CRM 2011 Login Failures in IFD/Claims with ADFS Auto Certificate Rollover

We had a client with CRM 2011 On premises IFD environment that no-one could log in to today – approximately 1 year after deployment.  It turned out that the ADFS Token-decrypting and ADFS token-signing certificates rolled over as the default validity for them is 365 days.  While the new certs were rolled over OK, we were getting authentication errors and no-one could log on to CRM.

ADFS Token Certificates

The errors we were finding were a bit misleading:

  • We had some CAPI errors in the Application Event Log indicating invalid 3rd party trusts which I assume were related to the recent Microsoft certificate revocation of certificates in reaction to the Flame malware saga.
  • We also had token request errors in the ADFS 2.0 Admin Event Log  “the federation service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of ‘urn:oasis:names:tc:SAML:1:0:am:password’ for the relying party https://crmorg.crmserver.example.com”.

Location of the ADFS 2.0 Admin Event Log:
ADFS Server Event Log

ADFS Server CAPI Error

ADFS Server CRM Authentication Error

I had suspected that the CRM Claims/IFD Configuration had cached some of the token details, including perhaps the certificate thumbprints, and now they were not being accepted.

The resolution is as follows:

  • Disable Claims/IFD in CRM Deployment Manager
  • Perform an IIS Reset con the CRM Server(s)
  • Re-configure Claims & IFD in CRM Deployment Manager (same settings)
  • Perform an IIS Reset on the CRM Server(s)
  • Manually update the Federation Metadata for each of your CRM Relying Party Trusts for your CRM server in ADFS/Trust Relationships, and clicking the “Update from Federation Metadata …” action.

Hopefully a future CRM Service Release might fix (or have already fixed) this.  If not, then be prepared to either mark this date in your calendar and repeat the process every year, or reconfigure your ADFS to use certificates for signing and decrypting that last a bit longer than the default 365 days.

To see how your ADFS Server is configured in respect to Certificate Auto Rollover, try the following powershell commands:

Add-PSSnapin Microsoft.ADFS.PowerShell
Get-ADFSProperties

and check the following settings:

AutoCertificateRollover        : True
CertificateCriticalThreshold   : 2
CertificateDuration            : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold  : 5
CertificateRolloverInterval    : 720
CertificateSharingContainer    : 
CertificateThresholdMultiplier : 1440

 From these settings you can read that ADFS will generate a new certificate for decrypting/signing that will be:

  • Automatically rolled over
  • valid for 365 days
  • be re-geneated 20 days before expiry
  • be promoted to be the primary cert 5 days before expiry (this is when CRM will start failing)
Advertisements

About nzregs

Senior Technical Evangelist at Microsoft NZ
This entry was posted in Claims Based Auth & Internet Facing Deployment (IFD), CRM IFD Deployment, Dynamics CRM and tagged , , , , . Bookmark the permalink.

7 Responses to CRM 2011 Login Failures in IFD/Claims with ADFS Auto Certificate Rollover

  1. Fervis says:

    I’ve spent an entire day tracking down what turned out to be this exact problem. Thanks to you and this post, I can sleep tonight. Thanks!

  2. nang says:

    I had the same problem. These instructions solved it. Thanks a lot!

  3. Pingback: Ran into this issue today with ADFS certificate rollover | Orwin.ca

  4. mukesh says:

    Hi…I have wild card certificate which is going to expire on 21st nov,2012.So please tell me what are the steps which I have to follow to to update certificate and ADFS 2.0.

    1.Does I have to attached renewed certificate again to default website and CRM website.

    2.Does I have to add these entry again to MMC for personal and Trusted certificate.

    If Not,then do let me know what are the steps that need to perform as still there are 20 days for certificate expiration.

    • nzregs says:

      Hi Mukesh

      Yes, you will have to re-load or update the certificate on all your websites. Make sure you include the version with the private key.

      If you used the Wildcard cert as the Token Signing/Decrypting certificate on ADFS 2.0 then you will have also have to load the new ones there, promote to primary, and re-configure the CRM claims/IFD (to make CRM recognise and load the new certificate info).

      When you load the new certs, make sure to give the appropriate user (e.g. Network Service) access to read the private key of the cert.

      Regan.

  5. Sai Prasad says:

    This cant be done every year when the ADFS token certificate renews itself and we cant expect the services to go down every year knowing that this would happen.

    Solution: Put this script in your ADFS server.
    http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

    • nzregs says:

      Thanks, that looks like a great solution for Office 365 federation. I haven’t seen one around for CRM On Premises though but it should be possible as there are powershell commands for configuring claims/IFD for CRM On Premises.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s