Recently, while configuring a client’s CRM 2011 installation, we ran across an odd problem – ADFS and IFD seemed to be configured correctly, but upon logon through the web portal we received “Server Error: 404 – File or Directory not found. The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.”

(Screenshot: 404 - File or Directory Not Found)

What a helpful, descriptive error. In addition, there was no information in the system logs on the CRM server. After much research, it turns out that ADFS wasn’t quite set up correctly….

There are actually several entries that need to be set correctly in ADFS to ensure both external and internal access work. The claim rules decide which identity attributes (SID, UPN, name) ADFS puts in the token it issues to CRM, so a missing rule shows up as a failed logon rather than as an ADFS error.

In the ADFS 2.0 console, expand Trust Relationships, then Relying Party Trusts. There should be two trusts – one for internal access, and one for external (IFD) access.

On the Internal AND External Trust, the following Claim Rules should be set:

(Screenshot: internal claim rules)

If the Trust doesn’t exist, it should be added as follows:

1.   Click “Add Relying Party Trust” in the ADFS Console

2.   Choose “Import data about the relying party published online or on a local network”, and enter the Federation Metadata Address (obtained from CRM after configuring Claims-Based Authentication)

3.   Type a display name, such as “Internal Claims” or “Internal CRM Access”

4.   Select the option to “Permit all users access to this relying party” (this is an ADFS issuance authorization rule: it only lets ADFS issue a token to anyone who authenticates; CRM still requires a matching, enabled CRM user record before it grants access)

5.   Click Close, and add the following Transform Claim Rules

6.   For the first one, choose “Pass through or filter an incoming claim”

  • Claim rule name: “Pass Primary SID”
  • Incoming claim type: “Primary SID”
  • Choose “Pass through all claim values”

7.   For the second rule, choose “Pass through or filter an incoming claim”

  • Claim rule name: “Pass UPN”
  • Incoming claim type: “UPN”
  • Choose “Pass through all claim values”

8.   For the last one, choose “Transform an Incoming Claim”

  • Claim rule name: “Transform Windows Account Name to Name”
  • Incoming claim type: “Windows Account Name”
  • Outgoing claim type: “Name”  (or “* Name”)
  • Choose “Pass through all claim values”

9.   Click Apply, and then OK

We also need to make sure that an External Trust exists. It should be added as follows:

1.   Click “Add Relying Party Trust” in the ADFS Console

2.   Choose “Import data about the relying party published online or on a local network”, and enter the Federation Metadata Address (obtained from CRM after configuring Internet-Facing Deployment)

3.   Type a display name, such as “External Claims” or “External CRM Access”

4.   Select the option to “Permit all users access to this relying party”

5.   Click Close, and add the following Transform Claim Rules

6.   For the first one, choose “Pass through or filter an incoming claim”

  • Claim rule name: “Pass Primary SID”
  • Incoming claim type: “Primary SID”
  • Choose “Pass through all claim values”

7.   For the second rule, choose “Pass through or filter an incoming claim”

  • Claim rule name: “Pass UPN”
  • Incoming claim type: “UPN”
  • Choose “Pass through all claim values”

8.   For the last one, choose “Transform an Incoming Claim”

  • Claim rule name: “Transform Windows Account Name to Name”
  • Incoming claim type: “Windows Account Name”
  • Outgoing claim type: “Name”  (or “* Name”)
  • Choose “Pass through all claim values”

9.   Click Apply, and then OK
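As an added example (not code from the original post), the same two relying party trusts can be created with the ADFS 2.0 PowerShell snap-in instead of clicking through the wizard twice. The display names and the two metadata addresses are placeholders; the real addresses are the ones CRM reports at the end of the Claims-Based Authentication and IFD wizards. The rule text is the claim rule language the wizard templates generate for the three rules listed above, which is also what you see under “View Rule Language” in the console.

```powershell
# Added example: create the internal and external CRM 2011 relying party trusts
# with the ADFS 2.0 snap-in. Host names and display names are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claim type URIs behind the friendly names used in the ADFS console.
$PrimarySid  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
$Upn         = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$WinAcctName = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$Name        = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# The three issuance transform rules from the post, in claim rule language.
$transformRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Primary SID"
c:[Type == "$PrimarySid"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass UPN"
c:[Type == "$Upn"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "$WinAcctName"]
 => issue(Type = "$Name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# "Permit all users access to this relying party" as an issuance authorization rule.
$authorizationRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Placeholder metadata addresses (replace with the URLs CRM gives you).
$trusts = @(
    @{ Name = "Internal CRM Access"; MetadataUrl = "https://internalcrm.contoso.local/FederationMetadata/2007-06/FederationMetadata.xml" },
    @{ Name = "External CRM Access"; MetadataUrl = "https://auth.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml" }
)

foreach ($t in $trusts) {
    if (Get-ADFSRelyingPartyTrust -Name $t.Name) {
        Write-Warning "Relying party trust '$($t.Name)' already exists; skipping"
        continue
    }
    # Identifiers, endpoints and the CRM signing certificate come from the
    # metadata; the rules are supplied explicitly, as in the wizard.
    Add-ADFSRelyingPartyTrust -Name $t.Name `
        -MetadataUrl $t.MetadataUrl `
        -AutoUpdateEnabled $true `
        -MonitoringEnabled $true `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authorizationRules
}

# Verify: each trust should now carry exactly the three named transform rules.
foreach ($t in $trusts) {
    $rp = Get-ADFSRelyingPartyTrust -Name $t.Name
    $ruleNames = [regex]::Matches($rp.IssuanceTransformRules, '@RuleName = "([^"]+)"') |
        ForEach-Object { $_.Groups[1].Value }
    "{0}: {1}" -f $rp.Name, ($ruleNames -join ", ")
}
```

Run this in an elevated PowerShell session on the ADFS server. The final loop is the check worth keeping for later troubleshooting: if either trust lists fewer than three rules, or the names differ from the ones in the post, the console steps above were not completed for that trust.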

However, in our client’s environment, we actually found both of these Trusts set up correctly. So what was the issue?

It turns out that one critical step had been missed when ADFS had been configured. A UPN rule needed to be added to the Active Directory Claims Provider Trust. The relying party rules above only pass a UPN claim through; if the Active Directory claims provider trust never issues one, there is nothing to pass, and CRM, which identifies users by UPN, cannot complete the logon.

  1. In the ADFS 2.0 console, expand Trust Relationships, then Claims Provider Trusts
  2. On the “Active Directory” Trust, right-click and choose “Edit Claim Rules”
  3. The “Send UPN” rule (see the screenshot below) was missing in our client’s environment
  4. Click on the “Add Rule” button
  5. Choose the “Send LDAP Attributes as Claims” option
  6. Name the claim rule “Send UPN”
  7. Choose the “Active Directory” attribute store from the drop-down list
  8. Under the “Mapping of LDAP attributes to outgoing claim types” section, choose the following:
    • LDAP Attribute: “User-Principal-Name”
    • Outgoing Claim Type: “UPN”
  9. Click Finish

(Screenshot: Active Directory claims provider trust with the Send UPN rule)

After this, we were able to update the Federation Metadata for both the Internal and External trusts on the ADFS server, and our client was able to log onto their web access just fine.
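As an added example (not from the original post), the same fix applied with the ADFS 2.0 PowerShell snap-in: add the “Send UPN” rule to the Active Directory claims provider trust and then refresh the federation metadata on both CRM trusts. The rule text is what the “Send LDAP Attributes as Claims” template generates for User-Principal-Name → UPN; the two relying party display names are placeholders and must match whatever you named the trusts.

```powershell
# Added example: add the missing "Send UPN" acceptance rule to the Active
# Directory claims provider trust, then refresh both CRM relying party trusts.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$WinAcctName = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$Upn         = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# "Send LDAP Attributes as Claims": User-Principal-Name -> UPN, from the AD store.
$sendUpnRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "$WinAcctName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Upn"), query = ";userPrincipalName;{0}", param = c.Value);
"@

$cp = Get-ADFSClaimsProviderTrust -Name "Active Directory"
$existing = $cp.AcceptanceTransformRules

if ($existing -like "*$Upn*") {
    "Active Directory claims provider trust already issues a UPN claim; nothing to do"
} else {
    # -AcceptanceTransformRules REPLACES the whole rule set. Append to the
    # existing rules (Windows account name, Primary SID, group SIDs, ...)
    # rather than overwriting them, or other relying parties will break.
    Set-ADFSClaimsProviderTrust -TargetName "Active Directory" `
        -AcceptanceTransformRules ($existing.TrimEnd() + "`r`n`r`n" + $sendUpnRule)
}

# Pull fresh federation metadata for both CRM trusts, as the post does after the fix.
# Placeholder display names: use the names you gave the two trusts.
foreach ($name in "Internal CRM Access", "External CRM Access") {
    Update-ADFSRelyingPartyTrust -TargetName $name
}

# Check: the AD claims provider trust should now list "Send UPN" among its rules.
$cp = Get-ADFSClaimsProviderTrust -Name "Active Directory"
[regex]::Matches($cp.AcceptanceTransformRules, '@RuleName = "([^"]+)"') |
    ForEach-Object { $_.Groups[1].Value }
```

The append rather than replace is the part to get right: the console only ever adds a rule, but the cmdlet takes the complete rule set, so passing just the new rule would silently drop the default Windows account name and SID rules that every other relying party depends on.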
