Windows Live ID Login Issue

May 21, 2010 at 7:39 PM

We are installing the new Customer Portal Accelerator. All the Customer Portal customizations have been installed per the installation document and the site is running normally. 

As a connectivity test, we have created a new Event and can see the event listed on the portal as expected. 

Our issue is when we attempt to login using LiveID, we are immediately returned to the LiveID login screen when accessing the Schedule a Service, Cases and Knowledge Base tabs.

 We have successfully ran the workflows generating the new user invitiation, accessed the portal with the unique keyed URL, received the Password Question and entered response challenge validation screen and successfully validiated.

The last successful logon date/time fields on the Web Authentication tab on the Contact record are being updated when we attempt a login.    

May 21, 2010 at 8:52 PM

Please read the "Customer Portal Functionality and Administration Guide_v1.0.doc" file.  The portal doesn't make any assumptions about your security model - it uses custom entities so that you can configure the appropriate security for your customers.  For example, to edit a case, you must have configured a Case Access Permissions entity that specifies that the customer can manage cases, and which scope (account or self) that they are granted those permissions.  The case access security permission is documented at the bottom of page 12 of the guide.

As far as the KB search page, the only test is that the user must be authenticated.  Please validate that the user's name and a "Manage Account" link is in the header.  If you still see Sign In, then something went wrong with the signup process and we need to troubleshoot that.

Shan McArthur

May 21, 2010 at 10:46 PM

I have read the  "Customer Portal Functionality and Administration Guide_v1.0.doc" file completely.  I have access permissions setup for both account and self under the Account, Contact and Case permissions area, but I do not believe I am making it that far, even though the Last Successful Login date/time is being updated.

I believe my error lies in your second paragraph.  When I click login on the portal and reditected to the Windows LiveID screen, I login and am returned to the Customer Portal.  The "Sign In" located in the upper right portion of the portal screen still says "Sign In", I have no LiveID UID listed with a Manage Account.

I have double checked the Authorization and Secret Key numbers, even regenerating a new Secret Key, updating the web.config and Rebuilding the entire solution.  No change.

Are there any IIS authenciation settings or possible firewall settings I need to be converned about?  The non-secure pages (i.e. Home Page, Event Management page) are displaying properly and I can see Event Management data from CRM listed on the Event Management tabs, so I know my AD connection to CRM is operating correctly.  My IIS is set to authenciate for Anonomous and Windows authenciation.  My firewall has the http port (80) open only


May 21, 2010 at 10:51 PM

I think I will need to help you over a web meeting.  Click on my contact and send me an email so that we can coordinate this.

The only other thing I can think of is that your Live ID return url is not set up properly (are you using live.axd or liveid.axd)?


May 21, 2010 at 10:52 PM
Edited May 21, 2010 at 11:01 PM



May 21, 2010 at 10:54 PM
Edited May 21, 2010 at 11:02 PM



May 22, 2010 at 12:43 AM

Problem solved.  Old Live ID password in web.config on deployed web server.  We will look at how to add more debug information to make this easier to troubleshoot.


May 25, 2010 at 12:14 PM

I have the same problem. I checked my web.config. I'm using liveiD.axd.

Please, can anyone help me!!!

May 25, 2010 at 2:49 PM

I also had to set the appropriate authentication types on the Portal Website in IIS.  The only two authentication types I have enabled are Anonomous and Forms.  All others are disabled.

May 25, 2010 at 3:04 PM

dnick - your settings for IIS authentication are correct.  We will be documenting the IIS website setup more carefully in the next round of documentation and will include these settings in the next document.  Thanks for pointing that out.

rceiba - please send me the following:  the url of your portal (even if it is not accessible to the web), the return url in the Live ID application screen, and a double-confirmation that the app id and the secret match the Live ID connection string in your portal.  Do you get any error messages, or do you just land back on the home page?  Also, have you implemented the user invitation mechanism?


May 25, 2010 at 6:32 PM

Problem solved.

I changed the aunthentication types on the Portal WebSite (Anonymous and Forms).



May 30, 2010 at 8:42 PM

Hello All,

Thanks to a great Sunday hint from Shan, we're getting so very close to having a working portal.  I can 'see' the portal and i've been able to change some basic content.  So application authtication is working, woot!

However (similar) to this thread, when I sign in via Live I'm re-directed back to the portal home page via the correct URL I've specified 'liveID.axd', but the user isn't ever logged in.  I've triple checked the url's and even changed the case in web.config to match what was registered with a lower case 'l' in liveID.axd.

