CRM 2011 with ADFS Outlook client does not work

  • Question

  • Hi,

    We have installed CRM 2011 On-Premise on one server and the ADFS 2.0 on another server.

    Open in Internet Explorer works great but when we try to configure the Outlook client it just says "Cannot connect to server because we cannot authenticate your credentials".

    There is no time difference on the client and the CRM or ADFS server.
    There are no duplicate SPNs.
    There are no problems when tracing with Fiddler or in the ClientConfig log file.

     

    Does anyone have more ideas of where we can find problems causing this?

    Regards

    Joakim Gustafsson

    Stratiteq

    Friday, August 19, 2011 9:31 AM

Answers

  • Hi,

    Finally found the thing causing the problem. There was an SPN registered on a service account that was used in the testing phase. It was a HOST/ SPN, so that's why I didn't find it at first.

    Removed the SPN and Outlook clients were able to configure again.

     

    /Joakim

    • Marked as answer by Joakim G Monday, August 22, 2011 7:18 AM
    Monday, August 22, 2011 7:17 AM
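
An added example, not part of the original answer: a PowerShell check that groups SPNs by host name across every service class, so a HOST/ entry on a service account shows up even when the search was aimed at http/ SPNs. The function name, account names and the example.local domain are hypothetical, and treating a HOST/ SPN on a non-computer account as worth review is an assumption of this example.

```powershell
# Added example, not from the thread. Input objects need Name, ObjectClass and
# ServicePrincipalName, e.g. from the ActiveDirectory module:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
function Find-SpnReviewCandidate {
    param([Parameter(Mandatory)] [object[]] $Account)

    $rows = foreach ($a in $Account) {
        foreach ($spn in $a.ServicePrincipalName) {
            # SPN layout: class/host[:port][/servicename]
            $parts = $spn -split '/'
            if ($parts.Count -lt 2) { continue }
            [pscustomobject]@{
                Host    = ($parts[1] -split ':')[0].ToLowerInvariant()
                Class   = $parts[0].ToUpperInvariant()
                Account = $a.Name
                IsUser  = ($a.ObjectClass -ne 'computer')
                Spn     = $spn
            }
        }
    }

    foreach ($g in ($rows | Group-Object -Property Host)) {
        $owners   = @($g.Group | Select-Object -ExpandProperty Account -Unique)
        $hostUser = @($g.Group | Where-Object { $_.Class -eq 'HOST' -and $_.IsUser })
        # Report a host name when more than one account holds SPNs for it, or when
        # a HOST/ SPN sits on a non-computer account (the case in this thread).
        if ($owners.Count -gt 1 -or $hostUser.Count -gt 0) {
            [pscustomobject]@{
                Host          = $g.Name
                Accounts      = $owners -join ', '
                HostSpnOnUser = @($hostUser | ForEach-Object { $_.Spn }) -join ', '
                Spns          = @($g.Group | ForEach-Object { $_.Spn }) -join ', '
            }
        }
    }
}

# Constructed sample data (hypothetical names), shaped like Get-ADObject output.
$sample = @(
    [pscustomobject]@{ Name = 'ADFS01';   ObjectClass = 'computer'; ServicePrincipalName = @('HOST/adfs01', 'HOST/adfs01.example.local') }
    [pscustomobject]@{ Name = 'svc-adfs'; ObjectClass = 'user';     ServicePrincipalName = @('http/sts.example.local') }
    [pscustomobject]@{ Name = 'svc-test'; ObjectClass = 'user';     ServicePrincipalName = @('HOST/sts.example.local') }
)
Find-SpnReviewCandidate -Account $sample | Format-List
```

A host name held by a computer account and one service account can be a normal setup, so the output is a review list rather than a verdict. A confirmed stray entry is removed with `setspn -D <spn> <account>`.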

All replies

  • Some additional things we found:

    - A computer with a user that is not in the same domain can configure Outlook Client without problem.

    I did a trace when configuring the client and got this:

    >Exception during Signin System.ServiceModel.Security.MessageSecurityException: Unable to create a security token reference.

    Server stack trace:
       vid System.ServiceModel.Security.Tokens.SecurityTokenParameters.CreateGenericXmlTokenKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
       vid System.ServiceModel.Security.Tokens.IssuedSecurityTokenParameters.CreateKeyIdentifierClause(SecurityToken token, SecurityTokenReferenceStyle referenceStyle)
       vid System.ServiceModel.Security.SendSecurityHeader.SignWithSupportingTokens()
       vid System.ServiceModel.Security.SendSecurityHeader.CompleteSecurityApplication()
       vid System.ServiceModel.Security.SecurityAppliedMessage.OnWriteMessage(XmlDictionaryWriter writer)
       vid System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
       vid System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
       vid System.ServiceModel.Channels.TextMessageEncoderFactory.TextMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
       vid System.ServiceModel.Channels.HttpOutput.SerializeBufferedMessage(Message message)
       vid System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
       vid System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
       vid System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       vid System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       vid System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       vid System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       vid System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       vid System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       vid System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       vid System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       vid Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
       vid Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
       vid Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Issue(IssuerEndpoint issuerEndpoint, String appliesTo, String requestType, String keyType, ClientCredentials clientCredentials, SecurityToken securityToken)
       vid Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(TokenServiceCredentialType endpointType, String appliesTo, String keyType, IssuerEndpointDictionary issuerEndpoints, ClientCredentials clientCredentials, SecurityToken securityToken)
       vid Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(TokenServiceCredentialType endpointType, String keyType, ClientCredentials clientCredentials, SecurityToken securityToken)
       vid Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(SecurityToken securityToken, String keyType)
       vid Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(SecurityToken securityToken)
       vid Microsoft.Xrm.Sdk.Client.DiscoveryServiceConfiguration.Authenticate(SecurityToken securityToken)
       vid Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateHomeRealm()
       vid Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
       vid Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.form_CredentialsEntered(Object sender, EventArgs e)

    Friday, August 19, 2011 10:19 AM
  • Hi Joakim,

    You are using the same URL to configure the clients?  So you are using https://dev.<yourdomain>:<yourportifnotdefault> and then entering the user credentials and it fails at that point?


    Best regards,

    Kim Johnson
    Partner Online Technical Community
    Friday, August 19, 2011 5:29 PM