Wednesday, December 5, 2012

Duplicate Detection Rules Unpublish After Solution Import

For the past few weeks something has been bothering me. I have been doing a lot of solution imports and also a lot of data imports. The Duplicate Detection Rules created for my import kept showing as Unpublished and I could not figure out why. Turns out that when you modify entity metadata, the duplicate detection rules for that entity automatically unpublish. Thank you to Sarah Cousins Hoopes for helping to shed some light on this for me.
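As an added example (not from the original post), a small CRM 2011 SDK routine that finds the rules left unpublished after an import and publishes them again. It assumes you already have a connected IOrganizationService.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

// Added example, not the original post's code. Re-publishes every duplicate
// detection rule that a metadata change (such as a solution import) has left
// in the Unpublished state. Assumes a connected IOrganizationService.
public static class DuplicateRuleRepublisher
{
    // Returns a description of each rule that was sent for publishing.
    public static List<string> RepublishUnpublishedRules(IOrganizationService service)
    {
        // statecode 0 = Inactive, which is how an unpublished rule is stored.
        var query = new QueryExpression("duplicaterule")
        {
            ColumnSet = new ColumnSet("name")
        };
        query.Criteria.AddCondition("statecode", ConditionOperator.Equal, 0);

        var published = new List<string>();
        foreach (Entity rule in service.RetrieveMultiple(query).Entities)
        {
            // Publishing runs as an asynchronous system job; the response
            // carries the job id if you want to poll for completion.
            var response = (PublishDuplicateRuleResponse)service.Execute(
                new PublishDuplicateRuleRequest { DuplicateRuleId = rule.Id });
            published.Add(rule.GetAttributeValue<string>("name") + " (job " + response.JobId + ")");
        }
        return published;
    }
}
```

Running this as the last step of every solution import keeps the rules from silently staying off.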

Original Article from Sarah

Thursday, June 7, 2012

ADFS 2.0 Default Claims Provider


In situations where you have multiple Claims Providers, the HomeRealmDiscovery.aspx page may confuse users.


As you can see here I have created a second claims provider called test. Users may not know which one to use.


FIX 1 – Well not really a fix as much as a way to reduce this issue.

One way to help with this confusion is by setting the persistIdentityProviderInformation element's enabled value to true and its lifetimeInDays value to something like 30 in the web.config located at C:\inetpub\adfs\ls. The selection is then remembered in a cookie, so users only have to select their claims provider once every 30 days.


FIX 2 – Update your web application to allow for WHR parameter

Another way to let users skip the HomeRealmDiscovery page is by adding functionality to your web application that lets the whr parameter determine which claims provider will be used when redirecting to ADFS. Again, this code all goes into your web application and does not require any additional work on the ADFS website.

Add a reference to Microsoft.IdentityModel in your web application.


If you don’t already have a Global.asax file in your web application add a new item and select Global Application Class.

You will need to add an additional handler to the code-behind of the Global.asax file.


using Microsoft.IdentityModel.Web;

void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
      e.SignInRequestMessage.HomeRealm = Request["whr"]; // the whr query-string value becomes the home realm hint sent to ADFS
}

What’s great is that ASP.NET wires this handler up just by its name and the Identity Model already knows what to do with the home realm, so there is no more code to write.

Now just add the ?whr=identityID parameter (where identityID is the claims provider identifier) to your application's URL and you will no longer see the HomeRealmDiscovery page; you will be directed straight to that claims provider's authentication method.
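Because the whr value comes straight from the query string, here is a hardened version of the handler, added as an example and not part of the original post, that only forwards identifiers from an allow-list. It assumes a hypothetical appSettings key named AllowedHomeRealms holding the permitted claims provider identifiers separated by semicolons; the identifier values in the comment are placeholders.

```csharp
using System;
using System.Configuration;
using System.Web;
using Microsoft.IdentityModel.Web;

// Global.asax code-behind (added example, not the original post's code).
// Assumes a hypothetical appSettings key "AllowedHomeRealms" listing the
// claims provider identifiers the application may request, for example
// (placeholder values):
//   <add key="AllowedHomeRealms" value="http://adfs.example.com/adfs/services/trust;urn:test" />
public class Global : HttpApplication
{
    private static readonly string[] AllowedHomeRealms =
        (ConfigurationManager.AppSettings["AllowedHomeRealms"] ?? string.Empty)
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);

    // Returns the identifier to send to ADFS, or null to let the
    // HomeRealmDiscovery page handle the choice.
    internal static string ResolveHomeRealm(string requestedWhr, string[] allowed)
    {
        if (string.IsNullOrEmpty(requestedWhr))
            return null;
        foreach (string realm in allowed)
        {
            // Ordinal comparison: ADFS matches the identifier case-sensitively,
            // so the allow-list must match the same way.
            if (string.Equals(realm, requestedWhr.Trim(), StringComparison.Ordinal))
                return realm;
        }
        return null; // unknown identifier: ignore it rather than forward it
    }

    // ASP.NET wires this handler up by name; WIF raises the event just before
    // redirecting the browser to ADFS.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        string realm = ResolveHomeRealm(Request["whr"], AllowedHomeRealms);
        if (realm != null)
            e.SignInRequestMessage.HomeRealm = realm;
    }
}
```

ADFS itself only accepts identifiers of configured claims provider trusts; the allow-list additionally stops a crafted link from steering users to a provider the application does not intend to use.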

Let’s look at two examples of how to use this. For both of these my web application will be located at:

My STS (ADFS) server will be located at:

EXAMPLE 1: Using the built-in Active Directory Claims Provider

First we will need to get the entityID of our claims provider. To get this we will go to the FederationMetadata on the STS (ADFS) server at the following url:

NOTE: Depending on your IE Version this page may come up blank.  If you do not see the XML on the page hit the compatibility view button in IE.

The entityID for the default provider is in the first line:


Copy the value for the entity ID and add it as the value for the whr parameter in your application url.

NOTE: Make sure you copy the entityID parameter exactly, case does matter on this one so no mixing upper case and lower case letters.

EXAMPLE 2: Using a custom Claims Provider

This one is actually easier than getting the information for the default claims provider since you can access it from the ADFS 2.0 GUI. Open the properties for the Claims Provider Trust you want to access.


On the Identifiers page copy the “Claims provider identifier”.


Add the value for the whr parameter in your application url.

NOTE: Make sure you copy the Claims provider identifier exactly, case does matter on this one so no mixing upper case and lower case letters.


In order to force users to a specific claims provider you can set up an IIS redirect that tags on the whr parameter you want to use. That way, when users go to the application's plain URL, the whr parameter is added automatically.

Wednesday, June 6, 2012

Limited Access to Program Data folder in AD for ADFS 2.0

If you work in an environment where you have no write access to the ‘Program Data’ folder in AD, you can still install ADFS 2.0, but you will need to use the command prompt.

First, retrieve the certificate thumbprint for the Signing Cert and the Decrypt Cert. Since this was a test machine I was using the same certificate for both, but in a production environment you will probably have separate certs for each.

To retrieve a certificate's thumbprint

  1. Open the Microsoft Management Console (MMC) snap-in for certificates. (See How to: View Certificates with the MMC Snap-in.)

  2. In the Console Root window's left pane, click Certificates (Local Computer).

  3. Click the Personal folder to expand it.

  4. Click the Certificates folder to expand it.

  5. In the list of certificates, note the Intended Purposes heading. Find a certificate that lists Client Authentication as an intended purpose.

  6. Double-click the certificate.

  7. In the Certificate dialog box, click the Details tab.

  8. Scroll through the list of fields and click Thumbprint.

  9. Copy the hexadecimal characters from the box. If this thumbprint is used in code for the X509FindType, remove the spaces between the hexadecimal numbers. For example, the thumbprint "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b" should be specified as "a909502dd82ae41433e6f83886b00d4277a32a7b" in code.

Run the FSCONFIG Command to Create Farm

  1. Open a command prompt.
  2. Run the following command.
    CD "C:\Program Files\Active Directory Federation Services 2.0\"

  3. Run this command and substitute the values for your own ADFS setup. Note that the service account password is passed in clear text on the command line, so run it from an administrative session rather than a script you keep around.
    FSCONFIG.exe CreateFarm /ServiceAccount "domain\account" /ServiceAccountPassword Password1 /FederationServiceName /CleanConfig /SigningCertThumbprint "a909502dd82ae41433e6f83886b00d4277a32a7b" /DecryptCertThumbprint "a909502dd82ae41433e6f83886b00d4277a32a7b"

Friday, March 16, 2012

CRM 2011 Dashboards Inside IFrames

If you are going to place CRM 2011 Dashboards within an IFrame make sure your URL points to:


and not


Using home_dashboards.aspx may cause your charts to just sit with the loading icon displayed.

To get the url of a dashboard right click on the name of the dashboard and click “Copy a Link”


CRM Setup and Org Import Logs

Location of CRM 2011 Setup Logs and Organization Import Logs.




Tuesday, February 28, 2012

ADFS 2.0 ID4223: The SamlSecurityToken is rejected because the SamlAssertion

ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '02/28/2012 1:15:04 PM'
Current time: '02/28/2012 2:18:35 PM'

This error happens when the clock on the ADFS server and the clock on the machine hosting the website are not synchronized. The relying party checks the token's NotOnOrAfter condition against its own clock; WIF tolerates only a small skew (five minutes by default), and here the two clocks differ by more than an hour.

To fix this, go onto each box and restart the "Windows Time" service. Then open a command prompt and run w32tm /resync.

ADFS 2.0 Config Debug Tracing

  1. Run CMD as Administrator
  2. wevtutil sl "AD FS 2.0 Tracing/Debug" /l:5
  3. Open Event Viewer.
  4. To open Event Viewer, click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
  5. On the View menu, click Show Analytic and Debug Logs.
  6. In the console tree, expand Applications and Services Logs, expand AD FS 2.0 Tracing, and then click Debug.
  7. In the Actions pane, click Enable Log.
  8. Tracing for AD FS 2.0 is now enabled.
  9. Restart the AD FS 2.0 Windows Service.

Monday, February 27, 2012

Force Line Break in CRM 2011 Ribbon Labels

With really long titles on CRM ribbon buttons the text will fill the entire space before going to the next line. To force text onto the next line you can use the Zero Width Space (U+200B). Encoded, these characters look like this.


In order to actually enter these characters into a text editor, the easiest way is to use the charmap.exe utility in Windows.

NOTE: If using Windows Server 2008, ensure the Desktop Experience feature is installed or Charmap will not be available.

1. Start->Run->charmap
2. Change the font to Arial Unicode MS
3. Scroll down about 1/6 of the way down and you will see the space characters.
4. Click on the characters until you see that U+200B is selected at the bottom of the screen.
5. Click Select
6. Click Copy