Monday, 13 August 2012

CRM 2011 / ADFS Renewed Certificates

CRM 2011 is a very particular beast.


I had an issue where the ADFS server was passing the credentials to the CRM box but CRM was not accepting them. A Windows Authentication box kept popping up, then eventually a 401 Not Authorized error would appear.

The Event Viewer moaned about a few things, but what's new with CRM?

It turned out that the ADFS Token-decrypting and Token-signing certificates (adfs.*.local) had expired, and my trusty ADFS farm had renewed them for me, because when they were installed we used the switch /autocertrolloverenabled.

However, CRM dislikes not being told about the new cert and requires you to set up Claims and IFD again!
To fix it, I had to follow this process (obviously take your snapshots and backups first):

  • Open CRM Deployment Manager, right click "Microsoft Dynamics CRM" and then click Disable Claims Based Authentication.
  • IISReset both front end servers (web farm).
  • Open CRM Deployment Manager, right click "Microsoft Dynamics CRM" and click Configure Claims Based Authentication and follow the wizard (with the defaults as they come from the database).
  • Then right click "Microsoft Dynamics CRM" and click Configure Internet Facing Deployment and follow the wizard.
  • IISReset both web servers.
  • Cross fingers.
  • Cross toes.
  • On the ADFS server, open ADFS 2.0 Management, under Trust Relationships click Relying Party Trusts, then right click each of the CRM URLs and choose Update from Federation Metadata.
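As an added example (not from the original post), here is the ADFS 2.0 side of the same check in PowerShell: it shows whether automatic rollover is on, when the token certificates were issued and expire, and when ADFS last refreshed each CRM relying party trust from federation metadata. The ADFS 2.0 snap-in is assumed to be installed on the ADFS server, and the relying party name filter '*crm*' is an assumption to be adjusted to what ADFS 2.0 Management shows.

```powershell
# Added example, not part of the original post. Run in an elevated
# PowerShell on the ADFS 2.0 server (assumes the ADFS 2.0 snap-in is present).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Is automatic certificate rollover enabled? If so, ADFS replaces the
#    Token-Signing and Token-Decrypting certificates on its own before expiry,
#    and nothing tells CRM about the new certificates.
$props = Get-ADFSProperties
"AutoCertificateRollover : $($props.AutoCertificateRollover)"

# 2. List the token certificates with issue and expiry dates. A primary
#    certificate with a recent NotBefore is the sign that a rollover happened.
Get-ADFSCertificate |
    Where-Object { $_.CertificateType -ne 'Service-Communications' } |
    ForEach-Object {
        [pscustomobject]@{
            Type       = $_.CertificateType
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.Certificate.NotBefore
            NotAfter   = $_.Certificate.NotAfter
        }
    } | Format-Table -AutoSize

# 3. For each CRM relying party trust (name filter is an assumption), show the
#    metadata URL and when ADFS last pulled CRM's federation metadata. After
#    reconfiguring Claims/IFD in Deployment Manager this must be refreshed,
#    which is what the GUI "Update from Federation Metadata" step does.
$crmTrusts = Get-ADFSRelyingPartyTrust | Where-Object { $_.Name -like '*crm*' }
foreach ($rp in $crmTrusts) {
    "{0}: MetadataUrl={1} AutoUpdate={2} LastUpdate={3}" -f `
        $rp.Name, $rp.MetadataUrl, $rp.AutoUpdateEnabled, $rp.LastUpdateTime
    # Uncomment to do the same as the GUI step for this trust:
    # Update-ADFSRelyingPartyTrust -TargetRelyingParty $rp
}
```

If LastUpdateTime predates the Claims/IFD reconfiguration, the trust is still holding CRM's old metadata and needs the update.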
