This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 63%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
I posted this in CRM Dynamics to no avail so I'm trying here.
I have two users (one being me) who get an authentication loop when attempting to access our CRM system via our intranet.
I used a SAML inspection program and I get
ws-fed error
fds
"requests": [
{
"method": "GET",
"url": "https://removed.crm/crm365/",
"requestId": "4229",
"requestHeaders": [
{
"name": "Host",
"value": "removedcrm.com"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0)
Gecko/20100101 Firefox/72.0"
},
{
"name": "Accept",
"value":
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0
.8"
},
{
"name": "Accept-Language",
"value": "en-US,en;q=0.5"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate, br"
},
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "Referer",
"value": "http://removed/default.aspx"
},
{
"name": "Cookie",
"value":
"ReqClientId={hash:ad5343d02572c374afa16e0b739e365585f9658bfe69a945337188
83c3475953}"
},
{
"name": "Upgrade-Insecure-Requests",
"value": "1"
}
],
"get": [],
"responseStatus": 302,
"responseStatusText": "HTTP/2.0 302 Found",
"responseHeaders": [
{
"name": "cache-control",
"value": "private"
},
{
"name": "content-type",
"value": "text/html; charset=utf-8"
},
{
"name": "location",
"value":
"https://removed.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2
f%2frvkcrm.crm.rvkinc.com%2f&wctx=rm%3d1%26id%3db8eb1d65-29d4-4e23-aecbe4549043bb03%
26ru%3d%252fremoved365%252fdefault.aspx%26crmorgid%3de369084a
-a907-e411-954e-00155d009f27&wct=2020-02-
13T19%3a48%3a32Z&wauth=urn%3afederation%3aauthentication%3awindows"
},
{
"name": "server",
"value": "Microsoft-IIS/10.0"
},
{
"name": "req_id",
"value": "3bc91d84-7e42-49aa-9ebc-1958b0077b1a"
},
{
"name": "x-aspnet-version",
"value": "4.0.30319"
},
{
"name": "x-powered-by",
"value": "ASP.NET"
},
{
"name": "date",
"value": "Thu, 13 Feb 2020 19:48:32 GMT"
},
{
"name": "content-length",
"value": "457"
},
{
"name": "X-Firefox-Spdy",
"value": "h2"
}
]
},
{
"method": "GET",
"url":
"removed.com/.../
f%2fremovedinc.com%2f&wctx=rm%3d1%26id%3db8eb1d65-29d4-4e23-aecbe4549043bb03%
26ru%3d%252frvkcrm365%252fdefault.aspx%26crmorgid%3de369084a
-a907-e411-954e-00155d009f27&wct=2020-02-
13T19%3a48%3a32Z&wauth=urn%3afederation%3aauthentication%3awindows",
"requestId": "4229",
"requestHeaders": [
{
"name": "Host",
"value": "removed.com"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0)
Gecko/20100101 Firefox/72.0"
},
{
"name": "Accept",
"value":
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0
.8"
},
{
"name": "Accept-Language",
"value": "en-US,en;q=0.5"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate, br"
},
{
"name": "Referer",
"value": "http://removed/default.aspx"
},
{
"name": "Connection",
"value": "keep-alive"
},
{
"name": "Upgrade-Insecure-Requests",
"value": "1"
}
],
"get": [
[
"wa",
"wsignin1.0"
],
[
"wtrealm",
"https://crm.removed.com/"
],
[
"wctx",
"rm=1&id=b8eb1d65-29d4-4e23-aecbe4549043bb03&
ru=%2fremoved365%2fdefault.aspx&crmorgid=e369084a-a907-e411-
954e-00155d009f27"
],
[
"wct",
"2020-02-13T19:48:32Z"
],
[
"wauth",
"urn:federation:authentication:windows"
]
],
"protocol": "WS-Fed",
"saml": null,
"responseStatus": 302,
"responseStatusText": "HTTP/1.1 302 Found",
"responseHeaders": [
{
"name": "Content-Length",
"value": "0"
},
{
"name": "Content-Type",
"value": "text/html; charset=utf-8"
},
{
"name": "Location",
"value":
"https://removedc.com:443/adfs/ls/wia?wa=wsignin1.0&wtrealm=htt
ps%3a%2f%removed%2f&wctx=rm%3d1%26id%3db8eb1d65-29d4-
4e23-aecbe4549043bb03%
26ru%3d%252frvkcrm365%252fdefault.aspx%26crmorgid%3de369084a
-a907-e411-954e-00155d009f27&wct=2020-02-
13T19%3a48%3a32Z&wauth=urn%3afederation%3aauthentication%3awindows&client
-request-id=ebb8764d-0b1c-4f4e-6b15-0080010000de"
},
{
"name": "Server",
"value": "Microsoft-HTTPAPI/2.0"
},
{
"name": "Date",
"value": "Thu, 13 Feb 2020 19:48:32 GMT"
}
]
},
"timestamp": "2020-02-13T19:48:42.736Z"
It appears to be a problem at WS-FED.
