Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Integrated Authentication fails with the Microsoft Dynamics CRM 2015 for Outlook client



Symptoms

Silent Integrated Authentication with federated Dynamics CRM Online 2015 organizations may fail with the following error message:

>Exception during Signin Microsoft.Crm.CrmException: integrated_authentication_failed: Integrated authentication failed. You may try an alternative authentication method ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: integrated_authentication_failed: Integrated authentication failed. You may try an alternative authentication method ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: wstrust_endpoint_not_found: WS-Trust endpoint not found in metadata document



Cause

This occurs if the WindowsTransport endpoint is not enabled on the AD FS Server.




Resolution

On the AD FS Server:



1. Open the AD FS Management Console and, in the left navigation pane, browse to AD FS | Service | Endpoints.

2. Locate the endpoint called /adfs/services/trust/13/windowstransport.

3. Right-click the endpoint and select Enable.

4. Restart the AD FS service.
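
The same change can be made and checked from PowerShell on the AD FS server. This is an added example, not part of the original KB article; it assumes the ADFS PowerShell module is available, that the service uses its default name adfssrv, and that the federation service host name resolves from the server itself.

```powershell
# Added example (not from the KB article). Run elevated on the AD FS server.
Import-Module ADFS

# Address path under which AD FS lists the WS-Trust 1.3 Windows transport endpoint.
$path = '/adfs/services/trust/13/windowstransport'

$endpoint = Get-AdfsEndpoint -AddressPath $path
Write-Output "Before: Enabled=$($endpoint.Enabled) Proxy=$($endpoint.Proxy)"

if (-not $endpoint.Enabled) {
    # Steps 3 and 4 of the resolution: enable the endpoint, then restart AD FS.
    Enable-AdfsEndpoint -TargetAddressPath $path
    Restart-Service -Name adfssrv   # assumption: default AD FS service name
}

$endpoint = Get-AdfsEndpoint -AddressPath $path
Write-Output "After:  Enabled=$($endpoint.Enabled) Proxy=$($endpoint.Proxy)"

# Proxy=True means the endpoint is also published through the Web Application
# Proxy. Windows transport endpoints are intended for intranet clients, and
# Microsoft's AD FS hardening guidance is to keep them off the proxy, so flag it.
if ($endpoint.Proxy) {
    Write-Warning "$path is published on the proxy; review with: Set-AdfsEndpoint -TargetAddressPath $path -Proxy `$false"
}

# The client error reports that the WS-Trust endpoint is missing from the
# metadata document, so confirm that the MEX document now advertises it.
$hostName = (Get-AdfsProperties).HostName
$mexUrl   = "https://$hostName/adfs/services/trust/mex"
$mex      = (New-Object System.Net.WebClient).DownloadString($mexUrl)

if ($mex -like "*$path*") {
    Write-Output "MEX document lists $path"
} else {
    Write-Warning "MEX document at $mexUrl does not list $path"
}
```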


When using versions prior to CRM 2015 Update 1.1, use the direct organization URL, such as <yourorg>.crm.dynamics.com, instead of the generic CRM Online option in the configuration drop-down list; otherwise, configuration may fail.



More Information


The ability to perform Silent Integrated Authentication with federated Dynamics CRM organizations was removed with the release of Microsoft Dynamics CRM 2015 Update 1. Do not install this update if you want to use Integrated Authentication. This feature was added back with the release of CRM 2015 Update 1.1.

In addition to the error logged in the Crm70ClientConfig.log, the following error is logged in Event Viewer on the AD FS server under Applications and Services Logs\AD FS\Admin:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomain(Boolean& validAuthMethodsInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)



Keywords: kbmbspartner, kbmbsmigrate, kbsurveynew, kb


Article Info
Article ID : 3070297
Revision : 1
Created on : 1/7/2017
Published on : 9/30/2015
Exists online : False
Views : 324