I followed the steps in https://technet.microsoft.com/en-us/library/dn949332.aspx to set up CRM-SharePoint server-based authentication but I'm getting authentication prompts when opening documents from CRM in IE, Chrome or through the Dynamics CRM iPhone app.
My environment contains:
- CRM 2016 Update .1 on-premises, configured for IFD with claims set up for UPN, SID and Windows Account Name
- SharePoint 2013 SP1 on-premises
I'm getting the below error in the event log:
An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
Below are the commands I ran:
```powershell
### Prepare CRM for server-based auth (run on the CRM server)
# Registers the .pfx as the S2STokenIssuer certificate in the CRM configuration.
# -serviceAccount is the account granted read access to the certificate's private key;
#   CRM signs the server-to-server tokens it issues to SharePoint with that key.
# -password is passed on the command line in clear text; <PW> is a placeholder.
.\CertificateReconfiguration.ps1 -certificateFile C:\Support\wildcard_thinketg.com_2016.pfx -password <PW> -updateCrm -certificateType S2STokenIssuer -serviceAccount EIMAGINE\svc.sp13.webappdev -storeFindType FindBySubjectDistinguishedName
```

```powershell
# Run on the SharePoint server (SharePoint Management Shell)
Add-PSSnapin Microsoft.SharePoint.PowerShell

# Let the STS fetch issuer metadata and accept OAuth tokens over plain HTTP.
# Both relax the transport requirement of the trust (metadata and tokens may travel
# unencrypted); they are only needed because the CRM metadata endpoint below is http://.
$c = Get-SPSecurityTokenServiceConfig
$c.AllowMetadataOverHttp = $true
$c.AllowOAuthOverHttp = $true
$c.Update()

# Register CRM as a trusted token issuer. SharePoint reads the CRM realm and the
# S2S signing certificate from the metadata endpoint.
$i = New-SPTrustedSecurityTokenIssuer -Name "crm" -IsTrustBroker:$false -MetadataEndpoint http://etgcrm16dev.thinketg.com/XrmServices/2015/metadataendpoint.svc/json?orgName=etgcrm16dev

# App principal identifier: the well-known Dynamics CRM application ID @ the CRM realm ID.
$CrmRealmId = "c514788d-143c-406c-841f-c9042fa4aa49"
$Identifier = "00000007-0000-0000-c000-000000000000@" + $CrmRealmId

## Configure Subscription Settings service application
$account = Get-SPManagedAccount "EIMAGINE\svc.sp13.webappdev"
$appPoolSubSvc = New-SPServiceApplicationPool -Name SettingsServiceAppPool -Account $account
$appSubSvc = New-SPSubscriptionSettingsServiceApplication -ApplicationPool $appPoolSubSvc -Name SettingsServiceApp -DatabaseName SettingsServiceDB
$proxySubSvc = New-SPSubscriptionSettingsServiceApplicationProxy -ServiceApplication $appSubSvc

## Configure the App Management service application
$account = Get-SPManagedAccount "EIMAGINE\svc.sp13.webappdev"
$appPoolAppSvc = New-SPServiceApplicationPool -Name AppServiceAppPool -Account $account
$appAppSvc = New-SPAppManagementServiceApplication -ApplicationPool $appPoolAppSvc -Name AppServiceApp -DatabaseName AppServiceDB
$proxyAppSvc = New-SPAppManagementServiceApplicationProxy -ServiceApplication $appAppSvc

## Configure URLs
Set-SPAppDomain thinketg.com
Set-SPAppSiteSubscriptionName -Name "app" -Confirm:$false

# Register the CRM app principal on the site collection and grant it FullControl,
# including app-only calls (no user context).
$site = Get-SPSite https://spdev.thinketg.com/sites/crm
Register-SPAppPrincipal -site $site.RootWeb -NameIdentifier $Identifier -DisplayName "crm"
$app = Get-SPAppPrincipal -NameIdentifier $Identifier -Site $site.RootWeb
Set-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb -Scope "sitecollection" -Right "FullControl" -EnableAppOnlyPolicy

# Claim type mappings for the claim types CRM is configured to issue.
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" -IncomingClaimTypeDisplayName "SID" -SameAsIncoming
New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -IncomingClaimTypeDisplayName "WindowsAccountName" -SameAsIncoming
```
Is there something I'm overlooking?
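The following verification script is an added example, not part of the question above or of the TechNet article; it checks, on the SharePoint side, the pieces the procedure above creates. The issuer name "crm", the site URL, the CRM realm GUID and the expected identifier are taken from the post and are assumptions for any other environment, as are the `TypeName` patterns used to find the two service applications.

```powershell
# Added verification script (not from the original post). Run in the SharePoint
# Management Shell after the configuration steps. Values below are assumptions
# copied from the post; adjust them for another farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName         = "crm"
$siteUrl            = "https://spdev.thinketg.com/sites/crm"
$crmRealmId         = "c514788d-143c-406c-841f-c9042fa4aa49"
$expectedIdentifier = "00000007-0000-0000-c000-000000000000@$crmRealmId"

# Small helper: one line per check, so the output can be pasted into a question/ticket.
function Check($ok, $label, $detail) {
    $mark = if ($ok) { "OK  " } else { "FAIL" }
    "[{0}] {1}: {2}" -f $mark, $label, $detail
}

# 1. Trusted issuer. RegisteredIssuerName is what SharePoint learned from the CRM
#    metadata endpoint; it must equal the identifier typed by hand for the app principal,
#    otherwise tokens signed by CRM are rejected.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $issuerName }
Check ($null -ne $issuer) "Trusted issuer '$issuerName' exists" "$($issuer.MetadataEndPoint)"
if ($issuer) {
    Check ($issuer.RegisteredIssuerName -eq $expectedIdentifier) `
        "RegisteredIssuerName matches app principal identifier" $issuer.RegisteredIssuerName
    Check ("$($issuer.MetadataEndPoint)" -like "https://*") `
        "Metadata endpoint uses HTTPS" "$($issuer.MetadataEndPoint)"
}

# 2. STS transport settings. Both should be $false once the metadata endpoint is HTTPS;
#    leaving them on permits tokens and metadata over unencrypted HTTP.
$sts = Get-SPSecurityTokenServiceConfig
Check (-not $sts.AllowOAuthOverHttp)    "OAuth over HTTP disabled"    $sts.AllowOAuthOverHttp
Check (-not $sts.AllowMetadataOverHttp) "Metadata over HTTP disabled" $sts.AllowMetadataOverHttp

# 3. App principal and its permissions on the site collection.
$site = Get-SPSite $siteUrl
$app  = Get-SPAppPrincipal -NameIdentifier $expectedIdentifier -Site $site.RootWeb -ErrorAction SilentlyContinue
Check ($null -ne $app) "App principal registered on $siteUrl" $expectedIdentifier
if ($app) {
    $perms = Get-SPAppPrincipalPermission -AppPrincipal $app -Site $site.RootWeb
    Check ($null -ne $perms) "App principal has permissions on the site" (($perms | Out-String).Trim())
}

# 4. Service applications, service instances and app URL settings the trust relies on.
$svcApps = Get-SPServiceApplication
Check ($null -ne ($svcApps | Where-Object { $_.TypeName -like "*Subscription Settings*" })) `
    "Subscription Settings service application" ""
Check ($null -ne ($svcApps | Where-Object { $_.TypeName -like "*App Management*" })) `
    "App Management service application" ""
foreach ($pattern in "*Subscription Settings*", "*App Management*") {
    $inst = Get-SPServiceInstance | Where-Object { $_.TypeName -like $pattern }
    Check (($inst | Where-Object { $_.Status -eq "Online" }) -ne $null) `
        "Service instance online ($pattern)" (($inst | ForEach-Object { $_.Status }) -join ", ")
}
Check ($null -ne (Get-SPAppDomain))                "App domain set"                  (Get-SPAppDomain)
Check ($null -ne (Get-SPAppSiteSubscriptionName))  "App site subscription name set"  (Get-SPAppSiteSubscriptionName)
```

A FAIL on the RegisteredIssuerName line means the realm GUID typed into `$CrmRealmId` is not the realm CRM advertises at its metadata endpoint, so the app principal was registered under an identifier CRM never presents. The script only covers the SharePoint half of the trust; the "unable to process the request due to an internal error" event comes from the token-issuing side and needs the tracing the message itself points at (`IncludeExceptionDetailInFaults` or server trace logs) to show the underlying exception.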