Tuesday, 28 January 2014

Dynamics CRM 2013 ADFS 2.1 with windows 2012 - CRM Outlook client issue

If you configuring ADFS with Windows 2012 you will find that you can't configure the CRM Outlook Client. This is due to a bug in ADFS 2.1 which does not correctly set it's ADFS ActiveMexEndPoint to the correct location.

When you attempt to configure the CRM Outlook client you get:


14:44:16|  Error| Error connecting to URL: https://mycrm.com:444/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)


In CRM the information for the ADFS ActiveMexEndpoint it's hold on the FederationProvider table column: ActiveMexEndPoint this information is written every time you configure Claims-Based Authentication. On the MSCRM_CONFIG database run the following command:

select * from FederationProvider

The default url looks like this:
https://myadfs.domain.com/adfs/ls/mex

And you need to update it to:
https://myadfs.domain.com/adfs/services/trust/mex

To udpate the ActiveMexEndpoint run the below query on your SQL database MSCRM_CONFIG database.

update FederationProvider
set ActiveMexEndpoint = 'https://myadfs.domain.com/adfs/services/trust/mex'

Alternatively you could run the following Powershell:
http://support.microsoft.com/kb/2828015/en-gb? 

You can also apply a hotfix released specifically to correct this issue:
http://support.microsoft.com/kb/2827748/en-us 


If you need assistance configuring ADFS in your company feel free to contact me on: nuno.m.costa@gmail.com







Posted by at

4 comments:

  1. Mayank Gadodia3 March 2014 at 07:01

    Hi,
    Do we need to reconfigure IFD after running update query?
    Thanks.

    ReplyDelete
    Replies
    1. Nuno Costa nuno.m.costa@gmail.com3 March 2014 at 07:07

      Hi Mayank,
      if you do the manual SQL update you don't have to, if you install the hotfix you just need re-configure Claims-based configuration it should pick up the new parameters. Let me know if you need assistance.
      Thanks
      Nuno

      Delete
    2. Mayank Gadodia3 March 2014 at 07:38

      Awesome! It worked... thanks for sharing! :)

      Delete
  2. Unknown26 April 2014 at 00:16

    Thank you very much, it worked great for me!
    I have manually updated two records in dbo.FederationProvider, restarted the server and that's it!

    Wrong records were
    https://sts.myorg.ru:444/adfs/ls/mex
    and right ones became
    https://sts.myorg.ru:444/adfs/services/trust/mex

    EmailRouter service is set to start after AD FS service.

    ReplyDelete

Subscribe to: Post Comments (Atom)