CCA & Claims based auth ... not working

May 23, 2011 at 4:14 PM

Hello,

I have CRM 2011 on-premise installed and configured for Claims based authentication. I have federated CRM with an ADFS 2.0 server. I am able to sign in successfully using the CRM Web-based UI from both a domain joined computer and a non-domain joined computer. This leads me to believe I have claims based authentication working for CRM. Prior to enabling claims-based authentication on CRM, the Agent Desktop worked correctly (if run with elevated privileges).

ADFS v2.0 is running on the default website

  • Has a trust with CRM 2011
  • No trust relationship with Agent Desktop application (is one needed? If so, how does one set this up?)
  • Verbose tracing enabled; no errors logged

CRM 2011 is running on port 5443

  • Claims based auth enabled
  • Internet facing deployment NOT enabled

I updated the AgentDesktop.exe.config file with the following settings as prescribed by the CCA/UII documentation:

    <add key="authenticationMode" value="Federation"/>
    <add key="organizationServiceUrl" value="https://2008dev.crmdev.local:5443/Development/XRMServices/2011/Organization.svc"/>
    <add key="homeRealmUrl" value="https://2008dev.crmdev.local/adfs/services/trust/mex"/>

However, when attempting to sign in to the Agent Desktop, I am receiving the following error:

System.NotSupportedException: The authentication endpoint AsymmetricToken was not found on the configured Secure Token Service!
   at Microsoft.Xrm.Sdk.Client.IssuerEndpointDictionary.GetIssuerEndpoint(TokenServiceCredentialType credentialType)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(TokenServiceCredentialType endpointType, String appliesTo, String keyType, IssuerEndpointDictionary issuerEndpoints, ClientCredentials clientCredentials, SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(TokenServiceCredentialType endpointType, String keyType, ClientCredentials clientCredentials, SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(SecurityToken securityToken, String keyType)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.OrganizationServiceConfiguration.Authenticate(SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.AuthenticateCore()
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.Authenticate()
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.ValidateAuthentication()
   at Microsoft.Xrm.Sdk.Client.ServiceContextInitializer`1.Initialize(ServiceProxy`1 proxy)
   at Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy.ExecuteCore(OrganizationRequest request)
   at Microsoft.Uii.AifServices.AuthenticationService.ValidateConnect()
   at Microsoft.Uii.AifServices.AuthenticationService.Connect(Uri organizationServiceUri, Uri homeRealmUri, ClientCredentials clientCredentials, ClientCredentials deviceCredentials)
   at Microsoft.Crm.Accelerator.Cca.WpfDesktop.MainWindow..ctor() in D:\Development\Ford\trunk\Agent Desktop\AgentDesktop\MainWindow.xaml.cs:line 143

During the Agent Desktop authentication I see verbose and informational entries in the trace log and a token being issued. There are no errors being logged nor are there any errors in the ADFS 2.0 Admin Event Log. If I attempt to use an incorrect password, I receive a different exception: "ID3242: The security token could not be authenticated or authorized." So, it appears that ADFS is successfully issuing the token.

The Agent Desktop calls into Microsoft.Uii.AifServices.AuthenticationService.Connect, which I am unable to debug through.

May 23, 2011 at 4:19 PM

PS. This is using the CCA R2 bits.
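The "authentication endpoint AsymmetricToken was not found on the configured Secure Token Service" error in the post above is raised before any credential is sent: the Xrm SDK builds its list of issuer endpoints from the STS mex document and finds no endpoint of the credential type it wants. The script below is an added example, not code from the CCA/UII project or from the thread, that lists the WS-Trust endpoints an ADFS mex advertises so the two can be compared. It is Python rather than C# so it can be run from any workstation; the sample mex is constructed and cut down to the `wsdl:port` elements, the host `sts.example.test` is a placeholder, and the mapping from ADFS endpoint path names (`usernamemixed`, `certificatemixed`, ...) to credential kinds is an assumption based on ADFS 2.0 naming conventions (the SDK itself inspects the WS-Policy assertions, not the path).

```python
"""List the WS-Trust issuer endpoints an ADFS mex document advertises.

Added example for diagnosing "authentication endpoint X was not found";
it is not part of the CCA/UII code. Run offline against SAMPLE_MEX, or
feed it the bytes returned by fetch_mex("https://<sts>/adfs/services/trust/mex").
"""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}

# Assumption: ADFS 2.0 path suffix -> credential kind the endpoint expects.
# Only endpoints enabled in ADFS show up in the mex at all.
PATH_TO_CREDENTIAL = {
    "usernamemixed": "Username",
    "certificatemixed": "AsymmetricToken",      # X.509 client certificate
    "windowsmixed": "Windows",
    "windowstransport": "Windows",
    "kerberosmixed": "Kerberos",
    "issuedtokenmixedasymmetricbasic256": "IssuedToken",
}

# Constructed sample: an STS that only exposes username and Windows endpoints.
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="UserNameWSTrustBinding_IWSTrust13Async">
      <soap12:address location="https://sts.example.test/adfs/services/trust/13/usernamemixed"/>
    </wsdl:port>
    <wsdl:port name="WindowsTransport_IWSTrust13Async">
      <soap12:address location="https://sts.example.test/adfs/services/trust/13/windowstransport"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def fetch_mex(url, timeout=10):
    """Download a mex document (network access; not used by the offline demo)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def list_issuer_endpoints(mex_xml):
    """Return {endpoint URL: credential kind} for every SOAP 1.2 port in the mex."""
    root = ET.fromstring(mex_xml)
    endpoints = {}
    for port in root.iterfind(".//wsdl:service/wsdl:port", namespaces=NS):
        addr = port.find("soap12:address", namespaces=NS)
        if addr is None:
            continue
        location = addr.get("location", "")
        suffix = location.rstrip("/").rsplit("/", 1)[-1].lower()
        endpoints[location] = PATH_TO_CREDENTIAL.get(suffix, "unknown")
    return endpoints


def credential_type_available(mex_xml, credential_type):
    """True if the STS advertises at least one endpoint of the given credential kind."""
    return credential_type in list_issuer_endpoints(mex_xml).values()


def diagnose(mex_xml, wanted):
    """Readable summary of what the STS offers versus what the client asks for."""
    endpoints = list_issuer_endpoints(mex_xml)
    lines = [f"{url}  ->  {kind}" for url, kind in sorted(endpoints.items())]
    if wanted in endpoints.values():
        lines.append(f"OK: an endpoint for {wanted} is advertised")
    else:
        lines.append(f"MISSING: no {wanted} endpoint advertised; the client fails "
                     "before any credentials are sent")
    return "\n".join(lines)


if __name__ == "__main__":
    print(diagnose(SAMPLE_MEX, "AsymmetricToken"))
```

Against the constructed sample the report ends with the MISSING line for `AsymmetricToken`, which is the situation the stack trace describes: nothing in the client configuration can fix that until the STS exposes a matching endpoint. Run it against the real mex URL from the `homeRealmUrl` setting to see which endpoints that ADFS instance actually publishes.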

May 24, 2011 at 4:45 PM
Edited May 24, 2011 at 4:47 PM

*** As always, the CCA RI is an example desktop; it is not intended to be used as production code without modification. ***

What I would like to do here is check whether it's a problem with the config in the CCA RI or something else.

If you can, please download the UII Solution Starters for Visual Studio 2010 from here: http://blogs.msdn.com/b/mbarbour/archive/2011/05/04/customer-care-accelerator-for-microsoft-crm-2011-released.aspx (at the bottom).
Run the VSI on your workstation, which will install them into VS.

Then start a new project: File => New Project => UII => Baseline Agent Desktop

That will lay out a blank desktop with a CRM Connection module built into it that's a bit more verbose than what we put into the CCA example. Before you try to build it, go to project properties and modify the reference paths to add the <program directory>\Microsoft UII\framework\ and <program directory>\Microsoft UII\framework\Crm2011 directories.

The shell should build at that point.

You will also find a doc in there that describes the various settings you can set; however, what you need to do is edit the HomeRealmsStore.xml file in the CrmConnect\Model directory.

For example, this is a modified copy that we tested with. *** These URLs are hostname driven, so they do not work outside of our test env. ***

<?xml version="1.0" encoding="utf-8"?>
<ClaimsHomeRealmOptions>
  <HomeRealm DisplayName="federoad-1.federoad.com" Uri="https://federoad-1.federoad.com/adfs/services/trust/mex/" />
  <HomeRealm DisplayName="contosoad-1.contosoad.com" Uri="https://contosoad-1.contosoad.com/adfs/services/trust/mex/" />
  <HomeRealm DisplayName="contosoTel.com" Uri="https://auth.contosoTel.com/adfs/services/trust/mex/" />
</ClaimsHomeRealmOptions>

Once you have done that, build/run the desktop. When it pops up asking for credentials, choose your federated server from the authentication source and fill out the rest of the data.

If it works correctly, and you have already loaded the RI config, you will get an "I can't find the Hosted control" error. This is OK, because the reference project is set up to look for all the controls local to the shell.

Let me know if it works for you.

May 25, 2011 at 4:54 PM

Matt,

THANKS for the help! It is greatly appreciated!

While waiting for your response, I attempted working with the samplecode\cs\generalprogramming\authentication solution/project. Interestingly, it was failing with a similar error message (Username instead of AsymmetricToken):

The authentication endpoint Username was not found on the configured Secure Token Service!

Searching around on the net, I found a mention of someone else having the same error and the solution was to create an alias for the ADFS server. So I changed the ADFS server to use sts.crmdev.local and mapped that to a real IP address (not localhost, 127.0.0.1). After re-federating everything the code is making it further, but still encountering an error.

Unable to create token reference.
Server stack trace: 
   at System.ServiceModel.Security.Tokens.SecurityTokenParameters.CreateGenericXmlTokenKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
   at System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
   at System.ServiceModel.Security.SendSecurityHeader.SignWithSupportingTokens()
   at System.ServiceModel.Security.SendSecurityHeader.CompleteSecurityApplication()
   at System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
   at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
   at System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
   at System.ServiceModel.Channels.MessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager)
   at System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message)
   at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Issue(IssuerEndpoint issuerEndpoint, String appliesTo, String requestType, String keyType, ClientCredentials clientCredentials, SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(TokenServiceCredentialType endpointType, String appliesTo, String keyType, IssuerEndpointDictionary issuerEndpoints, ClientCredentials clientCredentials, SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(TokenServiceCredentialType endpointType, String keyType, ClientCredentials clientCredentials, SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(SecurityToken securityToken, String keyType)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.DiscoveryServiceConfiguration.Authenticate(SecurityToken securityToken)
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.AuthenticateCore()
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.Authenticate()
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.ValidateAuthentication()
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.get_ServiceChannel()
   at Microsoft.Xrm.Sdk.Client.ServiceContextInitializer`1.Initialize(ServiceProxy`1 proxy)
   at Microsoft.Xrm.Sdk.Client.ServiceContextInitializer`1..ctor(ServiceProxy`1 proxy)
   at Microsoft.Xrm.Sdk.Client.DiscoveryServiceContextInitializer..ctor(DiscoveryServiceProxy proxy)
   at Microsoft.Xrm.Sdk.Client.DiscoveryServiceProxy.Execute(DiscoveryRequest request)
   at Microsoft.Uii.AifServices.AuthenticationService.DiscoverOrganizations(Uri discoveryServiceUri, Uri homeRealmUri, ClientCredentials clientCredentials, ClientCredentials deviceCredentials)
   at BaselineAgentDesktopClaimsAuth.CrmConnect.CrmConnectionManager.ValidateServerConnection(OrganizationDetail selectedOrg) in D:\Development\Ford\trunk\Mini POC\BaselineAgentDesktopClaimsAuth\BaselineAgentDesktopClaimsAuth\CrmConnect\CrmConnectionManager.cs:line 494 

I followed your steps above and created a Baseline Agent Desktop project and updated the HomeRealmsStore.xml file and app.config as follows:

  <ClaimsHomeRealmOptions>
    <HomeRealm DisplayName="crmdev.local" Uri="https://sts.crmdev.local/adfs/services/trust/mex/" />
  </ClaimsHomeRealmOptions>


    <add key="UiiCrm_UseOnPrem" value="True"/>
    <add key="UiiCrmOrg" value="development"/>
    <add key="UiiCrmPort" value="5443"/>
    <add key="UiiCrmServerName" value="2008dev.crmdev.local"/>
    <add key="UiiCrmUseSSL" value="True"/>
    <add key="UiiUserDefaultCreds" value="False"/>
    <add key="UiiCacheCredentials" value="False" />

I still get the same error: Unable to create token reference.

Note: I had to copy the HomeRealmsStore.xml file to the project output directory, the VS solution/project doesn't seem to do this automatically. (Mentioning it here if anyone else runs into a problem where the Home Realms are not displayed in the login box.)

Thanks,
Roger

 

May 25, 2011 at 5:08 PM

PS. I set up a 2nd ADFS server. On the 2nd ADFS server, sts.crmdev.local is a trusted Relying Party. On sts.crmdev.local, the 2nd ADFS server is a trusted Claims Provider. When I use the 2nd ADFS server as the home realm, the sample works! However, when I specify sts.crmdev.local as the Home Realm, the error "Unable to create token reference." occurs.

Is there any reason why federation is not working with a single ADFS server, sts.crmdev.local? I am able to log into the CRM UI using the sts.crmdev.local and my CRMDEV credentials.

Roger

May 26, 2011 at 2:42 AM

Out of curiosity, if you're using Certificate Mode for your token, is the certificate you are using for it registered in the trusted root authorities of the machine you're running this from?

This will show up visually if, using the browser, you navigate to the CRM site and it either gives you a red address bar with a certificate warning or makes you click through an "I'm sure I want to go here" page.

Mattb-msft.

May 26, 2011 at 2:15 PM

The ADFS service communication certificate and IIS SSL certificate on sts.crmdev.local are issued from a local CA. That CA cert is in the trusted root authorities.

The ADFS token signing and decrypting certificates are the self-issued certificates that were created when ADFS was installed. These certificates are self-signed and not expired.

May 27, 2011 at 11:39 PM

I am not as proficient as I would like to be with claims-based servers. I would suggest you ping this list:
http://social.msdn.microsoft.com/Forums/en/Geneva/threads with the ADFS question; they may be able to help you sort it out.

-Mattb-msft.

Jul 21, 2011 at 10:15 PM

I was having this problem, so I traced the web request that the connection client made, and it seems to me that there is an error in the connection client.

Specifically, if you enter a username in the format DomainName\UserName, then the connection client actually converts it to the UserName@Domain format. The problem is that if your domain is something like Contoso.com and you were to enter your username as Contoso\JohnDoe, then it would convert it to JohnDoe@Contoso and send that as your username, which is the incorrect format and should instead be JohnDoe@Contoso.com.

I was able to get around this issue by putting my username in the correct post-Windows 2000 format of JohnDoe@Contoso.com, and the connection established successfully.

Also, I left the Home Realm URL blank; not sure what that is for exactly.

All of this was tested against CRM 2011 using ADFS from a client machine which was not connected to the same domain as that of our partner hosted CRM system at http://appshost.org
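The conversion described in the post above is a failure mode worth seeing in code: a down-level logon name (`DOMAIN\user`) carries the NetBIOS domain name, and a UPN (`user@dns.suffix`) carries the DNS domain name, so turning one into the other needs a lookup, not string surgery. The block below is an added example, not the UII connection client's code or anything from the thread. `naive_to_upn` reproduces the behaviour reported (`Contoso\JohnDoe` becomes `JohnDoe@Contoso`); `to_upn` does the conversion through a NetBIOS-to-DNS table and fails closed when it cannot. The table `NETBIOS_TO_DNS` is constructed for the demo (in a real client it would come from the directory), and the rule that a usable UPN suffix must be a dotted DNS name is an assumption stated in the code.

```python
"""Normalise a typed account name into a UPN before handing it to an STS.

Added example; not part of the UII/CCA code. Shows the NetBIOS-vs-DNS
mix-up described in the thread and a fail-closed alternative.
"""
import re

# Constructed mapping for the demo. A real client must obtain this from the
# directory (trusted-domain information), never from a hard-coded table.
NETBIOS_TO_DNS = {"CONTOSO": "contoso.com"}

# Assumption: a UPN suffix is a dotted DNS name. A single label such as
# "Contoso" is rejected, which is exactly what the buggy conversion produces.
UPN_RE = re.compile(r"^[^\\@\s]+@[^\\@\s]+(\.[^\\@\s]+)+$")


def naive_to_upn(login):
    """The reported behaviour: treats the NetBIOS name as if it were a DNS suffix."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return f"{user}@{domain}"
    return login


def to_upn(login, netbios_to_dns=NETBIOS_TO_DNS):
    """Return a well-formed UPN or raise ValueError; never guess a suffix."""
    login = login.strip()
    if "\\" in login:
        domain, user = login.split("\\", 1)
        if not domain or not user:
            raise ValueError(f"malformed down-level logon name: {login!r}")
        dns_domain = netbios_to_dns.get(domain.upper())
        if dns_domain is None:
            raise ValueError(f"no DNS domain known for NetBIOS name {domain!r}")
        upn = f"{user}@{dns_domain}"
    else:
        upn = login
    if not UPN_RE.match(upn):
        raise ValueError(f"not a well-formed UPN: {upn!r}")
    return upn


def try_to_upn(login):
    """(True, upn) on success, (False, reason) otherwise; handy for a login prompt."""
    try:
        return True, to_upn(login)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    for typed in ("Contoso\\JohnDoe", "JohnDoe@Contoso.com", "Fabrikam\\Jane"):
        print(f"{typed:22} naive={naive_to_upn(typed):22} safe={try_to_upn(typed)}")
```

The point of the fail-closed branch is that a wrong-but-plausible name like `JohnDoe@Contoso` produces an authentication failure at the STS with no indication that the client rewrote the input; refusing unknown NetBIOS names up front makes the problem visible at the prompt instead of in a WS-Trust fault.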

Aug 4, 2011 at 5:50 PM

Yeah. I've been looking at this issue where the home realm is left blank. As far as I can tell, that will work when the CRM Discovery server and web server are on the same domain as the ADFS instance. It's effectively falling through to use the underlying AD auth to do it.
I'm still looking into this.

MattB.