If a user tries a different machine it is fine, if a different user logs into the same machine they can sometimes work.
I"ve tried accessing the ADFS and it returns the federationmetadata.xml file correctly.
Done all the usual, changing profile, clearing cache, different browsers all with the same issue.
Anyone have an idea?
Thanks
david
Hello! This is a pretty hard to read log here. Ideally you would share a "sanitized" Fiddler trace and we could look into it.
What is the users' experience? Are they prompted for credentials multiple times? Or is the browser just flashing and then have the error message? What are the logs on the application side (if any)?
If that works on one machine and not the other for the same account, it might be something to do with the machine itself. Maybe a different maximum size for the headers and/or cookies.
HI,
This turned out to be our DLP application with WIP.
Agent isn't working need to roll back.
Thanks for all the responses.
David
Hi
I have the fiddler trace but will see about sanitizing.
Problem that users work on most system, but some they just don't work.
You to the link on intranet and prompts for username/pwd even in IE when it should be passed along.
I ran on a different browser where the credentials are cached and works for the intranet site but then when try to access the crm we run into this trouble. All running ie11 btw.
Your last point "Maybe a different maximum size for the headers and/or cookies." I will try
This is from the fiddler raw data
HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Mon, 02 Mar 2020 20:07:23 GMT
Proxy-Support: Session-Based-Authentication
here is the cleaned up fiddler data, hope I did that right,
CONNECT <removed>:443 HTTP/1.1
Host: <removed>:443
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: B9 61 1A C3 42 B9 1C 69 DA D2 F9 6E 80 55 B9 C2 6F C6 59 50 D7 0F 36 4D C1 86 0D 79 0C 77 5E 57
"Time": 9/21/2073 11:07:53 PM
SessionID: empty
Extensions:
NextProtocolNego empty
server_name <removed>
status_request OCSP - Implicit Responder
supported_groups x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19]
ec_point_formats uncompressed [0x0]
signature_algs rsa_pkcs1_sha256, ecdsa_secp256r1_sha256, rsa_pkcs1_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha1, ecdsa_sha1
renegotiation_info 00
ALPN h2, http/1.1
SignedCertTimestamp (RFC6962) empty
Ciphers:
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C009] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C00A] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_WITH_AES_128_CBC_SHA
[0035] TLS_RSA_WITH_AES_256_CBC_SHA
[C012] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
Compression:
[00] NO_COMPRESSION
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 12:07:22.691
Connection: close
Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.
Secure Protocol: Tls12
Cipher: Aes256 256bits
Hash Algorithm: Sha384 ?bits
Key Exchange: ECDHE_RSA (0xae06) 255bits
== Server Certificate ==========
<removed>
[SubjectAltNames]
<removed>
GET https://<removed>rvkcrm365/ HTTP/1.1
Host: <removed>
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET CLR 1.1.4322; wbx 1.0.0; Zoom 3.6.0)
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: ReqClientId=0ba90f69-7f25-4bbb-a695-b5f13221c285
Referer: http://rvknow/default.aspx
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: https://<removed>/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2f<removed>%2f&wctx=rm%3d1%26id%3d50dc8871-66cf-4d0b-b70c-65c50975ae6f%26ru%3d%252frvkcrm365%252fdefault.aspx%26crmorgid%3de369084a-a907-e411-954e-00155d009f27&wct=2020-03-02T20%3a07%3a22Z&wauth=urn%3afederation%3aauthentication%3awindows
Server: Microsoft-IIS/10.0
REQ_ID: e4de8c7e-1553-426e-810b-2fbf4e4413aa
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 02 Mar 2020 20:07:22 GMT
Content-Length: 457
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://<removed>/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2f<removed>%2f&wctx=rm%3d1%26id%3d50dc8871-66cf-4d0b-b70c-65c50975ae6f%26ru%3d%252f<removed>365%252fdefault.aspx%26crmorgid%3de369084a-a907-e411-954e-00155d009f27&wct=2020-03-02T20%3a07%3a22Z&wauth=urn%3afederation%3aauthentication%3awindows">here</a>.</h2>
</body></html>
CONNECT <removed>:443 HTTP/1.1
Host: <removed>:443
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
Random: 76 F3 D0 76 E0 60 F1 4F AA C3 65 F1 16 9E 97 E8 96 F1 39 DA BB B4 AA D8 4E 2D 71 1C AF DF 95 3C
"Time": 3/2/2033 11:41:42 AM
SessionID: empty
Extensions:
NextProtocolNego empty
server_name <removed>
status_request OCSP - Implicit Responder
supported_groups x25519 [0x1d], secp256r1 [0x17], secp384r1 [0x18], secp521r1 [0x19]
ec_point_formats uncompressed [0x0]
signature_algs rsa_pkcs1_sha256, ecdsa_secp256r1_sha256, rsa_pkcs1_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha1, ecdsa_sha1
renegotiation_info 00
ALPN h2, http/1.1
SignedCertTimestamp (RFC6962) empty
Ciphers:
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[C013] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C009] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C014] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C00A] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_WITH_AES_128_CBC_SHA
[0035] TLS_RSA_WITH_AES_256_CBC_SHA
[C012] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
Compression:
[00] NO_COMPRESSION
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 12:07:22.865
Connection: close
Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.
