Hi Team,
I have CRM 2013 On Premise UR3, IFD setup with ADFS 2.0. All of my existing users can log in, but any new users I create get stuck in a loop when authenticating and the request eventually fails. These new users do have security roles enabled and they do have a professional full license.
The new users can authenticate to Office 365 and they can get into SharePoint from my ADFS 2.0 setup. It's just when the new users try to log in to CRM that the request is failing. It almost seems like the new users are missing an attribute in their AD object that CRM is looking for, but I don't know where to look.
Below is a log file entry that is created on the ADFS server when they try to authenticate. Below that is a log file from the CRM server when this happens.
I have been spinning my wheels on this for days, searching high and low for a solution. Any tips would be appreciated!
-------------------ADFS Error-------------------------------
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '6' seconds. Contact your administrator for details.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.UpdateLoopDetectionCookie()
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSignInResponse(MSISSignInResponse response)
---------------CRM Web Server Error-----------------------------------
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 9/29/2014 5:01:25 PM
Event time (UTC): 9/29/2014 9:01:25 PM
Event ID: 211210f31c6843749d75ae2f205bb726
Event sequence: 286756
Event occurrence: 127
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT-1-130564212147947296
Trust level: Full
Application Virtual Path: /
Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
Machine name: --------
Process information:
Process ID: 5104
Process name: w3wp.exe
Account name: --------
Exception information:
Exception type: ArgumentException
Exception message: Value was invalid.
Parameter name: sddlForm
at System.Security.Principal.SecurityIdentifier..ctor(String sddlForm)
at Microsoft.Crm.Authentication.ActiveDirectoryUserInformation.MatchExistingUser(ClaimsIdentity claimsIdentity, Guid organizationId, String userAuth)
at Microsoft.Crm.Authentication.Claims.ClaimsUtility.DoRecognizeUser(ClaimsIdentity claimsIdentity, String userAuth, Guid organizationId, LocatorServiceContext locatorServiceContext)
at Microsoft.Crm.Authentication.Claims.ClaimsUtility.SetCrmIdentityClaims(ClaimsIdentity claimsIdentity, Guid orgId, LocatorServiceContext locatorServiceContext)
at Microsoft.Crm.Authentication.Claims.CrmSessionAuthenticationManager.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Request information:
Request URL: ----------------
Request path: /default.aspx
User host address: -------------------
User:
Is authenticated: False
Authentication Type:
Thread account name: ----------------
Thread information:
Thread ID: 207
Thread account name: ---------------------
Is impersonating: True
Stack trace: at System.Security.Principal.SecurityIdentifier..ctor(String sddlForm)
at Microsoft.Crm.Authentication.ActiveDirectoryUserInformation.MatchExistingUser(ClaimsIdentity claimsIdentity, Guid organizationId, String userAuth)
at Microsoft.Crm.Authentication.Claims.ClaimsUtility.DoRecognizeUser(ClaimsIdentity claimsIdentity, String userAuth, Guid organizationId, LocatorServiceContext locatorServiceContext)
at Microsoft.Crm.Authentication.Claims.ClaimsUtility.SetCrmIdentityClaims(ClaimsIdentity claimsIdentity, Guid orgId, LocatorServiceContext locatorServiceContext)
at Microsoft.Crm.Authentication.Claims.CrmSessionAuthenticationManager.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
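An added diagnostic, not code from the original post: the CRM stack trace ends in `SecurityIdentifier..ctor(String sddlForm)` throwing `Value was invalid`, which means CRM was handed a string that is not a well-formed SID while matching the claims identity to an AD user in `MatchExistingUser`. The Python validator below approximates that constructor's checks on the `S-1-...` string form so the SID-typed claim values ADFS issues for a working user and for a failing user can be compared side by side; the claim type URIs used and the two sample tokens are assumptions constructed for this example, not taken from the post.

```python
import re
from typing import List, Optional, Tuple

# Claim types assumed to carry SIDs that CRM matches against AD (standard
# Microsoft claim type URIs; which ones CRM actually consumes is an assumption).
SID_CLAIM_TYPES = (
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
)

# String-form SID: S-<revision>-<identifier authority>-<sub-authority>...
_SID_RE = re.compile(
    r"^S-(?P<rev>\d+)-(?P<auth>0x[0-9A-Fa-f]{1,12}|\d{1,15})(?P<subs>(?:-\d{1,10})+)$"
)

def parse_sid(value: str) -> Optional[Tuple[int, Tuple[int, ...]]]:
    """Return (identifier_authority, sub_authorities) for a well-formed string
    SID, or None where .NET's SecurityIdentifier(String) would reject it:
    revision must be 1, the authority must fit in 48 bits, and there must be
    1..15 sub-authorities each fitting in 32 bits. Two-letter SDDL aliases
    such as "BA" are deliberately not accepted by this checker."""
    if not isinstance(value, str):
        return None
    m = _SID_RE.match(value)  # no strip(): stray whitespace is itself a defect
    if m is None or m.group("rev") != "1":
        return None
    auth_txt = m.group("auth")
    auth = int(auth_txt, 16) if auth_txt.lower().startswith("0x") else int(auth_txt)
    subs = tuple(int(s) for s in m.group("subs")[1:].split("-"))
    if auth > 0xFFFFFFFFFFFF or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        return None
    return auth, subs

def is_domain_user_sid(value: str) -> bool:
    """True for the S-1-5-21-<3 domain parts>-<RID> shape a domain account's objectSid has."""
    parsed = parse_sid(value)
    return parsed is not None and parsed[0] == 5 and parsed[1][:1] == (21,) and len(parsed[1]) == 5

def find_bad_sid_claims(claims: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return every SID-typed claim whose value the SecurityIdentifier constructor would reject."""
    return [(t, v) for t, v in claims if t in SID_CLAIM_TYPES and parse_sid(v) is None]

# Constructed sample tokens (not real data): an existing user with a proper SID,
# and a new user whose primarysid claim carries a value that is not a string SID.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OK_USER = [(UPN_CLAIM, "alice@example.com"),
           (SID_CLAIM_TYPES[0], "S-1-5-21-1004336348-1177238915-682003330-1105")]
NEW_USER = [(UPN_CLAIM, "bob@example.com"),
            (SID_CLAIM_TYPES[0], "6f1c3c2a-2b7e-4d7d-9a44-0d9c2b1f5e10")]

if __name__ == "__main__":
    for name, token in (("existing user", OK_USER), ("new user", NEW_USER)):
        print(name, "->", find_bad_sid_claims(token) or "all SID claims well-formed")
```

Feed it the actual claim values from a captured token (for example from the ADFS debug trace or a claims-viewer relying party) for one working and one failing account; a difference in the SID-typed claims is the attribute gap the post is looking for.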