This is a migrated thread and some comments may be shown as answers.

Using Fiddler on Microsoft CRM Online with ADFS enabled

Jonathan asked on 09 Dec 2015, 10:03 AM

We are troubleshooting some performance issues on a CRM Online instance.

The site has ADFS configured single sign on and without Fiddler running this works fine.

The site also has a proxy server to access the internet which users are authenticated against using their internal AD network credentials.

Once Fiddler is turned on and capturing traffic the SSO to the online instance no longer works and users are presented with a series of ADFS login boxes to our internal ADFS URLs - it seems like running Fiddler interrupts the exchange of credentials that underpins SSO. Entering the user's domain credentials allows the user to view the CRM Online instance (they can enter domain\username and their password to proceed). Once entered the user is not prompted again for that session.

We have also seen occasional prompts for credentials from other random internet sites while Fiddler is running - public websites that should not need authentication. It is unclear to me whether it is our internal proxy that is requesting the credentials but claiming that the website needs authentication - see attached screen cap. In this case, entering a user's network credentials to authenticate to the proxy allows access.

Are there any tips for:

a) running Fiddler on CRM Online instances (beyond decrypting the traffic so Fiddler can see it)

b) running Fiddler on applications that use federated SSO solutions

c) tuning Fiddler to not interrupt authentication traffic

 

Thanks

 

Eric Lawrence
Telerik team
answered on 09 Dec 2015, 06:19 PM
Hi, Jonathan--

Can you confirm that you're using the latest (e.g. 4.6.1.5 or 2.6.1.5) version of Fiddler?

There are a few possible issues in play here-- one is that some ADFS instances are protected with "Channel Binding Tokens" which prevent your Windows Authentication credentials from being sent through a decrypting proxy. You can use the "Rules > Automatically Authenticate" command to instruct Fiddler to use your Windows credentials to respond to authentication challenges directly (without sending the request to the browser where it will fail due to the CBT feature).

"we have also seen occasional prompts for credentials from other random internet sites while fiddler is running - public websites that should not need authentication. It is unclear to me whether it is our internal proxy that is requesting the credentials but claiming that the website needs authentication - see attached screen cap"

The way to troubleshoot this is to look at the challenge inside Fiddler-- is it an HTTP/401 (server challenge) or an HTTP/407 (proxy challenge)? In either case, does the body of the challenge include any explanatory text?

Regards,
Eric Lawrence
Telerik
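
The 401-versus-407 check described in the answer above, as an added example that is not part of the original thread or of Fiddler itself: a Python sketch that takes the raw text of a response saved from a captured session and reports whether the challenge came from the server or the proxy, which authentication schemes it offered, and any explanatory text in the body. The function name `classify_challenge` and both sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from the environment in this thread).
SAMPLE_PROXY = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Access denied</h1>Sign in to the proxy to continue.</body></html>"
)
SAMPLE_SERVER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Status code -> (who is challenging, header that carries the challenge).
CHALLENGE = {401: ("server", "www-authenticate"), 407: ("proxy", "proxy-authenticate")}

def classify_challenge(raw):
    """Return who issued an auth challenge, the schemes offered, and any body text."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    status = int(m.group(1))
    if status not in CHALLENGE:
        return {"status": status, "origin": None, "schemes": [], "note": ""}
    origin, header = CHALLENGE[status]
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == header and value.strip():
            # The scheme is the first token; parameters such as realm= follow it.
            # Simplification: one challenge per header line is assumed.
            schemes.append(value.split()[0])
    # Strip tags so explanatory text in an HTML error page is readable.
    note = " ".join(re.sub(r"<[^>]+>", " ", body).split())
    return {"status": status, "origin": origin, "schemes": schemes, "note": note[:200]}
```

An `origin` of `proxy` on a request to a public website means the credential prompt comes from the internal proxy, not from the site being visited.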