Customer experience | Sales, Customer Insights,...

ADFS Relying Party Trust Help

(0) Share

Report

Posted on by David Lewis

106

Hope everyone is doing okay, I am having a problem with my adfs relying party trust.

In my dev crm environment i configured claims based authentication using this url

adfs.domain/.../federationmetadata.xml

attached our wildcard certificate and completed this succesfully.

I then did my IFD Succesfully

Proof that Claims based authentication and IFD are configured and enabled.

After IFD and Claims based authentication was enabled succesfully, i then went to my ADFS server to add the relying party trust, This is where my problem lies.

When i enter my metadata url that contains my server name

CRMSERVERNAME.DOMAIN/.../federationmetadata.xml

I then get this error

Is there a location that would give me the correct URL, that i can enter into the Relying Party Trust Wizard??

All responses (4)

Answers (0)

Suggested answer

David Lewis 106 on at

Like (0)

Report

RE: ADFS Relying Party Trust Help

This worked!! Once i added the crmapppool account to the cert with read rights it worked instantly.
Suggested answer

Pedro Cadavez de Fr... on at

Like (0)

Report

RE: ADFS Relying Party Trust Help

Hello David,

The starting point here is to check this:

support.microsoft.com/.../error-after-updating-ssl-certificate-used-by-microsoft-dynamics-crm-2013-8800bbc9-e0f5-c427-27a4-bea4733e6187

And to make sure, service accounts have access to read the certificate installed on CRM server by going to the certificate MMC -> manage private keys and provide adfs/crmapppool accounts access.
David Lewis 106 on at

Like (0)

Report
RE: ADFS Relying Party Trust Help

Pedo Thanks,

After alot of headbanging, and re-reading the manual multiple times it started making sense. I was indeed using the wrong url which is actually given to me when i finish my claims based wizard. My problem that I realized is that my xml that was suppose to be created using Claims Based Authentication is not operating correctly.

This is my current error:

Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=9.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Keyset does not exist at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor (XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims. MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication. CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously): Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #022B2AE9Detail: 8ce3aff7-e14b-48e9-a690-259e386c7dc0 -2147220970 System.Security.Cryptography.CryptographicException: Keyset does not exist at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security. Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter. ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application. Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl (IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously): Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #022B2AE9 < Timestamp>2021-09-13T20:55:52.8143914Z false
Suggested answer

Pedro Cadavez de Fr... on at

Like (0)

Report

RE: ADFS Relying Party Trust Help

Hello David,

Hope you are well.

I would require more details on the addresses you are using for CRM, but one thing its certainly wrong is you attempting to create a relying party trust using SERVERNAME.DOMAIN.

CRM needs 2 relying party trusts:

1- internal url party trust that will expose only 1 claims url under internalcrm.domain.com

2- auth relying party trust, which will expose all CRM adresses, including organizations URL's + dev + auth.

Everyhting should be behind a DNS record and not server names. DNS of type host A pointing to CRM server IP

You can also check first if the federation metadata url works on the browser itself, as it must. Both on CRM server and ADFS server.

Let us know your thoughts!

Community site session details

ADFS Relying Party Trust Help

Helpful resources

Quick Links

Understanding Microsoft Agents - Introductory Session

Jonas ”Jones” Melgaard – Community Spotlight

Kudos to the March Top 10 Community Stars!

Leaderboard

Featured topics

Product updates

Community site session details

ADFS Relying Party Trust Help

Helpful resources

Quick Links

Understanding Microsoft Agents - Introductory Session

Jonas ”Jones” Melgaard – Community Spotlight

Kudos to the March Top 10 Community Stars!

Subscribe to this forum!

Select categories

Leaderboard

Featured topics

Product updates