Resolving “A certificate registered for use by Microsoft Dynamics CRM has expired” error in CRM 2013

A while after renewing and replacing the service communication certificate on the ADFS server, and updating the CRM Internet-Facing Deployment (IFD) to use the new public certificate, the Dynamics CRM Server 2013 started logging the following series of errors in the Application log every 15 minutes:

First, three occurrences of event 25089:

Log Name: Application
Source: MSCRMMonitoringTest
Date: 16-11-2015 17:12:01
Event ID: 25089
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: CRMSrv01.adatum.dk

Description:

A certificate registered for use by Microsoft Dynamics CRM has expired. Certificate type: TrustedIssuer Certificate Name: http://fs.adatum.dk/adfs/services/trust Expiration Date: 29-10-2015 17:12:59 Store Location: Store Name:

Then one occurrence of event 18797:

Log Name: Application
Source: MSCRMMonitoringTest
Date: 16-11-2015 17:12:01
Event ID: 18797
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: CRMSrv01.adatum.dk
Description:

Monitoring test failed: Test Title: Trusted Issuer Certificate test: Machine: CRMSrv01: ServerRole: DiscoveryService, Portal, ApiServer
Test Log:Retrieving certificate data from config DB
Verifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trust
TrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/29/2014 17:12:59 to 10/29/2015 17:12:59. Failure: Certificate has expired

Verifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trust
TrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/09/2015 19:40:32 to 10/08/2016 19:40:32. Remaining certificate lifespan 89.6 % is greater than the configured threshold of 10.0 %. Certificate is not nearing expiration.
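
The monitoring test writes one "Verifying TrustedIssuer certificate" block per certificate it knows about, so the quickest way to see whether a stale entry is still being checked is to parse those blocks rather than read the whole event. The following PowerShell is an added example and is not part of the original post or of any Microsoft tooling; it assumes the event text uses the layout shown above (ADFS identifier after Name=, lifespan dates as MM/dd/yyyy HH:mm:ss) and the sample message is constructed from event 18797 above, with the line breaks Event Viewer shows between the checks.

```powershell
# Added example (not from the original post): parse the text of the
# MSCRMMonitoringTest "Trusted Issuer Certificate test" events (IDs 18797 and
# 18691) and report each TrustedIssuer certificate with its validity window and
# remaining lifespan, so an expired entry that CRM keeps re-checking stands out.
function ConvertFrom-CrmTrustedIssuerTestLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message,

        # Reference time for the remaining-lifespan calculation; defaults to now.
        [datetime]$Now = (Get-Date),

        # Below this percentage CRM reports "nearing expiration" (10 % in the events above).
        [double]$ThresholdPercent = 10.0
    )
    process {
        # One match per check block. The name is the ADFS identifier URL, the
        # lifespan is written as "Valid from MM/dd/yyyy HH:mm:ss to MM/dd/yyyy HH:mm:ss".
        $pattern = 'Verifying TrustedIssuer certificate\. Name=(?<name>\S+)\s+' +
                   'TrustedIssuer certificate[\s\S]*?' +
                   'Valid from (?<from>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ' +
                   'to (?<to>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})'
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
        foreach ($m in [regex]::Matches($Message, $pattern)) {
            $from = [datetime]::ParseExact($m.Groups['from'].Value, 'MM/dd/yyyy HH:mm:ss', $culture)
            $to   = [datetime]::ParseExact($m.Groups['to'].Value,   'MM/dd/yyyy HH:mm:ss', $culture)
            # Same figure CRM prints: remaining time as a percentage of the full lifetime.
            $remaining = [math]::Round(100.0 * ($to - $Now).TotalSeconds / ($to - $from).TotalSeconds, 1)
            $status = if ($to -le $Now) { 'Expired' }
                      elseif ($remaining -lt $ThresholdPercent) { 'NearingExpiration' }
                      else { 'OK' }
            [pscustomobject]@{
                Issuer           = $m.Groups['name'].Value
                ValidFrom        = $from
                ValidTo          = $to
                RemainingPercent = $remaining
                Status           = $status
            }
        }
    }
}

# Constructed sample: the body of event 18797 shown above, with the line breaks
# Event Viewer shows between the individual checks.
$sample = @'
Monitoring test failed: Test Title: Trusted Issuer Certificate test: Machine: CRMSrv01: ServerRole: DiscoveryService, Portal, ApiServer
Test Log:Retrieving certificate data from config DB
Verifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trust
TrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/29/2014 17:12:59 to 10/29/2015 17:12:59. Failure: Certificate has expired
Verifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trust
TrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/09/2015 19:40:32 to 10/08/2016 19:40:32 Remaining certificate lifespan 89.6 % is greater than the configured threshold of 10.0 %. Certificate is not nearing expiration.
'@

# Evaluate as of the event's own timestamp so the figures match the event text.
$asOf = [datetime]::new(2015, 11, 16, 17, 12, 1)
$sample | ConvertFrom-CrmTrustedIssuerTestLog -Now $asOf | Format-Table -AutoSize

# Against a live CRM server, feed the real events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSCRMMonitoringTest'; Id = 18797, 18691 } |
#     Select-Object -ExpandProperty Message | ConvertFrom-CrmTrustedIssuerTestLog
```

Run against the live log, the output should show one Expired row per stale entry before the fix and none afterwards; if an Expired row keeps appearing after a fix, the config database still holds the old trusted issuer data.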


Looking in the Certificates snap-in for the Local Computer, I found both the new and the old certificate listed.

Some systems have a tendency to hang on to old certificates even after they have expired, despite new, valid certificates being present and available, and need a forced update to trigger discovery of the replacement certificate. Note that the event text above says the TrustedIssuer certificate is not stored in the local store but in the config DB, so cleaning up the local store alone will not clear the stale entry; it only removes the expired certificate from the selection list the wizard later presents.

So my first action was to review and remove any expired certificate from the Certificates snap-in:

After removing the expired certificate, leaving only the currently configured, valid certificate, I reran the Claims-Based Authentication configuration using the CRM Deployment Manager.
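
The clean-up described above can be scripted and, more importantly, constrained: only remove an expired certificate when a valid certificate with the same subject is already in the store, so a certificate that expired without a replacement is surfaced for renewal instead of silently deleted. The following PowerShell is an added example, not code from the original post; the subject name, thumbprints and validity periods in the sample are constructed placeholders, and the live commands at the end are kept commented and use -WhatIf so nothing is deleted without review.

```powershell
# Added example (not from the original post): find expired certificates in the
# computer's Personal store that already have a valid successor with the same
# subject, and report them as removal candidates.
function Get-ExpiredCertificateWithReplacement {
    [CmdletBinding()]
    param(
        # Objects exposing Subject, NotBefore, NotAfter and Thumbprint, i.e. what
        # Get-ChildItem Cert:\LocalMachine\My returns (or constructed stand-ins).
        [Parameter(Mandatory)]
        [object[]]$Certificate,

        [datetime]$Now = (Get-Date)
    )
    foreach ($group in ($Certificate | Group-Object -Property Subject)) {
        $valid   = @($group.Group | Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })
        $expired = @($group.Group | Where-Object { $_.NotAfter -le $Now })
        # An expired certificate with no live successor needs a renewal, not a
        # clean-up, so it is deliberately not reported here.
        if ($valid.Count -eq 0) { continue }
        $newest = $valid | Sort-Object NotAfter -Descending | Select-Object -First 1
        foreach ($c in $expired) {
            [pscustomobject]@{
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                ExpiredOn  = $c.NotAfter
                ReplacedBy = $newest.Thumbprint
            }
        }
    }
}

# Constructed sample standing in for the store contents. Subject, thumbprints
# and dates are placeholders (the dates are borrowed from the events above).
$sampleStore = @(
    [pscustomobject]@{ Subject = 'CN=crm.adatum.dk';   Thumbprint = 'THUMBPRINT-OLD';   NotBefore = [datetime]'2014-10-29T17:12:59'; NotAfter = [datetime]'2015-10-29T17:12:59' }
    [pscustomobject]@{ Subject = 'CN=crm.adatum.dk';   Thumbprint = 'THUMBPRINT-NEW';   NotBefore = [datetime]'2015-10-09T19:40:32'; NotAfter = [datetime]'2016-10-08T19:40:32' }
    [pscustomobject]@{ Subject = 'CN=other.adatum.dk'; Thumbprint = 'THUMBPRINT-OTHER'; NotBefore = [datetime]'2014-01-01';          NotAfter = [datetime]'2015-01-01' }
)
# Only THUMBPRINT-OLD qualifies: it is expired and CN=crm.adatum.dk has a valid successor.
Get-ExpiredCertificateWithReplacement -Certificate $sampleStore -Now ([datetime]'2015-11-16T17:12:01') |
    Format-Table -AutoSize

# Against the real store: review the list first, then drop -WhatIf to remove.
# $stale = Get-ExpiredCertificateWithReplacement -Certificate (Get-ChildItem Cert:\LocalMachine\My)
# $stale | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -WhatIf }
```

Before removing anything from the real store, confirm that no IIS binding or other service still references the expired thumbprint; the function only proves a replacement exists, not that everything has been switched to it.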

IMPORTANT:
The following procedure requires membership of the CRM_Admins domain security group and administrative access to the CRM server farm:

Active Directory:

CRM_Admins
SQLAccessGroup

CRM:

Deployment Administrators
(Microsoft Dynamics CRM -> Deployment Manager -> Add user to Deployment Administrators)

SQL: 

sysadmin on the CRM SQL Server instance
db_owner on the MSCRM_CONFIG database

Rerun the claims-based authentication configuration in CRM Deployment Manager with no changes, except re-selecting the new certificate:

On the Microsoft Dynamics CRM server, start the Deployment Manager.

In the Deployment Manager console tree, click Microsoft Dynamics CRM.

Click Configure Claims-Based Authentication.

Run the wizard using the default settings and click Next.

On the Specify the security token service page, leave the Federation metadata URL unchanged and click Next.

On the Specify the encryption certificate page, click Select.

Ensure that only the current service communication certificate is listed, select it, and click OK.

Click Next.

The Configure Claims-Based Authentication Wizard now verifies the ADFS federation metadata URL and the service communication certificate configured in the previous step.

On the System Checks page, review the results. If any errors appear, investigate and fix them before continuing.
When both checks pass, click Next.

On the Review your selections and then click Apply page, verify your selections, and then click Apply.

View and save the log file for later reference, then click Finish.
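
Once the wizard has finished, the same settings can be read back with the Microsoft Dynamics CRM PowerShell snap-in and cross-checked against the computer's Personal store, which catches the two states that cause trouble here: the configured subject name resolving to an expired certificate, or to more than one certificate. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the snap-in is installed on the CRM server, that the ClaimsSettings object exposes Enabled, FederationMetadataUrl and EncryptionCertificate (the subject name chosen in the wizard), and the sample settings and certificates are constructed placeholders (the federation metadata URL is the conventional ADFS path, not one taken from the post).

```powershell
# Added example (not from the original post): read the claims-based
# authentication settings back and check that the configured encryption
# certificate resolves to exactly one valid certificate in LocalMachine\My.
function Test-CrmClaimsEncryptionCertificate {
    [CmdletBinding()]
    param(
        # The object returned by Get-CrmSetting -SettingType ClaimsSettings
        [Parameter(Mandatory)]
        $ClaimsSettings,

        # Certificates to match against; defaults to the computer's Personal store.
        [object[]]$Certificate = (Get-ChildItem Cert:\LocalMachine\My),

        [datetime]$Now = (Get-Date)
    )
    $subject = $ClaimsSettings.EncryptionCertificate
    $found   = @($Certificate | Where-Object { $_.Subject -eq $subject })
    $valid   = @($found | Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })
    $expired = @($found | Where-Object { $_.NotAfter -le $Now })

    # Exactly one valid certificate and no expired twin is the state the wizard
    # should leave behind; anything else is worth a second look.
    $result = if (-not $ClaimsSettings.Enabled) { 'ClaimsAuthDisabled' }
              elseif ($valid.Count -eq 0)       { 'NoValidCertificate' }
              elseif ($valid.Count -gt 1)       { 'AmbiguousSubject' }
              elseif ($expired.Count -gt 0)     { 'StaleCertificatePresent' }
              else                              { 'OK' }

    [pscustomobject]@{
        Enabled               = $ClaimsSettings.Enabled
        FederationMetadataUrl = $ClaimsSettings.FederationMetadataUrl
        EncryptionCertificate = $subject
        CertificatesInStore   = $found.Count
        ValidInStore          = $valid.Count
        ExpiredInStore        = $expired.Count
        Result                = $result
    }
}

# Constructed sample settings and store contents (placeholders, not real values).
$sampleSettings = [pscustomobject]@{
    Enabled               = $true
    FederationMetadataUrl = 'https://fs.adatum.dk/FederationMetadata/2007-06/FederationMetadata.xml'
    EncryptionCertificate = 'CN=crm.adatum.dk'
}
$sampleStore = @(
    [pscustomobject]@{ Subject = 'CN=crm.adatum.dk'; Thumbprint = 'THUMBPRINT-OLD'; NotBefore = [datetime]'2014-10-29T17:12:59'; NotAfter = [datetime]'2015-10-29T17:12:59' }
    [pscustomobject]@{ Subject = 'CN=crm.adatum.dk'; Thumbprint = 'THUMBPRINT-NEW'; NotBefore = [datetime]'2015-10-09T19:40:32'; NotAfter = [datetime]'2016-10-08T19:40:32' }
)
# Both certificates still present: reports StaleCertificatePresent.
Test-CrmClaimsEncryptionCertificate -ClaimsSettings $sampleSettings -Certificate $sampleStore -Now ([datetime]'2015-11-16T17:12:01')
# Only the new one left: reports OK.
Test-CrmClaimsEncryptionCertificate -ClaimsSettings $sampleSettings -Certificate @($sampleStore[1]) -Now ([datetime]'2015-11-16T17:12:01')

# On the CRM server, against the real deployment:
# Add-PSSnapin Microsoft.Crm.PowerShell
# Test-CrmClaimsEncryptionCertificate -ClaimsSettings (Get-CrmSetting -SettingType ClaimsSettings)
```

The check covers the encryption certificate CRM itself holds; the trusted issuer (token-signing) certificate is learned from the federation metadata and is only visible through the monitoring events, which is why the 18691 event below is the confirmation that matters.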

After completing the change and waiting for the next 15-minute monitoring cycle, the following event (18691) appeared in the Application log on the CRM server.
The event confirms that the CRM monitoring test now only finds the new token-signing certificate of the trusted issuer, whose data has been committed to the config database; the stale entry for the expired certificate is gone, which resolves the issue.

Log Name: Application
Source: MSCRMMonitoringTest
Date: 16-11-2015 18:12:01
Event ID: 18691
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: CRMSrv01.adatum.dk
Description:

Monitoring test succeeded: Test Title: Trusted Issuer Certificate test: Machine: CRMSrv01: ServerRole: DiscoveryService, Portal, ApiServer
Test Log:Retrieving certificate data from config DB

Verifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trust
TrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/09/2015 19:40:32 to 10/08/2016 19:40:32. Remaining certificate lifespan 89.6 % is greater than the configured threshold of 10.0 %. Certificate is not nearing expiration.
