Solved

Dynamics CRM 2011 - Outlook 2013 Client - Cannot connect to Microsoft Dynamics CRM server...

Posted on 2013-01-31
Last Modified: 2013-02-08
Environment:
Dynamics CRM 2011 Server + R6, R12 on Windows Server 2008 R2. Claims authentication and Internet-facing deployment are configured
AD FS is configured on a separate Windows Server 2012, and is accessible on https://sts.domain.com
Outlook 2013 Preview, Dynamics CRM 2011 Client + R6, R12 on Windows 8, Windows Identity Framework 3.5 installed
All the machines are in the same LAN, in the same subnet and in the same domain (domain.local). Client (Windows 8) can access Dynamics CRM through Web browser at:
https://crmorganization.domain.com, and claims based authentication works perfectly.
Discovery service at https://dev.domain.com/XRMServices/2011/Discovery.svc (no authentication needed)
As far as I know, everything is OK so far. But when I try to configure the Outlook client by entering the discovery URL (https://dev.domain.com), I'm constantly getting "Cannot connect to Microsoft Dynamics CRM server because we cannot authenticate your credentials. Check your connection or contact your administrator for more help." The log file contains:
...
03:24:29|Verbose| Method entry: Microsoft.Crm.Application.Outlook.Config.ServerForm._testConnectionButton_Click
03:24:29|Verbose| Method entry: Microsoft.Crm.Application.Outlook.Config.ServerForm.TestConnection
03:24:29|Verbose| Method exit: Microsoft.Crm.Application.Outlook.Config.ServerForm.TestConnection
03:24:29|Verbose| Method exit: Microsoft.Crm.Application.Outlook.Config.ServerForm._testConnectionButton_Click
03:24:34|  Error| Error connecting to URL: https://dev.domain.com/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)



The Outlook client should be able to access Dynamics CRM from outside world through TMG also, so I must retain claims authentication and IFE. I'm using split DNS, so internal and external URLs are the same.

What should I try to do to resolve this issue and to successfully connect?

Thanks
Question by:fd4u
16 Comments
 

Author Comment

by:fd4u
ID: 38839136
One important thing:
When I try to connect from outside, through TMG 2010, I'm getting the same error, but the interesting thing is that TMG does not register any traffic for login attempts. It seems that the CRM client throws the error without even trying to connect to any of the servers (CRM nor AD FS)

Of course, all mentioned URLs are accessible through the browser from outside world also. (Corresponding Web site publishing rules are created.)

Thanks!
 

Author Comment

by:fd4u
ID: 38839213
One more important thing: Before I set up Internet-facing deployment and claims authentication, I was able to connect the Outlook client easily by setting Server URL to https://crmorganization.domain.com. After setting up IFD and claims authentication it is impossible. So it is probably a claims-related issue...
 

Author Comment

by:fd4u
ID: 38841879
After entering the discovery URL (https://dev.domain.com) into the CRM Client Configuration Wizard and clicking "Test Connection", Fiddler shows the following traffic:
#	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom	
14	200	HTTP	Tunnel to	dev.domain.com:443	605			microsoft.crm.application.outlook.configwizard:3756 		
15	200	HTTPS	dev.domain.com	/XRMServices/2011/Discovery.svc?wsdl	1,679	private  	text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
16	200	HTTPS	dev.domain.com	/XRMServices/2011/Discovery.svc?wsdl=wsdl1	5,385	private  	text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756	
17	200	HTTPS	dev.domain.com	/XRMServices/2011/Discovery.svc?wsdl=wsdl0	14,682	private  	text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
18	200	HTTP	Tunnel to	sts.domain.com:443	605			microsoft.crm.application.outlook.configwizard:3756 		
19	404	HTTPS	sts.domain.com	/adfs/ls/mex	1,245		text/html	microsoft.crm.application.outlook.configwizard:3756		
20	404	HTTPS	sts.domain.com	/adfs/ls/mex	1,245		text/html	microsoft.crm.application.outlook.configwizard:3756 		
21	404	HTTPS	sts.domain.com	/adfs/ls/mex	1,245		text/html	microsoft.crm.application.outlook.configwizard:3756		
22	200	HTTPS	sts.domain.com	/adfs/services/trust/mex	32,700		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756		
23	200	HTTPS	sts.domain.com	/adfs/services/trust/mex?xsd=xsd2	1,497		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
24	200	HTTPS	sts.domain.com	/adfs/services/trust/mex?xsd=xsd1	1,106		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
25	200	HTTPS	sts.domain.com	/adfs/services/trust/mex?xsd=xsd0	394		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756		
26	200	HTTPS	sts.domain.com	/adfs/services/trust/13/usernamemixed	4,211		application/soap+xml; charset=utf-8	microsoft.crm.application.outlook.configwizard:3756	



As I've already said, a very interesting thing is that for every subsequent login attempt there isn't any traffic! Although I'm getting login prompts again and again, there isn't any communication.

Please heeeelp!!!

Thanks

Assisted Solution

by:feridun
feridun earned 100 total points
ID: 38843177
It does seem as if you have checked most things.  Did you look in the event logs on the CRM and ADFS servers? Sometimes you get a little more information (though not always).

You might also like to try this troubleshooter http://rc.crm.dynamics.com/rc/2011/en-us/online/5.0/outlook-troubleshooting.aspx. I suspect though it might not cover your scenario.
 

Author Comment

by:fd4u
ID: 38844681
Thanks feridun for trying to help!
I had already tried the troubleshooter you mentioned, without luck.
But meanwhile I've noticed one problem with my AD FS service (it is actually the AD FS role in Windows Server 2012). I've created two relying party trusts as the documentation suggests: crminternal.domain.com and auth.domain.com. But after trying to manually update the crminternal.domain.com party trust by selecting "Update from Federation Metadata..." I got an error:
An error occurred during an attempt to access the AD FS configuration database: Error message: MSIS7612: Each identifier for a relying party must be unique across all relying party trusts in AD FS configuration.
What a hack is this? My identifiers are different: https://crminternal.domain.com for the first relying party and https://crmorganization.comain.com, https://auth.domain.com, https://dev.domain.com for the second relying party. What went wrong now??
Thanks!
 

Author Comment

by:fd4u
ID: 38844718
I've just resolved the previous error by following instructions from http://support.microsoft.com/kb/2546710
Although my crminternal.domain.com is using 443, in Web Address tab all the addresses were entered with port number: crminternal.domain.com:443. I've removed the port numbers, applied changes, reset IIS, and both AD FS relying parties updated without any problems!
Now I'll check if the original problem is solved...
 

Author Comment

by:fd4u
ID: 38845325
No, the original problem is not solved. I'm still getting the same error and login prompt again and again. Here is part of the trace log on the client which, in my opinion, gives a direction for further investigation:
>Kerberos Auth failed: System.NotSupportedException: The authentication endpoint Username was not found on the configured Secure Token Service!
   at Microsoft.Xrm.Sdk.Client.IssuerEndpointDictionary.GetIssuerEndpoint(TokenServiceCredentialType credentialType)
   at Microsoft.Xrm.Sdk.Client.AuthenticationCredentials.get_IssuerEndpoint()
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(ClientCredentials clientCredentials)
   at Microsoft.Xrm.Sdk.Client.DiscoveryServiceConfiguration.Authenticate(ClientCredentials clientCredentials)
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.<AuthenticateClaims>b__5()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvider`1.HandleAuthenticationFailures(Action method)


The suspicious part is: The authentication endpoint Username was not found on the configured Secure Token Service!
I'll be back...
0
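The WS-Trust endpoints an STS advertises can be read from the MEX document the client fetched (`/adfs/services/trust/mex` in the Fiddler capture above). The following is an added example, not code from this thread or from Microsoft: it parses a constructed, trimmed MEX sample and reports which credential types have an endpoint. The function names and the path-suffix mapping are this example's own assumptions, not how the CRM SDK selects an endpoint.

```python
import xml.etree.ElementTree as ET  # for metadata fetched from a network, prefer defusedxml
from urllib.parse import urlparse

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/"}

# Constructed sample: a real AD FS MEX document is far larger (bindings, policies).
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="WindowsTransport2005">
      <soap12:address location="https://sts.domain.com/adfs/services/trust/2005/windowstransport"/>
    </wsdl:port>
    <wsdl:port name="UserNameMixed13">
      <soap12:address location="https://sts.domain.com/adfs/services/trust/13/usernamemixed"/>
    </wsdl:port>
    <wsdl:port name="OffHostCertificate">
      <soap12:address location="http://other.example/adfs/services/trust/13/certificatemixed"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

# Last path segment -> credential kind (mapping chosen for this example).
KINDS = {"usernamemixed": "username", "windowstransport": "windows",
         "windowsmixed": "windows", "kerberosmixed": "kerberos",
         "certificatemixed": "certificate"}

def list_endpoints(mex_xml, expected_host):
    """Return (kind, ws_trust_version, url) for each usable soap12 port."""
    found = []
    for addr in ET.fromstring(mex_xml).findall(".//wsdl:port/soap12:address", NS):
        url = urlparse(addr.get("location", ""))
        # Ignore endpoints that are not HTTPS or not on the STS host that was
        # queried: credentials should never be sent to such an address.
        if url.scheme != "https" or url.hostname != expected_host:
            continue
        parts = url.path.strip("/").split("/")
        version = "1.3" if "13" in parts else "2005" if "2005" in parts else "?"
        found.append((KINDS.get(parts[-1].lower(), "other"), version, url.geturl()))
    return found

def missing_kinds(endpoints, required=("username",)):
    """Credential kinds the client needs but the STS does not advertise."""
    have = {kind for kind, _, _ in endpoints}
    return [kind for kind in required if kind not in have]

if __name__ == "__main__":
    eps = list_endpoints(SAMPLE_MEX, "sts.domain.com")
    for ep in eps:
        print(*ep)
    print("missing:", missing_kinds(eps) or "none")
```
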
 

Author Comment

by:fd4u
ID: 38845675
I've just opened another question related to this problem here. Answering this second question will resolve my problem also.
Thanks

 

Author Comment

by:fd4u
ID: 38845807
Some trustworthy guy offered resolution for "The authentication endpoint Username was not found on the configured Secure Token Service" in this post. But can anyone help me to understand what the following sentence from the post means:
First, make sure the user you have set up as the service account has Read/Write access to CRM and has a security role assigned that enables it to log into CRM remotely.
What is "user you have set up"? Account under which Dynamics CRM runs?
What "Read/Write access to CRM" means?
"security role assigned..." Does it mean that Dynamics CRM service account (DOMAIN\crmaccount) should be added as CRM user with remote access rights?
One sentence produced three questions - as you can see I don't understand a thing there :)
Thanks
 

Author Comment

by:fd4u
ID: 38847865
Solved by reinstalling everything (CRM server and ADFS). And changing few things in topology:
Instead of ADFS on Windows Server 2012, now I'm using ADFS 2.0 on Windows Server 2008 R2
Now AD FS resides on the same machine with CRM server (previously there were two machines)
In the previous setup the CRM server was with R6, R8 (not R6, R12 as I said in the original question). There was R12 just for SRS... Now I do have R12
So what was the reason? Who knows... I've spent almost 80 hours searching for the reason without luck. Probably I've made some mistake. Anyway, today I've installed everything from scratch in just a few hours (!!!), and everything is working in LAN.
Now I have problems with publishing everything with TMG and connecting external Outlook clients, but it'll be new question :)
So I'll give 100 points to feridun for trying to help (THANKS!) and I'll close this question. I wouldn't be able to test new offered answers anyway since environment is erased.
Thanks
 

Author Comment

by:fd4u
ID: 38849016
I've requested that this question be closed as follows:

Accepted answer: 100 points for feridun's comment #a38843177
Assisted answer: 0 points for fd4u's comment #a38847865

for the following reason:

These actually aren't the answers. Problem is solved by reinstalling everything, but the question stays unanswered.

Expert Comment

by:feridun
ID: 38848129
Thanks for the points, sorry I couldn't help in time.  

I see you have ADFS and CRM on the same server. Did you install CRM to its own web site? (i.e. separate from the Default Web Site). ADFS has to be installed on the Default Web Site and I think it best CRM goes in its own web site.
 

Author Comment

by:fd4u
ID: 38848416
Yes, of course, the CRM site is on a site other than default, on port 4443. And everything works locally without problems. Outlook clients can connect either using https://crminternal.domain.com:4443, or https://dev.domain.com:4443.
Setup for external users includes TMG 2010 which forwards external 443 to internal 4443. And this works in browser, but there are again some issues with Outlook client. I'll create new question...

Thanks very much!
 

Author Comment

by:fd4u
ID: 38849017
I think that I've found the correct answer!
 

Accepted Solution

by:
fd4u earned 0 total points
ID: 38849059
According to this article, and this thread - I didn't have a chance for success. Dynamics CRM 2011 IFD cannot be successfully set up with ADFS 2.1 (embedded in Windows Server 2012).

I hope this thread will save some time to others...

Thanks
 

Author Closing Comment

by:fd4u
ID: 38867414
This is the accurate answer to the original question. Still I want to reward feridun with 100 points for his kindness.