Problems connecting CRM 2011 webservice after ADFS / IFD configuration

Hi,

till last month we used CRM 2011 in local intranet only. Few weeks ago we installed ADFS and we switch to IFD. Since that I'm experiencing a lot of problem when connecting to CRM webservice from external apps. CRM itself runs quite good.

I get a lot of errors like:

System.InvalidOperationException: Metadata contains a reference that cannot be resolved: 'https://companyGroup.company.com:444/XrmServices/2011/Organization.svc?wsdl=wsdl0'. 
---> System.InvalidOperationException: There is an error in XML document (1, 1432). 
---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. 
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

Our configuration looks now:

CRM is accessible in our local intranet under crm.company.com:444(1) (windows authentication prompt)

Crm is reachable from outside under companyGroup.company.com:444 (2) (ADFS login form)

CRM 2011 and ADFS installed on same server, URL adfs.company.com

When I open CRM I see following services under developer resources:

for (1)
https://crm.company.com:444/XRMServices/2011/Discovery.svc (3)
https://crm.company.com:444/companyGroup/XRMServices/2011/Organization.svc (4)

for (2)
https://dev.company.com:444/XRMServices/2011/Discovery.svc (5)
https://companyGroup.company.com:444/XRMServices/2011/Organization.svc (6)

We are running ASP.NET app in our intranet where users can make some data entry and save it to CRM. Here is my C# code:

        private void InitializeDiscoveryServiceProxy(Uri discoveryUri, string userName, string password)
        {
            var credentials = new ClientCredentials();
            var discoveryConfig = ServiceConfigurationFactory.CreateConfiguration<IDiscoveryService>(discoveryUri);

            if (discoveryConfig.AuthenticationType == AuthenticationProviderType.Federation)
            {
                credentials.UserName.UserName = userName;
                credentials.UserName.Password = password;
            }
            else if (discoveryConfig.AuthenticationType == AuthenticationProviderType.ActiveDirectory)
            {
                credentials.Windows.ClientCredential = new NetworkCredential(userName, Password);
            }

           
            _discoveryServiceProxy = new DiscoveryServiceProxy(discoveryConfig, credentials);
            _discoveryServiceProxy.Authenticate();

        }

        private void InitializeOrganizationServiceProxy(Uri organizationUri, string userName, string password)
        {
            //to ignore certificate errors
            ServicePointManager.ServerCertificateValidationCallback = AcceptAllCertificatePolicy;

            var credentials = new ClientCredentials();
            var serviceConfig = ServiceConfigurationFactory.CreateConfiguration<IOrganizationService>(organizationUri);
            if (serviceConfig.AuthenticationType == AuthenticationProviderType.Federation)
            {
                credentials.UserName.UserName = userName;
                credentials.UserName.Password = password;
            }
            else if (serviceConfig.AuthenticationType == AuthenticationProviderType.ActiveDirectory)
            {
                credentials.Windows.ClientCredential = new NetworkCredential(userName, Password);  
            }

            _organizationServiceProxy = new OrganizationServiceProxy(serviceConfig, credentials);
            _organizationServiceProxy.Authenticate();

            if(!_organizationServiceProxy.ServiceConfiguration.CurrentServiceEndpoint.Behaviors.Contains(typeof(ProxyTypesBehavior)))
                _organizationServiceProxy.ServiceConfiguration.CurrentServiceEndpoint.Behaviors.Add(new ProxyTypesBehavior());
            _organizationServiceProxy.EnableProxyTypes();
        }

        private bool AcceptAllCertificatePolicy(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }

First strange behaviour is I can't connect to CRM from my webapp using services (3) and (4). Everytime I get error "Access denied". When I use links for external access (5) and (6) everything runs ok except that I get "Metadata contains..." exceptions. Our app runs in intranet so I think it should be possible to reach "local" CRM services. I'm using same credentials in both cases.

And second problem we have are those "Metadata contains..." exceptions when I use (5) and (6). When I try to open webservice url in browser https://companyGroup.company.com:444/XrmServices/2011/Organization.svc?wsdl I see an internal error. But at the same time if I go on https://crm.company.com:444/XrmServices/2011/Organization.svc?wsdl everything looks fine. I need to do iisreset, than it runs again for some hours. And it's important for us because we want to have another webapp hosted outside, so I need stable access to our CRM.
In event log I don't see any related errors.

Can you please help us?