Configuring Outlook client with claims based authentication

  • Question

    • Greetings,

      We have installed CRM with claims based authentication and a wildcard certificate we have purchased from GoDaddy.

      Everything is working fine except for the Outlook clients, which fail to connect.

      I enter the CRM server's address: https://crm.domain.com, and get a "Microsoft Dynamics CRM login window". Whatever user I input there, including the domain admin, which is also a system administrator on the CRM, I keep getting the following message:

      Cannot connect to Microsoft Dynamics CRM server because we cannot authenticate your credentials

      There is no sign of something like this in the log; it's like an external window or something.

      Can anyone help me with this?

       

      Assaf

    Wednesday, February 1, 2012 9:51 AM

Answers

  • Thanks everyone.

    I have decided to leave the crm with regular HTTPS connection without claims based authentication.

    • Marked as answer by Assaf Lev Sunday, February 12, 2012 11:17 AM
    Tuesday, February 7, 2012 7:43 PM

All replies

  • This often can be a very perplexing issue to solve. You didn't mention whether these clients were on the network or connecting over the Internet.

    Here are two quick items to do right off before you dig deeper.

    1. Confirm that the client computer and the server time are in sync.

    2. Remove the Live ID signin assistant from the client computer.

    What is the OS of the client computer?

    Jerry, Microsoft Dynamics CRM MVP
    CRM Innovation
    Wednesday, February 1, 2012 3:02 PM
  • Hi Jerry, Thank you for answering me,

     

    Those clients are members of the domain and connect internally using the external address.

     

    1. Time is indeed synced

    2. Already removed the Live ID sign in assistant

     

    Client OS is Win7 (Not XP :))

     

    Any other ideas?

    Assaf

    Wednesday, February 1, 2012 7:03 PM
  • Hi Again,

     

    This is the relevant part of the log file:

     

    6|Verbose| Method exit: Microsoft.Crm.Application.Outlook.Config.ServerForm._testConnectionButton_Click

    23:02:18|  Error| Error connecting to URL: https://Servername.domain.co.il/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Credentials required

       at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateHomeRealm()

       at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()

       at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)

       at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)

       at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)

    23:02:24|  Error| Error connecting to URL: https://Servername.domain.co.il/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed

    When I access the url from IE, it works.

     

    Please help,


    • Edited by Assaf Lev Wednesday, February 1, 2012 9:21 PM
    Wednesday, February 1, 2012 9:20 PM
  • Hi Assaf, make sure that your domain account in AD has logon access to the CRM Server.

     


    Kevin Dan
    Thursday, February 2, 2012 6:08 AM
  • Hi Kevin, as I said - from IE everything is working fine, both adfs and CRM.

     

    Thanks,

    Thursday, February 2, 2012 8:19 AM
  • Hi Assaf,

    I had a similar issue a few days ago. It worked fine in IE for both IFD and internal, but the login window kept popping up in the Outlook configuration wizard, and even the CRM administrator account wouldn't work. The cause in my case: the net admin had restricted my domain account (the one Outlook runs as) to the CRM Server. Once they got rid of the restriction, the issue was fixed. I guess the Outlook CRM plugin passes credentials differently than IE.


    Kevin Dan
    Thursday, February 2, 2012 5:44 PM
  • Kevin,

     

    Can you explain what exactly was restricted?

    What exactly was done in order to fix the issue?

     

    Thank you,

    Assaf

    Thursday, February 2, 2012 8:39 PM
  • Hi Assaf, sorry, I cannot tell you what exactly the network admin changed on my domain account in AD. I was told they restricted my domain account to all kinds of servers (it was the first time they used this kind of practice in their network setup), then removed the practices; afterwards my CRM Outlook configuration wizard worked.

    Having said that, can you verify if you can access the discovery service in IE: http://[yourcrmserver]/XRMServices/2011/Discovery.svc?

    Do you have the same problem on all your client machines, or is the problem only with one domain user account? If it is the former, you'd better check the IFD/ADFS setup; if it is the latter, that might be a domain account access issue. Try logging on to a different machine with a different domain account (with the CRM admin role).

     


    Kevin Dan
    Friday, February 3, 2012 1:17 AM
  • Assaf,

    From the client computers go to Settings, Customization, Developer Resources. Click on Discovery Service - do you get an IE error or does it return the Discovery service response? Or possibly a permission issue when accessing the service.

    If not then there is an issue with DNS or your firewall not permitting access to the CRM discovery service.

     

    Jerry, Microsoft Dynamics CRM MVP
    CRM Innovation
    Friday, February 3, 2012 2:02 PM
  • you have just created a service!

     

    To Jerry and Kevin:

    Thank you both for trying to help,

    As for the discovery service - I can access it freely using the address: http://[yourcrmserver]/XRMServices/2011/Discovery.svc?, and it works.

    Any other ideas?

     

    I hate this.

    Friday, February 3, 2012 9:23 PM
  • From your previous tracing information, of course you can access the service :-). The problem is "cannot be authenticated".

    Does this happen to you on all machines even with different domain user accounts?

    Did you happen to look into the configuration wizard log file: C:\Users\<username>\AppData\Local\Microsoft\MSCRM\Logs\Crm50ClientConfig.txt?

    Another idea: try adding your CRM server to the IE trusted sites (e.g. *.domainname.com)


    Kevin Dan

    • Edited by Kevin Dan Friday, February 3, 2012 9:41 PM
    Friday, February 3, 2012 9:36 PM
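
Added example, not part of any post in this thread and not Microsoft's tooling: a small Python triage of the configuration wizard log named above (Crm50ClientConfig.txt) that pairs each "Error connecting to URL" entry with the method at the top of its stack trace, which shows where in the claims sign-in the exception was thrown. The log layout is assumed from the excerpts quoted in the thread; the sample lines and the host crm.example.test are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log excerpts quoted in this thread;
# crm.example.test is a placeholder host.
SAMPLE_LOG = """\
23:02:17|Verbose| Method exit: Microsoft.Crm.Application.Outlook.Config.ServerForm._testConnectionButton_Click
23:02:18|  Error| Error connecting to URL: https://crm.example.test/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Credentials required
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateHomeRealm()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
23:02:24|  Error| Error connecting to URL: https://crm.example.test/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
20:00:31|  Error| Error connecting to URL: https://crm.example.test:444/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
"""

ERROR_RE = re.compile(
    r"^\s*(?P<time>\d{1,2}:\d{2}:\d{2})\|\s*Error\|\s*Error connecting to URL:\s*"
    r"(?P<url>\S+)\s+Exception:\s*(?P<type>[\w.]+):\s*(?P<message>.*?)\s*$"
)
FRAME_RE = re.compile(r"^\s+at\s+(?P<method>[\w.`]+)\(")


def parse_auth_errors(text):
    """Return one dict per 'Error connecting to URL' entry, with its top stack frame."""
    entries, current = [], None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = dict(m.groupdict(), top_frame=None)
            entries.append(current)
        elif FRAME_RE.match(line) and current is not None:
            if current["top_frame"] is None:
                # First "at ..." line is the method that threw; keep its short name.
                method = FRAME_RE.match(line).group("method")
                current["top_frame"] = method.rsplit(".", 1)[-1]
        elif line.strip():
            current = None  # any other non-empty line ends the stack trace
    return entries


def summarize(entries):
    """Count failures by (exception message, method that threw)."""
    return Counter((e["message"], e["top_frame"]) for e in entries)


if __name__ == "__main__":
    for (message, frame), count in summarize(parse_auth_errors(SAMPLE_LOG)).items():
        print(f"{count}x {message!r} thrown in {frame or 'unknown (no stack trace)'}")
```

Blank lines between stack frames, as in the excerpts pasted in this thread, are skipped rather than treated as the end of a trace.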
  • Hi Kevin,

     

    Yes, tried with different users, even the domain admin.

    on every machine in the domain

    Yes, the log I have posted here is the one you refer to.

    The CRM server is already in the trusted sites.

     

    Anything else?

    HELP!

    Saturday, February 4, 2012 7:33 PM
  • Hi again,

     

    This looks pretty similar to my issue, only that I have used one server for both CRM and ADFS, and got a different error in the event log:

    http://social.microsoft.com/Forums/en-US/partnerdynamicscrm/thread/d547d3b5-0ccb-4718-9d89-796ee338889d

     

    Can anyone tell me how to diagnose requests getting to the ADFS service?

     

    Assaf

    Sunday, February 5, 2012 5:54 PM
  • Hi Assaf, sorry to hear you are still trying to solve the issue.

    According to Microsoft Dynamics CRM 2011 Unleashed:

    Note An important note is the server where you will install the ADFS 2.0 because it installs on the default website created on the IIS. If you try this on the same server where you installed the CRM, it won’t run because the AD FS creates a virtual folder called adfs inside the default website, which needs the previous .NET Framework version 2.0. You can either install AD FS on a separate server with a clean IIS or create another default website on the IIS where the CRM is installed so that it won’t overlap with the CRM server website. If you use the same server, you will have to either configure the new default website to use a port other than the default 443 for HTTPS or use host headers. Because deploying AD FS on the same server where the CRM lives requires the considerations mentioned earlier, we recommend using a separate server for this purpose.

    Wolenik, Marc J.; Sinay, Damian; Bhaiya, Rajya Vardhan (2011-09-27). Microsoft Dynamics CRM 2011 Unleashed (Kindle Locations 8512-8517). Pearson Education (US). Kindle Edition.

    So, extra cautious/steps when installing ADFS and CRM on the same server.

     


    Kevin Dan
    • Edited by Kevin Dan Monday, February 6, 2012 2:46 PM
    • Proposed as answer by MWOLE Wednesday, February 8, 2012 4:04 PM
    Monday, February 6, 2012 6:31 AM
  • Hi Assaf,

    Be sure you also have the HTTP port open on the firewall, as AD FS might require this port open for the service. I had a similar problem last week where there was an ISA server that was not redirecting to the HTTP port, and forcing to HTTPS didn't allow an ADFS service to connect. Did you check with the Fiddler tool on the client what URL is failing?

     

     


    Regards,
    Damian Sinay
    Monday, February 6, 2012 6:42 AM
  • Kevin,

     

    Those extra cautious steps were indeed taken, as I have created a new website for the CRM with port 443, and used 442 for the ADFS service on the default website.

     

    Damian,

    I have checked with the Fiddler tool and that's what I get:

     

    any ideas?

    THANK YOU ALL FOR HELPING ME

    Assaf

    Monday, February 6, 2012 6:29 PM
  • Hi Assaf,

    Check the endpoints that are failing on the ADFS to see if they are enabled. If they are disabled you can enable them by selecting the item, right-clicking it and clicking Enable.

     

     


    Regards,
    Damian Sinay
    Monday, February 6, 2012 7:00 PM
  • Hi Damian,

     

    Kerberosmixed and usernamemixed both are enabled on my ADFS configuration.

    Does anyone know where I can find some kind of log for seeing what fails with the ticket?

     

    10x,

    Assaf

    Monday, February 6, 2012 9:39 PM
  • You could enable WCF/WIF tracing, but I cannot give you exact steps. I'd like to know the root cause, but I would work around the issue by finding an easy way out, like setting up ADFS server on different machine, and reconfigure ADFS/IFD for CRM, etc.

    Do you have the latest Update Rollup 6 on your client and server?

    Do you have an option to have Microsoft Support look into this issue?

     


    Kevin Dan
    Monday, February 6, 2012 9:53 PM
  • I have a similar issue as reported above. I tried the Fiddler tool but all shows 200 OK responses. ADFS and IFD work in the browser but not in Outlook. The error is

    20:00:31|  Error| Error connecting to URL: https://IFD link :444/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
       at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
       at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
       at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
       at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
       at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)

    Can someone please assist?

    Wednesday, August 8, 2012 2:44 PM
  • Hi All,

    I am getting the same error as

    Error| Error connecting to URL: https://<URL>/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
       at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
       at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
       at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
       at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
       at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)

    For me, I am able to configure Outlook on Windows 7, but on Windows Vista I am getting the error.

    Any idea what is missing on the Vista machine?

    Regards,

    Yes.Sudhanshu



    Thursday, December 19, 2013 4:14 AM
  • I got it fixed by looking at the MAPI file in the locations below, as both were not the same; not sure why. It could be the access permissions...

    Compare the files in "C:\Windows\System32\" and "C:\Program Files\Common Files\System\MSMAPI\1033\".

    For me both were not the same...

    Please take a copy of the updating one...

    Regards,

    Sudhanshu



    • Proposed as answer by yes.sudhanshu Sunday, December 29, 2013 6:42 AM
    Sunday, December 29, 2013 6:42 AM