CRM 2013 and ADFS 2.2: Requested Authentication Method is not supported on the STS

Issue:

CRM 2013 and ADFS 2.2: Requested Authentication Method is not supported on the STS

Event ID: 364

Encountered error during federation passive request.

Protocol Name:
wsfed

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)


Cause/Problem:

We could not find an official Microsoft article stating this, but I believe the ADFS server is not allowed to be published directly on the Internet for security reasons; therefore all requests should go through the ADFS Proxy (Web Application Proxy).

Note that ADFS Server and Web Application Proxy cannot be installed on the same host.

Resolution:

Install and configure Web Application Proxy.

ADFS and WAP Network Diagram

Configure external DNS and publishing so that all external HTTPS requests for sts.domain.com are sent to the Web Application Proxy (192.168.0.3) and not to the ADFS server.

Make sure the ADFS and WAP servers locally resolve sts.domain.com to the ADFS server (192.168.0.2). To do so, configure split DNS, point-to-point DNS, or (recommended) add a manual hosts entry on both the ADFS and WAP servers.
File: %SystemRoot%\System32\Drivers\etc\hosts

192.168.0.2 sts.domain.com
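As an added example (not code from the original post), the following PowerShell script, run on the ADFS or WAP server, applies that hosts entry idempotently and then checks that the name resolves to the ADFS server and that the STS answers directly on TCP 443. The host name and addresses are the post's own placeholders; adjust them for your environment.

```powershell
# Added example: verify the local resolution of the STS name required by the
# procedure above. sts.domain.com and 192.168.0.2 are the post's placeholders.
#Requires -RunAsAdministrator
$StsName   = 'sts.domain.com'
$AdfsIp    = '192.168.0.2'
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Make sure the hosts entry exists (idempotent; keeps a backup of the file).
$entry   = "$AdfsIp`t$StsName"
$pattern = "^\s*$([regex]::Escape($AdfsIp))\s+$([regex]::Escape($StsName))\s*$"
$present = Get-Content -Path $HostsFile | Where-Object { $_ -match $pattern }
if (-not $present) {
    Copy-Item -Path $HostsFile -Destination "$HostsFile.bak" -Force
    Add-Content -Path $HostsFile -Value $entry
    Clear-DnsClientCache
    Write-Host "Added hosts entry: $entry"
} else {
    Write-Host "Hosts entry already present."
}

# 2. Confirm the name now resolves locally to the ADFS server, not to the WAP.
$resolved = (Resolve-DnsName -Name $StsName -Type A -ErrorAction Stop).IPAddress
if ($resolved -notcontains $AdfsIp) {
    throw "$StsName resolves to $($resolved -join ', ') locally; expected $AdfsIp."
}

# 3. Confirm TCP 443 is reachable and that the STS serves its federation metadata.
$tcp = Test-NetConnection -ComputerName $StsName -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach $StsName on TCP 443." }
$metadataUrl = "https://$StsName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($resp.StatusCode -eq 200 -and $resp.Content -match 'EntityDescriptor') {
    Write-Host "OK: $StsName answers federation metadata directly from $AdfsIp."
}
```

The metadata request in step 3 will fail if the server's certificate is not trusted on the machine running the script, which is itself a condition the rest of this post expects you to have met.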

Connect to the ADFS server, open AD FS Management and create the CRM IFD relying party trust. Follow the Microsoft Dynamics CRM 2011 Configuring Claims-based Authentication article.

Try to access https://crm.domain.com externally.

CRM 2013: Cannot connect to Microsoft Dynamics CRM for Tablets

Issue:

You may receive the following error:

Apple iPad:

We’re sorry, Your server is not available or does not support this application

Windows 8.1 RT:

Windows Authentication window pops up.

Windows Authentication pop-up

Cause/Problem:

Incorrect permissions on the Web Application IIS server, OAuth provider not configured and client apps not registered.

Resolution:

Make sure your certificate is trusted by the client device. If you're using a self-signed certificate, install the root CA certificate on the device.

Test that your Internet-Facing Deployment works in a browser without certificate warnings. To be able to connect to the CRM deployment from the tablet apps, you will need to run a Repair of the Microsoft Dynamics CRM Server 2013 installation on the server holding the Web Application Server role (where the IIS service is installed). Open Programs and Features, select Microsoft Dynamics CRM Server 2013 and click Repair. Map the installation media and wait for the operation to finish.

Repair Microsoft Dynamics CRM

Configure the OAuth provider on Microsoft Dynamics CRM server

Start a PowerShell window and execute the following script:

# Load the CRM PowerShell cmdlets, read the current claims settings,
# switch the federation provider type to 1 and write the setting back.
Import-Module "C:\Program Files\Microsoft Dynamics CRM\Tools\Microsoft.Crm.PowerShell.dll"
$fedurl = Get-CrmSetting -SettingType ClaimsSettings
$fedurl.FederationProviderType = 1
Set-CrmSetting $fedurl

Register the client apps

The mobile client apps for the Apple iPad and Windows 8 tablets and phone must be registered with AD FS.

Log on to the ADFS server and execute the PowerShell script:

Add-AdfsClient -ClientId ce9f9f18-dd0c-473e-b9b2-47812435e20d `
-Name "Dynamics CRM Mobile Companion" `
-RedirectUri ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, urn:ietf:wg:oauth:2.0:oob

Try to connect with your tablet again.

For more information, download the Microsoft Dynamics CRM 2013 Implementation Guide.