How to resolve “An error occurred” in CRM for Office 365 with ADFS

This error can occur in a topology where an ADFS server is used for authenticating to Office 365 and the CRM Online service.
When starting the CRM for Office 365 plug-in, the users receive the following error message during the ADFS authentication:

An error occurred

An error occurred. Contact your administrator for more information.

Error details

  • Activity ID: xxxxxxxx-xxxx-xxxx-a003-a55e3ad5e2b9
  • Relying party: Microsoft Office 365 Identity Platform
  • Error time: <Date> <Time>
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; Win64; x64; Trident/8.0; Microsoft Outlook 16.0.7070)

On the ADFS server, event 364 is logged in the Application log (note the highlighted part):

Log Name:      AD FS/Admin
Source:        AD FS
Date:          <date> <time>
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          adatum\<adfs service account)
Computer:      ADFSSRV.adatum.dk
Description:
Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
wsfed 

Relying Party: 
urn:federation:MicrosoftOnline 


Exception details: 
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

image

As stated, the “… Requested Authentication Method is not supported on the STS …” indicates that the ADFS service lack support for the authentication method requested by the CRM plugin.

In certain ADFS configurations, the administrator may not have enabled forms-based authentication, which prevents clients from logging in if their authentication process is based on this method.

To resolve this issue, change the ADFS configuration and add forms-based authentication to the supported authentication methods.

First, verify which authentication methods your ADFS service is configured to support:

  • Open Server Manager on the primary ADFS for Windows Server 2012 R2 server
  • Click Tools, and then click AD FS Management.
  • In the AD FS snap-in, click Authentication Policies.
  • Review the Global Settings in the Primary Authentication section.
  • To support modern authentication, the Authentication Method for both Intranet and Extranet must have the Forms Authentication option enabled.

clip_image001

Follow these steps to enable forms-based authentication for both authentication methods:

  • In the AD FS snap-in, select the Authentication Policies branch.
  • Under the Primary Authentication section, click Edit next to Global Settings.

clip_image002

  • In the Edit Global Authentication Policy dialog box, click the Primary tab.
  • In both the Extranet and Intranet sections, ensure the Forms Authentication check box is enabled.

clip_image003

Click OK

clip_image004

Though it is not required, I recommend that you restart the ADFS service:

  • Open an elevated PowerShell prompt on the primary ADFS server
  • Run the following Windows PowerShell command:
    Restart-Service adfssrv
  • Repeat this on any secondary ADFS servers

 

 

Futher reading:     https://support.microsoft.com/en-us/kb/3015526

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.