Sharing a single ADFS server with multiple Dynamics CRM Deployments

At a customer we recently ran into the following situation: two separate Dynamics CRM 2011 deployments, called A and B, had been installed. Both are configured as Internet Facing Deployments (IFD).
For authentication we installed a single ADFS server in the customer environment. This server is used by both deployments.

If we access CRM A and authenticate at ADFS, everything is fine: the user is redirected to CRM A afterwards and is able to work. If CRM B is accessed afterwards, an error is displayed:

An error occured:

Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization’s Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.

You know, the standard error bla bla…

The trace contains the following error:

Exception type: CryptographicException
Exception message: Key not valid for use in specified state.

In order to access CRM B, the user has to log off and log on again at CRM B.

What we have tried to solve this issue

Finally we opened a support case with CRM support. After the ticket was escalated we were told that this scenario is not possible at the moment; the reason is a design limitation of Dynamics CRM. At the moment it looks like this will be changed in the next major version of Dynamics CRM.

There are two workarounds for this issue:

  • Log off from one system before accessing the other
  • Use an InPrivate browser session for accessing the second system
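When the symptom described above shows up, the quickest way to confirm it is the same failure (rather than an unrelated token problem) is to look for the CryptographicException in the CRM platform trace. The following PowerShell script is an added example and not part of the original post: it scans the trace files for the message quoted above and reports where and how often it occurs, together with the two lines preceding each hit. The default trace directory and the file filter are assumptions; the sample trace text is constructed so the script can be dry-run with `-UseSample` without a CRM server.

```powershell
# Added example (not from the original post): triage helper that scans Dynamics CRM
# platform trace files for "Key not valid for use in specified state" and reports
# where and how often it occurs. Run with -UseSample for an offline dry run.

param(
    [string]$TraceDir = 'C:\Program Files\Microsoft Dynamics CRM\Trace',  # assumed default location
    [switch]$UseSample
)

$pattern = 'Key not valid for use in specified state'

function Get-CrmKeyStateErrors {
    param([string[]]$Paths)
    # One match object per hit; keep the two preceding lines (exception type, process/thread info)
    Select-String -Path $Paths -Pattern $pattern -SimpleMatch -Context 2,0 |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Filename
                Line    = $_.LineNumber
                Before  = ($_.Context.PreContext -join ' | ')
                Message = $_.Line.Trim()
            }
        }
}

if ($UseSample) {
    # Constructed sample trace: two hits in a made-up trace layout
    $sample = @'
[2013-05-02 10:14:03] Process: w3wp | Thread: 12
Exception type: CryptographicException
Exception message: Key not valid for use in specified state.
[2013-05-02 10:20:55] Process: w3wp | Thread: 15
Exception type: CryptographicException
Exception message: Key not valid for use in specified state.
'@
    $tmp = Join-Path $env:TEMP 'crm-sample-trace.log'
    Set-Content -Path $tmp -Value $sample
    $files = @($tmp)
} else {
    # Trace files are plain-text .log files; adjust the filter if your naming differs
    $files = Get-ChildItem -Path $TraceDir -Filter '*.log' -File |
        Select-Object -ExpandProperty FullName
}

$hits = @(Get-CrmKeyStateErrors -Paths $files)
"Found $($hits.Count) occurrence(s) of '$pattern'"
$hits | Format-Table -AutoSize

# Per-file counts show which server/role (w3wp, async service, ...) is affected
$hits | Group-Object File | Select-Object Name, Count | Format-Table -AutoSize
```

A rising count of this exception across the web-role trace files, concentrated in the hours when users switch between the two deployments, is a strong indicator that the cross-deployment scenario above is the cause rather than a certificate or token-signing problem on the ADFS side.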

6 thoughts on „Sharing a single ADFS server with multiple Dynamics CRM Deployments“

  1. daniel mcgee

    I would like some info on how you did the original deployment of 2 CRM servers. How did you change the dev.domain URL to enable 2 separate servers?

  2. Maicon

    Hello Dieser,
    Did you solve your problem?
    We have the same problem here, but in Dynamics CRM 2013.
    Do you know if there is a solution for this problem today?

    Sharing a single ADFS server with multiple Dynamics CRM Deployments.

  3. Sankel

    We use CRM 2011 NLB and CRM 2013 NLB; they work fine.
    4 – CRM 2013 one-server config, 3 – CRM 2011 one-server config.
    The solution to this problem was to check „The deployment uses an NLB“ on every stand-alone CRM server:

    1. Open „Microsoft Dynamics CRM Deployment Manager“
    2. In the console, right-click on the root node named „Microsoft Dynamics CRM“ and click „Properties“
    3. Select the second tab, called „Web Address“
    4. Click the „Advanced“ button at the bottom
    5. Make sure that the „The deployment uses an NLB“ checkbox is checked
    6. Click „OK“, then „Apply“
    7. Recycle CRMAppPool
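The same setting can be flipped without clicking through Deployment Manager on every server, which is useful when it has to be applied to several stand-alone deployments and the result audited afterwards. The script below is an added example, not code from the comment above or from Microsoft: it uses the CRM Deployment PowerShell snap-in (`Microsoft.Crm.PowerShell`, `Get-CrmSetting`/`Set-CrmSetting` with the `WebAddressSettings` type) and assumes that the property behind the „The deployment uses an NLB“ checkbox is named `NlbEnabled` and that the application pool is named `CRMAppPool` as in step 7; verify both on your version before relying on it.

```powershell
# Added example (not from the comment or from Microsoft): script equivalent of the
# Deployment Manager steps above. Assumptions: the CRM Deployment snap-in is
# registered on this server, the account is a Deployment Administrator, the
# property name NlbEnabled matches the "The deployment uses an NLB" checkbox,
# and the application pool is named CRMAppPool.

Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction Stop

function Set-CrmNlbEnabled {
    param([bool]$Enabled = $true)

    # Read the current web address settings (host names, ports, NLB flag)
    $web = Get-CrmSetting -SettingType WebAddressSettings
    $before = $web.NlbEnabled

    if ($before -ne $Enabled) {
        $web.NlbEnabled = $Enabled
        Set-CrmSetting -Setting $web
    }

    # Re-read so the report reflects what was actually persisted, not what we asked for
    $after = (Get-CrmSetting -SettingType WebAddressSettings).NlbEnabled
    [pscustomobject]@{
        Server = $env:COMPUTERNAME
        Before = $before
        After  = $after
        Changed = ($before -ne $after)
    }
}

# Apply and show before/after so the change can be logged per server
Set-CrmNlbEnabled -Enabled $true | Format-Table -AutoSize

# Step 7 of the comment: recycle the CRM application pool so the new setting is picked up
Import-Module WebAdministration
Restart-WebAppPool -Name 'CRMAppPool'
```

Run it once on each stand-alone CRM server (it acts on the deployment the local server belongs to), and keep the before/after output as the record of the change. Note that the following comment reports this setting does not help once users move between different relying parties, so check the behaviour end to end after applying it.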

  4. K.C. Christensen

    This doesn’t work if you cross multiple relying parties. What is occurring is that CRM is decoding the MSISAuth tokens, extracting the deployment/CRM org that you performed the initial AuthN against, and then passing that IFD URL as the Referrer.

    As the referrer is not a part of that deployment, CRM will invalidate the request as a security infraction and it will kill the session.

    The only fix: find a way to strip the referrer out of the request header; otherwise you will have to have your users launch „In-Private“, as we do today. If you do find a good NLB or scripted workaround, I’d love to hear it.

