We had a client with a CRM 2011 on-premises IFD environment that no one could log in to today, approximately one year after deployment. It turned out that the ADFS token-decrypting and token-signing certificates had rolled over, because the default validity for them is 365 days. The rollover itself completed fine on the ADFS side, but afterwards we were getting authentication errors and no one could log on to CRM.
The errors we were finding were a bit misleading:
- We had some CAPI errors in the Application Event Log indicating invalid 3rd party trusts which I assume were related to the recent Microsoft certificate revocation of certificates in reaction to the Flame malware saga.
- We also had token request errors in the ADFS 2.0 Admin Event Log “the federation service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of ‘urn:oasis:names:tc:SAML:1:0:am:password’ for the relying party https://crmorg.crmserver.example.com”.
I had suspected that the CRM Claims/IFD Configuration had cached some of the token details, including perhaps the certificate thumbprints, and now they were not being accepted.
The resolution is as follows:
- Disable Claims/IFD in CRM Deployment Manager
- Perform an IIS reset on the CRM server(s)
- Re-configure Claims & IFD in CRM Deployment Manager (same settings)
- Perform an IIS Reset on the CRM Server(s)
- In the ADFS 2.0 management console, under Trust Relationships > Relying Party Trusts, select each relying party trust for your CRM server and click the “Update from Federation Metadata …” action, so that the trust is refreshed from the metadata CRM publishes.
Hopefully a future CRM update will fix this (or already has). If not, either put the date in your calendar and repeat the process every year, or reconfigure ADFS to issue signing and decrypting certificates that last longer than the default 365 days. Bear in mind that a longer lifetime only postpones the problem and slows down key rotation; the durable fix is to know when the rollover will happen and refresh CRM's copy of the ADFS metadata before the new certificate is promoted to primary.
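The ADFS side of the manual refresh and the certificate-lifetime change can be scripted. The following is an added example, not code from the original post or from Microsoft: it checks whether each CRM relying party trust still holds the certificate CRM publishes in its federation metadata, refreshes the trust if not (the equivalent of the “Update from Federation Metadata …” action), turns on ADFS-side metadata monitoring, and lengthens the lifetime of the next auto-generated certificates. It assumes an ADFS 2.0 server with the ADFS snap-in, and the trust names and the 1825-day duration are placeholders for your own values.

```powershell
# Added example (not from the original post or from Microsoft): verify that each CRM relying
# party trust in ADFS still holds the certificate CRM publishes in its federation metadata,
# refresh the trust if not, turn on ADFS-side metadata monitoring, and lengthen the lifetime
# of the next auto-generated token-signing/token-decrypting certificates.
# Assumptions: runs on an ADFS 2.0 server as an ADFS administrator; the trust names below are
# hypothetical placeholders for whatever your CRM relying party trusts are called.
param(
    [string[]]$TrustNames = @("CRM Internal", "CRM IFD"),   # hypothetical names
    [int]$CertificateDurationDays = 1825                      # e.g. 5 years instead of the default 365
)

if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.ADFS.PowerShell      # ADFS 2.0; on 2012 R2 and later use Import-Module ADFS instead
}

function Get-MetadataThumbprints([string]$MetadataUrl) {
    # Download a federation metadata document and return the SHA-1 thumbprints of every
    # certificate it carries (KeyDescriptor/KeyInfo/X509Data/X509Certificate).
    $raw = (New-Object System.Net.WebClient).DownloadString($MetadataUrl)
    $xml = [xml]$raw
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    $nodes = $xml.SelectNodes("//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    foreach ($n in $nodes) {
        $bytes = [Convert]::FromBase64String($n.InnerText.Trim())
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$bytes)
        $cert.Thumbprint
    }
}

foreach ($name in $TrustNames) {
    $trust = Get-ADFSRelyingPartyTrust -Name $name
    if ($null -eq $trust) { Write-Warning "Relying party trust '$name' not found"; continue }
    if (-not $trust.MetadataUrl) {
        Write-Warning "'$name' was not created from a metadata URL; update it by hand in the console"
        continue
    }
    $published = @(Get-MetadataThumbprints $trust.MetadataUrl)
    $held = if ($trust.EncryptionCertificate) { $trust.EncryptionCertificate.Thumbprint } else { "<none>" }
    if ($published -contains $held) {
        Write-Host "'$name': encryption certificate $held matches $($trust.MetadataUrl)"
    } else {
        Write-Warning "'$name': trust holds $held but metadata publishes $($published -join ', '); refreshing"
        Update-ADFSRelyingPartyTrust -TargetName $name      # same as 'Update from Federation Metadata...' in the console
    }
    # Let ADFS poll CRM's metadata itself, so the trust follows CRM after a Claims/IFD re-configuration.
    Set-ADFSRelyingPartyTrust -TargetName $name -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Applies to the NEXT generated certificates only: the current ones keep their NotAfter date.
# Forcing a rollover now (Update-ADFSCertificate -CertificateType Token-Signing -Urgent) puts the
# long-lived certificate in place immediately, but it breaks CRM exactly like the annual rollover
# did, so schedule the CRM Claims/IFD re-configuration around it.
Set-ADFSProperties -CertificateDuration $CertificateDurationDays
```

Note that this only covers the ADFS side of the trust. CRM caches the ADFS token-signing certificate when claims-based authentication is configured, which is why disabling and re-enabling Claims/IFD in Deployment Manager is still needed after a rollover; ADFS-side monitoring of the CRM metadata does not touch that cache.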
To see how your ADFS server is configured with respect to certificate auto-rollover, run the following PowerShell commands on the ADFS server:
Add-PSSnapin Microsoft.ADFS.PowerShell
Get-ADFSProperties
and check the following settings:
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateSharingContainer :
CertificateThresholdMultiplier : 1440
From these settings you can read that ADFS will:
- roll the token-signing and token-decrypting certificates over automatically (AutoCertificateRollover)
- issue each new certificate with a validity of 365 days (CertificateDuration)
- generate the replacement certificate 20 days before the current one expires (CertificateGenerationThreshold); it is added as a secondary certificate and published in the ADFS federation metadata at that point
- promote the replacement to primary 5 days after generating it, i.e. about 15 days before the old one expires (CertificatePromotionThreshold is counted from generation, not from expiry); from this moment tokens are signed with the new key, and a relying party such as CRM that has not refreshed its copy of the ADFS metadata starts rejecting them, so this is when CRM will start failing
- if no replacement exists 2 days before expiry, generate one and promote it immediately (CertificateCriticalThreshold)
- evaluate these conditions every 720 minutes, i.e. twice a day (CertificateRolloverInterval), so the actual rollover can happen up to 12 hours after the computed time; the thresholds above are in days because CertificateThresholdMultiplier is 1440, the number of minutes in a day
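The settings only give the rules; what a CRM administrator wants is the actual date on which the current certificates will be replaced. The following is an added example, not code from the original post or from Microsoft: it combines Get-ADFSProperties with the NotAfter dates of the current token-signing and token-decrypting certificates to compute when the replacement will be generated and when it will be promoted to primary, and warns while there is still time to schedule the CRM Claims/IFD re-configuration. It assumes an ADFS 2.0 server with the ADFS snap-in; the one-week warning lead time is an arbitrary choice.

```powershell
# Added example (not from the original post or from Microsoft): turn the Get-ADFSProperties
# values into a concrete timeline for the current token-signing and token-decrypting
# certificates, so the day CRM stops accepting tokens is known in advance.
# Assumptions: runs on an ADFS 2.0 server; the warning lead time is an arbitrary choice.
if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.ADFS.PowerShell      # ADFS 2.0; on 2012 R2 and later use Import-Module ADFS instead
}

$p = Get-ADFSProperties
if (-not $p.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is off: ADFS will not rotate these certificates, only let them expire"
}

# The thresholds are in days only because CertificateThresholdMultiplier is 1440 (minutes per day);
# scale them so the arithmetic stays right if someone changed the multiplier.
$dayFactor = $p.CertificateThresholdMultiplier / 1440
$genDays   = $p.CertificateGenerationThreshold * $dayFactor   # replacement generated this many days BEFORE expiry
$promoDays = $p.CertificatePromotionThreshold  * $dayFactor   # promoted to primary this many days AFTER generation
$critDays  = $p.CertificateCriticalThreshold   * $dayFactor   # under this many days to expiry ADFS generates and promotes at once
$pollHours = $p.CertificateRolloverInterval / 60              # ADFS checks on this interval, so dates below can slip by up to that

$now  = Get-Date
$rows = foreach ($type in "Token-Signing", "Token-Decrypting") {
    foreach ($c in Get-ADFSCertificate -CertificateType $type) {
        $expires  = $c.Certificate.NotAfter
        $generate = $expires.AddDays(-$genDays)
        $promote  = $generate.AddDays($promoDays)   # when a relying party holding stale ADFS metadata breaks
        New-Object PSObject -Property @{
            Type            = $type
            Primary         = $c.IsPrimary
            Thumbprint      = $c.Thumbprint
            Expires         = $expires
            NewCertOn       = $generate
            PromotedOn      = $promote
            DaysToPromotion = [math]::Round(($promote - $now).TotalDays, 1)
        }
    }
}

$rows | Sort-Object Type | Format-Table Type, Primary, Thumbprint, Expires, NewCertOn, PromotedOn, DaysToPromotion -AutoSize
Write-Host ("Rollover check every {0} hours; generation {1}d before expiry, promotion {2}d after generation, critical at {3}d before expiry" -f $pollHours, $genDays, $promoDays, $critDays)

# Warn while the replacement is still only a secondary certificate, i.e. while there is time
# to schedule the CRM Claims/IFD re-configuration instead of finding out from the helpdesk.
$leadDays = $promoDays + 7      # arbitrary: one week on top of the promotion delay
foreach ($r in $rows | Where-Object { $_.Primary }) {
    if ($r.DaysToPromotion -le $leadDays) {
        Write-Warning ("{0}: replacement certificate becomes primary on {1:yyyy-MM-dd} ({2} days); refresh CRM's copy of the ADFS metadata before then" -f $r.Type, $r.PromotedOn, $r.DaysToPromotion)
    }
}
```

Run it from a scheduled task that mails the warnings, and the annual outage turns into a planned maintenance window. Once a secondary certificate is listed (Primary = False) the replacement has already been generated and is in the ADFS federation metadata, so that is the earliest point at which CRM's Claims/IFD configuration can be refreshed to pick it up.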