

Dynamics CRM 2011 - Outlook 2013 Client - Cannot connect to Microsoft Dynamics CRM server...

Posted on 2013-01-31
Medium Priority
Last Modified: 2013-02-08
Dynamics CRM 2011 Server + R6, R12 on Windows Server 2008 R2. Claims authentication and Internet facing deployment is configured
AD FS is configured on a separate Windows Server 2012, and is accessible on
Outlook 2013 Preview, Dynamics CRM 2011 Client + R6, R12 on Windows 8, Windows Identity Framework 3.5 installed
All the machines are in the same LAN, in the same subnet and in the same domain (domain.local). Client (Windows 8) can access Dynamics CRM through Web browser at:, and claims based authentication works perfectly.
Discovery service at (no authentication needed)
AD FS at
As far as I know - everything is OK so far. But when I try to configure Outlook client by entering discovery URL (, I'm constantly getting "Cannot connect to Microsoft Dynamics CRM server because we cannot authenticate your credentials. Check your connection or contact your administrator for more help." Log file contains:
03:24:29|Verbose| Method entry: Microsoft.Crm.Application.Outlook.Config.ServerForm._testConnectionButton_Click
03:24:29|Verbose| Method entry: Microsoft.Crm.Application.Outlook.Config.ServerForm.TestConnection
03:24:29|Verbose| Method exit: Microsoft.Crm.Application.Outlook.Config.ServerForm.TestConnection
03:24:29|Verbose| Method exit: Microsoft.Crm.Application.Outlook.Config.ServerForm._testConnectionButton_Click
03:24:34|  Error| Error connecting to URL: Exception: Microsoft.Crm.CrmException: Authentication failed
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)


The Outlook client should be able to access Dynamics CRM from outside world through TMG also, so I must retain claims authentication and IFE. I'm using split DNS, so internal and external URLs are the same.

What should I try to do to resolve this issue and to successfully connect?

Question by:fd4u

Author Comment

ID: 38839136
One important thing:
When I try to connect from outside, through TMG 2010, I'm getting the same error, but the interesting thing is that TMG does not register any traffic for login attempts. It seems that the CRM client throws the error without even trying to connect to any of the servers (CRM nor AD FS).

Of course, all mentioned URLs are accessible through the browser from outside world also. (Corresponding Web site publishing rules are created.)


Author Comment

ID: 38839213
One more important thing: Before I've set Internet faced deployment and claims authentication I was able to connect Outlook client easily by setting Server URL to After setting IFD and claims authentication it is impossible. So it is probably claims related issue...

Author Comment

ID: 38841879
After entering discovery URL ( into CRM Client Configuration Wizard and clicking "Test Connection", Fiddler shows the following traffic:
#	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom	
14	200	HTTP	Tunnel to	605			microsoft.crm.application.outlook.configwizard:3756 		
15	200	HTTPS	/XRMServices/2011/Discovery.svc?wsdl	1,679	private  	text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
16	200	HTTPS	/XRMServices/2011/Discovery.svc?wsdl=wsdl1	5,385	private  	text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756	
17	200	HTTPS	/XRMServices/2011/Discovery.svc?wsdl=wsdl0	14,682	private  	text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
18	200	HTTP	Tunnel to	605			microsoft.crm.application.outlook.configwizard:3756 		
19	404	HTTPS	/adfs/ls/mex	1,245		text/html	microsoft.crm.application.outlook.configwizard:3756		
20	404	HTTPS	/adfs/ls/mex	1,245		text/html	microsoft.crm.application.outlook.configwizard:3756 		
21	404	HTTPS	/adfs/ls/mex	1,245		text/html	microsoft.crm.application.outlook.configwizard:3756		
22	200	HTTPS	/adfs/services/trust/mex	32,700		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756		
23	200	HTTPS	/adfs/services/trust/mex?xsd=xsd2	1,497		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
24	200	HTTPS	/adfs/services/trust/mex?xsd=xsd1	1,106		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756 		
25	200	HTTPS	/adfs/services/trust/mex?xsd=xsd0	394		text/xml; charset=UTF-8	microsoft.crm.application.outlook.configwizard:3756		
26	200	HTTPS	/adfs/services/trust/13/usernamemixed	4,211		application/soap+xml; charset=utf-8	microsoft.crm.application.outlook.configwizard:3756	


As I've already said - a very interesting thing is that for every subsequent login attempt there's no traffic! Although I'm getting login prompts again and again, there's no communication.

Please heeeelp!!!


LVL 30

Assisted Solution

by:Feridun Kadir
Feridun Kadir earned 400 total points
ID: 38843177
It does seem as if you have checked most things.  Did you look in the event logs on the CRM and ADFS servers? Sometimes you get a little more information (though not always).

You might also like to try this troubleshooter. I suspect, though, it might not cover your scenario.

Author Comment

ID: 38844681
Thanks feridun for trying to help!
I've tried troubleshooter you've mentioned before without luck.
But meanwhile I've noticed one problem with my AD FS service (it is actually AD FS role in Windows Server 2012). I've created two relying party trusts as documentation suggests: and But after trying to manually update party trust by selecting "Update from Federation Metadata..." I've got an error:
An error occurred during an attempt to access the AD FS configuration database: Error message: MSIS7612: Each identifier for a relying party must be unique across all relying party trusts in AD FS configuration.
What a hack is this? My identifiers are different: for the first relying party and,, for the second relying party. What went wrong now??

Author Comment

ID: 38844718
I've just resolved the previous error by following instructions from
Although my is using 443, in Web Address tab all the addresses were entered with port number: I've removed the port numbers, applied changes, reset IIS, and both AD FS relying parties updated without any problems!
Now I'll check if the original problem is solved...

Author Comment

ID: 38845325
No, the original problem is not solved. I'm still getting the same error and login prompt again and again. Here is part of trace log on client which, in my opinion gives a direction for further investigation:
>Kerberos Auth failed: System.NotSupportedException: The authentication endpoint Username was not found on the configured Secure Token Service!
   at Microsoft.Xrm.Sdk.Client.IssuerEndpointDictionary.GetIssuerEndpoint(TokenServiceCredentialType credentialType)
   at Microsoft.Xrm.Sdk.Client.AuthenticationCredentials.get_IssuerEndpoint()
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateInternal(AuthenticationCredentials authenticationCredentials)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.AuthenticateFederationInternal(AuthenticationCredentials authenticationCredentials)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(AuthenticationCredentials authenticationCredentials)
   at Microsoft.Xrm.Sdk.Client.ServiceConfiguration`1.Authenticate(ClientCredentials clientCredentials)
   at Microsoft.Xrm.Sdk.Client.DiscoveryServiceConfiguration.Authenticate(ClientCredentials clientCredentials)
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.<AuthenticateClaims>b__5()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvider`1.HandleAuthenticationFailures(Action method)


Suspicious part is: The authentication endpoint Username was not found on the configured Secure Token Service!
I'll be back...
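
The trace above reports that no "Username" endpoint was found on the STS, and the earlier Fiddler capture shows the client reading /adfs/services/trust/mex. As an added example (not part of the original post, and not the CRM SDK's own lookup logic, which the thread does not show), this Python code lists the WS-Trust endpoints a saved mex document advertises. The sample document, the host sts.example.test, the port names and the grouping by last URL path segment are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
}

# Constructed sample: a heavily trimmed WS-Trust metadata (mex) document.
# Host and port names are placeholders, not values from the thread.
SAMPLE_MEX = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="WindowsTransport13">
      <soap12:address location="https://sts.example.test/adfs/services/trust/13/windowstransport"/>
    </wsdl:port>
    <wsdl:port name="UserNameMixed13">
      <soap12:address location="https://sts.example.test/adfs/services/trust/13/usernamemixed"/>
    </wsdl:port>
    <wsdl:port name="NoAddress"/>
  </wsdl:service>
</wsdl:definitions>"""


def advertised_endpoints(mex_xml):
    """Map the last path segment of each SOAP 1.2 port address to its paths."""
    found = {}
    # Parse only metadata you saved yourself from your own STS.
    root = ET.fromstring(mex_xml)
    for port in root.iterfind(".//wsdl:port", NS):
        addr = port.find("soap12:address", NS)
        if addr is None or not addr.get("location"):
            continue  # port declared without a usable address
        path = urlparse(addr.get("location")).path.rstrip("/")
        kind = path.rsplit("/", 1)[-1].lower()  # assumption: segment names the credential type
        found.setdefault(kind, []).append(path)
    return found


def has_username_endpoint(mex_xml):
    """True when at least one advertised path ends in a 'username*' segment."""
    return any(k.startswith("username") for k in advertised_endpoints(mex_xml))


if __name__ == "__main__":
    for kind, paths in sorted(advertised_endpoints(SAMPLE_MEX).items()):
        print(kind, paths)
    print("username endpoint advertised:", has_username_endpoint(SAMPLE_MEX))
```

A positive result only shows that the address is advertised; it does not show that the client accepts the binding published for it.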

Author Comment

ID: 38845675
I've just opened another question related to this problem here. Answering this second question will resolve my problem also.

Author Comment

ID: 38845807
Some trustworthy guy offered resolution for "The authentication endpoint Username was not found on the configured Secure Token Service" in this post. But can anyone help me to understand what the following sentence from the post means:
First, make sure the user you have set up as the service account has Read/Write access to CRM and has a security role assigned that enables it to log into CRM remotely.
What is "user you have set up"? Account under which Dynamics CRM runs?
What "Read/Write access to CRM" means?
"security role assigned..." Does it mean that Dynamics CRM service account (DOMAIN\crmaccount) should be added as CRM user with remote access rights?
One sentence produced three questions - as you can see I don't understand a thing there :)

Author Comment

ID: 38847865
Solved by reinstalling everything (CRM server and ADFS). And changing few things in topology:
Instead of ADFS on Windows Server 2012, now I'm using ADFS 2.0 on Windows Server 2008 R2
Now AD FS resides on the same machine with CRM server (previously there were two machines)
In previous setup CRM server was with R6, R8 (not R6, R12 as I've told in the original question). There was R12 just for SRS... Now I do have R12
So what was the reason? Who knows... I've spent almost 80 hours in searching for the reason without luck. Probably I've made some mistake. Anyway, today I've installed everything from scratch for just few hours (!!!), and everything is working in LAN.
Now I have problems with publishing everything with TMG and connecting external Outlook clients, but it'll be new question :)
So I'll give 100 points to feridun for trying to help (THANKS!) and I'll close this question. I wouldn't be able to test new offered answers anyway since environment is erased.

Author Comment

ID: 38849016
I've requested that this question be closed as follows:

Accepted answer: 100 points for feridun's comment #a38843177
Assisted answer: 0 points for fd4u's comment #a38847865

for the following reason:

These actually aren't the answers. Problem is solved by reinstalling everything, but the question stays unanswered.
LVL 30

Expert Comment

by:Feridun Kadir
ID: 38848129
Thanks for the points, sorry I couldn't help in time.  

I see you have ADFS and CRM on the same server. Did you install CRM to its own web site? (i.e. separate from the Default Web Site). ADFS has to be installed on the Default Web Site and I think it best CRM goes in its own web site.

Author Comment

ID: 38848416
Yes, of course, CRM site is on site other than default, on port 4443. And everything works locally without problems. Outlook clients can connect either using, or
Setup for external users includes TMG 2010 which forwards external 443 to internal 4443. And this works in browser, but there are again some issues with Outlook client. I'll create new question...

Thanks very much!

Author Comment

ID: 38849017
I think that I've found the correct answer!

Accepted Solution

fd4u earned 0 total points
ID: 38849059
According to this article, and this thread - I didn't have a chance for success. Dynamics CRM 2011 IFD cannot be successfully set with ADFS 2.1 (embedded in Windows Server 2012).

I hope this thread will save some time to others...


Author Closing Comment

ID: 38867414
This is the accurate answer to the original question. Still I want to reward feridun with 100 points for his kindness.
