Using LiveID login in contoso demo image

May 17, 2010 at 10:45 AM


I saw a similar post at , but thought this required it's own thread. (

I have setup the portal in the latest MSCRM contoso demo image and want to login using my live id.

Using the steps at I successfully connected the VPC to the internet.

I have searched for a way of using liveid login in the development/demo environment and cannot find a solution. I signed up for a liveid but it requires a proper domain such as a .com domain. It will not accept CRM-SRV-01 which is my local IIS server. I tried using a domain name that is different but then the authentication does not work.

Any ideas on how to run a liveid site using a local webserver would be appreciated.



May 17, 2010 at 4:24 PM

Live ID does have some requirements that have to be satisfied before you can use it.  One of those requirements is a domain name.  For my demos, I register a subdomain such as and then use either a host entry on the demo machine or the DNS on it to resolve that domain to the local machine.  Once you have a 'real' domain name (it's not really real, but it is real enough for Live ID), you can then complete the setup and get it working with Live ID.

Shan McArthur

May 18, 2010 at 4:56 PM

I'd really like some more specific documented steps in this area. I've setup the Live Services and Active Directory Federation settings at but I'm not clear on exactly what the Return URL should be. I've put in

Every time I attempt to sign in to the sample site I get the following error:

An error has occurred.

Try this action again. If the problem continues, check the Microsoft Dynamics Community for solutions or contact your organization's Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.

Try again | Close

May 18, 2010 at 5:23 PM

The Live ID return url should be pointed to the handler on your portal.  This handler is registered on your site in the web.config file in the httphandlers section.  It should be /LiveId.axd.  The url that you used above points to the CRM user interface, which does not know how to handle the Live ID authentication interchange and it also will not be able to authenticate your users to the website.  The job of the liveid.axd handler is to accept the signed authentication request from Live ID and if the user is known, locate the contact record and set the forms authentication to authenticated, or if the user is not known yet (a new user) to redirect to the signup page on the portal.  One other thing to note: the Live ID handler uses connection strings as well to decrypt the authentication request from Live ID, so it is important to configure the Live ID connection string in your web.config as well.

Does that make sense?

Shan McArthur

May 18, 2010 at 5:56 PM
Edited May 18, 2010 at 5:58 PM

Thanks for the help. I really, REALLY appreciate it.

In the web.config I'm seeing :

<add verb="*" path="LiveID.axd" type="Microsoft.Xrm.Portal.Web.Handlers.LiveIdWebAuthenticationHandler, Microsoft.Xrm.Portal"/>

Maybe an example domain might make the document clearer.

In the installation document is being used, so for my domain on Live Services and Active Directory Federation settings I put servername.division.organization.companyextension. Is this format for the domain correct(should I be including the FQDN with the servername)?

When I look at the document where the domain settings are mentioned : "For the Return URL place prepend ,http:// or https:// and append liveid.axd to the domain."

So I've tried changing the Return URL to the following: without success like you point out above.

http://servername.division.organization.companyextension/liveid.axd without success.

I'm still trying to hack my way into getting this to work...I've got a few ideas...but this definitely isn't as easy as I would like to get setup. I'll report back later today on my progress.

Thanks for the help. If/When I get this working I'm more than happy to put together a screencast/HOL on customizations. I'm in fact trying to build a complaint manangement workflow/portal.



May 18, 2010 at 6:24 PM

The domain name that you register in the Live ID has to be the domain name of your website.  For example, if you are hosting your site as, then you have to use as your domain name and use as the return url.  You have the option of using https as long as you have that configured on your site.

"servernane.division.organization.companyextension" does not appear to be a valid domain name.

Keep this in mind - Live ID is an SSO solution.  Your website will redirect the user to Live ID services, which will authenticate the user within the Live ID domain.  You have to pass along your app ID as part of the redirect so that Live ID knows where to redirect the user once they are authenticated.  Once the user is authenticated in Live ID, Live ID will send a special HTML page to the browser which will invoke a POST to your registered authentication handler (return url).  If you don't have the correct domain name and authentication handler, the browser will post into the wrong location and nothing will work.  The authentication handler will accept this POST request, which includes an encrypted context, it will decrypt and validate it, then locate the user and use forms authentication to authenticate the user or redirect to the signup url if this is a new user.  This redirect is using the same technique as Live ID in that it crafts a special HTML page that will post to the redirect url.

Live ID is non-trivial, and it is important for you to understand how it works.  That said, we have simplified it so that all you have to do is configure an connection string plus register your portal application properly in Live ID.  Once you get those settings figured out, the rest of the system should just work.  We have also implemented a secure invitation model in the portal code - which again can seem complicated, but you can simplify it if you wish.

Shan McArthur

Jun 16, 2010 at 9:30 PM

So I have a site working on a machine: (which has a simple dns entry).

LiveId returns to  (port 81 because CRM is on 80)

I have a second site on the same machine with a dns entry which allows access to

I dropped the 99 to satisfy liveid that it is a different machine and a different port number because it is a new site on the same machine.  The first site works, the second site works until I try to log in.  I am assuming it is because the actual machine name is crmtest99 (even though this shouldn't matter)


Jun 16, 2010 at 11:35 PM

From the portal framework standpoint, you can host these sites using different port numbers with no problems, except for Live ID design issues.  If you follow my blog article about switching the website to using Active Directory membership provider instead of Live ID, it will get rid of the issues about having to register two different Live ID apps using two different domain names.

There is no dependency on the portal and the actual machine name.  For Live ID to work, it is all about dns name resolution and having the AppID set up properly in each site.

Here is the article: