404-File or Directory Not Found occurs when accessing Microsoft Dynamics CRM 2011 with Claims Based Authentication

This article provides a resolution for the issue that you can't access Microsoft Dynamics CRM 2011 with Claims Based Authentication due to the 404-File or Directory Not Found error.

Applies to: Microsoft Dynamics CRM Online
Original KB number: 2847921

Symptoms

An error message 404-File or Directory Not Found may occur when trying to access Microsoft Dynamics CRM 2011 with Claims Based Authentication.

The following error stack can be found in the event viewer after enabling the AD FS trace log on the AD FS server:

Log Name: AD FS 2.0 Tracing/Debug
Source: AD FS 2.0 Tracing
Date: mm/dd/yyyy 00:00:00 PM
Event ID: 67
Task Category: None
Level: Error
Keywords: ADFSProtocol
User: NETWORK SERVICE
Computer: SERVER
Description:
Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:

Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings.
at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)

Cause

The IIS applicationhost.config file is incomplete. This can be caused by a corrupt or incomplete installation of AD FS. One or more of the following location paths and their settings have been removed:

<location path="Default Web Site/adfs">
<location path="Default Web Site/adfs/ls">
<location path="Default Web Site/adfs/ls/auth">
<location path="Default Web Site/adfs/ls/auth/integrated">
<location path="Default Web Site/adfs/ls/auth/sslclient">
<location path="Default Web Site/adfs/ls/auth/basic">

Resolution

To fix this issue, follow these steps:

  1. Stop the IIS service on the AD FS server.

  2. Stop the AD FS service on the AD FS server.

  3. Make a copy of the applicationhost.config file, and then open the applicationhost.config file located in C:\windows\system32\inetsrv.

  4. Review this file for any missing file location paths. Update this file to include all file location paths as displayed below.

        <location path="Default Web Site/adfs">
            <system.webServer>
                <handlers accessPolicy="Read" />
                <security>
                    <access sslFlags="Ssl, Ssl128" />
                    <authentication>
                        <windowsAuthentication enabled="false" useAppPoolCredentials="true">
                            <extendedProtection tokenChecking="Allow" />
                        </windowsAuthentication>
                        <clientCertificateMappingAuthentication enabled="false" />
                        <anonymousAuthentication enabled="true" />
                        <iisClientCertificateMappingAuthentication enabled="false" />
                        <digestAuthentication enabled="false" />
                    </authentication>
                </security>
                <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
                <defaultDocument enabled="true">
                    <files>
                        <clear />
                        <add value="default.aspx" />
                    </files>
                </defaultDocument>
            </system.webServer>
        </location>
        <location path="Default Web Site/adfs/ls">
            <system.webServer>
                <handlers accessPolicy="Read, Script" />
                <security>
                    <access sslFlags="Ssl, Ssl128" />
                    <authentication>
                        <windowsAuthentication enabled="true" useAppPoolCredentials="true">
                            <extendedProtection tokenChecking="Allow" />
                        </windowsAuthentication>
                        <clientCertificateMappingAuthentication enabled="false" />
                        <anonymousAuthentication enabled="true" />
                        <iisClientCertificateMappingAuthentication enabled="false" />
                        <digestAuthentication enabled="false" />
                    </authentication>
                </security>
            </system.webServer>
        </location>
        <location path="Default Web Site/adfs/ls/auth">
            <system.webServer>
                <security>
                    <authentication>
                        <windowsAuthentication enabled="false" useAppPoolCredentials="true" />
                        <clientCertificateMappingAuthentication enabled="false" />
                        <anonymousAuthentication enabled="false" />
                        <iisClientCertificateMappingAuthentication enabled="false" />
                        <digestAuthentication enabled="false" />
                    </authentication>
                </security>
            </system.webServer>
        </location>
        <location path="Default Web Site/adfs/ls/auth/integrated">
            <system.webServer>
                <handlers accessPolicy="Read, Script" />
                <security>
                    <authentication>
                        <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
                        <clientCertificateMappingAuthentication enabled="false" />
                        <anonymousAuthentication enabled="false" />
                        <iisClientCertificateMappingAuthentication enabled="false" />
                        <digestAuthentication enabled="false" />
                    </authentication>
                </security>
            </system.webServer>
        </location>
        <location path="Default Web Site/adfs/ls/auth/sslclient">
            <system.webServer>
                <handlers accessPolicy="Read, Script" />
                <security>
                    <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
                    <authentication>
                        <windowsAuthentication enabled="false" useAppPoolCredentials="true" />
                        <clientCertificateMappingAuthentication enabled="false" />
                        <anonymousAuthentication enabled="true" />
                        <iisClientCertificateMappingAuthentication enabled="false" />
                        <digestAuthentication enabled="false" />
                    </authentication>
                </security>
            </system.webServer>
        </location>
        <location path="Default Web Site/adfs/ls/auth/basic">
            <system.webServer>
                <handlers accessPolicy="Read, Script" />
                <security>
                    <authentication>
                        <windowsAuthentication enabled="false" useAppPoolCredentials="true" />
                        <clientCertificateMappingAuthentication enabled="false" />
                        <anonymousAuthentication enabled="true" />
                        <iisClientCertificateMappingAuthentication enabled="false" />
                        <digestAuthentication enabled="false" />
                    </authentication>
                </security>
            </system.webServer>
        </location>
    
  5. Start the IIS service on the AD FS server.

  6. Start the AD FS service on the AD FS server.
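
The review in step 4 can be scripted. The following is an added example, not part of the original article: it reports which of the six location paths are missing from a configuration file and whether the windowsAuthentication and anonymousAuthentication flags match the XML shown in step 4. The function name Test-AdfsLocations and the sample configuration are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original article). Requires PowerShell 3.0 or later.
# Baseline: enabled flags copied from the XML in step 4 of this article.
function Test-AdfsLocations {
    param([Parameter(Mandatory)][xml]$Config)
    # location path -> expected windowsAuthentication, anonymousAuthentication
    $baseline = [ordered]@{
        'Default Web Site/adfs'                    = 'false', 'true'
        'Default Web Site/adfs/ls'                 = 'true',  'true'
        'Default Web Site/adfs/ls/auth'            = 'false', 'false'
        'Default Web Site/adfs/ls/auth/integrated' = 'true',  'false'
        'Default Web Site/adfs/ls/auth/sslclient'  = 'false', 'true'
        'Default Web Site/adfs/ls/auth/basic'      = 'false', 'true'
    }
    $xp = 'system.webServer/security/authentication/{0}/@enabled'
    foreach ($path in $baseline.Keys) {
        # IIS paths are case-insensitive, so match with -eq instead of XPath
        $loc = $Config.SelectNodes('//location') |
            Where-Object { $_.GetAttribute('path') -eq $path } |
            Select-Object -First 1
        if ($null -eq $loc) {
            $status = 'MISSING'
        } else {
            $win  = $loc.SelectSingleNode(($xp -f 'windowsAuthentication')).Value
            $anon = $loc.SelectSingleNode(($xp -f 'anonymousAuthentication')).Value
            $want = $baseline[$path]
            $ok   = ($win -eq $want[0]) -and ($anon -eq $want[1])
            $status = if ($ok) { 'OK' } else { "DIFFERS (windows=$win, anonymous=$anon)" }
        }
        [pscustomobject]@{ Path = $path; Status = $status }
    }
}

# Constructed sample: two of the six entries present, one with a drifted setting.
$sample = [xml]@'
<configuration>
  <location path="Default Web Site/adfs/ls">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/adfs/ls/auth">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="false" />
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@
Test-AdfsLocations -Config $sample | Format-Table -AutoSize
```

To check a real file, pass the copy made in step 3, for example Test-AdfsLocations -Config ([xml](Get-Content <path to the copy>)). An attribute that is absent from a location entry is reported as DIFFERS, because the script compares only values written explicitly in that entry.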

More information

For more information, see How to Enable Debug Logging for Active Directory Federation Services 2.0 (AD FS 2.0).