ADFS 2.0 Auto certificate Rollover – Login to claims enabled CRM On-Premise fails with federation service error
Error
On the ADFS server, the following error is logged when accessing the page "https://crm.contoso.com":
Encountered error during federation passive request.
Exception details:
Microsoft.IdentityServer.Configuration.ReadServiceConfigFailedException: MSIS2001: Configuration service URL is not configured. ---> Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0469798. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500. ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Why login to CRM with claims enabled fails:
Newly issued tokens are now signed by the newly created token-signing certificate, but the federation trust with CRM On-Premise has not been updated to reflect the certificate change. CRM On-Premise therefore rejects the newly issued tokens because they are signed by what it considers an invalid signing certificate.
What is the solution:
1) On the CRM server, open Deployment Manager and disable Claims-Based Authentication.
2) Run IISRESET on the CRM server.
3) Reconfigure Claims-Based Authentication.
4) Reconfigure IFD through Deployment Manager.
5) Run IISRESET again on the CRM server.
6) In the AD FS management console on the ADFS server, update the relying party trusts for CRM from their federation metadata URLs.
How to check if ADFS is set for auto renewal
Add-PSSnapin Microsoft.Adfs.Powershell
Get-ADFSProperties
If the AutoCertificateRollover value is True, the certificates are set for auto renewal.
How to recognize alerts for ADFS certificate expiry
The AD FS 2.0 Admin event log shows warning messages (Event ID 385):
AD FS 2.0 detected that one or more certificates in AD FS configuration database need to be updated manually because they are expired, or will expire soon. See additional details for more information
Additional Details:
Token-signing certificate with thumbprint 'xxxxxxxxxxxxxxxxxxxxxxx' is set to expire on xx/xx/xxxx at xx:xx:xx AM/PM.
PowerShell command to immediately generate new self-signed certificates:
Add-PSSnapin Microsoft.Adfs.Powershell
Update-AdfsCertificate -Urgent
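The checks from the two sections above (whether AutoCertificateRollover is on, and whether Event ID 385 has already fired), plus the service and port condition behind the MSIS2001/ADMIN0017 error at the top of the post, combined into one read-only PowerShell health check. This is an added example and not code from the original post; it assumes it runs elevated on the AD FS 2.0 server, and the 30-day warning window is an assumed threshold, not a value from the post.

```powershell
# Added example: read-only AD FS 2.0 health check for the conditions in this post.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

$report = New-Object PSObject -Property @{
    ServiceRunning  = $false   # AD FS 2.0 Windows Service (adfssrv)
    PolicyPortOpen  = $false   # net.tcp://localhost:1500/policy reachable?
    AutoRollover    = $null    # AutoCertificateRollover property
    ExpiringSigning = @()      # token-signing certs inside the warning window
    Event385Count   = 0        # expiry warnings already logged
}

# 1) The error at the top of the post means the configuration service was
#    unreachable: check the service state and the local policy port.
$svc = Get-Service adfssrv -ErrorAction SilentlyContinue
$report.ServiceRunning = ($svc -ne $null -and $svc.Status -eq 'Running')
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect('localhost', 1500)
    $report.PolicyPortOpen = $tcp.Connected
    $tcp.Close()
} catch { $report.PolicyPortOpen = $false }

# 2) and 3) need the configuration service; they fail with the same
#    ADMIN0017 error if the service is down, so keep the rest of the report.
try {
    $report.AutoRollover = (Get-ADFSProperties).AutoCertificateRollover

    # Token-signing certificates expiring within the (assumed) 30-day window.
    $warnDays = 30
    $report.ExpiringSigning = @(Get-ADFSCertificate -CertificateType Token-Signing |
        Where-Object { $_.Certificate.NotAfter -lt (Get-Date).AddDays($warnDays) } |
        Select-Object Thumbprint, IsPrimary,
            @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } })
} catch {
    Write-Warning "AD FS configuration service not reachable: $($_.Exception.Message)"
}

# 4) Event ID 385 in the AD FS 2.0 Admin log is the expiry warning shown above.
$report.Event385Count = @(Get-WinEvent -FilterHashtable @{
    LogName = 'AD FS 2.0/Admin'; Id = 385 } -ErrorAction SilentlyContinue).Count

$report | Format-List ServiceRunning, PolicyPortOpen, AutoRollover, Event385Count
$report.ExpiringSigning | Format-Table -AutoSize
```

If ExpiringSigning lists a certificate and AutoRollover is True, expect a new token-signing certificate to be generated automatically and plan the CRM trust update from the solution steps above.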
How to disable Auto Renewal:
PowerShell command to disable AutoCertificateRollover:
Add-PSSnapin Microsoft.Adfs.Powershell
Set-ADFSProperties -AutoCertificateRollover $false
Additionally, there are some very good articles detailing how to troubleshoot token signing certificate problems:
- Expiring AD FS 2.0 Token Signing Certificates
- Troubleshooting Certificates management problems with AD FS 2.0
- AD FS 2.0: How to enable and immediately use AutoCertificateRollover
Thanks,
Sudhir