CRM 2013 and ADFS 2.2: Requested Authentication Method is not supported on the STS

Issue:


Event ID: 364

Encountered error during federation passive request.

Protocol Name:
wsfed

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)


Cause/Problem:

We could not find an official Microsoft article stating this, but I believe the ADFS server is not meant to be published directly on the Internet, for security reasons; all external requests should therefore go through an ADFS proxy (Web Application Proxy).

Note that ADFS Server and Web Application Proxy cannot be installed on the same host.

Resolution:

Install and configure Web Application Proxy.

[Figure: ADFS and WAP network diagram]

Configure external access so that all HTTPS requests for sts.domain.com coming from the Internet are directed to the Web Application Proxy (192.168.0.3) and never to the ADFS server directly.

Make sure the ADFS and WAP servers locally resolve sts.domain.com to the ADFS server (192.168.0.2). To do so, configure split DNS or point-to-point DNS, or (recommended) add a manual hosts entry on both the ADFS and WAP servers.
File: %SystemRoot%\System32\Drivers\etc\hosts

192.168.0.2 sts.domain.com

Connect to the ADFS server, open AD FS Management and create the CRM IFD relying party trust, following the Microsoft Dynamics CRM 2011 "Configuring Claims-based Authentication" article.

Try to access https://crm.domain.com externally.
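The hosts-file step above is the one most often done by hand and then forgotten on one of the two servers. The following PowerShell script is an added example (not part of the original post): it idempotently pins sts.domain.com to the internal ADFS address in the local hosts file and then checks what the local resolver actually returns, warning if the name still points at the WAP. The names, addresses and function names are taken from the post or assumed for illustration.

```powershell
# Added example, not from the original post. Values below come from the post's diagram;
# adjust them for your environment. Run elevated on the ADFS server and on the WAP server.
$FederationServiceName = 'sts.domain.com'
$AdfsInternalIp        = '192.168.0.2'   # internal ADFS server
$WapExternalIp         = '192.168.0.3'   # Web Application Proxy
$HostsFile             = Join-Path $env:SystemRoot 'System32\Drivers\etc\hosts'

function Set-FederationHostsEntry {
    # Replace any existing mapping for $Name with "$Ip<TAB>$Name"; keep all other lines.
    param([string]$Name, [string]$Ip, [string]$Path)
    $lines = @()
    if (Test-Path $Path) { $lines = Get-Content -Path $Path }
    $pattern = "^\s*\S+\s+$([regex]::Escape($Name))(\s|$)"
    [string[]]$kept = $lines | Where-Object { $_ -notmatch $pattern }
    $kept + "$Ip`t$Name" | Set-Content -Path $Path -Encoding ASCII
}

function Test-FederationResolution {
    # Returns $true when the local resolver maps $Name to $ExpectedIp.
    # [System.Net.Dns] uses the OS resolver and therefore honours the hosts file;
    # Resolve-DnsName queries DNS servers directly and would not reflect it.
    param([string]$Name, [string]$ExpectedIp, [string]$WrongIp)
    $addresses = [System.Net.Dns]::GetHostAddresses($Name) |
        ForEach-Object { $_.IPAddressToString }
    if ($addresses -contains $ExpectedIp) {
        Write-Host "OK: $Name resolves locally to the ADFS server ($ExpectedIp)"
        return $true
    }
    if ($addresses -contains $WrongIp) {
        Write-Warning ("$Name resolves to the WAP ($WrongIp); local requests would be " +
                       "sent back through the proxy. Fix the hosts file or split DNS.")
    } else {
        Write-Warning "$Name resolves to $($addresses -join ', '); expected $ExpectedIp"
    }
    return $false
}

Set-FederationHostsEntry -Name $FederationServiceName -Ip $AdfsInternalIp -Path $HostsFile
Clear-DnsClientCache   # do not let a cached answer mask the new hosts entry
Test-FederationResolution -Name $FederationServiceName `
                          -ExpectedIp $AdfsInternalIp -WrongIp $WapExternalIp
```

Run it on both the ADFS server and the WAP server; a $false result on either host means the split-brain resolution described above is not yet in place.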
