The Authentication Endpoint Kerberos was not found on the configured Secure Token Service

Roshan Mehta, 20 September 2013

We recently set up an internet-facing deployment for Microsoft Dynamics CRM 2013 using ADFS 2.1 as our Secure Token Service. Users were able to access CRM without any issues, but our custom applications were unable to establish a connection with CRM via the SDK. The error message we were getting was "The Authentication Endpoint Kerberos was not found on the configured Secure Token Service".

As part of our ongoing troubleshooting, we tried to use the Plugin Registration Tool to connect to an organisation in our CRM 2013 deployment. However, this was giving us an error stating that there are no organisations to connect to.

A Knowledge Base Article has been released by Microsoft which outlines the steps to fix this issue. This involves updating the MEX Endpoint by running the provided PowerShell script. However, you may encounter the following error during the execution of the script.

Error: The Deployment Service cannot process the request because one or more validation checks failed.

VerifyConfigurationEntityNotAmbiquous raising error: This setting has multiple instances. The Id of the instance is required to set or get the ActiveMexEndPoint property.


On the SQL Server, connect to the MSCRM_CONFIG database and look for the dbo.FederationProvider system table. Next, run the built-in script to select the top 1000 rows.

You should see more than one entry in this table, as suggested by the error message above. You will need to update the ActiveMexEndpoint property for all entries to match the following URL:

Lastly, perform an iisreset on the CRM and ADFS servers and try running your custom application again. It will now connect to your CRM 2013 organisation without any issues!
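The database steps above written out as T-SQL. This is an added example, not part of the original post or the Microsoft KB script. The column names Id and ActiveMexEndpoint are assumed from the error message and the property name mentioned above, and the URL is a placeholder because the post does not show the value.

```sql
-- Added example: inspect and align ActiveMexEndpoint across all
-- dbo.FederationProvider rows in MSCRM_CONFIG.
-- Assumptions: columns Id and ActiveMexEndpoint exist as named on this page;
-- the URL below is a placeholder, not a value from the post.
USE MSCRM_CONFIG;
GO

-- 1. Confirm the condition from the error message: more than one row.
SELECT Id, ActiveMexEndpoint
FROM dbo.FederationProvider;

BEGIN TRANSACTION;

-- 2. Keep the previous values so the change can be reviewed or reverted.
SELECT Id, ActiveMexEndpoint
INTO #FederationProviderBefore
FROM dbo.FederationProvider;

-- 3. Placeholder: replace with the MEX endpoint URL of your ADFS server.
DECLARE @MexUrl nvarchar(2048) = N'<ADFS-MEX-ENDPOINT-URL>';

-- 4. Update only the rows that differ, so the row count reflects real changes.
UPDATE dbo.FederationProvider
SET ActiveMexEndpoint = @MexUrl
WHERE ActiveMexEndpoint IS NULL
   OR ActiveMexEndpoint <> @MexUrl;

SELECT @@ROWCOUNT AS RowsChanged;

-- 5. Compare old and new values side by side before committing.
SELECT b.Id,
       b.ActiveMexEndpoint AS OldValue,
       f.ActiveMexEndpoint AS NewValue
FROM #FederationProviderBefore AS b
JOIN dbo.FederationProvider AS f ON f.Id = b.Id;

-- 6. Commit if every row shows the intended endpoint;
--    otherwise run ROLLBACK TRANSACTION instead.
COMMIT TRANSACTION;

DROP TABLE #FederationProviderBefore;
```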