This issue occurs when the following conditions are true:
· The web browser is connecting to a Microsoft Dynamics CRM Server that uses AD FS 2.0 for claims-based authentication. Claims-based authentication is required for an Internet-facing deployment (IFD).
· The web browser that used to access Microsoft Dynamics CRM 2011 is Firefox or Chrome.
The following steps disable Extended Protection for Authentication. This feature can help reduce the risk for “man in the middle” kinds of attacks. For more information about this feature and the protection it provides for credential handling see Microsoft Security Advisory (973811).
The following steps disable the Extended Protection for Authentication feature on the computer running Firefox or Chrome.
1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.
2. In the Lsa subkey, locate the SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-click Lsa, point to New, and then click DWORD (32-bit) Value. Type SuppressExtendedProtection, and then press ENTER.
3. Right-click SuppressExtendedProtection, click Modify, and enter 1 (REG_DWORD).
4. Click OK and close Registry Editor.
5. Repeat for each computer that experiences the issue when you run Firefox or Chrome and Microsoft Dynamics CRM.
After the change is made, the following behavior occurs.
· Chrome web browsers will no longer continue to prompt after the initial sign in.
· Firefox web browsers will prompt up to two additional occasions after the initial sign in.
Alternatively, you can disable the Extended Protection for Authentication feature in AD FS 2.0. Notice that disabling Extended Protection for Authentication feature in AD FS 2.0 will disable the feature for all clients that are authenticated by the federation server. For more information about how to disable the Extended Protection for Authentication feature on the AD FS 2.0 federation server, see Configuring Advanced Options for AD FS 2.0. For more information about this issue when using Office 365, see A federated user is repeatedly prompted for credentials when they connect to the AD FS 2.0 service endpoint during Office 365 sign-in.
Mozilla Firefox users may also experience a prompt for credentials when using Windows Integrated Authentication. For more information regarding this symptom, please see the following article:
Article ID: 2709891 - Last Review: 3 Jan 2013 - Revision: 1