Issue Definition:
Users unable to configure CRM 2013 Outlook Client for configured organization (i.e. "https://crm.domain.com/CRMOrgName".
Error Messages:
Exception : An error has occurred. Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization's Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support. at Microsoft.Crm.Application.Outlook.Config.OutlookConfigurator.InitializeMapiStoreForFirstTime()
at Microsoft.Crm.Application.Outlook.Config.OutlookConfigurator.Configure(IProgressEventHandler progressEventHandler)
at Microsoft.Crm.Application.Outlook.Config.ConfigEngine.Configure(Object stateInfo)
01:50:43| Error| Exception : Server was unable to process request.
Error connecting to URL: https://externalcrmorgname.domain.com/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)
Error connecting to URL: https://crm.domain.com/CRMOrgName/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)
Cause:
The original configuration was done over HTTPS URL with no Claims and IFD configured. The issue was caused due to missing SPNs.
Later Claims and IFD was configured and below error was seen on configuring CRM for Outlook using ADFS URL:
15:49:34| Error| Error connecting to URL: https://externalcrmorgname.domain.com/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)
Resolution:
Below steps were followed
In order to verify and set the SPNs, open an admin elevated command prompt and run the following commands:
Setspn –q HTTP/* # Command queries AD to verify what SPNs have been configured
Setspn –s HTTP/adfs.domain.com # Configures ADFS URL
Setspn –s HTTP/CRMSrvrHostName Domain\CRMAppPoolAcct # Configures CRM Server Hostname with IIS App Pool account
Setspn –s HTTP/CRMSrvrFQDN Domain\CRMAppPoolAcct # Configures CRM Server FQDN with IIS App Pool account
Setspn –s HTTP/CRMinternalURL Domain\CRMAppPoolAcct # Configures CRM Internal URL with IIS App Pool account
Used Fiddler to collect traces and found that 404 Error is seen at Mex endpoint. Found below KB articles addressing the same issue
https://support.microsoft.com/en-us/kb/2827748
https://support.microsoft.com/en-us/kb/2828015
- Verified that ADFS 2.1 is configured on Windows 2012 Standard edition machine
- Got the hotfix from https://support.microsoft.com/en-us/kb/2827748
- Installed the hotfix and restarted the ADFS server
- Disabled IFD and Claims based Authentication on CRM Server
- Note: we saw that there is some issues adding Relying Party trust for external URL in ADFS. The internal URL was working fine. Also, the certificate that is being used needs to be a Wild Card certificate. You may have to get a wild card certificate from a public CA in order for users to be able to access CRM externally.
Verified in DB that Mex Endpoint is pointing to correct URL by executing below query in MSCRM_CONFIG DB
select activemexendpoint from federationprovider
Result: https://adfs.domain.com/adfs/services/trust/mex
- Restarted IIS on CRM Server.
We successfully configured Claims and IFD in our environment.
https://externalcrmorgname.domain.com - External URL
https://crm.domain.com/CRMOrgName - Internal URL
- We are able to access CRM using both the above URLs
- Then, Tried configuring CRM using ADFS URL from Configuration wizard and it completed successfully.
We opened Outlook and verified that CRM was accessible without any issues. The above error was seen due to incorrect MEX endpoint.
We also verified that Outlook configuration is successful with internal URL https://crm.domain.com/CRMOrgName.