Symptoms
- Claims authentication prompts for a password when connecting to CRM. Claims authentication should automatically forward your Windows credentials and not prompt for a username and password.
- After 3 logon attempts the connection fails.
- The event viewer on the server hosting ADFS contains an error message with event ID 197. The error message will be similar to the message below:
The Federation Service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of 'urn:federation:authentication:windows' for the relying party 'https://yourInternalCRM.companyName.com/'. Authentication type: http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password Desired authentication type(s): urn:federation:authentication:windows Relying party: 'https://yourInternalCRM.companyName.com/'
Diagnosis
- Certificate rollover on the ADFS server. The certificate on the ADFS server is now different from the certificate the CRM server has on record, so the trust between the two no longer matches.
Solution
http://social.technet.microsoft.com/Forums/en-US/439a0f19-bab9-40b8-b2b9-e753c859809f/unable-to-login-to-crm-via-adfs-20-getting-event-id-197-on-the-adfs-server?forum=winserverDS
- CRM server ==> go to Deployment Manager and disable IFD (skip this step if IFD is not set up).
- CRM server ==> go to Deployment Manager and disable claims authentication.
- CRM server ==> reset IIS (requires administrative privileges). Open an elevated command prompt and run the command IISRESET.
- CRM server ==> in Deployment Manager, enable claims authentication again.
- CRM server ==> in Deployment Manager, enable IFD again (if it was set up before).
- ADFS server ==> go to Trust Relationships. Select Relying Party Trusts and update the federation metadata for the CRM relying party.
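Before walking through the steps above, it helps to confirm the diagnosis: that the certificates ADFS has cached for the CRM relying party trust no longer match what the CRM server publishes in its federation metadata. The following PowerShell check is an added example, not part of the original note; the metadata URL, the relying party display name and the ADFS event log name are assumptions you must replace with your own values.

```powershell
# Added diagnostic, not from the original note. Run on the ADFS server as an ADFS administrator.
# Assumed values; replace with your own environment's names.
$CrmMetadataUrl = 'https://yourInternalCRM.companyName.com/FederationMetadata/2007-06/FederationMetadata.xml'
$RpName         = 'CRM IFD Relying Party'   # assumed display name of the CRM relying party trust
$AdfsLog        = 'AD FS 2.0/Admin'         # assumed; 'AD FS/Admin' on Windows Server 2012 R2 and later

# ADFS 2.0 ships its cmdlets as a snap-in; newer versions autoload the ADFS module.
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# 1. Confirm the symptom: recent event 197 entries (token request rejected, authentication type mismatch).
$events = Get-WinEvent -FilterHashtable @{ LogName = $AdfsLog; Id = 197 } -MaxEvents 5 -ErrorAction SilentlyContinue
"Recent event 197 entries found: {0}" -f @($events).Count

# 2. Extract every X.509 certificate the CRM server currently publishes in its federation metadata.
function Get-MetadataThumbprints([string]$Url) {
    $xml = [xml](Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    foreach ($node in $xml.GetElementsByTagName('X509Certificate')) {
        $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $cert.Thumbprint
    }
}
$crmPublished = @(Get-MetadataThumbprints $CrmMetadataUrl | Sort-Object -Unique)

# 3. Compare with the certificates ADFS has cached on the relying party trust for CRM.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$adfsCached = @(@($rp.EncryptionCertificate) + @($rp.RequestSigningCertificate) |
    Where-Object { $_ } | ForEach-Object Thumbprint | Sort-Object -Unique)

$stale = Compare-Object -ReferenceObject $crmPublished -DifferenceObject $adfsCached
if ($stale) {
    "Relying party trust '$RpName' is out of date with the certificates CRM publishes:"
    $stale | Format-Table -AutoSize
    # Equivalent of the last manual step above (update federation metadata on the trust):
    "Fix: Update-AdfsRelyingPartyTrust -TargetName '$RpName'  (reads $($rp.MetadataUrl))"
} else {
    "Relying party trust '$RpName' matches the certificates CRM publishes."
}

# 4. Show the ADFS token-signing certificates; after a rollover the primary changes, and a CRM
#    server still holding the old one is the situation the Diagnosis section describes.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }} | Format-Table -AutoSize
```

Step 3 reports a mismatch when the trust on ADFS is stale; step 4 shows whether the ADFS side rolled its own signing certificate, which is what the CRM-side disable/enable cycle above refreshes.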
