Microsoft Dynamics CRM (Archived)

Aquiring Token from ACS has failed. Please check if your tenantId is specified correctly in your Email Server Profile, and make sure your Exchange and CRM are under the same tenant


Dynamics 365 (On-Prem) to Exchange Online

I am getting this error when running the Email Server Profile Test after setting up Server Side Email synchronization and configuring an Exchange Online (Hybrid) Email Server Profile. It passes the first two tests (Connecting to Exchange Online, Authorizing by using Microsoft Azure...) but fails on the third test (Checking authentication).

The strange thing is that in the "Response from Exchange" section under the Failure Details I see 'HTTP/1.1 200 OK' which would suggest that everything is hunky dory and no authentication or authorization failures. What follows is a long string of code, which looks like the XML response from EWS perhaps; but no discernible error can be found after combing through it.

Any ideas?

  • Joe Woltering

    I forgot to mention that I did read through the couple of other threads regarding this topic which suggested checking that the Service Account of the App Pool Identity has access to the certificate in use (which it does). In those cases people were receiving a '401 Unauthorized' response from EWS, which I am not getting (as previously stated).

  • Joe Woltering

    In the CRMAsyncService trace log on the server I see the following error:

    EmailServerProfile with id xxxxxxxx-xxxx-xxxx-xxxxxxx-xxxxxxx failed to run the Exchange Connection test with Exception: Unhandled Exception: Microsoft.Exchange.WebServices.Data.ServiceRequestException: The response received from the service didn't contain valid XML.

    followed by:

    Inner Exception: System.Xml.XmlException: DTD is prohibited in this XML document

    ???

  • Verified answer
    Joe Woltering

    Well, I'm a dummy. Long story short, it was the certificate issue. I just didn't cop it straight away because I had the wrong URL entered in the Server Location (I was missing '.../EWS/exchange.asmx'). Once I put that back in, the Test failed all 3 tests and I was able to check the trace and then find errors relating to the Keyset --> Certificate problem. Once I gave Read permission to the ASyncService User Account, all is well.

  • Sudeep

    Can you please describe in detail how you solved this issue?

    I am getting the same issue and all 3 steps of the test connection fail.

    What was the certificate problem you were referring to and how did you solve it?

    I would be grateful for any steps.

  • Joe Woltering

    So it was either the certificate CRM uses internally or the certificate for EWS (can't remember which). You just need to always allow Read permissions to the App Pool AD account and/or the Async Service account to this certificate by using the MMC console, locating the certificate and then right-click on the cert and "Manage Private Keys".

    Hope this helps. 

  • Sudeep

    Thanks for the prompt response, Joe. I have already done the permissions part, but I still get the issue. There is not much help available online either.

  • Joe Woltering

    Are you able to enable tracing and gather the exact error msg?

  • Sudeep

    I started the trace and below are the few statements that could make sense:

    Auto Discover failed: Service Account ___________________ Auto Discover failed with exceptions

    Inner Exception: Microsoft.Crm.CrmException: Access token could not be obtained from: https://accounts.accesscontrol.windows.net/tokens/OAuth/2

    Inner Exception: Microsoft.Crm.CrmException: CertificateData for CertificateType: S2STokenIssuer not found.

    Does any of the above make sense?

  • Joe Woltering

    And this is for connecting CRM On-Prem to Exchange Online, correct?

    IFD is enabled, I assume?

    Are you, by any chance, using a wildcard SSL cert for your CRM org?

    Have you "purchased" and configured the Dynamics 365 Hybrid Connector?

    us.hitachi-solutions.com/.../setup-dynamics-365-server-side-synchronization-premise-exchange-online

  • Sudeep

    Yes, this is to connect CRM On-Prem to Exchange Online.

    Yes, I am using a wildcard SSL cert for our CRM org. Is that a problem?

    I have purchased the Dynamics 365 Hybrid Connector. Not sure about configuring it, as the steps did not mention the same. It just mentions that we need to purchase it, and that was done successfully.
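
One way to check the private-key permission described in the verified answer without opening MMC, as an added example that is not part of the original thread. The thumbprint and the two account names are placeholders, and the certificate is assumed to be an RSA certificate in the LocalMachine\My store; run it elevated on the CRM server.

```powershell
# Added example: report whether given service accounts hold an Allow/Read ACE
# on a certificate's private key file. Placeholders: thumbprint, account names.
param(
    [string]$Thumbprint = '<CERT-THUMBPRINT>',
    [string[]]$Accounts = @('CONTOSO\svc-crmapppool', 'CONTOSO\svc-crmasync')
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this machine."
}

# Resolve the key container name. CNG and legacy CSP keys are stored in
# different folders, so both are searched for CNG-opened keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "No RSA private key could be opened for $Thumbprint." }

$machineKeys = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $dirs = @("$env:ProgramData\Microsoft\Crypto\Keys", $machineKeys)
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $dirs = @($machineKeys)
}

$keyFile = $dirs | ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in the machine key stores." }

$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl -Path $keyFile

# Only ACEs naming the account directly are matched; access inherited through
# group membership is not resolved here.
foreach ($account in $Accounts) {
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    [pscustomobject]@{ Account = $account; CanRead = [bool]$allow; KeyFile = $keyFile }
}

# List every identity on the key file so unexpected grants stand out.
$acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights
```

The final listing is worth reviewing in its own right: only the accounts that need the key should appear there with Read, and none of them need more than Read.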