Secure Protocol: Tls12
Cipher: Aes256 256bits
Hash Algorithm: Sha384 ?bits
Key Exchange: ECDHE_RSA (0xae06) 255bits
== Server Certificate ==========
<removed>
[SubjectAltNames]
<removed>
GET https://<removed>/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2f<removed>%2f&wctx=rm%3d1%26id%3d50dc8871-66cf-46f%26ru%3d%252f<removed>%252fdefault.aspx%26crmorgid%3de369084a-a907-e411-954e-00155d009f27&wct=2020-03-02T20%3a07%3a22Z&wauth=urn%3afederation%3aauthentication%3awindows HTTP/1.1
Host: <removed>
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET CLR 1.1.4322; wbx 1.0.0; Zoom 3.6.0)
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Referer: http://rvknow/default.aspx
HTTP/1.1 302 Found
Content-Length: 0
Content-Type: text/html; charset=utf-8
Location: https://<removed>:443/adfs/ls/wia?wa=wsignin1.0&wtrealm=https%3a%2f%2f<removed>%2f&wctx=rm%3d1%26id%3d50dc8871-66cf-4d0b-b70c-65c50975ae6f%26ru%3d%252f<removed>%252fdefault.aspx%26crmorgid%3de369084a-a9072020-03-02T20%3a07%3a22Z&wauth=urn%3afederation%3aauthentication%3awindows&client-request-id=50adfbdb-fadb-4dea-2e01-0080010000d2
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 02 Mar 2020 20:07:23 GMT
GET https://<removed>/adfs/ls/wia?wa=wsignin1.0&wtrealm=https%3a%2f%2f<removed>%2f&wctx=rm%3d1%26id%3d50dc8871-66cf-b70c-65c50975ae6f%26ru%3d%252frvkcrm365%252fdefault.aspx%26crmorgid%3de369084a-a907-e411-954e-00155d009f27&wct=2020-03-02T20%3a07%3a22Z&wauth=urn%3afederation%3aauthentication%3awindows&client-request-id=50adfbdb-fadb-4dea-2e01-0080010000d2 HTTP/1.1
Host: rvkservices.rvkinc.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET CLR 1.1.4322; wbx 1.0.0; Zoom 3.6.0)
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Referer: http://rvknow/default.aspx
HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Mon, 02 Mar 2020 20:07:23 GMT
Proxy-Support: Session-Based-Authentication
GET https://<removed>/adfs/ls/wia?wa=wsignin1.0&wtrealm=https%3a%2f%2f<removed>%2f&wctx=rm%3d1%26id%3<removed>e369084a-a907-e411-954e-00155d009f27&wct=2020-03-02T20%3a07%3a22Z&wauth=urn%3afederation%3aauthentication%3awindows&client-request-id=50adfbdb-fadb-4dea-2e01-0080010000d2 HTTP/1.1
Host: <removed>
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET CLR 1.1.4322; wbx 1.0.0; Zoom 3.6.0)
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, /
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Authorization: Negotiate <removed>
Connection: Keep-Alive
Referer: http://rvknow/default.aspx
HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Mon, 02 Mar 2020 20:07:23 GMT
Proxy-Support: Session-Based-Authentication
So it seems that you are never redirected to the app and loop on the Windows Integrated Authentication (WIA) part. Do you see an event 4625 on the ADFS server in the security logs while you attempt to connect? It might have relevant information on why the WIA fails.