When registering for your Click solution, you may encounter the following error:
Error: There was no endpoint listening at http://adfs.mycompany.com/adfs/services/trust/13/username that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
This error is not a Click error. It is an error caused by a misconfiguration of Microsoft's Active Directory Federation Services. We have compiled the tips below in order to try to help if you encounter this error, but you should consult Microsoft's documentation or your CRM partner for assistance in correcting this error. Click does not provide technical support for ADFS configuration.
TIP: When setting up ADFS, the ADFS website should only have a single binding: port 443. You should remove the default port 80 binding. Notice that in the error above, the address is http (not https) which means that there is communication taking place across port 80 to ADFS. This is not the desired configuration. By removing the port 80 binding in IIS from the ADFS website, and restarting the ADFS server, you should be able to avoid this error. If not, read some of the tips below.
If you see this error when trying to register or connect with Click, there are several possible causes, all due to CRM/ADFS configuration:
- The Username endpoint is not properly configured in ADFS; (This is the most common cause of this error. Some customers have been able to disable the Username endpoint in ADFS to correct this. Others have had to enable it depending on their specific configuration. Refer to Microsoft's documentation for your environment.)
- If ADFS and CRM are installed on the same server and using the same port, you can run into this error. Change the port that ADFS uses so it is different from the CRM website. More details here.
- If you are using Windows Server 2012 with certain versions of CRM, there is a hotfix from Microsoft for a related issue: http://support2.microsoft.com/kb/2827748/en-us
- The Federation Metadata in ADFS needs to be updated due to changes in the environment (adding a new org, making DNS changes);
- The endpoint is unreachable due to a routing or firewall issue (or having incorrectly configured bindings on ADFS in IIS);
- The user you are entering for the service account does not have sufficient privileges in CRM;
- The time on your ADFS and/or CRM servers are out of sync by more than 5 minutes with internet time
- Another potential resolution is to enable the kerberosmixed endpoint if it is disabled. See this blog post for more detail.
To resolve this error: First, make sure the user you have set up as the service account has Read/Write access to CRM and has a security role assigned that enables it to log into CRM remotely. Next, make sure the Username endpoint is configured in the ADFS deployment that this CRM org is using:
- Log onto the ADFS server and open the ADFS management console. Go to ADFS > Service > Endpoints
- You’ll see a list of endpoint URLs here. Find the one for /adfs/services/trust/13/username of type WS-Trust 1.3
- Make sure that this endpoint has “Yes” set for both the Enabled and Proxy Enabled settings.
- If you have to make a change to this endpoint, after making the change re-start the ADFS server and the CRM server, then try to register again.
Lastly, if the above looks okay, it could be a resolution or routing issue blocking the connection. Make sure that there are external DNS entries for the path to your ADFS server (for example, https://sts.mydomain.com needs to resolve externally). Also, make sure that your firewall permits external access to the ADFS server. If you are able to, try to use a computer that is outside of your domain to navigate directly to the ADFS server to test its accessibility.
NOTE: This error also prevents connections from the Outlook client for CRM when connecting from outside of a network.