Environment:
- Dynamics CRM 2016 service pack 1 deployed on Windows 2012 R2 Server (domain joined)
- AD FS on domain joined Windows 2012 R2 Server
- Web Application Proxy (WAP) installed on workgroup Server in DMZ
Error Encountered: Seeing the following error in the Application event logs on the Dynamics CRM Server:
An error has occurred.
Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization's Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.
+ System
- Provider
[ Name] ASP.NET 4.0.30319.0
- EventID 1309
[ Qualifiers] 32768
Level 3
Task 3
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2017-02-04T01:51:56.000000000Z
EventRecordID 1796646
Channel Application
Computer <Dynamics CRM Server FQDN>
Security
- EventData
3005
An unhandled exception has occurred.
2/3/2017 8:51:56 PM
2/4/2017 1:51:56 AM
d557250f37594d2792c72671e17ce5e3
26
4
0
/LM/W3SVC/1/ROOT-4-131306320864190376
Full
/
C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
<Dynamics CRM Server Name>
1488
w3wp.exe
DOMAIN\CRMAPPSERV
SecurityTokenException
ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer. at System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token) at System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
https://auth.biztechfusion.com:443/default.aspx
/default.aspx
10.1.20.53
False
DOMAIN\CRMAPPSERV
537
BIZTECH\CRMAPPSERV
False
at System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token) at System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Cause: Any changes to certificates in the AD FS farm.
Symptoms: Cannot log in to CRM.
Resolution: Each time there are any certificate changes in the AD FS farm, the following prescribed steps must be performed again:
On the Dynamics CRM Server:
- Open the Deployment Manager
- Re-run Configure Claims-Based Authentication accepting the current populated data including the appropriate SSL certificate.
- Re-run Configure Internet-Facing Deployment accepting the current populated data.
- Run iisreset.
- Run "Restart-Service Adfssrv" from Windows PowerShell.
On the AD FS Server:
- Open AD FS management console.
- Under Trust Relationships, Relying Party Trusts, right-click on both CRM listings and then click "Update From Federation Metadata".
- Run iisreset from elevated command prompt.
- Run "Restart-Service adfssrv" from Windows PowerShell.
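The AD FS Server steps above can also be scripted. The following is an added example, not part of the original post: it lists the current token-signing certificates, then performs the "Update From Federation Metadata" action on the CRM relying party trusts and restarts the service. The parameter names and the `crm.example.com` pattern are hypothetical; set the pattern to match the metadata URL of your own CRM trusts.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the AD FS
# server, after the Dynamics CRM Server steps have been completed.
# $CrmHostPattern is a hypothetical placeholder value, not taken from the post.
param(
    [string]$CrmHostPattern = 'crm.example.com',
    [switch]$Apply   # without -Apply the script only reports what it would do
)

Import-Module ADFS

# 1. Show the token-signing certificates AD FS currently holds, so a recent
#    certificate change (new thumbprint, new primary) is visible.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint,
        @{ Name = 'NotBefore'; Expression = { $_.Certificate.NotBefore } },
        @{ Name = 'NotAfter';  Expression = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 2. Find the CRM relying party trusts by their federation metadata URL.
$pattern = [regex]::Escape($CrmHostPattern)
$trusts  = @(Get-AdfsRelyingPartyTrust | Where-Object {
    $_.MetadataUrl -and ($_.MetadataUrl.ToString() -match $pattern)
})

if ($trusts.Count -eq 0) {
    Write-Warning "No relying party trust has a metadata URL matching '$CrmHostPattern'."
    return
}

$trusts | Select-Object Name, MetadataUrl, LastUpdateTime | Format-Table -AutoSize

# 3. Refresh each trust from its federation metadata (the scripted form of the
#    right-click "Update From Federation Metadata" action), then restart AD FS.
if ($Apply) {
    foreach ($trust in $trusts) {
        Write-Host "Updating '$($trust.Name)' from federation metadata..."
        Update-AdfsRelyingPartyTrust -TargetName $trust.Name
    }
    Restart-Service adfssrv
}
else {
    Write-Host "Report only. Re-run with -Apply to update the trusts listed above."
}
```

Run it once without `-Apply` to confirm that only the two CRM trusts are selected before making changes.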