Expiring ADFS Certificates and CRM access

August 9, 2018 | Support

If your Dynamics 365 (previously known as Dynamics 365 CRM) users are repeatedly prompted to log in and receive the message “HTTP Error 401 – Unauthorized access is denied.” or “An error has occurred.”, the cause may be an expired Active Directory Federation Services (ADFS) certificate.

ADFS uses its own Auto Certificate Rollover feature to renew the certificates that secure the login for Dynamics 365. Your ADFS administrator is notified five days before the renewal date. Unfortunately, Dynamics 365 is not made aware of the renewal, so your administrator must update Dynamics 365 manually; until that is done, users lose all access to CRM.


If this happens, go into the ADFS Management Console and update the Federation Metadata URLs. Then perform an IIS reset on the CRM server. Finally, restart the ADFS service.

If that doesn’t work, follow the steps below:

1. On the Microsoft Dynamics CRM server, go to Deployment Manager and disable Claims-Based Authentication.

2. While still on the Microsoft Dynamics CRM server, click the Start menu, select Run and type iisreset to complete an IIS reset.

3. Re-configure Claims-Based Authentication from Deployment Manager, keeping all settings the same.

4. Re-configure IFD through the Microsoft Dynamics CRM Deployment Manager.

5. On the Microsoft Dynamics CRM server again, click the Start menu, select Run and type iisreset once again to complete an IIS reset.

6. In the ADFS Management Console on the ADFS server, update the corresponding Federation Metadata URLs:

    a. Go to the ADFS server and open the ADFS Management Console.

    b. Click Relying Party Trusts to display the internal and external relying party trusts.

    c. Right-click each and select Update Federation Metadata.

    d. Go to the Microsoft Dynamics CRM server one last time, click the Start menu, select Run and type iisreset to complete an IIS reset.

    e. Next, browse to Services on the ADFS server and restart the ADFS service.
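
The ADFS-side work in step 6 can also be done from PowerShell on the ADFS server. The script below is an added example, not part of the original post or the Knowledge Base article; it assumes the ADFS PowerShell module that ships with the AD FS role, and the trust names and the 30-day warning window are placeholders to replace with your own.

```powershell
# Added example: run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

# Placeholders (assumptions): the display names of your CRM relying party trusts.
$crmTrustNames = @('<internal CRM trust name>', '<external CRM trust name>')
$warnDays      = 30   # assumed warning window, adjust to suit

# 1. Show the rollover settings and how long each token certificate has left.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold

$certs = Get-AdfsCertificate |
    Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
    ForEach-Object {
        [pscustomobject]@{
            Type       = $_.CertificateType
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        }
    }
$certs | Format-Table -AutoSize

$certs | Where-Object { $_.IsPrimary -and $_.DaysLeft -le $warnDays } | ForEach-Object {
    Write-Warning "$($_.Type) certificate $($_.Thumbprint) expires in $($_.DaysLeft) day(s)."
}

# 2. Steps 6b-6c: refresh each CRM relying party trust from its federation metadata URL.
foreach ($trust in Get-AdfsRelyingPartyTrust -Name $crmTrustNames) {
    if (-not $trust.MetadataUrl) {
        Write-Warning "'$($trust.Name)' has no metadata URL; update it manually."
        continue
    }
    try {
        Update-AdfsRelyingPartyTrust -TargetName $trust.Name -ErrorAction Stop
        Write-Host "Updated federation metadata for '$($trust.Name)'."
    } catch {
        Write-Warning "Update failed for '$($trust.Name)': $($_.Exception.Message)"
    }
}

# 3. Step 6d happens on the CRM server (iisreset). Once that is done, step 6e:
Read-Host 'Run iisreset on the CRM server, then press Enter to restart ADFS'
Restart-Service -Name adfssrv
```

Running only part 1 on a schedule gives advance warning of the next rollover, so the CRM update can be planned before users are locked out.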

Further information about this issue can be found in this Knowledge Base article here

If following these instructions does not fix the errors, we recommend that you get in touch with your internal IT support. They may wish to contact Tisski through the support portal to help them resolve this issue.