IIS 6 is setup for anon authentication (default setup).

Thank you


May 30, 2010 at 10:46 PM

The Live ID implementation that was shipped with the portal is a pretty secure implementation, however, that additional security adds complexity as well.  To log in with Live ID, using the unmodified portal code (you can modify it to meet your own needs), you need to use the invitation mechansim.  That involves generating an invitation code on the contact editor, and setting a security question and answer.  There is a workflow that will send the invite email.  If you are just testing, simply run the workflow and then copy/paste the url.  The url will include an invitation code.  When you click on Live ID to sign in, you will go to Live ID, and then be redirected back to the portal using the Return URL in Live ID.  Make sure it matches the live ID authentication handler wired up in the web.config.  If anything goes wrong, including missing the invitation code or the security questions, you will find yourself on the home page, unauthenticated.

In summary, check your domain name, return url, ensure that the user has a valide invitation code, and a security question and answer.  With all of those things in place, the user will be authenticated and you will see a PUID (sort of like a GUID) in the username field on the web authentication tab of the contact form.

Shan McArthur

May 30, 2010 at 10:54 PM

Hello Shan,

I was misreading the information on the page, I'd enabled the user so I thought that would do it.  Sure enough went to the workflow for the user, found the most recent email recorded and copy/pasted the url and it worked like a charm.  Thanks again Shan really appreciate the help!

Kind Regards,


Jun 29, 2010 at 1:08 AM

I am having issues with the Live page. bit of background info: Im trying to set up this portal on a VM for demonstration purposes. I registered with azzure and got my keys etc and in there i put my domain name as the computer(vm) domain name e.g. moss.local    I installed the e-services on port 85 i.e localhost:85 and the page loads up fine. when I generate the invitation email, i click on the link and process to press the sign-in button, from there im redirected to http://moss.local/liveid.axd which doesnt work obviously. but putting in the url localhost:85/liveid.axd just redirects me to the default home page and i STILL need to sign in again! if i put localhost:85/liveid.axd i get an error stating resource not found etc Im not sure what to do,when is this liveid.axd file generated?is it during the websitecopy.exe stage?any ideas??!thanks!


Jun 29, 2010 at 5:51 AM


The configuration that you explained will not work with Live ID.  Live ID will issue an HTML response that will POST to your return url.  It is not sufficient to change the url in the browser after authenticating with Live ID.  I would recommend that you set up a host entry in your hosts file or an alias in your DNS to point moss.local to the IP address of your website.  Live ID will not let you use localhost for a domain name, nor an IP address.  If you want to set things up for running in a demo machine, I recommend reading my blog article:


Jun 29, 2010 at 6:08 AM

Thanks Shan,will give that a go and see how it goes...

Jun 30, 2010 at 12:15 AM

worked like a gem :) thanks once again shan

Jul 5, 2010 at 8:02 PM


I have the same problem as dnick.   I have not be able to resolve the issue.  I get thrown back to the live id signin now matter what I do.

I am running Microsoft CRM Online and Azure so I don't think I can adjust the authentication types for the web site.

Can you help me to resolve this.


Jul 5, 2010 at 9:06 PM
Edited Jul 5, 2010 at 9:11 PM

Hi, rmcperson70,

Assume that you are using CRM Online with Live ID.  You are running the CPA on an Azure instance at  To make Live ID work, you need to:

Use the correct authentication string in web.config for the Live ID provider.  You get this from the Live ID provisioning page. 

The Live ID invitation *must* already exist in the CRM contact record and the Live ID has to be a real Live ID.  To ensure that you have the Live user set up correctly you can either

  1. Run the workflow provided and respond to the email, which requires functioning email, or
  2. Manually enter the confirmation link into your browser, which is a whole lot easier.  The URL string is in the Customer Portal Signup email template and is{Invitation Code(Contact)}. 

Next, you

  1. Log on as the Live ID you are setting up. 
  2. Get the invitation code from the contact's web authentication tab and manually build the URL.  Follow the steps presented.  When the process is done, you'll see a GUID-ish entry in the CRM contact Username field (Web Authentication tab).  This string is a kind of hash of the user's Live ID adn your domain.  Note that *no* information about the Live ID is passed directly.  The person loggin in has to provide any profile infromation you want as a separate (visible and permitted) step.  

Now when you log on as the Live ID you set up, you'll get the "Manage Profile" link.  You will not get the CMS features until you add that contact to the Customer Portal Administrators web role and log in again. 

