Integrated Authentication fails with the Microsoft Dynamics CRM 2015 for Outlook client

Symptoms
Silent Integrated Authentication with federated Dynamics CRM Online 2015 organizations may fail with the following error message:

>Exception during Signin Microsoft.Crm.CrmException: integrated_authentication_failed: Integrated authentication failed. You may try an alternative authentication method ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: integrated_authentication_failed: Integrated authentication failed. You may try an alternative authentication method ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: wstrust_endpoint_not_found: WS-Trust endpoint not found in metadata document

Cause
This occurs if the WindowsTransport endpoint is not enabled on the AD FS Server.


Resolution
On the AD FS Server:

1. Open the AD FS Management Console and, in the left navigation pane, browse to AD FS | Service | Endpoints.

2. Locate the Endpoint called /adfs/service/trust/13/windowstransport

3. Right-click the endpoint and select Enable.

4. Restart the AD FS Service
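
The same steps can be scripted with the AD FS PowerShell cmdlets. The following is an added example, not part of the original article; it assumes the ADFS module is available on the server and that the federation service host name resolves from the server itself. It also checks the WS-Trust metadata document that the client error refers to.

```powershell
# Added example: run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Match on the path suffix so the lookup does not depend on the exact prefix.
$endpoint = Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*/trust/13/windowstransport' }

if (-not $endpoint) {
    throw 'No WS-Trust 1.3 windowstransport endpoint found on this AD FS server.'
}

# Show the current state. Proxy indicates whether the endpoint is also
# published through the federation proxy; this script does not change it.
$endpoint | Format-Table AddressPath, Enabled, Proxy -AutoSize

if (-not $endpoint.Enabled) {
    Enable-AdfsEndpoint -TargetAddressPath $endpoint.AddressPath
    # Endpoint changes take effect after the AD FS service restarts (step 4).
    Restart-Service -Name adfssrv
}

# Confirm the endpoint is now advertised in the WS-Trust metadata document,
# which is where the client reports "WS-Trust endpoint not found".
# Assumption: the service host name resolves and its certificate is trusted here.
$hostName = (Get-AdfsProperties).HostName
$mex = Invoke-WebRequest -Uri "https://$hostName/adfs/services/trust/mex" -UseBasicParsing

if ($mex.Content -match 'trust/13/windowstransport') {
    Write-Output 'windowstransport endpoint is present in the metadata document.'
} else {
    Write-Warning 'windowstransport endpoint is still missing from the metadata document.'
}
```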


When using versions prior to CRM 2015 Update 1.1, use the direct organization URL, such as <yourorg>.crm.dynamics.com, instead of the generic CRM Online option in the configuration drop-down list; otherwise, configuration may fail.

More information

The ability to perform Silent Integrated Authentication with federated Dynamics CRM organizations was removed with the release of Microsoft Dynamics CRM 2015 Update 1. Do not install this update if you want to use Integrated Authentication. The feature was added back with the release of CRM 2015 Update 1.1.

In addition to the error logged in Crm70ClientConfig.log, the following error is logged in Event Viewer on the AD FS server under Applications and Services Logs\AD FS\Admin:

Encountered error during federation passive request.

Additional Data

Protocol Name:

wsfed

Relying Party:

urn:federation:MicrosoftOnline

Exception details:

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.

at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)

at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)

at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 3070297 - Last Review: 09/30/2015 14:39:00 - Revision: 5.0

Dynamics CRM Online, Microsoft Dynamics CRM 2015, Microsoft Dynamics CRM for Microsoft Office Outlook, Microsoft Dynamics CRM for Microsoft Office Outlook with Offline Access
