Thursday, March 17, 2016

The Authentication Endpoint Username Was Not Found On The Configured Secure Token Service and Port 808

While not recommended, circumstances sometime present the need to install CRM and ADFS on the same server. If this is done on Windows Server 2012 R2, you will likely run into issues connecting anything through the discovery service such as the Outlook Add-In, Email Router, and Plugin Registration Tool. The error will read:

The authentication endpoint Username was not found on the configured Secure Token Service.

If taken literally, one would be tempted to go to the ADFS Configuration and enable the /adfs/services/trust/13/username endpoint as shown below:


DO NOT DO THIS! On the outside chance that it does actually fix the immediate issue it can cause further authentication problems and is NOT recommended – despite what some other blogs/forums may tell you.

Further investigation should eventually lead you to this error in the ADFS event viewer logs:

System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint 0.0.0.0:808. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations. —> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted

With ADFS for Server 2012 R2, net.tcp port 808 is utilized for a function of the federation service. You may recall that port 808 is also used by CRM for its sandbox service so it’s easy to see the problem here. Port conflict! Luckily, the solution is rather simple. Just open a PowerShell prompt on the server and enter the following:

Set-ADFSProperties -nettcpport 809

(Note: In the above the command, 809 is just an example of a port that can be used and is not required. If something else is running over port 809 on your server, substitute it for some other number.)

After the command has been run, restart the ADFS service, IIS, and the email router service (if the email router was having the issue connecting) – to be on the safe side, you could just reboot the whole server. Give it another go and you should be in business! If you are wondering why this hasn’t been an issue with past versions of ADFS, it's because the federation services used to run on ports 1500 and 1501.

5 comments:

  1. Thanks for this post. It stopped me headbanging after four hours of googling, and coming up with the first solution you mention. I also tried stopping the CRM Sandbox Service, but to no avail.

    I should also mention that in my case, ADFS + AD and CRM were installed on two different servers.

    ReplyDelete
    Replies
    1. Glad this was able to help you! Sounds like something else (obviously not CRM) on your ADFS/AD box may have also been using port 808. Thanks for the comment!

      Delete
  2. same error gives when authenticate CRM 2016 (on-prem) through Plugin Registration Tool

    ReplyDelete
  3. ADFS net tcp port is 1501 as far as I can see, not 808 ...

    ReplyDelete
  4. Thanks to this article. Saved me some time doing research and good to know not to take the simple solution, which is to enable username with both Yes. For our on premise client with CRM and ADFS on same server, although ADFS is on Port 809, it was the firewall which was disallowing any incoming / outgoing traffic for port 809. Thanks for the tips.

    ReplyDelete