The “Gift” Certificate:
A couple of days ago we started seeing the following errors in our staged portal instances on our On-Premise Hosted CRM Organizations.
“MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party.”
Digging a little deeper in the Event Viewer, we saw this:
“The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.”
What we found was that our cert had rolled over unexpectedly and our CRM instances had not been updated to account for the new certificate. The fix was simple enough, though it had to be applied to all of the organizations in the domain. Below are the steps to resolve this issue should you be presented with this holiday surprise, or if you’d like to roll over your certificate manually.
From the ADFS Server:
Step 1: Open PowerShell
Step 2: From the prompt, type Add-PSSnapin Microsoft.Adfs.PowerShell
Step 3: Run Set-ADFSProperties -AutoCertificateRollover $true
Step 4: Run Update-ADFSCertificate -Urgent
Now update your Dynamics CRM servers to use the new certificate.
From the CRM Server (As a CRM Deployment Admin):
Step 1: Open the Dynamics CRM Deployment Manager
Step 2: Run through the Configure Claims-Based Authentication Wizard (no changes)
Step 3: Run through the Configure Internet-Facing Deployment Wizard (no changes)
Step 4: Restart the Microsoft Dynamics CRM services
Step 5: Restart IIS
Joy to the World:
That’s it. Everything should work like normal on your Dynamics CRM organizations. If you’re still having issues you may want to restart the services on the ADFS server.
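A read-only check for the ADFS server, added here as an example and not part of the original post: it lists the token-signing and token-decrypting certificates with their expiry dates and flags a pending rollover, so the CRM steps above can be scheduled before the portals start failing. The 30-day warning window is an assumed value.

```powershell
# Added example: run on the ADFS server in an elevated PowerShell session.
# Loads the same snap-in as Step 2; the error is suppressed where the
# cmdlets are already available (snap-in loaded, or a newer ADFS module).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$WarnDays = 30   # assumed warning window, adjust to your change process

# Rollover settings that decide when ADFS generates and promotes a new cert.
$props = Get-ADFSProperties
"AutoCertificateRollover        : $($props.AutoCertificateRollover)"
"CertificateGenerationThreshold : $($props.CertificateGenerationThreshold) days before expiry"
"CertificatePromotionThreshold  : $($props.CertificatePromotionThreshold) days after generation"

$now = Get-Date
$report = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($c in Get-ADFSCertificate -CertificateType $type) {
        [pscustomobject]@{
            Type       = $c.CertificateType
            IsPrimary  = $c.IsPrimary
            Thumbprint = $c.Thumbprint
            NotBefore  = $c.Certificate.NotBefore
            NotAfter   = $c.Certificate.NotAfter
            DaysLeft   = [int]($c.Certificate.NotAfter - $now).TotalDays
        }
    }
}
$report | Sort-Object Type, IsPrimary | Format-Table -AutoSize

# A secondary certificate means ADFS has already generated the next one and
# will promote it to primary; relying parties such as CRM must be refreshed
# once that happens, or they reject tokens signed by the new certificate.
foreach ($r in $report) {
    if (-not $r.IsPrimary) {
        Write-Warning "$($r.Type): secondary certificate $($r.Thumbprint) present, rollover pending."
    } elseif ($r.DaysLeft -le $WarnDays) {
        Write-Warning "$($r.Type): primary certificate expires in $($r.DaysLeft) days."
    }
}
```

Run after Step 4 on the ADFS server, the same script shows whether a new primary certificate is in place before you move on to the CRM servers.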