mscrm-addons.com - Blog

IMPORTANT INFORMATION

This blog is deprecated since July 2020. The articles below are no longer maintained and might contain outdated information.
You can find the most actual and relevant information in our Knowledge Base at support.mscrm-addons.com



Certificate Changes in an IFD environment

This blog article explains what to do if one of the certificates has changed in the IFD environment. If so, our products require additional steps in order to work again.
 

This issue can occur with two different certificates:
   
1) SSL certificate
2) Token Signing certificate

 

1) How to react in case of the SSL certificate 

First of all, you need to rerun the IFD-wizard and select the correct certificates (the web.config still references your old certificates until you do so).


Figure 1: Certificates in AD FS

Next, please update the Relying Party Trust with the new Federation Metadata URL which has been created by the IFD Wizard previously.

If this does not work correctly, you will need to delete and recreate the relying party trust for our product on the ADFS Server.

Then, specify the Federation Metadata URL, which was created by the IFD Wizard and click on the [Next]-button. 


Figure 2: Specified Federation Metadata URL

Next, please specify a display name and click on the [Next]-button. 


Figure 3: Specified display name.

Then check the Permit all users to access this relying party-option and click on the [Next]-button. 


Figure 4: Permit all users to access this relying party

Please check if everything looks alright and then click on the [Next]-button. 


Figure 5: Check changes

After you have finished working with the Add Relying Party Trust-Wizard, the Rules Editor appears.
There, click on the [Add Rule]-button.

Should the Editor not open automatically, please right-click the relying party object you have created before in the Relying Party Trust list, click on the [Edit Claims Rules]-button and then click on the [Add Rule]-button.

Please note: It is of utmost importance that the Issuance Transform Rules-tab is selected. In the Claim rule template list, select the Pass Through or Filter an Incoming Claim template and then click on the [Next]-button.

Create the following rule:

  • Claim rule name: Pass Through UPN (or something descriptive)
  • Add the following mapping:

1. Incoming claim type: UPN

2. Pass through all claim values

Click on the [Finish]-button. 

In the Rules Editor, click on the [Add Rule]-button and in the Claim rule template list, click on Pass Through or Filter an Incoming Claim Template. Click on the [Next]-button in order to proceed.

  • Claim rule name: Pass Through Primary SID (or something descriptive)
  • Add the following mapping:

1. Incoming claim type: Primary SID

2. Pass through all claim values

Click on the [Finish]-button.

In the Rules Editor, click on the [Add Rule]-button. 

In the Claim rule template list, select Transform an Incoming Claim Template and then click on the [Next]-button in order to continue.

Now create the following rule:

  • Claim rule name: Transform Windows Account Name to Name (or something descriptive)
  • Add the following mapping:

1. Incoming claim type: Windows account name

2. Outgoing claim type: Name

3. Pass through all claim values

Click on the [Finish]-button and as soon as you have created all three rules, click on the [OK]-button in order to close the Rules Editor.
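The same relying party trust update, recreation and the three claim rules can be scripted on the AD FS server with the ADFS PowerShell module instead of clicking through the wizard. This is an added example and not code from the original post or from mscrm-addons; the relying party display name, the Federation Metadata URL produced by the IFD Wizard and the appSettings key are placeholders you have to replace with the values from your own environment. The script first tries the in-place update described above and only deletes and recreates the trust if that update fails.

```powershell
# Added example (not part of the original post). Assumptions: run on the AD FS server,
# $rpName and $metadataUrl are placeholders for your environment.
Import-Module ADFS

$rpName      = 'mscrm-addons IFD (placeholder name)'
$metadataUrl = 'https://<ifd-host>/<path-created-by-IFD-Wizard>/FederationMetadata.xml'  # placeholder

# The three issuance transform rules from the wizard steps above, in AD FS claim rule language:
# 1) pass through UPN, 2) pass through Primary SID, 3) transform Windows account name to Name.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
 => issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Windows Account Name to Name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# "Permit all users to access this relying party" (the authorization rule from Figure 4).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$existing = Get-AdfsRelyingPartyTrust -Name $rpName
if ($existing) {
    try {
        # In-place path: point the trust at the new metadata URL and pull the new
        # certificates and endpoints from it.
        Set-AdfsRelyingPartyTrust -TargetName $rpName -MetadataUrl $metadataUrl -ErrorAction Stop
        Update-AdfsRelyingPartyTrust -TargetName $rpName -ErrorAction Stop
    } catch {
        # Fallback from the article: delete and recreate the relying party trust.
        Write-Warning "Metadata update failed ($_); recreating the relying party trust."
        Remove-AdfsRelyingPartyTrust -TargetName $rpName
        $existing = $null
    }
}
if (-not $existing) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Verify: the trust should now list the three rules and the new request signing certificate.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp.IssuanceTransformRules
$rp.RequestSigningCertificate | Select-Object Subject, NotAfter, Thumbprint
```

The final `Get-AdfsRelyingPartyTrust` call is the check worth keeping: if the certificate shown under the trust still has the old thumbprint or expiry date, the metadata URL still points at the old IFD Wizard output and the claims will not be accepted.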

 

2) How to react in case of the Token Signing certificate


Figure 6: Certificates in ADFS 

Please replace the old thumbprint of the Token Signing Certificate in the web.config with the thumbprint from your new Token Signing Certificate. As soon as you have replaced it, click on the [OK]-button in order to proceed.
Please note: Do not copy the thumbprint from here, type it in instead (there are hidden characters inside this string-value which cannot be deleted).


Figure 7: Replace the thumbprint in the certificate dialog

Below you can find an example of the thumbprint in the web.config that you have to replace:


Figure 8: Token Signing thumbprint in the web.config.
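To avoid both typing the thumbprint by hand and the hidden characters mentioned above, the new token signing thumbprint can be read directly from AD FS and written into the web.config after normalising it. This is an added example, not code from the original post or from mscrm-addons; it assumes the ADFS cmdlets are available (i.e. it runs on the AD FS server, or you paste the thumbprint into `$newThumbprint` yourself) and that the web.config stores the thumbprint in an appSettings key, whose name and the config path are placeholders here (Figure 8 would show the real key).

```powershell
# Added example (not part of the original post). Assumptions: ADFS module available,
# $webConfigPath and $keyName are placeholders for your product's web.config.
Import-Module ADFS

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Thumbprints copied from the certificate dialog carry invisible characters
    # (for example a U+200E left-to-right mark) and spaces between the byte pairs.
    # Keep only hexadecimal digits and upper-case them so comparisons are exact.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($clean.Length) hex characters."
    }
    return $clean
}

# The token-signing certificate AD FS currently uses (IsPrimary), straight from the server.
$primary       = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$newThumbprint = ConvertTo-CleanThumbprint $primary.Thumbprint

$webConfigPath = 'C:\inetpub\<product-site>\web.config'   # placeholder path
$keyName       = 'TokenSigningThumbprint'                  # placeholder key name

[xml]$config = Get-Content -LiteralPath $webConfigPath -Raw
$setting = $config.configuration.appSettings.add | Where-Object { $_.key -eq $keyName }
if (-not $setting) { throw "appSettings key '$keyName' not found in $webConfigPath" }

# Normalise the stored value too, so hidden characters in the old entry do not
# make an otherwise identical thumbprint look different.
$oldThumbprint = ConvertTo-CleanThumbprint $setting.value
if ($oldThumbprint -eq $newThumbprint) {
    Write-Host "web.config already references the primary token-signing certificate."
} else {
    Copy-Item -LiteralPath $webConfigPath -Destination "$webConfigPath.bak"
    $setting.value = $newThumbprint
    $config.Save($webConfigPath)
    Write-Host "Replaced thumbprint $oldThumbprint with $newThumbprint"
}
```

Writing the value through the XML object rather than with a text replace also guarantees that only plain hexadecimal characters end up in the attribute, which is exactly the problem the note about hidden characters describes.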

That’s it! We appreciate your feedback! Please share your thoughts by sending an email to support@mscrm-addons.com.