Consider the following scenario. Microsoft Dynamics CRM 2011 and ADFS 2.0 are installed on a trusting domain and users are located on the trusted domain:
- There is a one-way trust between two domains
- Trusting domain: contoso.com
- Trusted domain: fabrikam.com
The following error occurs when logging in to Microsoft Dynamics CRM 2011 using credentials from the trusted domain:
"There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: <GUID>"
Additionally, the following information is found in the Event Viewer on the ADFS server:
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 01/01/2012 10:00:00
Event ID: 111
Task Category: None
Level: Error
Keywords: AD FS
User: SYSTEM
Computer: ADFS.contoso.com
Description:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Exception details:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query ';userPrincipalName;{0}' to attribute store 'Active Directory' failed: 'Exception of type 'Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException' was thrown.'. ---> Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapServerUnavailableException
When the LDP.exe tool is used from the ADFS server to query a Domain Controller located in the trusted domain, using credentials from the trusting domain, the following error occurs:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
Error 0x8009030C The logon attempt failed
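The LDP.exe session above is a manual version of the bind that the AD FS "Active Directory" attribute store performs when it runs the ';userPrincipalName;{0}' query: it binds with Negotiate (Kerberos/NTLM) as the identity the Federation Service runs under, with signing and sealing, and then searches the user's domain. The PowerShell script below is an added diagnostic, not part of this article or of AD FS, that repeats that bind and search from the AD FS server against a domain controller in the trusted domain using the credentials of the account the script runs under, so it should be run as the AD FS service account. The domain controller name, search base and test user principal name are placeholders, not values from the article. A failure with error 49 / 0x8009030C ("Invalid Credentials") reproduces the LDP.exe result and shows that the account cannot authenticate to the trusted domain's DC; the `nltest /domain_trusts` call at the start prints the trust direction so the two results can be compared.

```powershell
# Added diagnostic (not from the article): reproduce the LDAP bind and query that the
# AD FS 2.0 Active Directory attribute store performs, from the AD FS server, against
# a domain controller in the trusted domain, as the account running this script.
param(
    [string]$TrustedDomainDc   = 'DC1.fabrikam.com',    # placeholder: a DC in the trusted domain
    [string]$SearchBase        = 'DC=fabrikam,DC=com',  # placeholder: trusted domain naming context
    [string]$UserPrincipalName = 'user@fabrikam.com'    # placeholder: a user from the trusted domain
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Show the trusts this computer's domain knows about, including their direction.
Write-Host "Trusts reported by nltest for $env:USERDNSDOMAIN :"
& nltest /domain_trusts

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($TrustedDomainDc, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true      # equivalent to LDAP_OPT_ENCRYPT in the ldp.exe trace
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
# No explicit Credential is set: the bind uses the process identity, as the
# Federation Service does when it queries its Active Directory attribute store.

try {
    $conn.Bind()
    Write-Host "Bind to $TrustedDomainDc as $env:USERDOMAIN\$env:USERNAME succeeded."

    # The same lookup the POLICY0018 event reports as failing: find the user by UPN.
    $filter  = "(userPrincipalName=$UserPrincipalName)"
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $SearchBase, $filter, 'Subtree', [string[]]@('userPrincipalName'))
    $response = $conn.SendRequest($request)
    Write-Host "Query $filter returned $($response.Entries.Count) entry/entries."
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # Error 49 with an 8009030C server message matches the ldp.exe failure in the article.
    Write-Host "LDAP bind failed (code $($_.Exception.ErrorCode)): $($_.Exception.Message)"
    Write-Host "Server message: $($_.Exception.ServerErrorMessage)"
}
catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # The bind worked but the search was refused: report the server's result code.
    Write-Host "LDAP search failed: $($_.Exception.Response.ResultCode) - $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

Running the script under the AD FS service account separates the two possible failure points: a bind failure points at authentication across the trust (the account in the trusting domain is not accepted by the trusted domain's DC), while a successful bind followed by a search failure points at permissions or the search base on the trusted side.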