We had an interesting occurrence with a client this week. Like many security conscious clients, they have limited ability for their servers to access the internet. In this client's case, they had a proxy that was required for access.
Fairly typical CRM setup with an IFD CRM, leveraging an ADFS internal server, with an ADFS proxy supplying the gatekeeping for the outside. CRM was using a standard SSL certificate from a public provider.
Once we got CRM configured and working, we began the typical setup of Claims-based authentication and Internet Facing Deployment (IFD) with their required Relying Party Trusts in ADFS. That's where the problems began. We immediately checked the ADFS log and came across an Event 317 error with the verbiage below:
"An error occurred during an attempt to build the certificate chain for the relying party trust 'https://crm.domain.com/' certificate identified by thumbprint '<thumb print removed>'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period."
What this error came down to was that, without the proxy, this server had no way to reach the Internet. Without that Internet access, ADFS could not download the Certificate Revocation List for the certificate and determine whether it had been revoked. Our initial thought was to log in as the ADFS service account and add the proxy to the browser, but it wasn't likely we would be able to RDP as the service account, nor did we know that the ADFS service would honor that proxy while the account was not logged on.
The option that was decided upon after significant searching was to issue PowerShell commands to essentially stop checking the CRL (Certificate Revocation List). This had to be done for both Relying Party Trusts and for both certificates (Signing and Encrypting). A total of 4 commands were issued as follows:
crm.domain.com represents the internal IFD address space and the name of the Relying Party Trust, while auth.domain.com represents the external Relying Party Trust.
Set-ADFSRelyingPartyTrust -TargetName crm.domain.com -SigningCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetName crm.domain.com -EncryptionCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetName auth.domain.com -SigningCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetName auth.domain.com -EncryptionCertificateRevocationCheck None
Once we ran those 4 PowerShell commands, we performed an IISRESET on the CRM server and everything worked as expected.
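The following script is an added example written for this post, not the original commands or anything from the client's environment. It assumes the AD FS PowerShell module is present on the ADFS server and that the trust names 'crm.domain.com' and 'auth.domain.com' match the ones above (adjust for your farm). It does three things a practitioner would want before and after the change: reproduce the chain build ADFS performs so the event 317 symptom shows up as a concrete chain status (RevocationStatusUnknown / OfflineRevocation means the CRL endpoint was unreachable, Revoked means the certificate really is revoked), record the current revocation settings, and then apply and verify the new setting. The helper names (Test-CertChainOnline, Get-RpRevocationSettings, Set-RpRevocationCheck) are hypothetical; the ADFS cmdlets and parameters are the real ones.

```powershell
# Added example, not from the original post. Assumes the ADFS module and the trust names below.
Import-Module ADFS

$TrustNames = @('crm.domain.com', 'auth.domain.com')   # assumption: names as used in the post

function Test-CertChainOnline {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Build the chain with online revocation checking, which is what ADFS attempts
    # for the relying party certificate. Surfaces the chain status behind event 317.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        ChainBuilt = $built
        # RevocationStatusUnknown / OfflineRevocation: CRL or OCSP endpoint unreachable (the no-proxy case).
        # Revoked: the certificate really has been revoked and disabling the check would hide that.
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

function Get-RpRevocationSettings {
    param([string[]]$Names)
    # Record the per-trust settings so the change can be reviewed and reverted.
    foreach ($n in $Names) {
        $rp = Get-AdfsRelyingPartyTrust -Name $n
        [pscustomobject]@{
            Name            = $rp.Name
            SigningCheck    = $rp.SigningCertificateRevocationCheck
            EncryptionCheck = $rp.EncryptionCertificateRevocationCheck
        }
    }
}

function Set-RpRevocationCheck {
    param([string[]]$Names, [string]$Mode = 'None')
    # Valid modes: None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly,
    # CheckChainExcludeRoot (the default), CheckChainExcludeRootCacheOnly.
    # The *CacheOnly variants keep checking against CRLs already on disk and never go online,
    # so they are a middle ground when the server has no Internet path at all.
    foreach ($n in $Names) {
        Set-AdfsRelyingPartyTrust -TargetName $n -SigningCertificateRevocationCheck $Mode
        Set-AdfsRelyingPartyTrust -TargetName $n -EncryptionCertificateRevocationCheck $Mode
    }
}

# 1. Diagnose: can this server build the chain with online revocation for each trust's certificate?
foreach ($n in $TrustNames) {
    $rp = Get-AdfsRelyingPartyTrust -Name $n
    if ($rp.EncryptionCertificate) { Test-CertChainOnline -Certificate $rp.EncryptionCertificate }
}

# 2. Record the settings before changing anything.
Get-RpRevocationSettings -Names $TrustNames | Format-Table -AutoSize

# 3. Apply the setting the post used (None) to both trusts and both certificates.
Set-RpRevocationCheck -Names $TrustNames -Mode 'None'

# 4. Verify, then restart the dependent application (the post used IISRESET on the CRM server).
Get-RpRevocationSettings -Names $TrustNames | Format-Table -AutoSize
```

Run this in an elevated PowerShell session on the ADFS server. If step 1 reports RevocationStatusUnknown or OfflineRevocation, the root cause is the missing Internet path rather than the certificate, and two alternatives keep revocation checking in place: set the machine-wide WinHTTP proxy (netsh winhttp set proxy), which is the proxy CryptoAPI uses for CRL downloads regardless of who is logged on, or use one of the *CacheOnly modes so ADFS still honours CRLs it already has. Setting None is the quickest fix but means a revoked relying party certificate would go unnoticed, so record the before values and treat the change as something to revisit once a proxy path exists.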
by Customer Effective Bloggers