Troubleshoot Microsoft Dynamics 365 Server IFD

Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016

A quick checklist

Did you…

  1. Configure DNS records?
     Reference: "DNS configuration" in the downloadable document.

  2. Install and bind your certificate on the Microsoft Dynamics 365 website?
     Reference: "Certificate selection and requirements" in the downloadable document.

  3. Add the AD FS token-signing certificate as a trusted certificate under the CRMAppPool account profile?
     Reference: "Enable AD FS token signing" in the downloadable document.

  4. Change the binding type for the Microsoft Dynamics 365 website to HTTPS and use the correct web addresses in Deployment Manager?
     Reference: Configure the Microsoft Dynamics 365 server for IFD.

  5. Give the CRMAppPool account read access to the private key of the existing certificate that Microsoft Dynamics 365 uses for claims? This could be the wildcard certificate installed on the Microsoft Dynamics 365 server.
     Reference: Configure the Microsoft Dynamics 365 Server for claims-based authentication.

  6. Run the Configure Claims-Based Authentication Wizard from Microsoft Dynamics 365 Deployment Manager? Did you specify the correct URL in this wizard and select the appropriate encryption certificate?
     Reference: Configure the Microsoft Dynamics 365 Server for claims-based authentication.

  7. Configure relying party trusts in AD FS for the Microsoft Dynamics 365 internal claims endpoint and the IFD endpoint? Did you provide the correct URL for the Microsoft Dynamics 365 IFD claims endpoint and set up the correct claim rules for both relying party trusts?
     Reference: Configure the AD FS server for claims-based authentication; Configure the AD FS server for IFD.

AD FS

Use the following to verify your AD FS settings.

Review AD FS events

  1. Open Event Viewer.

  2. Expand Applications and Services Logs. Expand AD FS. Click Admin.

  3. Review the events looking for errors.

Events such as Event ID 184, which reports a token request for a relying party that AD FS does not know, can indicate missing host records in DNS or an incorrect path for the relying party's federation metadata URL: the identifier the client sends in the request does not match any identifier on a configured relying party trust.

Verify relying party trust identifiers

  1. Open the AD FS Management console.

  2. Under Trust Relationships, click Relying Party Trusts. Verify the relying party trusts are enabled and not displaying an alert.

  3. Right-click the relying party trust and click Properties. Click the Identifiers tab. You should see identifiers like the following.

     Relying party trust for claims (display name "Relying party trust for claims"): internalcrm.contoso.com

     Relying party trust for IFD (display name "CRM IFD Relying Party"): auth.contoso.com

If your identifiers aren't similar to the above examples, check the path entered for the relying party's federation metadata URL on the Monitoring tab and check your DNS records.
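The two checks above (AD FS Admin log and relying party trust identifiers) can be scripted on the AD FS server. The following is an added example, not code from the original page or from Microsoft; it assumes the AD FS module on Windows Server 2012 R2 or later (the log name is "AD FS/Admin" there; AD FS 2.0 uses "AD FS 2.0/Admin"), and the regex that pulls the requested identifier out of the Event 184 message text is an assumption about that message's wording.

```powershell
# Added example (not from the original page): review the AD FS Admin log for
# errors and check each relying party trust's identifiers, metadata URL and DNS.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# 1. Errors and warnings from the AD FS Admin log over the last 24 hours,
#    grouped by event ID so the noisiest problem is listed first.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 1,2,3; StartTime = $since } -ErrorAction SilentlyContinue
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Sample'; e = { $_.Group[0].Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# Event 184 = token request for an unknown relying party. The identifier the
# client sent is quoted in the message; the regex is an assumption about the
# exact wording and may need adjusting for your AD FS version.
$unknown = foreach ($e in ($events | Where-Object Id -eq 184)) {
    if ($e.Message -match "identified by the key '([^']+)'") { $Matches[1] }
}
$trusts = Get-AdfsRelyingPartyTrust
$known  = $trusts | ForEach-Object { $_.Identifier }
foreach ($u in ($unknown | Sort-Object -Unique)) {
    # A near miss (trailing slash, http vs https, wrong host) shows up here.
    $closest = $known | Where-Object { $_ -like "*$(([Uri]$u).Host)*" }
    Write-Warning "Unknown relying party identifier requested: $u (closest configured: $($closest -join ', '))"
}

# 2. Relying party trusts: enabled, identifiers resolve in DNS, metadata URL reachable.
foreach ($t in $trusts) {
    Write-Host "`n[$($t.Name)] Enabled=$($t.Enabled) MonitoringEnabled=$($t.MonitoringEnabled) LastMonitored=$($t.LastMonitoredTime)"
    Write-Host "  MetadataUrl: $($t.MetadataUrl)"
    foreach ($id in $t.Identifier) {
        Write-Host "  Identifier:  $id"
        $uri = $null
        if ([Uri]::TryCreate($id, [UriKind]::Absolute, [ref]$uri)) {
            try   { $null = Resolve-DnsName -Name $uri.Host -ErrorAction Stop }
            catch { Write-Warning "  $($uri.Host) does not resolve in DNS (check host records)" }
        }
    }
    if ($t.MetadataUrl) {
        try   { $null = Invoke-WebRequest -Uri $t.MetadataUrl -UseBasicParsing -ErrorAction Stop }
        catch { Write-Warning "  Federation metadata URL not reachable: $($t.MetadataUrl) ($($_.Exception.Message))" }
    }
}
```

A trust whose MetadataUrl cannot be fetched will also fail automatic monitoring, which is what produces the alert icon in the console; fix the DNS record or the metadata path first, then re-run the script until no warnings remain.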

When attempting an internal claims-based authentication connection, you might be prompted for your credentials. Try the following steps.

Resolve prompt for credentials

  1. Add the website address of the AD FS server (for example, https://sts1.contoso.com) to the Local intranet zone in Internet Explorer, so that the browser sends the current Windows credentials automatically instead of prompting.

  2. Turn off Extended Protection on the Microsoft Dynamics 365 website. On the server running IIS for the Microsoft Dynamics 365 website:

    1. Open IIS Manager.

    2. Select the Microsoft Dynamics 365 website.

    3. Under IIS, double-click Authentication.

    4. Right-click Windows Authentication, and then click Advanced Settings.

    5. Set Extended Protection to Off.
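Both changes can be made from PowerShell. This is an added example, not code from the original page or from Microsoft; the AD FS host name sts1.contoso.com follows the page's example, and the IIS site name "Microsoft Dynamics CRM" is an assumption (it is the default name the installer uses, but check it in IIS Manager). The registry step applies to the user running the script; the IIS step must run elevated on the Dynamics 365 web server.

```powershell
# Added example (not from the original page). Two fixes for the credential
# prompt on an internal claims-based sign-in. Names below are assumptions.
$AdfsHost = 'sts1.contoso.com'
$SiteName = 'Microsoft Dynamics CRM'

# 1. Put the AD FS address in the Local intranet zone (zone 1) for the current
#    user. The ZoneMap key is split into <domain>\<host>; a DWORD named after the
#    URL scheme holds the zone number.
$hostLabel, $domain = $AdfsHost -split '\.', 2
$key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
Write-Host "https://$AdfsHost added to the Local intranet zone for the current user"

# 2. Turn off Extended Protection on the Dynamics 365 website. The UI values
#    Off / Accept / Required correspond to tokenChecking None / Allow / Require.
Import-Module WebAdministration
$filter  = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$current = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $filter -Name 'tokenChecking'
Write-Host "Extended Protection on '$SiteName' before: $current"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $filter -Name 'tokenChecking' -Value 'None'
$after = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $filter -Name 'tokenChecking'
Write-Host "Extended Protection on '$SiteName' after:  $after"
```

Extended Protection for Authentication binds the Windows authentication handshake to the TLS channel so that captured credentials cannot be relayed to another server. Turning it off removes that protection for the site, so treat step 2 as a diagnostic: if disabling it makes the prompt go away, the usual cause is a TLS terminator or proxy between the browser and IIS, and the longer-term fix is to make the channel binding work rather than to leave the setting off.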

For more AD FS troubleshooting information

See Troubleshoot AD FS 2.0.

HTTP Error 401.1 - Unauthorized: Access is denied

If the Microsoft Dynamics 365 website fails to display or produces the error HTTP Error 401.1 - Unauthorized: Access is denied, try the following two steps:

  1. You might need to update the federation metadata URLs and then reset IIS (run iisreset). See KB2686840.

  2. You might need to register a service principal name (SPN) for the AD FS server on the account the AD FS service runs as. See "Register the AD FS server as a service principal name (SPN)" in the downloadable document.
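The following is an added example, not code from the original page or from Microsoft, showing how to inspect both settings before changing anything. It assumes the Dynamics 365 Deployment Manager PowerShell snap-in on the Dynamics 365 server, the federation metadata URL for the AD FS server sts1.contoso.com (the standard AD FS metadata path), and an AD FS service account CONTOSO\adfssvc; all three are assumptions following the page's contoso.com examples. Which service class to register (HTTP/ is used here) should follow the SPN section of the downloadable document for your AD FS version.

```powershell
# Added example (not from the original page). Checks for HTTP 401.1:
# the federation metadata URL stored in the Dynamics 365 claims settings,
# and the SPN for the AD FS service account. Run elevated.
$ExpectedUrl    = 'https://sts1.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'  # assumption
$AdfsHost       = 'sts1.contoso.com'    # assumption
$ServiceAccount = 'CONTOSO\adfssvc'     # assumption: account AD FS runs as

# 1. Claims settings: compare the stored metadata URL with the expected one and
#    correct it, then reset IIS so the web site picks up the change.
Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction Stop
$claims = Get-CrmSetting -SettingType ClaimsSettings
Write-Host "Claims enabled: $($claims.Enabled)  FederationMetadataUrl: $($claims.FederationMetadataUrl)"
if ($claims.FederationMetadataUrl -ne $ExpectedUrl) {
    Write-Warning "Federation metadata URL differs from expected; updating"
    $claims.FederationMetadataUrl = $ExpectedUrl
    Set-CrmSetting -Setting $claims
    iisreset
}

# 2. SPN: HTTP/<adfs host> must exist on the service account and must not be
#    registered on any other account as well (Kerberos fails on duplicates).
$existing = setspn -L $ServiceAccount
if ($existing -match "^\s*HTTP/$([regex]::Escape($AdfsHost))\s*$") {
    Write-Host "SPN HTTP/$AdfsHost is already registered on $ServiceAccount"
} else {
    Write-Host "Registering HTTP/$AdfsHost on $ServiceAccount"
    setspn -S "HTTP/$AdfsHost" $ServiceAccount   # -S refuses to add a duplicate
}
Write-Host 'Forest-wide duplicate SPN check:'
setspn -X
```

Run the SPN part from any domain-joined machine with the AD DS tools; setspn -X reports every SPN registered on more than one account, which is the condition that turns a working Kerberos setup into a 401.1.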

Time differs between two servers

An authentication error can occur if the clocks on the AD FS server and the Microsoft Dynamics 365 server differ by more than 5 minutes. See Windows Time Service Technical Reference for information on how to configure time synchronization on your servers.
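To measure the skew rather than guess at it, run the following on the Microsoft Dynamics 365 server. It is an added example, not code from the original page or from Microsoft; the AD FS host name sts1.contoso.com is an assumption following the page's examples, and the resync at the end assumes the server is domain-joined and should take time from the domain hierarchy.

```powershell
# Added example (not from the original page): measure the clock offset between
# this server and the AD FS server and compare it with the 5-minute tolerance.
$AdfsHost       = 'sts1.contoso.com'   # assumption
$MaxSkewSeconds = 300

# w32tm /stripchart prints one sample per line, e.g. "12:00:01, +00.0123456s";
# the signed number is this machine's offset from the target.
$output  = w32tm /stripchart /computer:$AdfsHost /samples:5 /dataonly
$offsets = foreach ($line in $output) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No time samples from $AdfsHost; check that UDP 123 is open and the Windows Time service is running on both servers."
}
$avg = ($offsets | Measure-Object -Average).Average
Write-Host ("Average offset to {0}: {1:N3} s over {2} samples" -f $AdfsHost, $avg, $offsets.Count)

if ([math]::Abs($avg) -gt $MaxSkewSeconds) {
    Write-Warning "Offset exceeds $MaxSkewSeconds s; AD FS tokens will be rejected. Resynchronising this server from the domain hierarchy."
    w32tm /config /syncfromflags:domhier /update
    w32tm /resync /nowait
} else {
    Write-Host 'Clock skew is within tolerance.'
}
```

If the offset is large on the AD FS side as well, run the same check there against a domain controller; both servers must agree with the domain's time source, not merely with each other.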

See Also

Configure IFD for Microsoft Dynamics 365

© 2016 Microsoft. All rights reserved.