Error occurs in Microsoft Dynamics CRM 2011 when accessing the CRM URL using a one-way domain trust

This article provides options to solve the error message that occurs when you try to access Microsoft Dynamics CRM 2011 URL by using a one-way domain trust.

Applies to:   Microsoft Dynamics CRM Online
Original KB number:   2698987

Symptoms

Consider the following scenario. Microsoft Dynamics CRM 2011 and ADFS 2.0 are installed in the trusting domain, and the users are located in the trusted domain:

  • There is a one-way trust between two domains.
  • Trusting domain: contoso.com.
  • Trusted domain: fabrikam.com.

The following error occurs when logging in to Microsoft Dynamics CRM 2011 using credentials from the trusted domain:

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

Reference number: <GUID>

Additionally, the following information is found in the Event Viewer from the ADFS server:

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: DateTime
Event ID: 111
Task Category: None
Level: Error
Keywords: AD FS
User: SYSTEM
Computer: ADFS.contoso.com
Description:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Exception details:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query ';userPrincipalName;{0}' to attribute store 'Active Directory' failed: 'Exception of type
'Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException' was thrown.'. --->
Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException

Using the LDP.exe tool to query a Domain Controller located on the trusted domain from the ADFS Server, using credentials from the trusting domain, the following error occurs:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Error 0x8009030C The logon attempt failed
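The two diagnostics above (the AD FS 2.0/Admin event and the ldp.exe bind output) are the signals to watch for when an ADFS service account cannot read user attributes across a one-way trust. The following added example, which is not part of the original KB article, parses both: it extracts the attribute store, the failed query and the thrown exception from an Event ID 111 description, flags the LdapServerUnavailableException pattern, and pulls the SSPI error code out of an ldp.exe bind failure. The sample texts are constructed from the output shown above; the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the AD FS 2.0/Admin event shown in the Symptoms section.
SAMPLE_ADFS_EVENT = """Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Event ID: 111
Task Category: None
Level: Error
Computer: ADFS.contoso.com
Description:
The Federation Service encountered an error while processing the WS-Trust request.

Exception details:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query ';userPrincipalName;{0}' to attribute store 'Active Directory' failed: 'Exception of type
'Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException' was thrown.'. --->
Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException
"""

# Constructed sample of the ldp.exe bind output shown above.
SAMPLE_LDP_OUTPUT = """0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Error 0x8009030C The logon attempt failed
"""


@dataclass
class AttributeStoreFailure:
    """An ADFS POLICY0018 attribute store failure extracted from Event ID 111."""
    computer: str
    query: str
    store: str
    exception: str


def parse_adfs_event(text: str) -> Optional[AttributeStoreFailure]:
    """Return the attribute store failure described by an AD FS 2.0 Event ID 111,
    or None if the text is some other event or has no POLICY0018 failure."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Log Name|Source|Event ID|Level|Computer):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if fields.get("Source") != "AD FS 2.0" or fields.get("Event ID") != "111":
        return None
    # POLICY0018 names the query and the attribute store that rejected it.
    policy = re.search(r"POLICY0018: Query '([^']*)' to attribute store '([^']*)' failed", text)
    if not policy:
        return None
    # The inner exception may be wrapped across a line break, hence \s+.
    exc = re.search(r"Exception of type\s+'([\w.]+)'\s+was thrown", text)
    return AttributeStoreFailure(
        computer=fields.get("Computer", ""),
        query=policy.group(1),
        store=policy.group(2),
        exception=exc.group(1) if exc else "",
    )


def is_ldap_store_unavailable(failure: AttributeStoreFailure) -> bool:
    """True when the Active Directory attribute store threw
    LdapServerUnavailableException, the signature of the one-way trust problem."""
    return (failure.store == "Active Directory"
            and failure.exception.endswith("LdapServerUnavailableException"))


def ldp_bind_error_code(text: str) -> Optional[str]:
    """Return the hex SSPI error code from a failed ldp.exe ldap_bind_s(),
    or None if the captured output shows no bind failure."""
    if not re.search(r"ldap_bind_s\(\) failed:", text):
        return None
    code = re.search(r"Error (0x[0-9A-Fa-f]{8})", text)
    return code.group(1) if code else None


if __name__ == "__main__":
    failure = parse_adfs_event(SAMPLE_ADFS_EVENT)
    print(failure)
    print("one-way trust LDAP lookup failure:", is_ldap_store_unavailable(failure))
    print("ldp bind error code:", ldp_bind_error_code(SAMPLE_LDP_OUTPUT))
```

Run as a script it prints the parsed failure for the constructed event and reports the ldp.exe bind error code 0x8009030C; the same functions can be pointed at exported event descriptions to confirm that a sign-in failure is the cross-trust attribute lookup rather than some other claims policy error.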

Cause

This problem occurs due to having a one-way domain trust configured. The ADFS service account needs to have rights to read attributes for users in the trusted domain. Without it, ADFS has no way of issuing claims.

Resolution

To resolve this problem, there are two options:

  • If you are not authenticating users in the trusting domain, remove the ADFS server from the trusting domain and join it to the trusted domain. An ADFS Proxy server can be placed in the trusting domain so that users on the internet can authenticate via the proxy. Microsoft Dynamics CRM 2011 does not need direct communication with the ADFS server, because it can pull the federation metadata from the ADFS Proxy. However, ADFS does need direct communication with Microsoft Dynamics CRM while the relying party trust is being set up, in order to retrieve the federation metadata from Microsoft Dynamics CRM; this is required only for that setup. Once the relying party trust is created, the communication can be terminated.
  • If you are authenticating users in the trusting domain as well as the trusted domain, add a new ADFS server to the internal domain and set up a federation trust between the two ADFS servers. You can still add an ADFS proxy to the trusting domain so internet users from the trusted domain can authenticate.

More information

To set up federation trust, follow the instructions in Claims access and partner companies.