MSCRM 2013 IFD Organization Service - dynamics-crm

I have an issue with the IFD configuration of my CRM organization.
When I try to access the public address https://organization.domain.com/XRMServices/2011/OrganizationService.svc?wsdl, the browser redirects to the ADFS page for credentials. I would like to view the WSDL directly, because the CRM plugin for Outlook doesn't work.
ADFS is version 3.0 and uses WAP (the new ADFS Proxy for 3.0) to expose the STS on the internet.
Thanks for your help.

I've solved the problem by setting pre-authentication pass-through on WAP / ADFS Proxy

Related

Trouble configuring ADFS + OWA on Exchange Server 2019

Overview:
We're trying to configure SSO for OWA on Exchange 2019 server (on-premise), using ADFS. When going to https://mail.domain.com/owa we're experiencing multiple redirects between ADFS and OWA before we get an error in ADFS, followed by an error in the Windows Event logs that says:
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
https://mail.domain.com/owa/
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '0' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateLoopDetectionCookie(WrappedHttpListenerContext context)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.ProcessCommonCookiesInLastAuthenticationStage(ProtocolContext context)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponse(WSFederationContext context, MSISSignInResponse response)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Steps to reproduce:
Install Exchange Server 2019
Install ADFS and configure SSO exactly following the steps outlined on the following article (click here)
Navigate to https://mail.domain.com/owa.
Troubleshooting so far:
Confirmed that ECP and OWA External URLs match the audiences set in PowerShell.
Confirmed that the user I'm attempting to sign in as is able to authenticate using FBA.
Confirmed that OWA is working as expected.
Servers + configuration:
Exchange Server 2019 15.02.0221.017 configured with a self-signed certificate
ADFS 4.0 configured with a self-signed certificate
Question(s):
Where can I go to get the OWA logs detailing why OWA is redirecting back to ADFS?
Is there anything in the above-linked article that's incorrect?
After a bit more testing we found that if we used IE11, the problem went away. The problem only existed for Chrome or Edge Chromium.
We decided to update to Exchange 2019 CU10, and there were no further issues.

Not able to capture request response for CRM Dynamics 365 app using Jmeter

While the system proxy is set with JMeter, the CRM Dynamics 365 app prompts for credentials repeatedly until it finally gives an "HTTP 401.1 - Unauthorized: Access is denied" error. Without the proxy, users can access the CRM application with ease in browsers. The following steps have already been taken, but no luck yet.
JMeter root certificate is installed
Domain admin credentials are used for login
For authentication, NTLM service provider is set at IIS
Any help is appreciated!
In the recorder's Advanced tab, switch the HTTP request implementation to Java and try again.
If it doesn't work, investigate whether it's NTLM or Kerberos.
Alternatively, you can start authenticating without the proxy setup and, once done, switch the browser to use the JMeter proxy.
You can record test cases over BlazeMeter then import them into JMeter. That worked for me.

Getting error while fetch the page of ADFS

I have installed ADFS 2.0 on Windows Server 8. When I try to fetch the page (FormsSignIn.aspx), which is under the adfs/ls directory, I get the error below:
There was a problem accessing the site. Try to browse to the site again.
I have checked the logs in event viewer and got the below message
Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)
I have checked all the possible ways but am not able to resolve this problem.
Please assist.
If you are wanting to utilize Forms authentication in ADFS, you do not access this page directly; rather, you configure the ADFS web.config for forms authn and you claims-enable your application / service provider (SP). The methods for claims-enabling an application can vary depending on the version of Windows Identity Foundation (WIF) used.

Setting up ADFS for Dynamics CRM

I'm in the process of setting up IFD for CRM, and can't get past the internal login part of the claims-based setup. I can browse both the ADFS and CRM metadata. When I try to browse to the internal CRM URL (https://internalcrm3.XXX.com:447/crm2013) I get prompted for credentials to ADFS ("Enter username and password for https://adfs3.xxx.com"). The URL has changed to the ADFS URL (https://adfs3.xxx.com/adfs/ls/wia?....) at this point, upon the login failure. There are no errors in the ADFS event log, and I'm not sure where to check for this failure. The CRM site worked prior to me setting up claims-based authentication. I'm using Windows 2012 R2, and I'm running CRM on port 447.
Fiddler shows a 200 from internalcrm3, and a 200 for adfs3 (it shows adfs3 is on 443, but I haven't set up anything in IIS for this, as it's the 2012r2 version of adfs)
If I browse https://adfs3..com/adfs/ls/idpinitiatedsignon, I am prompted and can log in with the same credentials I'm trying above.

How to validate token, in ASP.NET Web API 2, which is provided by new OAuth 2 end point of ADFS that is part of Windows Server 2012?

Recently, MS spoke at the Build 2013 conference in a session titled "Securing Windows Store Applications and REST Services with Active Directory"; the video is posted at http://channel9.msdn.com/Events/Build/2013/3-518
This session talks about the new OAuth endpoint that is part of ADFS in Windows Server 2012, and about token validation in ASP.NET Web API using AAL, for which Windows Azure Active Directory is required.
But I would like to try the on-premise ADFS of Server 2012.
Which library should I use within the MS framework to validate the token in ASP.NET Web API 2?
What is the token format you plan to use? Will it be SAML as-is, or do you plan to transform it to maybe JWT? Azure ACS can give you JWT or you can use Thinktecture Identity Server. Check this out. SAML can get bulky at times and you can have problems transporting the tokens in an HTTP header depending on the token size.
If you plan to use SAML, you can use WIF classes SecurityTokenHandlerCollection, etc. For JWT, there is a library available with a long name of "JSON Web Token Handler For the Microsoft .Net Framework 4.5". Check this out as well.
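The JWT route mentioned in the answer above, as an added example that is not code from the answerer or from Microsoft: it validates a token with JwtSecurityTokenHandler from the System.IdentityModel.Tokens.Jwt NuGet package (the current API, which differs from the 2013 release). The issuer and audience URLs, the class and method names, and the in-process RSA key standing in for the AD FS token-signing key are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class AdfsJwtValidationDemo
{
    // Assumed values: the AD FS issuer identifier and the Web API's relying-party identifier.
    const string Issuer = "http://adfs.example.com/adfs/services/trust";
    const string Audience = "https://api.example.com/";

    // Pin issuer, audience, signing key and lifetime; anything else is rejected.
    static TokenValidationParameters Parameters(SecurityKey signingKey) =>
        new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = Audience,
            ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey,
            ValidateLifetime = true, RequireExpirationTime = true,
            RequireSignedTokens = true, ClockSkew = TimeSpan.FromMinutes(2)
        };

    public static bool TryValidate(string jwt, SecurityKey key, out ClaimsPrincipal principal)
    {
        try
        {
            principal = new JwtSecurityTokenHandler().ValidateToken(jwt, Parameters(key), out _);
            return true;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            principal = null; // bad signature, issuer, audience, lifetime, or malformed token
            return false;
        }
    }

    // Constructed sample token; in production the token comes from AD FS, not from this code.
    static string Issue(SecurityKey key, string audience) =>
        new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            Issuer, audience, new[] { new Claim("upn", "alice@example.com") },
            DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5),
            new SigningCredentials(key, SecurityAlgorithms.RsaSha256)));

    public static void Main()
    {
        var key = new RsaSecurityKey(RSA.Create(2048)); // stand-in for the AD FS token-signing key
        Console.WriteLine(TryValidate(Issue(key, Audience), key, out _));
        Console.WriteLine(TryValidate(Issue(key, "https://other.example.com/"), key, out _));
    }
}
```

In a real Web API the validation key is the public key of the AD FS token-signing certificate (for example wrapped in an X509SecurityKey), and the second call shows a token minted for a different audience being rejected.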
