Using Fiddler on Microsoft CRM Online with ADFS enabled

  1. Jonathan
    Posted 09 Dec 2015

    We are troubleshooting some performance issues on a CRM Online instance.

    The site has ADFS configured single sign on and without Fiddler running this works fine.

    The site also has a proxy server to access the internet which users are authenticated against using their internal AD network credentials.

    Once Fiddler is turned on and capturing traffic the SSO to the online instance no longer works and users are presented with a series of ADFS login boxes to our internal ADFS URLs - it seems like running Fiddler interrupts the exchange of credentials that underpins SSO. Entering the user's domain credentials allows the user to view the CRM Online instance (they can enter domain\username and their password to proceed). Once entered the user is not prompted again for that session.

    We have also seen occasional prompts for credentials from other random internet sites while Fiddler is running - public websites that should not need authentication. It is unclear to me whether it is our internal proxy that is requesting the credentials but claiming that the website needs authentication - see attached screen cap. In this case, entering a user's network credentials to authenticate to the proxy allows access.

    Are there any tips for:

    a) running Fiddler on CRM Online instances (beyond decrypting the traffic so Fiddler can see it)

    b) running Fiddler on applications that use federated SSO solutions

    c) tuning Fiddler to not interrupt authentication traffic

    Thanks

  2. Eric Lawrence
    Admin
    Posted 09 Dec 2015

    Hi, Jonathan--

    Can you confirm that you're using the latest (e.g. 4.6.1.5 or 2.6.1.5) version of Fiddler?

    There are a few possible issues in play here-- one is that some ADFS instances are protected with "Channel Binding Tokens" which prevent your Windows Authentication credentials from being sent through a decrypting proxy. You can use the "Rules > Automatically Authenticate" command to instruct Fiddler to use your Windows credentials to respond to authentication challenges directly (without sending the request to the browser where it will fail due to the CBT feature).

    > we have also seen occasional prompts for credentials from other random internet sites while fiddler is running - public websites that should not need authentication. It is unclear to me whether it is our internal proxy that is requesting the credentials but claiming that the website needs authentication - see attached screen cap

    The way to troubleshoot this is to look at the challenge inside Fiddler-- is it an HTTP/401 (server challenge) or an HTTP/407 (proxy challenge)? In either case, does the body of the challenge include any explanatory text?

    Regards,
    Eric Lawrence
    Telerik