1631215929487v3.png

After IFD and Claims based authentication were enabled successfully, I then went to my ADFS server to add the relying party trust. This is where my problem lies.

pastedimage1631215756476v1.png

When I enter my metadata URL that contains my server name

 CRMSERVERNAME.DOMAIN/.../federationmetadata.xml

I then get this error

pastedimage1631215811504v2.png

Is there a location that would give me the correct URL that I can enter into the Relying Party Trust Wizard?

  • Suggested answer
    David Lewis
    RE: ADFS Relying Party Trust Help

    This worked!! Once I added the crmapppool account to the cert with read rights it worked instantly.

  • Suggested answer
    RE: ADFS Relying Party Trust Help

    Hello David,

    The starting point here is to check this:

    support.microsoft.com/.../error-after-updating-ssl-certificate-used-by-microsoft-dynamics-crm-2013-8800bbc9-e0f5-c427-27a4-bea4733e6187

    And to make sure, service accounts have access to read the certificate installed on CRM server by going to the certificate MMC -> manage private keys and provide adfs/crmapppool accounts access.
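The private-key permission check this answer describes, as an added example that is not part of the thread or of any Microsoft tooling: the PowerShell below locates the key file behind a certificate in LocalMachine\My and tests or grants Read for a service account, which is what "Manage Private Keys" in the certificate MMC does by hand. The thumbprint and the DOMAIN\crmapppool and DOMAIN\adfssvc account names are placeholders; the key-file folders under %ProgramData%\Microsoft\Crypto are the standard machine-key locations for legacy CSP keys and for CNG keys.

```powershell
# Added example: find a certificate's private key file and check/grant Read for
# the service accounts named in the thread. Assumptions: the certificate sits in
# LocalMachine\My with a machine key; thumbprint and account names are placeholders.

function Get-MachineKeyPath {
    [CmdletBinding()]
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store (one cause of 'Keyset does not exist')."
    }
    # GetRSAPrivateKey returns RSACryptoServiceProvider for legacy CSP keys and RSACng for
    # CNG keys; the two providers keep their key files in different folders.
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    $base = Join-Path $env:ProgramData 'Microsoft\Crypto'
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path (Join-Path $base 'RSA\MachineKeys') $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path (Join-Path $base 'Keys') $rsa.Key.UniqueName
    }
    throw "Unsupported private key provider: $($rsa.GetType().FullName)"
}

function Test-PrivateKeyRead {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][string]$Account)

    $acl = Get-Acl -Path $KeyPath
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in $acl.Access) {
        # Compare by SID so 'DOMAIN\name' and a raw SID in the ACL match the same principal.
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $sid -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $read) -eq $read)) {
            return $true
        }
    }
    return $false
}

function Grant-PrivateKeyRead {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][string]$Account)

    # Read is enough for signing; avoid granting Full Control to a service account.
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($KeyPath, "Grant Read to $Account")) {
        Set-Acl -Path $KeyPath -AclObject $acl
    }
}

# Usage (placeholders): the wildcard certificate configured in the claims wizard and
# the accounts the answer names (CRM app pool and ADFS service account).
$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$cert       = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$keyPath    = Get-MachineKeyPath -Certificate $cert
foreach ($account in @('DOMAIN\crmapppool', 'DOMAIN\adfssvc')) {
    if (Test-PrivateKeyRead -KeyPath $keyPath -Account $account) {
        Write-Output "$account already has Read on $keyPath"
    } else {
        Grant-PrivateKeyRead -KeyPath $keyPath -Account $account -WhatIf   # drop -WhatIf to apply
    }
}
```

Run it elevated on the CRM server; the `-WhatIf` shows what would change before any ACL is written. The "Keyset does not exist" exception in the trace further down the thread is exactly what the federation metadata handler throws when the app pool identity cannot open this key file.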

  • David Lewis
    RE: ADFS Relying Party Trust Help

    Pedo Thanks,

    After a lot of headbanging, and re-reading the manual multiple times, it started making sense. I was indeed using the wrong URL, which is actually given to me when I finish my claims based wizard. The problem I realized is that the XML that was supposed to be created using Claims Based Authentication is not operating correctly.

    This is my current error:

      Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=9.0.0.0, Culture=neutral, 
      PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Keyset does not exist at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, 
      Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, 
      SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, 
      CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() 
      at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) 
      at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor
      (XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.
      MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.
      CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously): 
      Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #022B2AE9Detail:  8ce3aff7-e14b-48e9-a690-259e386c7dc0 -2147220970 
       System.Security.Cryptography.CryptographicException: 
      Keyset does not exist at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.
      Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, 
      SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, 
      CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() 
      at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter.
      ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at 
      System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.
      Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl
      (IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously): Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #022B2AE9 <
      Timestamp>2021-09-13T20:55:52.8143914Z false 

  • Suggested answer
    RE: ADFS Relying Party Trust Help

    Hello David,

    Hope you are well.

    I would require more details on the addresses you are using for CRM, but one thing that's certainly wrong is you attempting to create a relying party trust using SERVERNAME.DOMAIN.

    CRM needs 2 relying party trusts:

    1- Internal URL party trust that will expose only one claims URL under internalcrm.domain.com

    2- Auth relying party trust, which will expose all CRM addresses, including organization URLs + dev + auth.

    Everything should be behind a DNS record and not server names: a DNS record of type host (A) pointing to the CRM server IP.

    You can also check first if the federation metadata url works on the browser itself, as it must. Both on CRM server and ADFS server.

    Let us know your thoughts!
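The browser check this answer recommends, done as a script so it can be run identically on the CRM server and the ADFS server. This is an added example, not part of the thread: for each metadata URL it records what DNS returns for the host, whether the HTTPS fetch succeeds, the entityID of the SAML EntityDescriptor, and the thumbprint of the certificate in the enveloped XML-DSig signature, then checks whether that certificate is present in the local machine store. The hostnames are placeholders in the .example domain; the /FederationMetadata/2007-06/FederationMetadata.xml path is the standard WS-Federation metadata path, and Resolve-DnsName is assumed available (Windows 8 / Server 2012 and later).

```powershell
# Added example: verify federation metadata URLs from the machine you run this on.
# Hostnames are constructed placeholders; replace them with your own DNS names.

function Test-FederationMetadata {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Url)

    $result = [ordered]@{ Url = $Url; Host = ([uri]$Url).Host }

    # 1. DNS: the answer wants a host (A) record in front of CRM, not a raw server name.
    try {
        $dns = Resolve-DnsName -Name $result.Host -ErrorAction Stop
        $result.DnsRecordTypes = ($dns | ForEach-Object { $_.Type.ToString() } | Sort-Object -Unique) -join ','
    } catch {
        $result.DnsRecordTypes = "unresolved: $($_.Exception.Message)"
    }

    # 2. HTTPS fetch: a server error here is what CRM returns when it cannot sign the
    #    document (the 'Keyset does not exist' case), so keep the error text for the report.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    } catch {
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    $result.HttpStatus = $resp.StatusCode

    # 3. Parse: the root must be a SAML EntityDescriptor carrying an enveloped signature.
    $xml = [xml]$resp.Content
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $entity = $xml.SelectSingleNode('/md:EntityDescriptor', $ns)
    $result.EntityId = if ($entity) { $entity.GetAttribute('entityID') } else { 'no md:EntityDescriptor root' }

    $certNode = $xml.SelectSingleNode('/md:EntityDescriptor/ds:Signature//ds:X509Certificate', $ns)
    if ($certNode) {
        $bytes  = [Convert]::FromBase64String($certNode.InnerText)
        $signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
        $result.SigningCertSubject    = $signer.Subject
        $result.SigningCertThumbprint = $signer.Thumbprint
        # A mismatch here means the endpoint signs with a different certificate than the
        # one you attached in the claims wizard / ADFS.
        $result.SigningCertInLocalStore = Test-Path "Cert:\LocalMachine\My\$($signer.Thumbprint)"
    } else {
        $result.SigningCertThumbprint = 'no ds:Signature found'
    }
    [pscustomobject]$result
}

# Placeholder URLs (constructed): the ADFS endpoint plus the internal and auth CRM endpoints
# that the two relying party trusts described above would be built from.
@(
    'https://adfs.domain.example/FederationMetadata/2007-06/FederationMetadata.xml',
    'https://internalcrm.domain.example/FederationMetadata/2007-06/FederationMetadata.xml',
    'https://auth.domain.example/FederationMetadata/2007-06/FederationMetadata.xml'
) | ForEach-Object { Test-FederationMetadata -Url $_ } | Format-List
```

Run the same script on both servers and compare the output: an entry whose DnsRecordTypes is empty, whose Error is set, or whose SigningCertInLocalStore is False points at the DNS, handler or certificate problem respectively, which is the order this answer suggests checking in.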
