Configure Claims-Based Authentication

Below, we use the Configure Claims-Based Authentication Wizard to configure claims-based authentication. To learn how to configure claims-based authentication with PowerShell instead, refer to the English original (linked under References).

1) Open the Deployment Manager.

2) In the left navigation pane, right-click Microsoft Dynamics CRM, and then click Configure Claims-Based Authentication.

3) Click Next.

4) On the Specify the security token service page, enter the Federation metadata URL, such as

https://sts1.interactivewebs.com/federationmetadata/2007-06/federationmetadata.xml

Note: This metadata is normally published by the AD FS 2.0 website. Paste the URL into Internet Explorer and confirm that the federation metadata XML is displayed; that proves the URL is correct. The page must load in IE without any certificate warning: the wizard (and later CRM itself) fetches the same URL over HTTPS and fails on exactly the trust problem the browser warns about, so fix the certificate chain rather than clicking through the warning.

5) Click Next.

6) On the Specify the encryption certificate page, click Select…

7) Select a certificate; here we choose *.interactivewebs.com.

8) This certificate is used to encrypt the security tokens that the AD FS 2.0 security token service issues to CRM; CRM decrypts them with the certificate's private key.

Note: The Microsoft Dynamics CRM service account (the identity of the CRM application pool in IIS) must have Read permission on the private key of the encryption certificate.

10) Click Next. The Claims-Based Authentication Configuration Wizard validates the security token service and the certificate you specified.

11) On the System Checks page, if the checks pass, click Next.

12) On the Review your selections and then click Apply page, confirm your input, and then click Apply.

13) On this page, note the URL shown, because you will use it later to add CRM as a relying party (Relying Party Trust) to the security token service.

14) IMPORTANT: Click View Log File.

15) Scroll to the end and copy the URL from the bottom of the log file. This URL is used in the next part of the configuration. Note that it is different from the federation metadata URL entered in step 4 above: it is the URL of CRM's own federation metadata (the internal URL). Subtle but vital, and the cause of frustration the first 10 times we tried this.

16) Click Finish.

17) Validate that you can browse to the URL you copied. If you cannot view it in a browser, look again at the permissions on the encryption certificate's private key for the account that runs the CRM application pool in IIS (see the note following step 8 above).

18) Once you can browse to this URL, you are done here.
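As an added example (not from the original post, nor from the interactivewebs guide it follows), the PowerShell below, run elevated on the CRM 2011 server, performs up front the checks the wizard makes in steps 4, 10 and 17: it fetches the federation metadata without relaxing certificate validation, lists the token-signing certificates the STS publishes, locates the encryption certificate in the local computer's Personal store, and verifies (and optionally grants) Read on its private key for the application pool account. The account name CONTOSO\crmsvc, the reuse of the *.interactivewebs.com name from step 7, and the $GrantMissingRead and $Apply switches are assumptions of the example. The final, optional step is the PowerShell route the opening paragraph mentions, using the Get-CrmSetting and Set-CrmSetting cmdlets of the Microsoft.Crm.PowerShell snap-in that the CRM 2011 server installs.

```powershell
# Added example, not code from the original post. Run in an elevated Windows
# PowerShell on the CRM 2011 server. Assumed values (not from the page):
$MetadataUrl      = 'https://sts1.interactivewebs.com/federationmetadata/2007-06/federationmetadata.xml'
$CertName         = '*.interactivewebs.com'   # CN of the wildcard certificate chosen in step 7
$ServiceAccount   = 'CONTOSO\crmsvc'          # assumed identity of the CRM application pool
$GrantMissingRead = $false                    # $true: add a Read ACE on the private key
$Apply            = $false                    # $true: write the claims settings into CRM

# 1. Federation metadata (step 4). No ServerCertificateValidationCallback override on
#    purpose: a certificate warning in IE is the same trust failure the wizard and CRM
#    itself will hit when they fetch this URL.
$client = New-Object System.Net.WebClient
try {
    [xml]$metadata = $client.DownloadString($MetadataUrl)
} catch {
    throw "Federation metadata not retrievable (fix TLS/chain first): $($_.Exception.Message)"
}
$entityId = $metadata.EntityDescriptor.entityID
if (-not $entityId) { throw 'Not SAML entity metadata: no EntityDescriptor/@entityID' }
# Token-signing certificates the STS publishes; CRM only accepts tokens signed by one of these.
$signing = @($metadata.GetElementsByTagName('KeyDescriptor') |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate } |
    Select-Object -Unique |
    ForEach-Object {
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList (,[Convert]::FromBase64String($_)) })
"Metadata OK: entityID=$entityId"
$signing | ForEach-Object { "  STS token-signing cert: $($_.Thumbprint) valid until $($_.NotAfter)" }

# 2. Encryption certificate (steps 7 and 10): in LocalMachine\My, with a private key,
#    not expired. If the subject appears more than once, the newest copy is used.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CertName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending)
if ($certs.Count -eq 0) { throw "No certificate named $CertName with a private key in LocalMachine\My" }
$cert = $certs[0]
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
"Encryption cert: $($cert.Thumbprint) ($($cert.Subject)) valid until $($cert.NotAfter)"

# 3. Private key permission for the application pool account (note under step 8).
#    Covers CryptoAPI (CSP) RSA keys, which IIS-created certificate requests normally use;
#    $cert.PrivateKey is $null or throws for CNG keys or when the caller lacks key rights.
try   { $csp = $cert.PrivateKey } catch { $csp = $null }
if (-not $csp) { throw 'Private key not reachable via CryptoAPI; check it in MMC > All Tasks > Manage Private Keys' }
$keyFile  = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.CspKeyContainerInfo.UniqueKeyContainerName
$acl      = Get-Acl -Path $keyFile
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
# Only direct ACEs are inspected; a Read ACE on a group the account belongs to would also satisfy CRM.
$direct = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $ServiceAccount -and
    (($_.FileSystemRights -band $readMask) -eq $readMask) })
if ($direct.Count -gt 0) {
    "Private key: $ServiceAccount already has Read ($keyFile)"
} elseif ($GrantMissingRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Private key: granted Read to $ServiceAccount on $keyFile"
} else {
    Write-Warning "Private key: no direct Read ACE for $ServiceAccount on $keyFile (check group ACEs, or set `$GrantMissingRead = `$true)"
}

# 4. Optional PowerShell equivalent of the wizard's Apply (the route the opening paragraph
#    defers to the original article for), via the CRM 2011 deployment snap-in.
if ($Apply) {
    Add-PSSnapin Microsoft.Crm.PowerShell
    $claims = Get-CrmSetting -SettingType ClaimsSettings
    $claims.Enabled               = $true
    $claims.EncryptionCertificate = "CN=$CertName"
    $claims.FederationMetadataUrl = $MetadataUrl
    Set-CrmSetting -Setting $claims
    "Claims settings applied; next add CRM's own federation metadata URL as a relying party in AD FS (steps 13-15)."
}
```

Run it once with both switches left at $false to see what the wizard will see; the metadata fetch failing here, or the warning about the private key, is the same condition that makes step 17's URL unbrowsable later.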

AND if you get the following error: The encryption certificate “…..” does not exist in the local computer certificate store. Here is how to fix it.
When attempting to set up claims-based authentication for CRM 2011 against a client-side AD FS server, you encounter the error: The encryption certificate “…..” does not exist in the local computer certificate store.

In this case, it happens right after you have renewed your wildcard SSL certificate. After a few ponderous moments of head-scratching and chin-rubbing, you go back and double-check that, on the CRM server, the new SSL certificate is stored in the correct places in the Microsoft Management Console.

To check, open Start – Run – MMC.exe and load the Certificates snap-in: from MMC – File – Add or Remove Snap-ins – Certificates – Computer account – Local computer.

Check both the MMC – Certificates – Personal and Trusted Root Certification Authorities stores. The new wildcard SSL certificate is in both stores. At this point you also notice that the old wildcard SSL certificate is still in the Personal store. The wizard identifies the encryption certificate by its subject name, so two certificates with the same subject (the renewed one and the old one) make that lookup ambiguous. Once you have removed the old certificate from the Personal store (and verified that it is not in the Trusted Root Certification Authorities store either), the error goes away and you can complete the claims-based authentication setup. Note that a server certificate only needs to be in Personal; only its issuing CA chain belongs in the Trusted Root and Intermediate Certification Authorities stores.
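As an added example (not from the original post), the PowerShell below automates the check described above: it lists every certificate named *.interactivewebs.com (an assumed name, reused from the procedure) in the local computer's Personal and Trusted Root Certification Authorities stores, identifies the current one by expiry date and private key, and removes the stale copies from Personal. The $RemoveStale switch is an assumption of the example; it defaults to a dry run so you can confirm the thumbprints before anything is deleted.

```powershell
# Added example, not code from the original post. Run in an elevated Windows
# PowerShell on the CRM server. Assumed values (not from the page):
$CertName    = '*.interactivewebs.com'   # CN of the wildcard certificate
$RemoveStale = $false                    # $true: actually delete old copies from Personal

# Inventory every certificate with that subject name in the two stores the text checks.
$stores = @{ 'My' = 'Personal'; 'Root' = 'Trusted Root Certification Authorities' }
$found  = @()
foreach ($storeName in $stores.Keys) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadOnly')
    foreach ($c in $store.Certificates) {
        if ($c.GetNameInfo('SimpleName', $false) -eq $CertName) {
            $found += New-Object PSObject -Property @{
                Store = $stores[$storeName]; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter
                HasPrivateKey = $c.HasPrivateKey; Cert = $c }
        }
    }
    $store.Close()
}
if ($found.Count -eq 0) { throw "No certificate named $CertName in Personal or Trusted Root" }
$found | Sort-Object Store, NotAfter | Format-Table Store, Thumbprint, NotAfter, HasPrivateKey -AutoSize | Out-Host

# The wizard looks the encryption certificate up by subject name, so the only copy that
# should remain in Personal is the renewed one: latest expiry, with its private key.
$personal = @($found | Where-Object { $_.Store -eq 'Personal' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending)
if ($personal.Count -eq 0) { throw "No $CertName certificate with a private key in Personal" }
$current = $personal[0]
"Keeping $($current.Thumbprint) (valid until $($current.NotAfter))"

$stale = @($found | Where-Object { $_.Store -eq 'Personal' -and $_.Thumbprint -ne $current.Thumbprint })
foreach ($s in $stale) {
    if ($RemoveStale) {
        # X509Store.Remove works on every Windows PowerShell version; Remove-Item on the
        # Cert: drive does not on the 2.0 release that shipped with CRM 2011-era servers.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Remove($s.Cert)
        $store.Close()
        "Removed stale copy $($s.Thumbprint) (valid until $($s.NotAfter)) from Personal"
    } else {
        "Would remove stale copy $($s.Thumbprint) (valid until $($s.NotAfter)) from Personal; set `$RemoveStale = `$true to do it"
    }
}

# A server certificate belongs in Personal; only its issuing CA chain belongs in Trusted Root
# or Intermediate. Copies elsewhere are reported, not deleted, so you can decide.
$found | Where-Object { $_.Store -ne 'Personal' } | ForEach-Object {
    Write-Warning "Copy of $CertName also present in $($_.Store) ($($_.Thumbprint)); not needed there"
}
```

After the stale copy is gone, rerun the wizard (or the check script under step 18) and the certificate lookup resolves to the single renewed certificate.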

References:
http://thinketg.com/crm-resolving-the-encryption-certificate-does-not-exist-in-the-local-computer-certificate-store/
http://www.interactivewebs.com/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure-ifd-hosted-setup/


3 thoughts on “MS: Configure Claims-Based Authentication, and fixing it if these steps don’t work”

    1. This site’s goal is not to make money or generate traffic; its sole purpose is to combine howtos of all the tasks I need to complete on a daily basis on one site for easy reference. I noticed that while working away from my desk I cannot easily access my favorites – which is where these howtos come from – and that some of the pages hosting the howtos might close down, leaving me with a nice 404 in times of trouble.

      NOTE: If you find any value in these posts please don’t give me any kudos – kudos belong to the owners of the sites I reference and the people who went through all the trouble of actually fixing and documenting their steps. 🙂