The domain name you use to create the Live credentials *must* be the same URL you use to access the web site.  If you got your Live credentials for, and you publish to your Azure staging slot, Live auth will not work because the external domain is [some guid]  To fix it, VIP switch to the production slot (which you previously set up as, right?)  and try from that URL. 

One last note: Any time you make a change in the CRM, such as registering a new user to Live ID, be sure to reset the portal cache, even if you think you shouldn't have to do that.  That way your web site will have the most up-to-date information from CRM.  Here's the order of process:

  1. I register with Live ID and get the authorization secrets for my domain. 
  2. I enter that information in web.config.   
  3. I publish my site (to Azure) on the slot that matches the domain I registered with Live ID. 
  4. I set up a contact manually using the procedure above. 
  5. I reset the portal cache, even though I don't think I should have to. 
  6. I log onto CRM using the Live ID I just registered and follow the registration process if it's my first time. 

Now I should see the "Manage Profile" link, and if I am in the Customer Portal Administrators web role I'll also see teh very cool content management controls. 

Like many things this is simpler looking back.  Manually create and test the credentials, reset the portal cache each time you change CMS. make sure your app is hosted on the correct domain name, and it ought to work just fine. 

 Todd "Cloudrocket" Shelton

Jul 6, 2010 at 1:19 AM

Thanks Todd,

I beleive I have this all provisioned properly.

AS for the Live Id providisioning are you refering to the web.config?


<add name="Xrm" connectionString="Authentication Type=Passport;    Server=https://crmurl; User; Password=wlidpassword; Device ID=your-device-id; Device Password=your-device-password"/>

<add name="Live" connectionString="Application Id=0000000000000000; Secret=aaaaaaa"/>


This is what I have (with my credentials) setup for my portal:

I have tried setting up a contact and the invitation code generates proplery.  The email goes out and when I click on the link it brings me back to the page.  When I try to login I get same results (page refreshes but does not sign in).

I tried building the URL with the invite code but I got the same results.   I cannot login.  I just throws me back and each link I click on asks for a login which won't take.

I was able to publish an Event from CRM so this portion seems to be ok.






Jul 6, 2010 at 3:18 AM

Hi rm...

First, you're using the actual Live ID Application ID and Secret you got from, right? 

Second, the invite code string in the invite email is broken.  This is an artifact of the rather primitive tem[plate editor--even though you can pick up the Invitation Code and it appears to be part of the URL, it won't be.  To bypass that, did you log on as that WLID, then manually built the URL *while* you are still logged on as that WLID?  Success from that page will erase the invitation code and date, then write the LiveID hash to teh Userbname field--all these fields are in the Web Authentication tab on on the Contact record. 

Finally, check that the return URL you gave to is [...]/liveid.axd, not live.axd.  There was a glitch in the docs. 

If that doesn't work, let me know and we'll set up an LM and figure it all out! 


Jul 7, 2010 at 6:40 PM
CR, I figured it out. I was assuming that the credentials used in the web.config would automatically give me admin access to the portal. I followed the steps for creating a contact and setting up the permissions and it began working properly. It was just a case of RTFM. Thanks for all your help. RM
Jul 7, 2010 at 10:21 PM

Glad you figured it out--it's not that obvious how everything works together.  I think getting wet with Live ID is a super-important piece of knowledge.  What Microsoft is doing with Live ID is way beyond Hotmail logons.  Live ID is a cloud platform for federating and managing claims-based identities from everywhere.  For more info, take a look at what ADFS does.  Thanks for hanging in there--it's a great feature to offer your users. 

Sep 7, 2010 at 5:54 AM

I have a similar yet slightly differnent problem on the Partner Portal version.  The workflow seems to be working fine and it generates the email with the link as shown below (my domain replaced with "mydomain")

However, when I clicked on the link above, the link sends me to the partner portal sign in webpage and when I sign in, it still sends me right back to the sign in page and I do not see the Manage Account link.  What I noticed was that when I clicked on the link above, the web address on the Partner Portal said{Invitation Code(Contact)}. 

For some reason, the Invitation Code was not showing up and instead "{Invitation Code(Contact)}" text was listed on the web address as listed above.

Only when I cut and paste the link from the email directly onto the browser and press entered, I was prompted with Password Question/Answer and finally able to log into the portal. 

The return URL is ".../liveid.axd" and I've also done Cache Refresh.

On a separate instance, I installed Customer Portal and that didn't have this problem.

Does anyone have any idea why this might be happening on the Partner Portal or what I might have missed here?