Tuesday 28 January 2014

Dynamics CRM 2013 ADFS 2.1 with Windows 2012 - CRM Outlook client issue

If you are configuring ADFS with Windows 2012 you will find that you can't configure the CRM Outlook Client. This is due to a bug in ADFS 2.1, which does not set its ADFS ActiveMexEndPoint to the correct location.

When you attempt to configure the CRM Outlook client you get:


14:44:16|  Error| Error connecting to URL: https://mycrm.com:444/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)


In CRM, the ADFS ActiveMexEndpoint is held in the ActiveMexEndPoint column of the FederationProvider table; this information is written every time you configure Claims-Based Authentication. On the MSCRM_CONFIG database run the following command:

select * from FederationProvider

The default URL looks like this:
https://myadfs.domain.com/adfs/ls/mex

And you need to update it to:
https://myadfs.domain.com/adfs/services/trust/mex

To update the ActiveMexEndpoint, run the query below on your MSCRM_CONFIG SQL database.

update FederationProvider
set ActiveMexEndpoint = 'https://myadfs.domain.com/adfs/services/trust/mex'

Alternatively, you could run the following PowerShell:
http://support.microsoft.com/kb/2828015/en-gb? 

You can also apply a hotfix released specifically to correct this issue:
http://support.microsoft.com/kb/2827748/en-us 
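
A scoped variant of the manual update above, added here as an example and not part of the original post: it rewrites only the path suffix, so each row keeps its own host and port, and it commits only if no row still ends in /adfs/ls/mex. It assumes ActiveMexEndpoint is a character column (nvarchar or varchar) and that you have a backup of MSCRM_CONFIG.

```sql
-- Added example (not from the original post). T-SQL, run against the CRM config database.
USE MSCRM_CONFIG;

SET NOCOUNT ON;
SET XACT_ABORT ON;          -- any runtime error rolls the whole transaction back

DECLARE @oldSuffix nvarchar(100) = N'/adfs/ls/mex';
DECLARE @newSuffix nvarchar(100) = N'/adfs/services/trust/mex';
DECLARE @changed   int;

BEGIN TRANSACTION;

-- Before: list the rows that still carry the wrong endpoint path.
SELECT ActiveMexEndpoint AS BeforeUpdate
FROM dbo.FederationProvider
WHERE ActiveMexEndpoint LIKE N'%' + @oldSuffix;

-- Replace only the trailing path; scheme, host and port of each row are preserved.
UPDATE dbo.FederationProvider
SET ActiveMexEndpoint =
        LEFT(ActiveMexEndpoint, LEN(ActiveMexEndpoint) - LEN(@oldSuffix)) + @newSuffix
WHERE ActiveMexEndpoint LIKE N'%' + @oldSuffix;

SET @changed = @@ROWCOUNT;

-- After: every row, so the result can be checked by eye.
SELECT ActiveMexEndpoint AS AfterUpdate
FROM dbo.FederationProvider;

-- Commit only when something changed and no row still has the old suffix.
IF @changed > 0
   AND NOT EXISTS (SELECT 1 FROM dbo.FederationProvider
                   WHERE ActiveMexEndpoint LIKE N'%' + @oldSuffix)
BEGIN
    COMMIT TRANSACTION;
    PRINT CONCAT(@changed, N' row(s) updated and committed.');
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT N'Nothing committed: no matching rows, or old suffix still present.';
END
```

Rows that already point at /adfs/services/trust/mex do not match the WHERE clause, so running the script a second time changes nothing and rolls back.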


If you need assistance configuring ADFS in your company feel free to contact me on: nuno.m.costa@gmail.com







4 comments:

  1. Hi,
    Do we need to reconfigure IFD after running update query?
    Thanks.

    1. Hi Mayank,
      If you do the manual SQL update you don't have to; if you install the hotfix you just need to re-configure Claims-based configuration and it should pick up the new parameters. Let me know if you need assistance.
      Thanks
      Nuno

    2. Awesome! It worked... thanks for sharing! :)

  2. Thank you very much, it worked great for me!
    I have manually updated two records in dbo.FederationProvider, restarted the server and that's it!

    Wrong records were
    https://sts.myorg.ru:444/adfs/ls/mex
    and right ones became
    https://sts.myorg.ru:444/adfs/services/trust/mex

    EmailRouter service is set to start after AD FS service.
