Troubleshoot Dynamics 365 Server IFD

A quick checklist

Did you…

  1. Configure DNS records?
     Reference: See “DNS configuration” in the downloadable document

  2. Install and bind your certificate on the Dynamics 365 Customer Engagement (on-premises) website?
     Reference: See “Certificate selection and requirements” in the downloadable document

  3. Add an AD FS signing certificate as a trusted certificate under the CRMAppPool account profile?
     Reference: See “Enable AD FS token signing” in the downloadable document

  4. Change the binding type for Dynamics 365 Customer Engagement (on-premises) websites to HTTPS and use the correct web addresses in Deployment Manager?
     Reference: Configure the Microsoft Dynamics 365 Server for IFD

  5. Give the CRMAppPool account the rights to use an existing certificate used by Dynamics 365 Customer Engagement (on-premises) as the signing certificate? This could be the wildcard certificate installed on the Dynamics 365 Customer Engagement (on-premises) server.
     Reference: Configure the Microsoft Dynamics 365 Server for claims-based authentication

  6. Run the Configure Claims-Based Authentication Wizard from Dynamics 365 Deployment Manager? Have you specified the correct URL in this wizard? Have you selected the appropriate encryption certificate?
     Reference: Configure the Microsoft Dynamics 365 Server for claims-based authentication

  7. Configure the relying party trusts in AD FS for the Dynamics 365 Customer Engagement (on-premises) internal claims endpoint and the IFD endpoint? Have you provided the correct URL for the Dynamics 365 Customer Engagement (on-premises) IFD claims endpoint? Have you set up the correct rules for the relying party trusts?
     Reference: Configure the AD FS server for claims-based authentication; Configure the AD FS server for IFD

  8. Verify that clients can connect from the Internet?
     Reference: If unable to connect, see Required steps after enabling OAuth for Dynamics 365 Server.

AD FS

Use the following to verify your AD FS settings.

Review AD FS events

  1. Open Event Viewer.

  2. Expand Applications and Services Logs. Expand AD FS. Select Admin.

  3. Review the events looking for errors.

Events such as Event ID 184 (a token request named a relying party identifier that does not match any configured relying party trust) can indicate missing host records in DNS or an incorrect path configured for the relying party’s federation metadata URL. The identifier the client actually sent is in the event message; compare it with the identifiers on the trust, as described in the next procedure.

Verify relying party trust identifiers

  1. Open the AD FS Management console.

  2. Under Trust Relationships, select Relying Party Trusts. Verify the relying party trusts are enabled and not displaying an alert.

  3. Right-click the relying party trust and select Properties. Select the Identifiers tab. You should see identifiers like the following.

    Relying party trust for claims: internalcrm.contoso.com
    (screenshot: Identifiers tab of the relying party trust for claims)

    Relying party trust for IFD: auth.contoso.com
    (screenshot: Identifiers tab of the Dynamics 365 IFD Relying Party)

If your identifiers aren’t similar to the above examples, check the path entered for the relying party’s federation metadata URL on the Monitoring tab and check your DNS records.
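The two procedures above can be scripted on the AD FS server. The following PowerShell is an added example for this page, not code from the article or from Microsoft; the log name, the relying party display names and the contoso.com host names it expects are assumptions that follow the article’s examples and must be adjusted to your deployment.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell
# session on the AD FS server. Display names and host names below are assumptions
# that follow the article's contoso.com examples; change them to match your trusts.
Import-Module ADFS -ErrorAction Stop   # AD FS 2.0 instead needs: Add-PSSnapin Microsoft.Adfs.PowerShell

# --- 1. Recent errors and warnings in the AD FS Admin log ----------------------
# Level 2 = Error, 3 = Warning. On AD FS 2.0 the log is named 'AD FS 2.0/Admin'.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2, 3 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Event ID 184: a token request named a relying party identifier AD FS does not
# know. The identifier the client sent is in the message; compare it with the
# identifiers configured on the trusts (section 2 below).
$events | Where-Object Id -eq 184 | ForEach-Object {
    Write-Warning "Unknown relying party at $($_.TimeCreated): $(($_.Message -split "`r?`n")[0])"
}

# --- 2. Relying party trusts: enabled, identifiers, metadata URL reachable ------
# Host name each trust's identifier is expected to contain (assumed display names).
$expectedHost = @{
    'Relying party trust for claims' = 'internalcrm.contoso.com'
    'Dynamics 365 IFD Relying Party' = 'auth.contoso.com'
}

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $state = if ($rp.Enabled) { 'enabled' } else { 'DISABLED' }
    "{0} [{1}] identifiers: {2}" -f $rp.Name, $state, ($rp.Identifier -join ', ')

    if (-not $rp.Enabled) {
        Write-Warning "$($rp.Name) is disabled; enable it with Enable-AdfsRelyingPartyTrust -TargetName '$($rp.Name)'."
    }

    $want = $expectedHost[$rp.Name]
    if ($want -and -not ($rp.Identifier | Where-Object { $_ -like "*$want*" })) {
        Write-Warning "$($rp.Name) has no identifier containing $want; check the federation metadata URL on its Monitoring tab and your DNS records."
    }

    # The federation metadata URL on the Monitoring tab must resolve in DNS and be
    # fetchable from the AD FS server itself; otherwise the trust shows an alert
    # and its identifiers and endpoints are never refreshed.
    if ($rp.MetadataUrl) {
        try {
            Resolve-DnsName -Name $rp.MetadataUrl.Host -ErrorAction Stop | Out-Null
            Invoke-WebRequest -Uri $rp.MetadataUrl -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop | Out-Null
            "  metadata OK: $($rp.MetadataUrl)"
        } catch {
            Write-Warning "  metadata URL $($rp.MetadataUrl) failed: $($_.Exception.Message)"
        }
    }
}
```

The warnings map onto the two causes the article names: a 184 event or a trust whose identifiers do not contain the expected host points at DNS or at the metadata URL path, and the DNS-then-HTTP fetch of the metadata URL shows which of the two it is.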

When attempting an internal claims-based authentication connection, you might be prompted for your credentials instead of being signed in silently. Try the following steps.

Resolve prompt for credentials

  1. Add the website address of the AD FS server (for example, https://sts1.contoso.com) to the Local intranet zone in Internet Explorer. Internet Explorer sends the signed-in user’s Windows credentials automatically only to sites in that zone; a site left in the Internet zone prompts instead.

  2. Turn off Extended Protection on the Dynamics 365 Customer Engagement (on-premises) website. On the server running IIS for that website:

    1. Open IIS Manager.

    2. Select the Dynamics 365 Customer Engagement (on-premises) website.

    3. Under IIS, double-click Authentication.

    4. Right-click Windows Authentication, and then select Advanced Settings.

    5. Set Extended Protection to Off.

    Extended Protection binds Windows authentication to the TLS channel it arrives on (channel binding), which stops an attacker in the path from relaying the authentication to the site. Turning it off removes that protection for the website, so rule out the other causes in this article before relaxing it.
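Both steps can be applied from PowerShell, which also lets you record the setting you are relaxing. The block below is an added example for this page, not code from the article or from Microsoft. It assumes the Dynamics 365 website is named ‘Microsoft Dynamics CRM’ (the name Setup uses by default) and that the AD FS server is sts1.contoso.com, as in the article’s example; adjust both.

```powershell
# Added example, not part of the original article. One helper per step above.
# 'Microsoft Dynamics CRM' is the site name Setup gives the Dynamics 365 website
# by default, and sts1.contoso.com follows the article's example: both assumed.

# Step 1: run on the client workstation (per user; for a fleet, use the
# "Site to Zone Assignment List" Group Policy instead). Zone 1 is IE's Local
# intranet zone, the only zone in which IE sends Windows credentials
# automatically, so a site in the wrong zone shows up as a credential prompt.
function Add-IeLocalIntranetSite {
    param([Parameter(Mandatory)][string]$Fqdn)   # e.g. sts1.contoso.com
    $labels = $Fqdn.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$Fqdn'." }
    $domain = $labels[-2..-1] -join '.'          # contoso.com
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) {                   # host label(s) become a subkey: ...\contoso.com\sts1
        $key = Join-Path $key (($labels[0..($labels.Count - 3)]) -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    # Value name = scheme, DWORD data = zone id (1 = Local intranet).
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
    "Added https://$Fqdn to the Local intranet zone ($key)"
}

# Step 2: run in an elevated session on the IIS server. tokenChecking 'None' is
# what IIS Manager shows as Extended Protection "Off" ('Allow' = Accept,
# 'Require' = Required). The previous value is printed so the change can be
# reverted once the real cause of the prompt is found.
function Set-CrmExtendedProtection {
    param(
        [string]$SiteName = 'Microsoft Dynamics CRM',
        [ValidateSet('None', 'Allow', 'Require')][string]$TokenChecking = 'None'
    )
    Import-Module WebAdministration -ErrorAction Stop
    $apphost = 'MACHINE/WEBROOT/APPHOST'
    $filter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

    $before = (Get-WebConfiguration -PSPath $apphost -Location $SiteName -Filter $filter).tokenChecking
    Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter $filter `
                                 -Name tokenChecking -Value $TokenChecking
    $after  = (Get-WebConfiguration -PSPath $apphost -Location $SiteName -Filter $filter).tokenChecking
    "Extended Protection (tokenChecking) on '$SiteName': $before -> $after"
}

# Usage:
#   Add-IeLocalIntranetSite -Fqdn 'sts1.contoso.com'   # on the client
#   Set-CrmExtendedProtection                           # on the IIS server (defaults to 'None')
```

Keep the printed “before” value with the change record; if the prompt turns out to be a zone or SPN problem, the site can be put back to its original Extended Protection setting with the same function.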

For more AD FS troubleshooting information, see Troubleshoot AD FS 2.0.

HTTP Error 401.1 - Unauthorized: Access is denied

If the Dynamics 365 Customer Engagement (on-premises) website fails to display or produces the error HTTP Error 401.1 - Unauthorized: Access is denied, there are two steps to try. Substatus 401.1 means IIS received credentials but could not log the user on; with integrated Windows authentication a common reason is that Kerberos could not obtain a usable ticket for the service, which is why the SPN step matters.

  1. You might need to update the federation metadata URLs and do an IIS reset. See KB2686840.

  2. You might need to register the AD FS server as a service principal name (SPN). See “Register the AD FS server as a service principal name (SPN)” in the downloadable document.
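Before registering an SPN it is worth confirming whether it is missing or, just as damaging, registered twice. The following PowerShell is an added example for this page, not code from the article, the downloadable document or KB2686840; the AD FS host name and service account are assumptions that follow the article’s examples.

```powershell
# Added example, not part of the original article. Run on a domain-joined machine
# where setspn.exe (AD DS tools) is available. The AD FS host name and the account
# the AD FS service runs as are assumptions; replace them with your own.
function Test-AdfsSpn {
    param(
        [string]$AdfsHost       = 'sts1.contoso.com',
        [string]$ServiceAccount = 'CONTOSO\svc_adfs'   # assumed federation service account
    )
    $spn = "HTTP/$AdfsHost"

    # Which account holds the SPN now? Kerberos needs it on exactly one account,
    # the one the AD FS service runs as; a client asking for a ticket to an
    # unregistered or ambiguous SPN cannot get one.
    $query = & setspn.exe -Q $spn 2>&1
    $query | ForEach-Object { "  $_" }

    if ($query -match 'No such SPN found') {
        Write-Warning "$spn is not registered anywhere in the forest."
        "Register it against the service account:  setspn -S $spn $ServiceAccount"
        return $false
    }

    # setspn -X walks the forest for SPNs registered on more than one account.
    # A duplicate is as bad as a missing SPN: ticket requests for it fail.
    $dupes = & setspn.exe -X 2>&1
    $hits  = $dupes | Where-Object { $_ -match [regex]::Escape($spn) }
    if ($hits) {
        Write-Warning "$spn is registered on more than one account:"
        $hits | ForEach-Object { "  $_" }
        "Remove the extra registration with:  setspn -D $spn <wrong-account>"
        return $false
    }

    "$spn is registered exactly once."
    return $true
}

# Usage:
#   Test-AdfsSpn                                      # defaults above
#   Test-AdfsSpn -AdfsHost 'sts1.contoso.com' -ServiceAccount 'CONTOSO\svc_adfs'
```

Use setspn -S rather than setspn -A when you do register the SPN: -S refuses to create a duplicate, which is the failure mode this check is looking for.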

Time differs between two servers

An authentication error can occur if the time on the AD FS server and the Dynamics 365 Customer Engagement (on-premises) server differs by more than 5 minutes. Five minutes is the default Kerberos clock-skew tolerance and also the default clock skew Windows Identity Foundation allows when the Dynamics 365 server validates the token’s validity period, so a clock that drifts past it breaks both the Windows authentication to AD FS and the acceptance of the token it issues. Domain-joined servers should take their time from the domain hierarchy rather than from independent sources. See Windows Time Service Technical Reference for information on how to configure time synchronization on your servers.
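Measuring the skew directly against the AD FS server is quicker than comparing two clocks by eye. The following PowerShell is an added example for this page, not code from the article or from Microsoft; the AD FS host name is an assumption that follows the article’s example, and the 300-second limit is the 5-minute tolerance described above.

```powershell
# Added example, not part of the original article. Run on the Dynamics 365 server
# (or any server on the path). The peer host name is an assumption following the
# article's example; 300 s is the 5-minute tolerance the article describes.
function Test-ClockSkew {
    param(
        [string]$PeerHost       = 'sts1.contoso.com',
        [int]   $MaxSkewSeconds = 300
    )
    # /stripchart measures the local clock against the peer's NTP service (UDP 123);
    # /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample.
    $lines = & w32tm.exe /stripchart /computer:$PeerHost /samples:5 /dataonly 2>&1
    $lines | ForEach-Object { "  $_" }

    # Pull the signed offset (seconds) out of each sample line; lines without one
    # are headers or error text and are skipped.
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        Write-Warning "No samples from $PeerHost (NTP blocked, or the host is unreachable). Check each server's configured source with: w32tm /query /source"
        return $null
    }

    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) {
        Write-Warning ("Clock differs from {0} by {1:N1} s (limit {2} s); Kerberos and token validation will fail." -f $PeerHost, $worst, $MaxSkewSeconds)
        "Point both servers at the domain hierarchy and resync:"
        "  w32tm /config /syncfromflags:domhier /update"
        "  w32tm /resync /rediscover"
    } else {
        "Clock offset to {0} is within tolerance (worst sample {1:N3} s)." -f $PeerHost, $worst
    }
    return $worst
}

# Usage:
#   Test-ClockSkew                                   # against sts1.contoso.com, 300 s limit
#   Test-ClockSkew -PeerHost 'sts1.contoso.com' -MaxSkewSeconds 60
```

An offset well under the limit on this check does not rule out skew elsewhere in the chain: run it from the AD FS server against a domain controller as well, since both servers must agree with the KDC, not only with each other.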

See Also

Configure IFD for Microsoft Dynamics 365