You’re offline. This is a read only version of the page.
99
Hope everyone is doing okay, I am having a problem with my adfs relying party trust.
In my dev crm environment i configured claims based authentication using this url
adfs.domain/.../federationmetadata.xml
attached our wildcard certificate and completed this succesfully.
I then did my IFD Succesfully
Proof that Claims based authentication and IFD are configured and enabled.
After IFD and Claims based authentication was enabled succesfully, i then went to my ADFS server to add the relying party trust, This is where my problem lies.
When i enter my metadata url that contains my server name
CRMSERVERNAME.DOMAIN/.../federationmetadata.xml
I then get this error
Is there a location that would give me the correct URL, that i can enter into the Relying Party Trust Wizard??
This worked!! Once i added the crmapppool account to the cert with read rights it worked instantly.
Hello David,
The starting point here is to check this:
And to make sure, service accounts have access to read the certificate installed on CRM server by going to the certificate MMC -> manage private keys and provide adfs/crmapppool accounts access.
Pedo Thanks,
After alot of headbanging, and re-reading the manual multiple times it started making sense. I was indeed using the wrong url which is actually given to me when i finish my claims based wizard. My problem that I realized is that my xml that was suppose to be created using Claims Based Authentication is not operating correctly.
This is my current error:
Share
Report
All responses (
Answers (
Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=9.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Keyset does not exist at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters,
Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize,
SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize,
CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor
(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.
MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.
CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously):
Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #022B2AE9Detail: 8ce3aff7-e14b-48e9-a690-259e386c7dc0 -2147220970
System.Security.Cryptography.CryptographicException:
Keyset does not exist at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.
Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle,
SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize,
CspParameters parameters, Boolean useDefaultKeySize) at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm) at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey) at System.IdentityModel.EnvelopedSignatureWriter.
ComputeSignature() at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement() at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor) at
System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata) at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream) at Microsoft.Crm.Application.
Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl
(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously): Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #022B2AE9 <
Timestamp>2021-09-13T20:55:52.8143914Z false
Hello David,
Hope you are well.
I would require more details on the addresses you are using for CRM, but one thing its certainly wrong is you attempting to create a relying party trust using SERVERNAME.DOMAIN.
CRM needs 2 relying party trusts:
1- internal url party trust that will expose only 1 claims url under internalcrm.domain.com
2- auth relying party trust, which will expose all CRM adresses, including organizations URL's + dev + auth.
Everyhting should be behind a DNS record and not server names. DNS of type host A pointing to CRM server IP
You can also check first if the federation metadata url works on the browser itself, as it must. Both on CRM server and ADFS server.
Let us know your thoughts!
Stay up to date on forum activity by subscribing. You can also customize your in-app and email Notification settings across all subscriptions.
#1
André Arnaud de Cal...
291,240
Super User 2024 Season 2
#2
Martin Dráb
230,149
Most Valuable Professional
#3
nmaenpaa
101,156