CRM 2011 – New ADFS Wildcard Cert Breaks CRM Claims Based Authentication

2017-12-11T16:01:08+00:00 | September 30th, 2013 | Azure

We recently faced a strange issue when our ADFS wildcard certificate was updated. We had received our new ADFS wildcard certificate along with new token-decrypting and token-signing certificates, and as soon as these became the primary certificates, CRM authentication completely died: no external or internal authentication was being allowed whatsoever.

So after a quick look around I decided to update the internal and external CRM relying party trusts from federation metadata, so that they would pick up the certificate ADFS was now using, since authentication was failing even though the secondary certificate still had 30 days left.


This did not resolve the issue, but it had moved us over to the new certificate. The logical next step was to reconfigure claims-based authentication from Deployment Manager. We had already tried this before updating from federation metadata, to no avail; with the new certificate in place, however, you can disable claims-based authentication, perform an IIS reset, configure it again, perform another IIS reset, and presto, you have working claims-based authentication.


Here is a step-by-step list of what I did:

  • Update the external and internal relying party trusts from federation metadata. (From ADFS)
  • Disable claims-based authentication. (From CRM Deployment Manager)
  • IIS reset. (From the command prompt)
  • Configure claims-based authentication. (From CRM Deployment Manager)
  • IIS reset. (From the command prompt)
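The same five steps, scripted, as an added example rather than anything from the original post. It assumes ADFS 2.0 on Windows Server 2008 R2 (the Microsoft.Adfs.PowerShell snap-in) for the first part and a CRM 2011 server with the Deployment Manager snap-in for the rest; the relying party trust names "CRM Internal" and "CRM External" are assumptions, so substitute the names shown in your ADFS console.

```powershell
### Part 1: run on the ADFS server ###
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop   # ADFS 2.0 snap-in (assumed)

# Check which token-signing certificate is primary and when the old one expires,
# so the rollover state is recorded before anything is changed.
Get-ADFSCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary,
                  @{n = 'Thumbprint'; e = { $_.Certificate.Thumbprint }},
                  @{n = 'NotAfter';   e = { $_.Certificate.NotAfter }}

# Step 1: refresh each CRM relying party trust from its federation metadata, which is
# what the console's "Update from Federation Metadata" action does.
$rpTrusts = @('CRM Internal', 'CRM External')   # assumed trust names
foreach ($name in $rpTrusts) {
    Update-ADFSRelyingPartyTrust -TargetName $name
}

### Part 2: run on the CRM 2011 server ###
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction Stop   # Deployment Manager snap-in

# Step 2: disable claims-based authentication, then step 3: IIS reset.
$claims = Get-CrmSetting -SettingType ClaimsSettings
$claims.Enabled = $false
Set-CrmSetting -Setting $claims
iisreset

# Step 4: re-enable it (the stored federation metadata URL and encryption certificate
# are kept), then step 5: IIS reset again.
$claims = Get-CrmSetting -SettingType ClaimsSettings
$claims.Enabled = $true
Set-CrmSetting -Setting $claims
iisreset

# Confirm what CRM now trusts: enabled flag, metadata URL and encryption certificate.
Get-CrmSetting -SettingType ClaimsSettings |
    Select-Object Enabled, FederationMetadataUrl, EncryptionCertificate
```

Run the certificate check again after the rollover window closes so the old secondary certificate is known to be gone rather than assumed.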