Error “You cannot get to your Dynamics 365 environment using the above URL.”

Applies to: Dynamics 365 Customer Engagement Online

Introduction


To provide better service and availability, we are upgrading our authentication protocol by replacing the URL redirector service. The old URL redirector service will be removed on March 31, 2020.

When you access your Common Data Service environment for the first time, or after you have logged out from a prior session, you are directed to Azure AD for login. The Sign-in page URL contains a set of internal values/codes, including a link to the URL redirector service. Upon successful login, the URL redirector service directs you to your Common Data Service environment.

The URL redirector service was replaced in September 2019. This change impacts you if you created a bookmark of the login page before September 2019 that contains the link to the replaced URL redirector service.

Some of these internal values/codes are time sensitive and are only valid for a short period of time. We recommend that you bookmark the Common Data Service environment page instead of the sign-in page.

Please note that only a small set of users is impacted by this change, and the impacted users will see a notification page with instructions on how to correct the problem.

Symptom


When you first access your environment, you are directed to a Sign-in page (below) to enter your credentials.

Authentication Sign-in Dialog

Upon entering your credentials, you see this notification page:

Authentication Sign-in Error

 

Cause


The Sign-in page URL has the link to the old redirector service embedded in it.

Example (old): 

Old Example

The deprecated redirector service is called ‘cloudredirector.crm.dynamics.com’.

It is replaced by a host that looks something like this: ‘bn1--namcrlivesg614.crm.dynamics.com’.

Example (new):

New Example

To avoid user and business interruption with this upgrade, we have created a notification page for users who access the environment through a Sign-in page URL that contains the deprecated redirector URL.

Please note that NOT all of your users will see this notification page – only the following users may see it:

  1. Users who saved the Sign-in page in their bookmarks before September 2019, and

  2. Users who access their environment via a company portal link that contains the deprecated redirector URL.

 

Resolution


The notification page will be rolled out starting the week of February 17, 2020.    

1. For the bookmark scenario:

Correct your bookmark by following the instructions on the notification page. 

2. For the company portal or Single Sign-On (SSO) scenario:

This usually applies to customers who are using their own Secure Token Service (STS) that federates with Azure AD to provide an SSO experience for their users.

To provide an SSO experience, you might have an SSO link that looks something like this:

https://sts.contoso.com/adfs/ls/?client-request-id=... &wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=LoginOptions%3D3%26estsredirect%3d2%26estsrequest%3d<encodedPayload>&cbcxt=&mkt=&lc=&RedirectToIdentityProvider=... 

You most likely captured the “<encodedPayload>” by recording the login process while signing into your org URL in a fresh browser session.

While we understand that this method lets you work around certain STS SSO limitations, it is officially not supported because it reuses the encoded payload captured at that time. Some data in the encoded payload is short-lived, and once it expires you will need to capture a new payload. In addition, the captured encoded payload can easily be invalidated by changes in our backend service. This is not recommended because it causes interruptions to your users' sign-in experience.

A better approach is to pass your domain name, such as “?whr=contoso.com”, in your Dynamics 365 org URL (see below). This tells Azure AD to skip the home realm discovery phase and go directly to your STS. This may achieve SSO, depending on your STS configuration.

Example: 

(replace org URL and contoso.com with your domain name) 

3. If you are running automation scripts, they may also have recorded the deprecated redirector URL. These scripts will fail and need to be updated.
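As an added illustration for steps 2 and 3 (this is not part of the article and not Microsoft's own tooling), the following Python audits a list of saved links, such as a bookmark export, company portal links or URL constants in automation scripts, for the two patterns described above: any reference to the deprecated ‘cloudredirector.crm.dynamics.com’ host, even when it is percent-encoded inside the wctx value, and an AD FS link that carries a recorded estsrequest payload. It also builds the supported form of the org URL with the ?whr= home-realm hint. The sample links, the org URL https://contoso.crm.dynamics.com, the payload text and the function names are constructed for this example; only the two redirector host names come from the article.

```python
"""Audit saved Dynamics 365 sign-in links for the retired URL redirector and
for captured STS payloads, and build the supported home-realm (whr) link.

Added example, not Microsoft tooling. Sample links, the org URL and the
payload text are constructed; the retired host name is the one the article names."""
from urllib.parse import parse_qs, parse_qsl, unquote, urlencode, urlsplit, urlunsplit

DEPRECATED_REDIRECTOR = "cloudredirector.crm.dynamics.com"  # retired host (from the article)


def references_deprecated_redirector(link: str) -> bool:
    """True if the link, or any percent-encoded value nested inside it (for
    example the wctx -> estsredirect / wreply chain), names the retired host."""
    seen = {link}
    stack = [link]
    while stack:
        text = stack.pop()
        if DEPRECATED_REDIRECTOR in text.lower():
            return True
        # Peel one layer of percent-encoding and look again.
        decoded = unquote(text)
        if decoded not in seen:
            seen.add(decoded)
            stack.append(decoded)
        # Inspect every query value on its own (parse_qs decodes each once).
        for values in parse_qs(urlsplit(text).query, keep_blank_values=True).values():
            for value in values:
                if value not in seen:
                    seen.add(value)
                    stack.append(value)
    return False


def is_captured_sts_link(link: str) -> bool:
    """Heuristic for the unsupported pattern in step 2: an AD FS /adfs/ls/ link
    whose wctx carries a recorded estsrequest payload, which is short-lived."""
    parts = urlsplit(link)
    if "/adfs/ls" not in parts.path.lower():
        return False
    wctx = parse_qs(parts.query).get("wctx", [""])[0]
    return "estsrequest=" in unquote(wctx).lower()


def recommended_link(org_url: str, home_domain: str) -> str:
    """Supported form: the org URL itself with ?whr=<domain>, so Azure AD skips
    home realm discovery and sends the user straight to the federated STS."""
    parts = urlsplit(org_url)
    query = dict(parse_qsl(parts.query))  # keep any existing parameters
    query["whr"] = home_domain
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", urlencode(query), ""))


def audit(links):
    """Return (link, finding) pairs for every link that needs updating."""
    findings = []
    for link in links:
        if references_deprecated_redirector(link):
            findings.append((link, "deprecated-redirector"))
        elif is_captured_sts_link(link):
            findings.append((link, "captured-payload"))
    return findings


# Constructed sample inputs, of the kind found in bookmark exports,
# company portals and automation scripts.
SAMPLE_LINKS = [
    # old bookmark of the sign-in page: wreply points at the retired redirector
    "https://login.microsoftonline.com/?wa=wsignin1.0"
    "&wreply=https%3A%2F%2Fcloudredirector.crm.dynamics.com%2F",
    # company portal link with a recorded estsrequest payload (unsupported)
    "https://sts.contoso.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline"
    "&wctx=LoginOptions%3D3%26estsredirect%3d2%26estsrequest%3dCAPTURED_PAYLOAD",
    # supported form: org URL with the whr hint, nothing to report
    "https://contoso.crm.dynamics.com/?whr=contoso.com",
    # retired host hidden two encoding layers deep inside wctx
    "https://sts.contoso.com/adfs/ls/?wa=wsignin1.0&wctx=estsredirect%3d2%26wreply%3d"
    "https%253a%252f%252fcloudredirector%252ecrm%252edynamics%252ecom%252f",
]

if __name__ == "__main__":
    for link, finding in audit(SAMPLE_LINKS):
        print(f"{finding:22} {link[:70]}...")
    print("use instead:", recommended_link("https://contoso.crm.dynamics.com", "contoso.com"))
```

Run it against a real bookmark export by replacing SAMPLE_LINKS; a link is reported as “deprecated-redirector” before it is checked for a captured payload, since the first problem is the one that stops working on March 31, 2020.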