Working with MSCRM 2016 on-premise always presents a few issues when you are in an unfamiliar network or configuring things a bit differently than the instructions describe. One example is configuring ADFS after installing it from the Windows Server 2012 Add Roles and Features wizard. Once it is installed, you run through the ADFS configuration wizard and usually accept all of the defaults. Beware of going off script.
We recently configured ADFS and, when asked to specify a service account, chose to use an existing service account (the second option on the wizard's service account page, shown in the screenshot below). The configuration wizard finished with no errors, and we proceeded to enable Claims-Based Authentication within MSCRM 2016.
We ran through the Claims-Based Authentication wizard in the CRM Deployment Manager and then added our relying party trusts in ADFS. Everything appeared to be in place. However, we received an error when we tried to access MSCRM using the internal URL, and the same error when trying to sign in to ADFS itself. As a result, I opened a ticket with Microsoft.
Issue definition: Unable to sign in to the IdP-initiated sign-on page https://sts.xxxxxx.com/adfs/ls/idpinitiatedsignon.aspx. Error returned: HTTP 400 Bad Request.
So how did we fix this? It was actually our client's IT resource who figured it out. I am not saying this is the root-cause resolution, but it fixed the issue immediately. If you look at the screenshot above, you will see that the first option, "Create a Group Managed Service Account," has an "Account Name" field for the name of the gMSA you want to create. During the configuration we typed a name into that field, but then selected the second option and supplied an existing service account. We created an SPN for the existing account entered under the second option. When we still could not access CRM, we added an SPN for the account name typed into the first option as well, and that fixed the issue. Whatever the wizard did with that first entry, the invariant ADFS depends on is simple: the account the AD FS Windows service (adfssrv) actually starts under must hold the host/<federation service name> SPN (host/sts.xxxxxx.com in our case), and no other account may hold the same SPN, because a duplicate SPN breaks Kerberos authentication just as surely as a missing one. Checking which account the service runs under and querying the SPN with setspn before opening a ticket would have pointed straight at the mismatch.
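The following PowerShell is an added example, not from the original post or from Microsoft, that performs the checks just described on the ADFS server: find the federation service name, find the account adfssrv really runs under, see which accounts hold the host/ SPN, look for duplicates, and only then register the SPN. It assumes the federation service name sts.xxxxxx.com from the post; the account names it derives are whatever your server reports, and the gMSA name check is illustrative.

```powershell
# Added example (not part of the original post). Run in an elevated
# PowerShell session on the AD FS server, as a domain account that can
# write SPNs (setspn -S requires write access to the target account).

Import-Module ADFS
Import-Module ActiveDirectory

# 1. The federation service name clients resolve and present in Kerberos
#    service ticket requests. Assumed to be sts.xxxxxx.com, as in the post.
$fsName = (Get-AdfsProperties).HostName
$spn    = "host/$fsName"
"Federation service name: $fsName   SPN required: $spn"

# 2. The identity the AD FS Windows service (adfssrv) actually starts under.
#    This is the account that must hold the SPN, regardless of what was
#    typed into the wizard. A gMSA shows up as DOMAIN\name$.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
"adfssrv runs as: $($svc.StartName)"

# 3. Which accounts currently hold the SPN? More than one object listed
#    means a duplicate SPN; none means it was never registered.
"Accounts currently holding $spn :"
setspn -Q $spn

# 4. Forest-wide duplicate SPN scan (any duplicate, not just ours).
"Duplicate SPNs anywhere in the forest:"
setspn -X

# 5. Show the SPNs AD has on the real service account object.
$account = ($svc.StartName -split '\\')[-1]        # strip DOMAIN\ prefix
if ($account.EndsWith('$')) {
    # gMSA: the directory object is a managed service account
    $obj = Get-ADServiceAccount -Identity $account.TrimEnd('$') -Properties ServicePrincipalNames
} else {
    $obj = Get-ADUser -Identity $account -Properties ServicePrincipalNames
}
"SPNs on $($obj.DistinguishedName):"
$obj.ServicePrincipalNames

# 6. Did the wizard leave behind a gMSA with the name typed into the first
#    option? Replace the placeholder with the name you entered.
$typedGmsaName = 'ADFS-gMSA'                        # placeholder, adjust
Get-ADServiceAccount -Filter "Name -eq '$typedGmsaName'" -Properties ServicePrincipalNames |
    Select-Object Name, ServicePrincipalNames

# 7. Register the SPN on the account adfssrv runs under if it is missing.
#    setspn -S refuses to add the SPN when another object already holds it,
#    so a duplicate found in step 3 must be removed (setspn -D) first.
if (-not ($obj.ServicePrincipalNames -contains $spn)) {
    setspn -S $spn $svc.StartName
}

# 8. Verify from any domain-joined client: the KDC issues a ticket for the
#    SPN only when exactly one account holds it.
klist purge
klist get $spn
```

After step 7, restart the AD FS service (Restart-Service adfssrv) before retesting the IdP-initiated sign-on page; the service caches the credentials it was started with.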
So, weird and wonderful things happen when working with ADFS, and the resolutions aren't always obvious. I hope this helps someone in the future.
Beringer Technology Group, a Microsoft Gold Certified Partner, is always here to provide expert knowledge on topics like these. Please contact us with any questions you may have.