Tip #176: Adminless traceless troubleshooting

tl;dr

When users are presented with a generic error message, URL in a browser address bar sometimes contain enough details about the error to determine the actual cause.

How to fish

“An error has occurred.” How wonderful. We all have seen it at one point of our CRM lives or another.

No administrators allowed

Users unable to login, and instead presented with this message. Note that there are no references to send more information to Microsoft, no option to download the log file. Try again or get out. (I’m not sure why did anyone even bother to add Try Again button, like that ever worked.)

So what is going to happen if you decide to stop using this dialog as an excuse to attend to your facebook page and contact system administrator (presumably, you have one of those)? Troubleshooting of generic messages like this one usually involves setting up a trace on CRM server(s), capturing errors, analyzing, drinking lots of coffee, etc. Depending on size of your company and your relationship with administrator it may take a day or two. Or a week. Or a month. Don’t call us we’ll call you. Troubleshooting, in short.

Surely, there must be a better way and on this occasion there is! Let’s have a close look at the URL:

https://auth.foobar.com/_common/error/errorhandler.aspx?BackUri=https%3a%2f%2fadfs.foobar.com%2fadfs%2fls%2f%3fwa%3dwsignin1.0%26wtrealm%3dhttps%253a%252f%252fcrm.foobar.com%252f%26wctx%3drm%253d1%2526id%253db6f1f7e4-2178-4e23-8344-4a39cae5b2c1%2526ru%253dhttps%25253a%25252f%25252fcrm.foobar.com%25252fdefault.aspx%26wct%3d2014-07-10T11%253a12%253a44Z%26wauth%3durn%253aoasis%253anames%253atc%253aSAML%253a1.0%253aam%253apassword&ErrorCode=&Parm0=%0d%0a%0d%0aError%20Details%3a%20ID1044%3a%20An%20encrypted%20security%20token%20was%20received%20at%20the%20relying%20party%20which%20could%20not%20be%20decrypted.%20Configure%20the%20relying%20party%20with%20a%20suitable%20decryption%20certificate.%20Current%20relying%20party%20decryption%20certificate%20info%3a%0a%5bThumbprint%5d%2074864195002BC54673D5D31A852B494D02548DF2&RequestUri=%2fdefault.aspx&user_lcid=1033

And after plonking this monstrosity into one of the online decoders:

https://auth.foobar.com/_common/error/errorhandler.aspx?BackUri=https://adfs.foobar.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm.foobar.com%2f&wctx=rm%3d1%26id%3db6f1f7e4-2178-4e23-8344-4a39cae5b2c1%26ru%3dhttps%253a%252f%252fcrm.foobar.com%252fdefault.aspx&wct=2014-07-10T11%3a12%3a44Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword&ErrorCode=&Parm0=

Error Details: ID1044: An encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info:
[Thumbprint] 74864195002BC54673D5D31A852B494D02548DF2&RequestUri=/default.aspx&user_lcid=1033

It looks like AD FS server receives an encrypted request from CRM to authenticate but certificate to decrypt the request cannot be found. Quick check of the certificates on the AD FS server and, lo and behold, some smart administrator installed a replacement certificate but re-configured neither AD FS nor CRM servers. Easy to fix by repeating claims & IFD configuration process.

Lesson: before running for help to the community, your system administrator or, gosh, Microsoft, just have a look at URL. If it’s all foreign to you, at least copy URL and send it to your administrator as part of the problem reporting. Unless, of course, all you want to do is to get back to that facebook page.

Leave a Reply

Your email address will not be published. Required fields are marked *