CRM 2011 Outlook Client cannot authenticate credentials externally

  • Question

  • Hi,

          I'm having a problem signing in to the CRM client for Outlook when outside the domain; I got a message saying cannot authenticate your credentials. It works if I'm inside the domain.

          I'm using MS CRM 2011 + IFD + Forefront TMG

    Externally:

    1. Connect to CRM through IE web URL - OK

    2. Connect to CRM through Outlook client - ERROR

    Internally:

    1. Connect to CRM through IE web URL - OK

    2. Connect to CRM through Outlook client - OK

     

    I enabled tracing on the Outlook client, and there is an entry in the log file - "Attempt to retrieve user's upn (user principle name) failed." It was working fine before; the thing that has changed is the Windows update that we applied 2 weeks ago.

    If more logs are needed, I can collect and send them to you.

    Thanks for your help.

     

     

    Regards,

    DL

     


    Regards, Dean
    Tuesday, January 24, 2012 3:56 AM

Answers

  • The CRM and ADFS servers are on different servers and use different names.

    Using a network monitoring tool, we noticed the client authenticates to ADFS through port 80 instead of port 443. Opening up port 80 works but is not a secure way.

    In the end, we found out that there is a setting under ADFS MMC - Service - Endpoints: adfs/services/trust/13/username was turned on. Disabling the service fixed the issue, and the client authenticates using port 443. We are not sure why that service was turned on, maybe a Windows update?

    Regards,

    Dean


    Regards, Dean

    • Marked as answer by DLMyriad Tuesday, February 14, 2012 12:02 AM
    Tuesday, February 14, 2012 12:02 AM

All replies

  • Did you happen to install the initial release of UR6? I did and subsequently had all kinds of Outlook client problems. I have an IFD installation and the browser-based client worked fine but the Outlook client was really messed up. I would get the "Cannot connect... cannot authenticate.." error. I installed the recent UR6 re-release and the Outlook client is happy again.

    Matt

    Wednesday, January 25, 2012 7:36 PM
  • Enable logging on TMG and recreate the issue; what is TMG saying?

    Are you maybe logged on with a domain user automatically? Is this on every OS and machine?

    Do the date and time match on server and client?


    greetz dao
    Thursday, January 26, 2012 12:45 PM
  • Hi,

         I installed UR6 on the client but still no luck.

          For TMG, interestingly, I saw the following log:

    Failed Connection Attempt TMG01 27/01/2012 9:31:59 AM
    Log type: Web Proxy (Reverse)
    Status: 64 The specified network name is no longer available. 
    Rule: sts.crm
    Source: External (<Client public IP>:50610)
    Destination: Local Host (xxxx.mydomain.com 192.168.xx.xx:443)
    Request: POST http://sts.xxxx/adfs/services/trust/13/kerberosmixed
    Filter information: Req ID: 0b41180e; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
    Protocol: https
    User: anonymous

     

    Denied Connection TMG01 27/01/2012 9:31:59 AM
    Log type: Web Proxy (Reverse)
    Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL). 
    Rule: Default rule
    Source: External (<Client Public IP>:50611)
    Destination: Local Host (192.168.xx.xx:80)
    Request: POST http://sts.xx.xx/adfs/services/trust/13/username
    Filter information: Req ID: 0b411810; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
    Protocol: http
    User: anonymous

     

     

    Any thoughts?

     

    Dean


    Regards, Dean
    Friday, January 27, 2012 1:49 AM
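
An added example, not part of the original thread: a Python check that parses TMG reverse-proxy entries in the layout quoted in the post above and flags WS-Trust requests (`/adfs/services/trust/...`) that reached the proxy over plain HTTP or on port 80. The sample log is constructed from the quoted entries with placeholder hosts and addresses, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the two entries quoted in the post above;
# host names and IP addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Failed Connection Attempt TMG01 27/01/2012 9:31:59 AM
Log type: Web Proxy (Reverse)
Status: 64 The specified network name is no longer available.
Rule: sts.crm
Source: External (203.0.113.10:50610)
Destination: Local Host (sts.example.test 192.168.0.10:443)
Request: POST http://sts.example.test/adfs/services/trust/13/kerberosmixed
Protocol: https

Denied Connection TMG01 27/01/2012 9:31:59 AM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: External (203.0.113.10:50611)
Destination: Local Host (192.168.0.10:80)
Request: POST http://sts.example.test/adfs/services/trust/13/username
Protocol: http
"""

def parse_entries(text):
    """Split on blank lines; the first line is the event title, the rest 'Key: value'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        entry = {"Event": lines[0]}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def plaintext_wstrust(entries):
    """Return (event, path, rule) for WS-Trust requests seen over http or port 80."""
    hits = []
    for e in entries:
        parts = e.get("Request", "").split()
        path = urlsplit(parts[-1]).path.lower() if parts else ""
        port = re.search(r":(\d+)\)\s*$", e.get("Destination", ""))
        # The Request URL shows http:// even for the https entry, so the
        # Protocol field and the destination port decide, not the URL scheme.
        plain = e.get("Protocol") == "http" or (port and port.group(1) == "80")
        if path.startswith("/adfs/services/trust/") and plain:
            hits.append((e["Event"], path, e.get("Rule", "")))
    return hits
```

On the sample, only the `username` request on port 80 is reported; the `kerberosmixed` request on 443 is not.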
  • Firewall, DNS, proxy, IE settings?

    Can another user account log on via Outlook?

    Check CRM Deployment Manager in properties to see if the correct web addresses are there.

    Uninstall CRM, clean up %appdata% MSCRM, restart, and install again.

    Deactivate third-party add-ins.

    Is the external IP routed internally?

    maybe this can help: http://social.microsoft.com/Forums/en-US/partnerdynamicscrm/thread/0e4a466d-b5ba-452a-bcc0-794b8a19863b

     



    greetz dao
    Friday, January 27, 2012 8:38 AM
  • Hi,

    When I access CRM 2011 website using IE all authentication is done via port 443 over SSL.

    When I access the CRM 2011 via Outlook, it appears the token authentication is being done via port 80 with NO SSL.

    Any thoughts for this behavior?

    Regards,

    Dean


    Regards, Dean
    Tuesday, January 31, 2012 3:08 AM
  • I'm not sure how you have everything set up, but if ADFS is on the same server as CRM then you should use an alias for ADFS instead of the server name.  You will need to set this in DNS and make sure your certificate works with the new name.  You will also need to double check your IFD config in Deployment Manager etc.
    Marc Collins www.QGate.co.uk
    Wednesday, February 1, 2012 11:42 AM
  • I should make it clear that ADFS and CRM should use different names.  There is/was a bug that prevented authentication with Outlook due to CRM and ADFS both using the server name.  Giving ADFS an alias fixed it.
    Marc Collins www.QGate.co.uk
    Wednesday, February 1, 2012 11:48 AM