Channel: Claims based access platform (CBA), code-named Geneva forum

How does a CRM web portal integrate with ADFS 2.0?


Hello,

I'm totally new to this kind of setup. I have a CRM web portal connected to CRM 2011 by the system administrator. I have to use ADFS authentication for the login user. I already have ADFS in use on our SharePoint server. I want to use this server as my CRM portal server as well, so what kind of settings do I need to make it work? I saw some documents online about the setup, but they have too many servers involved and I'm totally confused. My case is simple: ADFS and the web portal share the same server. When users access the portal from the client side anonymously, they can connect to CRM. Also, what kind of configuration do I need in my web.config file?

Thanks.


Claim rule search to AD fails


Hi,

I have an interesting situation where searches towards AD within a claim rule either works or doesn't work, depending on which IdP the user is authenticated against.

I have a sample app from the WIF SDK that shows me the contents of claims (called claimapp). I've created a custom claim rule for that relying party trust that performs a search against AD. On the ADFS server I have a claims provider trust which is an OpenAM SSO server.

If I access the claimapp with the web browser I get the ADFS web page asking me which IdP I want to use, the SSO server or AD. If I authenticate against AD, the claim rule runs and the claimapp shows the claims (which are the result of the search against AD).

However, if I authenticate against the SSO server and the user is redirected back to the ADFS server, I get an error message "There was a problem accessing the site. Try to browse to the site again".

If I remove the AD search claim rule, I can successfully authenticate against the SSO server and the claimapp shows the claims (which are the result of simple pass through rules).

Any idea why the AD search fails when I don't authenticate against AD? Could this be an AD permission issue? I'm using a stand-alone ADFS server and the ADFS service is using the Network Service account.

This is causing a major headache for us and any help would be appreciated, thanks.

-- Kari

LogoutRequest fails with Requester


I can submit requests to authenticate and the response is just fine.  I have ADFS configured to send me a persistent name ID using instructions from here: http://blogs.msdn.com/b/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx

I know that the Requester status code means there is something wrong with my request message, but I can't figure out what is wrong. I've got tracing turned on as described here: http://blogs.msdn.com/b/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx

But I don't see anything in either the debug logs or in the regular logs that points me to the part of the message that is incorrect.  I've validated my request against the XSDs provided by OASIS.

Can anyone help?  Are there some settings somewhere I should turn on to provide even more debugging information?  Or is there something obviously wrong with my SAML request?

An example of a request message:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_df18d04d7325bef3ecb3" Version="2.0"
                     IssueInstant="2012-10-05T22:03:46.888Z"
                     Destination="https://dc1.org.testna.me/adfs/ls/">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">TestSamlApp</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">+543LSsx5Bs/NqZuwtdoBediy78qfXi3owHKJbtc+sQ=</saml:NameID>
</samlp:LogoutRequest>

Signed and converted to redirect format:

https://dc1.org.testna.me/adfs/ls/?SAMLRequest=nZFPa8JAEMW%2FStirmM0fU8NgAoqU2lqhVUrxUtbsxgaS3bgzQfvtu0YP0oOHHmfm%2Fd68YSYomrqFpdmbjt7VoVNI3qmpNUI%2FyVhnNRiBFYIWjUKgAtbT1yVEfgCtNWQKU7Mb5D4hEJWlymjmLeYZ%2B5JlmMpgJMdxlOxUGatiFzPvQ1l0mow5xAkRO7XQSEKTawVhNAyDYZBsogiCGEYPfpqmW%2BbNXfZKC%2BrJb6IWgXNZhL6xe5%2FcUAu%2FUVzIEnmNnOWTc17o7e0%2FLsg3znPtgGnbTviN19V45djF3Hs0thF03%2FTcqeSw7KXQns9HUppYPkhG8XKNp2SGfHXYdkeSZqZk9TNOD%2BVnFZvj08vzjooBvmXXEJe9%2BaX689v8Fw%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=nnJeG2zW1dVqprfVKUihwKDvD44tNstRgWKeClUQXwQ5uWfmZ8K27w9k2fHC%2BUaGOM5k8obJYR3pRfY8GWd5tq7uRQRp0wjUpNJWD7JrlAv0qJRgmetfD9KTDCRJTl7vVm7keVS7V43JqpP4iEQfdy%2FR%2BEB2ADE%2FtKVCAAvbu%2FcV00r47ZJsmOXDEoINh9EhXpE7t%2BTNFaHrVwYN2srzckFhUXfGvpG6wwAhxA4oBT8VPY%2FWiN2eWgFoYUsDzYEfvjU9TNxMFRK2FaHO6KA1jgr%2FI8LTZ0%2B%2Bz91PhWJn5iWr%2FxpJObZCuxYXaxtcmSDWAYk%2BAX7lP77Ti37LuC%2BH9g%3D%3D

The response I'm getting from ADFS:

<samlp:LogoutResponse ID="_570da7da-8d7e-4e1f-b417-4b80cee1a426" Version="2.0"
                      IssueInstant="2012-10-05T23:03:39.952Z"
                      Destination="https://localhost:3000/saml/logout/callback"
                      Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                      InResponseTo="_df18d04d7325bef3ecb3"
                      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://dc1.org.testna.me/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_570da7da-8d7e-4e1f-b417-4b80cee1a426">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>r/6mxT5Lu71BohKUlyNfnmiYLt8=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>JRprCiBCZVEWJbFh4dmiqrq0DrlrLmlWQ5gfDay/dfxrkZxKZjkm4Cyrl7THrSmC4ASoBlxD6jb+e1WA6rcSr0PUH7u9H1KQ1vB/3APxUBlOaBsndg6SgD5PBP1fHqI1n9fDgIH6XdmMBs6NADkXMbeNjF1Ti5UDLZo5kncs8TJLFLnbGOtIXQaDpDeTqP0nmvCyV0VQ1nnjnClhIkl2kaGddf7lfOdRmHtAiEMxG8uuBlxsBFdZ2uUnSDXyjxxpB8WsDazcRdius2UQ+WaXFYcHCn8CkXeFJKlkQbWSkDubQtKA8NkpqKZyMRNq3bRXYeGJHT9x89NUX+hpK4Vt6w==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>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</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
  </samlp:Status>
</samlp:LogoutResponse>
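Before suspecting the IdP, a request that comes back with a Requester status is worth checking mechanically. The Python below is an added example and is not code from the post or from ADFS: it encodes a LogoutRequest for the HTTP-Redirect binding the same way the request above was sent (raw DEFLATE, base64, URL-encoding), decodes it back, builds the exact octet string that the Signature query parameter has to be computed over, and runs the structural checks an IdP applies before it gets as far as signature validation (root element, Version, ID, Destination, Issuer, NameID). The sample request, the Destination and the relying-party identifier TestSamlApp are taken from the post; the RSA signing step itself is left out because it needs a private key this page does not carry.

```python
# Added example: SAML 2.0 LogoutRequest over the HTTP-Redirect binding.
# Not from the post or from ADFS; the sample message mirrors the one in the post.
from __future__ import annotations

import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed sample with the same shape and values as the request in the post.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
    'ID="_df18d04d7325bef3ecb3" Version="2.0" '
    'IssueInstant="2012-10-05T22:03:46.888Z" '
    'Destination="https://dc1.org.testna.me/adfs/ls/">'
    '<saml:Issuer>TestSamlApp</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    '+543LSsx5Bs/NqZuwtdoBediy78qfXi3owHKJbtc+sQ=</saml:NameID>'
    '</samlp:LogoutRequest>' % (SAMLP, SAML)
)


def encode_redirect(xml_text: str) -> str:
    """Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = c.compress(xml_text.encode("utf-8")) + c.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(param: str) -> str:
    """Inverse of encode_redirect; `param` is the URL-decoded SAMLRequest value."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def signed_octets(saml_request_b64: str, sig_alg: str, relay_state: str | None = None) -> bytes:
    """Bytes the Signature parameter covers: the URL-encoded parameters in this
    fixed order, RelayState only when present, and never Signature itself."""
    parts = ["SAMLRequest=" + urllib.parse.quote(saml_request_b64, safe="")]
    if relay_state is not None:
        parts.append("RelayState=" + urllib.parse.quote(relay_state, safe=""))
    parts.append("SigAlg=" + urllib.parse.quote(sig_alg, safe=""))
    return "&".join(parts).encode("ascii")


def check_logout_request(xml_text: str, expected_destination: str, known_issuers: set[str]) -> list[str]:
    """Structural checks an IdP makes before signature validation. Every finding
    is a defect in the message, i.e. Requester-class, not an IdP-side fault."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        problems.append("root element is %s, not samlp:LogoutRequest" % root.tag)
    if root.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    rid = root.get("ID", "")
    if not rid or rid[0].isdigit():
        problems.append("ID must be a non-empty xs:ID (cannot start with a digit)")
    if root.get("Destination") != expected_destination:
        problems.append("Destination %r does not match the endpoint the request went to" % root.get("Destination"))
    issuer = root.find("{%s}Issuer" % SAML)
    if issuer is None or not (issuer.text or "").strip():
        problems.append("saml:Issuer missing")
    elif issuer.text.strip() not in known_issuers:
        problems.append("Issuer %r is not a configured relying party identifier" % issuer.text.strip())
    if root.find("{%s}NameID" % SAML) is None and root.find("{%s}EncryptedID" % SAML) is None:
        problems.append("LogoutRequest needs a saml:NameID (or saml:EncryptedID)")
    return problems


if __name__ == "__main__":
    b64 = encode_redirect(LOGOUT_REQUEST)
    query = "SAMLRequest=%s&SigAlg=%s" % (
        urllib.parse.quote(b64, safe=""), urllib.parse.quote(RSA_SHA1, safe=""))
    print("redirect query :", query[:70], "...")
    print("octets to sign :", signed_octets(b64, RSA_SHA1)[:70], b"...")
    for finding in check_logout_request(decode_redirect(b64),
                                        "https://dc1.org.testna.me/adfs/ls/", {"TestSamlApp"}):
        print("problem:", finding)
```

The byte-for-byte form of signed_octets matters more than schema validity: the IdP rebuilds this string from the query it receives, so the encoded SAMLRequest, RelayState and SigAlg values in the URL and in the string that was signed must be identical, and the query must not carry a RelayState that was absent when signing (or vice versa). A request can pass the OASIS XSDs and still fail here.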

active directory federated services


Hello,

We currently run Windows 2008 R2 servers and our domain functional level is "Windows Server 2008 R2". We're currently setting up a hosted cloud application with a third-party vendor and would like to utilize Active Directory Federation Services for authentication. Can anyone please provide some good documentation (step by step) to set this up? Any help would be appreciated.

Thank you,

Issue with ADFS + SharePoint + WCF and


Hi,

I have already posted this issue in SharePoint forum here: http://social.msdn.microsoft.com/Forums/en-US/sharepointgeneralprevious/thread/c4a7d325-d5c6-400c-a734-d2a0008413e3

I have SharePoint 2010 with my custom ASP page. This SharePoint has claims-based authentication.

My page has the following URL: https://moss.dev.local/_layouts/MyPage.aspx

The service is available via: https://service.dev.local/myservice.svc

These two applications are hosted by the same IIS in the same application pool.

Now I want to call my service from that page. I have configured the binding to use Windows authentication and it 'works', but the user on the service side is "NT AUTHORITY\IUSR" and not the currently logged-in user.

Could you give me any suggestion on how to configure the connection to authenticate the user with Windows authentication or claims authentication? Both cases are fine, but I would prefer claims authentication if possible.

When I consume this service from the Silverlight application, Windows authentication works correctly.

<services>
  <service behaviorConfiguration="MyServiceBehavior" name="Mynamespace.MyService">
    <endpoint address="" contract="Mynamespace.MyService" binding="basicHttpBinding" bindingConfiguration="basicBinding" />
    <endpoint address="" contract="Mynamespace.MyService" binding="ws2007FederationHttpBinding" bindingConfiguration="IMyService_ws2007FederationHttpBinding" />
    <endpoint address="silverlight" contract="MyNamespace.ISilverlightService" binding="basicHttpBinding" bindingConfiguration="basicBindingHttps" behaviorConfiguration="SilverlightFaultBehavior" />
    <endpoint address="tcp" contract="Mynamespace.MyService" binding="netTcpBinding" bindingConfiguration="ServiceBinding" />
  </service>
</services>
<bindings>
  <!--Https - Claims-->
  <ws2007FederationHttpBinding>
    <binding name="IMyService_ws2007FederationHttpBinding" closeTimeout="00:03:00" openTimeout="00:03:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" maxReceivedMessageSize="6553600">
      <readerQuotas maxDepth="32" maxStringContentLength="2000000" maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="1638400" />
      <security mode="TransportWithMessageCredential">
        <message>
          <issuerMetadata address="https://adfs.dev.local/adfs/services/trust/mex" />
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
  <!--Http - Windows-->
  <basicHttpBinding>
    <binding name="basicBinding" closeTimeout="00:03:00" openTimeout="00:03:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" allowCookies="true" textEncoding="UTF-8" maxBufferSize="4194304" maxReceivedMessageSize="4194304" messageEncoding="Text" transferMode="Buffered">
      <readerQuotas maxDepth="32" maxStringContentLength="2000000" maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="1638400" />
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
    <binding name="basicBindingHttps" closeTimeout="00:03:00" openTimeout="00:03:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" allowCookies="true" textEncoding="UTF-8" maxBufferSize="4194304" maxReceivedMessageSize="4194304" messageEncoding="Text" transferMode="Buffered">
      <readerQuotas maxDepth="32" maxStringContentLength="2000000" maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="1638400" />
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>
  <!--Tcp - Windows-->
  <netTcpBinding>
    <binding name="ServiceBinding" closeTimeout="00:03:00" openTimeout="00:03:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288" maxBufferSize="6553600" maxConnections="50" maxReceivedMessageSize="6553600">
      <readerQuotas maxDepth="32" maxStringContentLength="2000000" maxArrayLength="102400" maxBytesPerRead="4096" maxNameTableCharCount="1638400" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
      <security mode="Transport">
        <transport clientCredentialType="Windows" protectionLevel="None" />
        <message clientCredentialType="None" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>
  • TCP binding is used by ASP
  • Silverlight binding is used by Silverlight
  • ws2007FederationHttpBinding binding is used by the desktop application

All bindings except ASP work fine. The ASP binding doesn't have to be TCP.

And Client configuration:

private static IMyServiceChannel CreateServiceBasicHttp(string endpointAddress)
{
	var binding = endpointAddress.StartsWith("https") 
			? new BasicHttpBinding(BasicHttpSecurityMode.Transport) 
			: new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);

	binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
	binding.MessageEncoding = WSMessageEncoding.Text;
	binding.TextEncoding = Encoding.UTF8;
	binding.TransferMode = TransferMode.Buffered;
	binding.MaxBufferSize = 4194304;
	binding.MaxReceivedMessageSize = 4194304;

	return CreateProxy(binding, endpointAddress);
}

private static IMyServiceChannel CreateServiceNetTcp(string endpointAddress)
{
	var binding = new NetTcpBinding(SecurityMode.Transport);

	binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
	binding.TransferMode = TransferMode.Buffered;
	binding.MaxBufferSize = 6553600;
	binding.MaxReceivedMessageSize = 6553600;

	return CreateProxy(binding, endpointAddress);
}

private static IMyServiceChannel CreateProxy( Binding binding, string endpointAddress )
{            
	var proxy = new MyServiceClient( binding, new EndpointAddress( endpointAddress ) );
	if (proxy.ClientCredentials != null)
	{ 
		proxy.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
	}

	return proxy;
}

Externally hosted service - AD authentication?


We have a customer who is looking for a greenfield AD installation for 700-800 users. It is a rather straightforward AD implementation - but they are requesting AD authentication for some externally hosted services also. The main service they are looking to integrate at the moment is Blackboard. We have verified that this supports AD integration.

From what I have seen, AD integration is usually only used for internal services - how would we (securely) allow these remote services to authenticate back to the local domain from the internet? I am not sure where to begin with this one. 

Thanks in advance.


JWT Handler 4.5: WIF10200: GetIssuerName with single parameter is not supported.


I've just implemented this JSON Web Token Handler for .Net 4.5 library described here:

http://www.cloudidentity.com/blog/2012/11/20/introducing-the-developer-preview-of-the-json-web-token-handler-for-the-microsoft-net-framework-4-5-2/

I have an ACS service that's supposed to be returning a JWT token to my application. However, at the point when I should be getting the token returned to my app (when the browser is redirected to my relying party's return URI), I instead get this exception:

WIF10200: GetIssuerName with single parameter is not supported. Call: 'GetIssuerName( SecurityToken securityToken, string issuer )'.

I don't think this is a problem directly with my code, because if I do a solution-wide search, "GetIssuerName" is not in my solution. I think it might have something to do with the certificate issuers WIF wants to trust, but I've followed the instructions in the article I linked above about importing the certificate from the ACS site's FederationMetadata... and I'm utterly stumped on this one.

Strangely enough, when I change my relying party token type from JWT to SAML 1 or 2, my relying party's return URI is never hit; I'm just redirected back to my realm error free. I would expect to finally land on my return URI. If someone could explain either phenomenon to me, it would help tremendously!

UPDATE

The GetIssuerName method in .NET 4.5 is part of the System.IdentityModel.Tokens.ValidatingIssuerNameRegistry class (there's also a System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry class with the same method, but that's not the one I'm working with).

From looking at the metadata, there are 2 overridden methods with this name in the class:

public override string GetIssuerName(SecurityToken securityToken);
public override string GetIssuerName(SecurityToken securityToken, string requestedIssuerName);

The error I'm getting from WIF seems to be coming directly from the first method listed there, as you can see from the stack trace below. With my relying party returning JWT, something somewhere is supposed to be calling the second method, whose signature has a second parameter, but is calling the first. I wish I knew how to change it.



[NotSupportedException: WIF10200: GetIssuerName with single parameter is not supported. Call: 'GetIssuerName( SecurityToken securityToken, string issuer )'.]
  System.IdentityModel.Tokens.ValidatingIssuerNameRegistry.GetIssuerName(SecurityToken securityToken) +156
  Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateIssuer(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +1303
  Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(JWTSecurityToken jwt, TokenValidationParameters validationParameters) +278
  Microsoft.IdentityModel.Tokens.JWT.JWTSecurityTokenHandler.ValidateToken(SecurityToken token) +2248
  System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +135
  System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +502
  System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +1508
  System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +700
  System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
  System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165


ACS OAUTH


It looks like I'm back in the market for a robust OAUTH2 server/component set that can fulfill the persistent grant (authorization_code and implicit) from a ws-fedp inbound assertion (fed2005 style and modern!). It should issue JWTs and verify them (and their signatures). The token issuing/renewing/validating endpoint should feel a lot like WS-Trust (except the blobs are simpler!).

So what have folks done in the area of adding some value to the ACS OAUTH capability to manage "delegation-records" and issue authorization_code as part of the "authorization/consent flow"?

I have to assume someone rounded out the sample in the ACS SDK that showcased how 3rd parties could do what SharePoint Online itself does: using the ACS OAUTH capabilities to facilitate minting OAUTH tokens so site apps can call back to the SharePoint APIs?


WS-Trust RST parameters ... mapped into JWT


How do we specify claims transformations in ACS so that "parameters" from the ws-trust RST get mapped into the output token (e.g. a JWT)?

It's normal to send "parameters" in an RST (and indeed a WIF SDK sample shows how to do it). My own STS can consume such parameters if sent (and map them). So, how do we make ACS apply all this?

Since the parameter can have any name, there may be some "nominal" claim stem that when suffixed with the parameter name causes ACS to recognize the RST's parameter. It can then be mapped using mapping rules, as with any other claim.

Microsoft JWT Tokenhandler, WS-Trust and ClaimsAuthenticationManager


Hi there,

I have a question regarding the new JWT token handler. I have an MVC app with a custom ClaimsAuthenticationManager. If I consume a WS-Trust / JWT token provided by ACS, the Authenticate event of my ClaimsAuthenticationManager is executed as expected, but if I consume a WS-Trust / JWT token provided by a custom STS (IdentityServer), the Authenticate event does not get executed.

If requested, I can post code details, but maybe someone recognizes this problem without further details.

Thanks in advance

How can I make a certificate trusted in ADFS


Hi All,

I am trying to renew my certificate in a claims provider trust in ADFS.

But it is giving an error. It seems some intermediate certificate is missing from the certificate file.

Could anyone please suggest whether there is a way I can make ADFS trust the certificate and renew it successfully?

Thanks in Advance

using ADFS 2 for SSO to Salesforce


I am testing IdP-initiated sign-on from ADFS 2 to salesforce.com. I have been trying unsuccessfully to pass the Mail attribute to Salesforce as the User ID. I have extracted the SAML assertion using Fiddler and put it into Salesforce's SAML validator, and it passes all checks except the most important one, i.e. it can't find a username or Federation ID.

There is definitely an email address entered in Active Directory for my test user. Can anyone shed any light on why this might be failing ?

Thanks
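For a case like the one above, the useful check is to look at exactly what the SP can read as a user identifier rather than at whether the assertion as a whole is valid. The Python below is an added example and is not part of the post: it constructs a minimal, unsigned SAML Response (the issuer URL and the email value are made up), extracts the Subject NameID and the AttributeStatement, and resolves the identifier the way an SP does when it is configured to take it either from the NameID or from a named attribute. A failing case (empty NameID, only a Windows account name attribute) sits beside a passing one (email in the NameID with the emailAddress format).

```python
# Added example: what an SP can read as the user identifier from a SAML Response.
# Not from the post; the Response is constructed here and unsigned.
from __future__ import annotations

import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ISSUER = "http://adfs.example.test/adfs/services/trust"  # assumed value


def build_response(name_id: str, name_id_format: str, attributes: dict) -> str:
    """Constructed, unsigned sample Response carrying only the fields inspected below."""
    attrs = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>'
        % (name, "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values))
        for name, values in attributes.items()
    )
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2012-10-05T22:03:46Z">'
        '<saml:Issuer>' + ISSUER + '</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-10-05T22:03:46Z">'
        '<saml:Issuer>' + ISSUER + '</saml:Issuer>'
        '<saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement>%s</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    ) % (SAMLP, SAML, name_id_format, name_id, attrs)


def identity_candidates(response_xml: str) -> dict:
    """Everything in the assertion an SP could be configured to treat as the user id."""
    root = ET.fromstring(response_xml)
    assertion = root.find("{%s}Assertion" % SAML)
    if assertion is None:
        return {"name_id": None, "name_id_format": None, "attributes": {}}
    name_id = assertion.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    attributes: dict = {}
    for attr in assertion.iter("{%s}Attribute" % SAML):
        attributes[attr.get("Name")] = [
            (v.text or "") for v in attr.findall("{%s}AttributeValue" % SAML)]
    return {
        "name_id": None if name_id is None else (name_id.text or "").strip(),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attributes,
    }


def resolve_user_identifier(response_xml: str, attribute_name: str | None = None) -> str | None:
    """Mirror the SP-side setting: identifier in the Subject NameID (attribute_name=None)
    or in a named Attribute. None means the configured location is empty, which is
    what 'can't find a username' looks like from the SP's side."""
    c = identity_candidates(response_xml)
    if attribute_name is None:
        return c["name_id"] or None
    values = c["attributes"].get(attribute_name, [])
    return values[0] if values and values[0] else None


if __name__ == "__main__":
    good = build_response("kari@example.test", NAMEID_EMAIL, {EMAIL_CLAIM: ["kari@example.test"]})
    bad = build_response("", NAMEID_UNSPEC, {NAME_CLAIM: ["CORP\\kari"]})
    for label, resp in (("good", good), ("bad", bad)):
        print(label, identity_candidates(resp))
        print("  from NameID        :", resolve_user_identifier(resp))
        print("  from email attribute:", resolve_user_identifier(resp, EMAIL_CLAIM))
```

If the SP reads the NameID, the ADFS side needs a transform rule that issues the name identifier claim from the mail attribute with the emailAddress format; if the SP reads an attribute, the attribute Name that ADFS emits has to match the SP's setting character for character. Comparing the output of identity_candidates against the SP's configured location shows which of the two does not line up.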

 

 

Learn API Security & SAML


Hi, I am not sure if this is the right forum to ask about API Security & SAML. How to learn these and are there any good reference material (books, on-line tutorials) etc.

Thanks in advance.

Single sign-on with Dynamics CRM 2011 + ADFS 2.0 doesn't work for a modal window


Background:

I have an installation of Dynamics CRM 2011 (IFD), and I have an ASP.NET website in which I want to retrieve the logged-in user's details.

I followed the walkthrough to create a website which is configured as a relying party, and it seems to be working OK; I log on to CRM, then browse to my website, and the user's credentials are available there as necessary.

The issue:

In some cases I want to open one of my web pages as a modal dialog from within the CRM website (meaning- a user logs on to the CRM website, presses a button, and a modal dialog displaying one of my pages appears).

In that case, my web page doesn't display anything at all; the address bar indicates that it's loading the STS server's sign-on page, but nothing actually happens and the window is frozen.

looking at the ADFS trace I can see 2 warning log entries, as follows:

Ignoring Invalid entry 'signoutCleanup;https%3a%2f%2fMyCrm.dev.com%3a4444%2f&walkthrough&https%3a%2f%2fMyCrm.dev.com%3a4444%2fdefault.aspx&https%3a%2f%2fMyCrm.dev.com%3a4444%2fdefault.aspx' in signout cookie.

Ignoring Invalid entry 'signoutCleanup;https%3a%2f%2fMyCrm.dev.com%3a444%2f&CRM+IFD+Relying+Party&https%3a%2f%2fauth.dev.com%3a444%2f&https%3a%2f%2fauth.dev.com%3a444%2f' in signout cookie.

Now the strange thing is that if I browse via a non-modal window to one of my web pages, and then open that same modal dialog again, it works fine.

Looking at the ADFS logs for browsing the non-modal dialog I can see one warning, the latter one from before:

Ignoring Invalid entry 'signoutCleanup;https%3a%2f%2fMyCrm.dev.com%3a444%2f&CRM+IFD+Relying+Party&https%3a%2f%2fauth.dev.com%3a444%2f&https%3a%2f%2fauth.dev.com%3a444%2f' in signout cookie.

After that, any browsing (be it modal or non-modal) to my web page works fine, without warnings on ADFS.

Can anyone shed any light on this behaviour?

thanks

Jhonny

SSO with AD FS 2.0 and dynamics crm 2011


Hi

We have an installation of Dynamics CRM 2011 (IFD), and we're trying to develop some custom web pages which will be integrated in the Dynamics website.

I've followed the walkthrough here, but haven't been able to get it to work; I'm getting the generic 'there was a problem accessing the site' error message from the STS server.

However, the reference number provided does not appear under any event log (Applications and Services Logs\ADFS 2.0 or ADFS 2.0 Tracing).

Can anyone suggest a way to troubleshoot this issue?

Thanks

Jhonny


active directory federated services


Hello,

I just installed ADFS 2.0 on a Windows 2008 R2 server to enable single sign-on for a third-party cloud-based application. So far I can't get it working and I'm trying to troubleshoot. One of the things I have to enter is the "SSO Issuer URL", which is the Federation Service identifier "http://servername.test.com/adfs/services/trust". But when I go to this URL from a local machine I get "HTTP Error 503. The service is unavailable." Is this normal behavior or should it be returning a result?

Thank you for your help!


ADFS 2.0 providing an IdP-Initiated SSO for a SAML 2.0 Application


Hi,

I have configured ADFS 2.0 to work with an application vendor that only accepts IdP-initiated SSO using SAML 2.0; they do not send a SAMLRequest.

When the user goes to the application page...

1. they are redirected to https://adfs-server/adfs/ls/IdpInitiatedSignOn.aspx?SAMLRequest=&RelayState=application-url
2. the first thing is they have to choose the application (how can I stop this from happening and direct them straight to the login screen?)
3. once logged in, they are redirected correctly to the application page and are logged in to the application
4. after closing the IE session and going again to the same application page, steps 1-3 are repeated (how can I get SSO to work so they don't need to log in again?)

The application vendor says they do not provide a SAMLRequest to start and expect the ADFS server to do the IdP-initiated login directly, so ADFS is supposed to understand the SSO cookie and log the user in directly.


Hany Elkady

Infrastructure Consultant

Signout error: wtrealm parameter is missing or incorrect


I have a standard MVC application that was bound to a Windows Azure Active Directory via "Enable Windows Azure Authentication...". This creates the following entry in web.config:

<wsFederation passiveRedirectEnabled="true"
 issuer="https://accounts.accesscontrol.windows.net/mydomain.onmicrosoft.com/v2/wsfederation"
 realm="spn:12b1b398-3c30-46c1-a13f-70cb0c62158f@41652b2a-b60c-4f5d-a184-c9c431a67dc8"
  reply="https://localhost:44303/"
  requireHttps="false" />

The problem now is signout:

var fc = FederatedAuthentication.FederationConfiguration.WsFederationConfiguration;

string request = HttpContext.Request.Url.ToString();
string wreply = request.Substring(0, request.Length - "SignOut".Length);

var soMessage = new SignOutRequestMessage(new Uri(fc.Issuer), wreply);
soMessage.SetParameter("wtrealm", fc.Realm);

FederatedAuthentication.SessionAuthenticationModule.SignOut();
Response.Redirect(soMessage.WriteQueryString());

The code works fine with Integrated Applications via the Azure portal (where you have a URL realm).

How do I get signout to work with a spn: realm?

Chris


Christoph Wille - Glengamoi Alumni - Real names are a matter of courtesy in the community

WCF service auth problems when using SharePoint STS with a custom claim provider


Hi,

We have implemented a custom claim provider for SharePoint which augments claims and adds additional claims, which will be used by my WCF service.

When I write custom code which runs in the SharePoint web application context, everything works as expected; it always gets the additional claims provisioned by the custom claim provider.

Now when I write some code in a custom console-based application, my custom claims don't get provisioned; it gets only the claims provided by the default SharePoint STS.

I want to know a way to add the custom claims when we create a console application.

Please note that the custom claim provider will be used at enterprise level for all authorization throughout different applications by setting up trust between the applications and the SharePoint STS.

Regards,


Regards, Vikas Patel

Moving a claims-aware ASP.NET website from dev environment to production


I've added claims-awareness to my ASP.NET application using the 'add STS reference' wizard in my dev environment, and all seems to be working well.

(The application is actually this walkthrough sample application.)

Now it's time to move to the production environment, and I'm facing a few challenges:

1. In order to define a new trusted issuer, I seem to have to run the 'add STS reference' wizard again just to retrieve the certificate's thumbprint. Is there any easier, more straightforward way to get this value?

2. Dynamics CRM has many URLs (one for each organization), which resolve to the same server (for example, 'org1.dev.com' and 'org2.dev.com' would resolve to the same server and the same website). This means that my ASP.NET application would also be accessed through multiple URLs ('org1.dev.com/myApp', 'org2.dev.com/myApp'). Do I have to manually update the identifiers in my relying party on the ADFS server, the audience URLs (and possibly wsFederation.realm) in web.config with all of these different URLs, or is there an easier way I'm not aware of?


