Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Passive federation request fails when accessing an application using AD FS and Forms Authentication after previously connecting to Microsoft Dynamics CRM also using AD FS



Symptoms

A passive federation request fails when accessing an application, such as SharePoint, that uses AD FS and Forms Authentication after previously connecting to Microsoft Dynamics CRM with Claims Based Authentication.

It fails with the following error:

Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Sign out scenario:
20 minutes before token expiration, the dialog below is shown with options to Sign In or Cancel. Clicking Sign In doesn't redirect to the AD FS sign-in page prompting for username and password. Instead, it presents a Signed Out AD FS page. Reference: Claims-based authentication and security token expiration.



Session about to expire dialog



Cause

The issue is caused by a duplicate MSISAuth cookie issued by Microsoft Dynamics CRM as a domain cookie with an AD FS namespace. This cookie name is not unique, and when another application, such as SharePoint, is accessed, it is presented with a duplicate cookie. This causes authentication to fail.

The Signed Out scenario is caused by the Sign Out cookie issued by Microsoft Dynamics CRM as a domain cookie (see the example below). Because it is a domain cookie, when it is presented to AD FS it is considered for the entire domain, like *.contoso.com/. This causes the re-authentication flow to fail, and AD FS presents the Sign Out page.

Set-Cookie: MSISSignOut=; domain=contoso.com; path=/; secure; HttpOnly



Resolution

To resolve this issue, you will need to configure Microsoft Dynamics CRM with a subdomain value such as crm.domain.com. This will require a different wildcard certificate such as *.crm.domain.com.

After making these changes, you will need to reconfigure Claims Based Authentication and IFD using the correct endpoints, as shown below:

  1. auth.<subdomain>.domain.com
  2. dev.<subdomain>.domain.com
  3. org.<subdomain>.domain.com
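
The cookie scoping behind the cause and the resolution, as an added example (not part of the original KB article and not Microsoft code): it applies RFC 6265 domain and path matching to Set-Cookie headers and lists the MSIS-prefixed cookies a browser would also send to the AD FS sign-in path. The host names sts.contoso.com, org.contoso.com and org.crm.contoso.com, the MSISAuth sample value, and the assumption that the reconfigured deployment scopes its cookies to crm.contoso.com are constructed for illustration.

```python
from typing import List, NamedTuple, Optional

ADFS_PATH = "/adfs/ls/"          # path from the MSIS7065 error on this page
ADFS_COOKIE_PREFIX = "MSIS"      # covers MSISAuth and MSISSignOut

class Cookie(NamedTuple):
    name: str
    domain: Optional[str]        # None means host-only (no Domain attribute)
    path: str

def parse_set_cookie(header: str) -> Cookie:
    """Parse name, Domain and Path from one Set-Cookie header line."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    first, *attrs = [p.strip() for p in header.split(";")]
    domain, path = None, "/"
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            path = val
    return Cookie(first.split("=", 1)[0].strip(), domain, path)

def browser_sends(c: Cookie, issuer: str, host: str, path: str) -> bool:
    """RFC 6265 domain-match and path-match for a request to host + path."""
    host = host.lower()
    if c.domain is None:
        domain_ok = host == issuer.lower()
    else:
        domain_ok = host == c.domain or host.endswith("." + c.domain)
    path_ok = path == c.path or (path.startswith(c.path) and
              (c.path.endswith("/") or path[len(c.path):len(c.path) + 1] == "/"))
    return domain_ok and path_ok

def colliding_cookies(headers: List[str], issuer: str, adfs_host: str) -> List[str]:
    """Names of MSIS* cookies set by `issuer` that also reach the AD FS host."""
    cookies = [parse_set_cookie(h) for h in headers]
    return [c.name for c in cookies
            if c.name.startswith(ADFS_COOKIE_PREFIX)
            and browser_sends(c, issuer, adfs_host, ADFS_PATH)]

# Constructed sample data; only the MSISSignOut line is taken from the page.
BEFORE = ["Set-Cookie: MSISAuth=constructed-value; domain=contoso.com; path=/; secure; HttpOnly",
          "Set-Cookie: MSISSignOut=; domain=contoso.com; path=/; secure; HttpOnly"]
# Assumption: after the move to a subdomain the same cookies are scoped to it.
AFTER = [h.replace("domain=contoso.com", "domain=crm.contoso.com") for h in BEFORE]

if __name__ == "__main__":
    print(colliding_cookies(BEFORE, "org.contoso.com", "sts.contoso.com"))
    print(colliding_cookies(AFTER, "org.crm.contoso.com", "sts.contoso.com"))
```

Run against headers captured from the CRM host, a non-empty result names the cookies that will reach AD FS alongside its own.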



More Information

For additional details on configuring Claims Based Authentication and IFD for Microsoft Dynamics CRM, see the following link:

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server




Article Info
Article ID : 3045286
Revision : 1
Created on : 1/7/2017
Published on : 3/6/2015
Exists online : False