A while after renewing and replacing the Service Communication certificate on the ADFS server, and updating the CRM Internet Facing Deployment to use the new public certificate, the Dynamics CRM Server 2013 started to throw a series of errors in the Application log every 15 minutes:
First, three occurrences of event 25089:
Log Name: Application
Source: MSCRMMonitoringTest
Date: 16-11-2015 17:12:01
Event ID: 25089
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: CRMSrv01.adatum.dk
Description:
A certificate registered for use by Microsoft Dynamics CRM has expired. Certificate type: TrustedIssuer Certificate Name: http://fs.adatum.dk/adfs/services/trust Expiration Date: 29-10-2015 17:12:59 Store Location: Store Name:
Then a single event 18797:
Log Name: Application
Source: MSCRMMonitoringTest
Date: 16-11-2015 17:12:01
Event ID: 18797
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: CRMSrv01.adatum.dk
Description:
Monitoring test failed: Test Title: Trusted Issuer Certificate test: Machine: CRMSrv01: ServerRole: DiscoveryService, Portal, ApiServerTest Log:Retrieving certificate data from config DBVerifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trust.
TrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/29/2014 17:12:59 to 10/29/2015 17:12:59. Failure: Certificate has expired
Verifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trustTrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/09/2015 19:40:32 to 10/08/2016 19:40:32 Remaining certificate lifespan 89.6 % is greater than the configured threshold of 10.0 %. Certificate is not nearing expiration.
Looking in the Certificates snap-in for the Local Computer, I found both the new and the old certificate listed.
Some systems have a tendency to hang on to old certificates even after they have expired, despite new, valid certificates being present and available, so a forced update is needed to trigger discovery of the replacement certificate.
So my first action was to review the Certificates snap-in and remove any expired certificate:
After removing the expired certificate, leaving only the currently configured, valid certificate, I re-ran the Claims-Based Authentication configuration using the CRM Deployment Manager.
IMPORTANT:
The following procedure requires membership of the CRM_Admins domain security group and administrative access to the CRM server farm.
Active Directory: CRM_Admins. CRM: Deployment Administrators. SQL: sysadmin in the CRM SQL service instance.
Rerun the ADFS configuration in CRM Deployment Manager with NO changes, except re-selecting the new certificate:
On the Microsoft Dynamics CRM server, start the Deployment Manager.
In the Deployment Manager console tree, click Microsoft Dynamics CRM.
Click Configure Claims-Based Authentication.
Run the wizard using the default settings. Click Next.
On the Specify the security token service page, leave the Federation metadata URL unchanged.
Click Next.
On the Specify the encryption certificate page, click Select.
Ensure that only the current service communication certificate is listed, and click OK.
Click Next.
The Configure Claims-Based Authentication Wizard now verifies the ADFS metadata URL and the service communication certificate that was configured in the previous step.
On the System Checks page, review the results; if any errors appear, investigate and fix the issues.
When both checks are validated correctly, click Next.
On the Review your selections and then click Apply page, verify your selections, and then click Apply.
View and save the log file for later reference. Click Finish.
After completing the change and waiting for the 15-minute monitoring interval to elapse since the last series of errors, the following event (18691) appeared in the Application log on the CRM server.
The event confirmed that the CRM service had discovered the new token-signing certificate and committed the updated certificate data to the Config Database, thus resolving the issue.
Log Name: Application
Source: MSCRMMonitoringTest
Date: 16-11-2015 18:12:01
Event ID: 18691
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: CRMSrv01.adatum.dk
Description:
Monitoring test succeeded: Test Title: Trusted Issuer Certificate test: Machine: CRMSrv01: ServerRole: DiscoveryService, Portal, ApiServerTest Log:Retrieving certificate data from config DB.
Verifying TrustedIssuer certificate. Name=http://fs.adatum.dk/adfs/services/trustTrustedIssuer certificate is not stored in local store: It is contained in the config DB. Name=http://fs.adatum.dk/adfs/services/trust. Certificate Lifespan: Valid from 10/09/2015 19:40:32 to 10/08/2016 19:40:32. Remaining certificate lifespan 89.6 % is greater than the configured threshold of 10.0 %. Certificate is not nearing expiration.
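To verify the situation before and after the fix without waiting for the next monitoring run, the following PowerShell script (an added example, not from the original post) reproduces the lifespan calculation the Trusted Issuer Certificate test reports, applies it to the Local Computer personal store, and pulls the MSCRMMonitoringTest events from the Application log. It assumes it is run elevated on the CRM server and uses the 10 % threshold and event IDs shown in the events above; the function name is my own.

```powershell
# Added example, not part of the original post. Assumes an elevated session on the CRM server.
$Threshold = 10.0   # percent of lifespan remaining below which the monitoring test warns

function Get-CertificateLifespanStatus {
    param(
        [Parameter(Mandatory)][datetime]$NotBefore,
        [Parameter(Mandatory)][datetime]$NotAfter,
        [datetime]$Now = (Get-Date)
    )
    # Remaining lifespan as a percentage of total validity, as printed in the event text
    $total     = ($NotAfter - $NotBefore).TotalSeconds
    $remaining = ($NotAfter - $Now).TotalSeconds
    $percent   = [math]::Round(100 * $remaining / $total, 1)
    if ($Now -gt $NotAfter)          { $state = 'Expired' }
    elseif ($percent -lt $Threshold) { $state = 'NearingExpiration' }
    else                             { $state = 'Ok' }
    [pscustomobject]@{ Remaining = $percent; State = $state }
}

# Worked check with the two certificates from the events, evaluated at the event time:
$checkedAt = Get-Date '2015-11-16 18:12:01'
Get-CertificateLifespanStatus -NotBefore '2014-10-29 17:12:59' -NotAfter '2015-10-29 17:12:59' -Now $checkedAt  # Expired
Get-CertificateLifespanStatus -NotBefore '2015-10-09 19:40:32' -NotAfter '2016-10-08 19:40:32' -Now $checkedAt  # 89.6, Ok

# Same evaluation for every certificate in the Local Computer personal store.
# Expired certificates are only reported; removing them is the snap-in step from the post.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $s = Get-CertificateLifespanStatus -NotBefore $_.NotBefore -NotAfter $_.NotAfter
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Remaining  = $s.Remaining
        State      = $s.State
    }
} | Sort-Object NotAfter | Format-Table -AutoSize

# Monitoring events from the last 24 hours: 25089 and 18797 are the failures,
# 18691 is the success event confirming the config DB holds the new certificate.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSCRMMonitoringTest'
    Id           = 25089, 18797, 18691
    StartTime    = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, LevelDisplayName,
    @{ n = 'Message'; e = { $_.Message.Substring(0, [math]::Min(120, $_.Message.Length)) } }
```

The second worked call returns 89.6 %, matching the figure in events 18797 and 18691, which is a quick way to confirm that the dates in an event refer to the certificate you expect.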