STS returns “an error has occurred” with Microsoft Dynamics CRM 2011/13 Internet-Facing Deployment and Active Directory Federation Services 2.2 (ADFS 2.2) configuration.
Event ID: 364
Encountered error during federation passive request.
Protocol Name: wsfed
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
We could not find an official Microsoft article stating this, but I believe the ADFS Server is not allowed to be published directly on the Internet because of potential security reasons, therefore all requests should go through the ADFS Proxy (Web Application Proxy). Note that ADFS Server and Web Application Proxy cannot be installed on the same host.
Install and configure Web Application Proxy.
Configure your perimeter so that all external HTTPS requests for sts.domain.com are directed to the Web Application Proxy (192.168.0.3) and not to the ADFS Server. Make sure that the ADFS and WAP servers locally resolve sts.domain.com to the ADFS Server (192.168.0.2). To do so, configure Split-DNS, point-to-point DNS, or manually add a hosts file entry (recommended) on both the ADFS and WAP servers.
File: %SystemRoot%\System32\Drivers\etc\hosts
192.168.0.2 sts.domain.com
Connect to the ADFS server, open AD FS Management and create the CRM IFD Relying Party rule, following the Microsoft Dynamics CRM 2011 "Configuring Claims-based Authentication" article.
Try to access https://crm.domain.com externally.
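The steps above can be verified from the ADFS and WAP servers themselves. The following PowerShell script is an added example, not part of the original article: it adds the hosts entry idempotently, checks that the local resolver really maps sts.domain.com to the ADFS server, fetches the federation metadata over that name, and looks for recent Event ID 364 entries carrying MSIS7102. The host names and addresses are the article's own example values; the event log name 'AD FS/Admin' is an assumption for Windows Server 2012 R2 (older builds log to 'AD FS 2.0/Admin') and should be adjusted for your environment.

```powershell
# Added example (not from the original article): verify the hosts/split-DNS
# override on the ADFS and WAP servers and detect the MSIS7102 symptom.
# Host names, addresses and the log name are assumptions; adjust as needed.

$FederationHost = 'sts.domain.com'     # federation service name (article value)
$AdfsInternalIp = '192.168.0.2'        # ADFS Server (article value)
$WapInternalIp  = '192.168.0.3'        # Web Application Proxy (article value)
$HostsFile      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$AdfsAdminLog   = 'AD FS/Admin'        # assumption: Server 2012 R2 log name

function Add-FederationHostsEntry {
    # Idempotently add "192.168.0.2 sts.domain.com" to the local hosts file.
    # Must run elevated: the hosts file is writable only by administrators.
    param([string]$Name = $FederationHost, [string]$Address = $AdfsInternalIp)

    $pattern = '^\s*{0}\s+{1}\s*$' -f [regex]::Escape($Address), [regex]::Escape($Name)
    $present = Select-String -Path $HostsFile -Pattern $pattern -Quiet
    if (-not $present) {
        Add-Content -Path $HostsFile -Value ("`r`n{0} {1}" -f $Address, $Name) -Encoding Ascii
        Write-Host "Added '$Address $Name' to $HostsFile"
    } else {
        Write-Host "$Name already maps to $Address in $HostsFile"
    }
}

function Test-FederationHostResolution {
    # Returns $true when the local resolver maps the federation name to the ADFS
    # server. System.Net.Dns is used instead of Resolve-DnsName because
    # Resolve-DnsName queries DNS directly and ignores the hosts file, so it
    # would not reflect the override this article relies on.
    param([string]$Name = $FederationHost, [string]$Expected = $AdfsInternalIp)

    $addresses = [System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    $ok = $addresses -contains $Expected
    if ($ok) {
        Write-Host "$Name resolves to $Expected (ADFS Server) - OK"
    } else {
        Write-Warning ("{0} resolves to [{1}], expected {2} (ADFS Server), not {3} (WAP)" -f `
            $Name, ($addresses -join ', '), $Expected, $WapInternalIp)
    }
    return $ok
}

function Test-FederationMetadata {
    # Fetches the federation metadata document over the name being tested; on a
    # correctly configured host it is served by ADFS with HTTP 200.
    param([string]$Name = $FederationHost)

    $uri = "https://$Name/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        Write-Host "$uri returned HTTP $($response.StatusCode)"
        return ($response.StatusCode -eq 200)
    } catch {
        Write-Warning "Could not retrieve $uri : $($_.Exception.Message)"
        return $false
    }
}

function Get-Msis7102Events {
    # Lists Event ID 364 entries whose exception text carries MSIS7102, i.e. the
    # symptom from this article. Get-WinEvent throws when nothing matches, so
    # the error is suppressed and an empty result means no occurrences.
    param([int]$Hours = 24)

    $filter = @{ LogName = $AdfsAdminLog; Id = 364; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MSIS7102' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run elevated on the ADFS server and on the WAP server after the change.
Add-FederationHostsEntry
$resolved = Test-FederationHostResolution
$metadata = Test-FederationMetadata
$recent   = @(Get-Msis7102Events -Hours 24)
Write-Host ("MSIS7102 events in the last 24h: {0}" -f $recent.Count)
```

Run it once on each server: both resolution and metadata checks should pass on the ADFS server and on the WAP server, and after external users retry the CRM IFD login the MSIS7102 count for the recent window should stay at zero.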