Microsoft Dynamics CRM (Archived)

Dynamics 365 App for Outlook Authentication Issue


Hi all;

We are working with a client to deploy the new Dynamics 365 App for Outlook in their environment (CRM: Dynamics 365 Update 2.1, Claims/IFD, Server 2016; Client: Win10/Office 2016).

We have successfully deployed the D365 app, but upon activation in Outlook, users are first presented with an ADFS pop-up window, asking for credentials. After entering credentials, the user gets a "We're sorry - Something went wrong during sign-in" error.

On the server, there are several ADFS errors that appear:

ADFS Error 1020: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9321: Received invalid OAuth request. The client '806e5da7-0600-e611-80bf-6c3be5b27d7a' is forbidden to access the resource 'auth.alberdingkusa.com'. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.ValidateCore()

ADFS Error 364: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9321: Received invalid OAuth request. The client '806e5da7-0600-e611-80bf-6c3be5b27d7a' is forbidden to access the resource 'auth.alberdingkusa.com'. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.ValidateCore() at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate() at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

ADFS Error 1021: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenMissingAuthorizationCodeException: MSIS9246: Received invalid OAuth access token request. The 'code' parameter is missing or found empty. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthAccessTokenRequestContext.ValidateCore()

____________________________________________

The ADFS relying parties on the ADFS server have been deleted and rebuilt using PowerShell.

Access Control Policies for both have been set to Permit Access to All Users.

The ADFSClient for the D365 App for Outlook has been set.

Access via the web UI is normal.

  • Community Member

    Clarification: The Dynamics app within Outlook Web Access is available, but has the same authentication issue (and same errors in the event log).

  • Community Member

    Addenda: This problem was resolved. The CRM/ADFS Server was 2016, so the additional ADFS configuration step of running the following PowerShell command was required:

    Grant-AdfsApplicationPermission -ClientRoleIdentifier "806e5da7-0600-e611-80bf-6c3be5b27d7a" -ServerRoleIdentifier https://auth.alberdingkusa.com

    Although this resolves the original issue, we are still repeatedly challenged with a Windows authentication prompt. The URL it's trying to open is: https://adfs.alberdingkusa.com/adfs/oauth2/authorize/wia?client_id=806e5da7-0600-e611-80bf-6c3be5b27d7a&redirect_uri=https://crm.alberdingkusa.com/crmmailapp/code_auth.aspx&resource=https://crm.alberdingkusa.com/&response_type=code&state=https://adfs.alberdingkusa.com/adfs/oauth2/authorize?client_id=806e5da7-0600-e611-80bf-6c3be5b27d7a-1b0e6e30e3a2df3725f36234948bdbd5&client-request-id=a6b593c8-e591-4dad-2c01-0080000000d2

    Eventually, after several tries, it gives up, and we're back to the "Sorry" error message.

    There are no ADFS errors in the server log.

  • Community Member

    We are having the same issue - why don't Microsoft products talk to each other? This is so frustrating.

  • Community Member

    More info: The problem in Outlook seems to be related to a JavaScript call to close the authentication window that works for a webmail interface, but not the Outlook window. Will post back here if I find any more concrete info.

  • Community Member

    Have you found any solution?

  • Arpita Saini

    **Updated**

    If you have followed the TechNet step-by-step guide for App for Outlook configuration, are NOT on ADFS 4.0, ran the command below too, and are still getting the prompt, then there is a possibility we might be hitting a known issue.

    Grant-AdfsApplicationPermission -ClientRoleIdentifier "806e5da7-0600-e611-80bf-6c3be5b27d7a" -ServerRoleIdentifier https://auth.alberdingkusa.com

    ------------------

    Check in the CRM platform traces whether you notice an error similar to the one below:

    AccessDenied. HostName: xxx.abc.com, UserId: {00000000-0000-0000-0000-000000000000}, AppId: {00000000-0000-0000-0000-000000000000}, Context: ResourceAccessErrorResponseHandler.SendResponse: Rejecting claim with response 'Bearer authorization_uri=xxx.abc.com.com/.../authorize, resource_id=https://xxx.abc.com.com/'

    There was one similar bug with the above error, which was fixed in 8.2.1.410 and then in 8.2.2.175, but my customer upgraded to the latest version and is still hitting the same error. So we are working on it further to find out what is going on.

    I will update this thread once we fix this issue at our end.

  • indlad

    Hi Arpita Saini,

    Thank you for saying it's a bug. But in our environment everything was working fine until SSL on Exchange was renewed, and after renewal this issue started to happen. We started to get:

    Encountered error during OAuth authorization request.
    Additional Data
    Exception details:
    System.ArgumentNullException: Value cannot be null.
    Parameter name: issuer
       at Microsoft.IdentityModel.Tokens.JSON.JsonWebSecurityToken.Initialize(String issuer, String audience, DateTime validFrom, DateTime validTo, IEnumerable`1 claims)
       at Microsoft.IdentityModel.Tokens.JSON.JsonWebSecurityToken..ctor(String issuer, String audience, DateTime validFrom, DateTime validTo, SigningCredentials signingCredentials, IEnumerable`1 claims)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolHandler.CreateIdToken(String clientId, String nonce, SessionSecurityToken ssoToken, JsonWebSecurityToken accessToken, List`1 userInfoClaims)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolHandler.BuildTokenResponseWithSerializedToken(OAuthProtocolContext context, WrappedHttpListenerContext httpContext, Uri originalRequestBaseUri, SecurityTokenElement signOnTokenElement, ArtifactSecurityTokenType originalTokenType, String clientId, String clientRedirectUri, String resource, Boolean isKmsiRequested, String authMethod)
       at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.CreateAuthorizationResponseMessage(OAuthAuthorizationRequestContext authorizationContext, SecurityToken ssoSecurityToken, Boolean ssoSignInAttempted)

    We thought that, as the issue is complaining about the issuer, renewing SSL on CRM and ADFS would solve the issue. We renewed SSL on ADFS and CRM, reconfigured Claims and IFD, and redeployed Dynamics 365 App for Outlook; then the error on ADFS is:

    We're sorry
    Something went wrong during sign-in. Please try again. If the problem persists, contact your system administrator.

    Help me resolve this issue

    Show less

    Activity ID: 742b0e50-683e-e49e-c761-8e4d19bdb687 Date: Sun, 29 Apr 2018 09:45:27 GMT Error: OnPremAuthenticationManager: State mismatch Trace: Error at ClientError (dynamics-x.xxxxx.com/.../shim.js:1837:25) at tokenCallback (dynamics-x.xxxxx.com/.../shim.js:630:33)

    and the CRM trace shows an Access Denied error as:

    AccessDenied. HostName: dynamics-x.xxxxx.com, UserId: {00000000-0000-0000-0000-000000000000}, AppId: {00000000-0000-0000-0000-000000000000}, Context: ResourceAccessErrorResponseHandler.SendResponse: Rejecting claim with response 'Bearer authorization_uri=adfs.xxxxx.com/.../authorize, resource_id=https://dynamics-x.xxxxx.com/'

    We are on 8.2.2.112. Is there any workaround or hotfix just for this issue? Or is the only option to upgrade?

    Daniel.

  • indlad

    Quick update. As per my previous post, in our environment everything was working fine until the SSL was renewed. We are on ADFS 4.0 and CRM 8.2.2.112. What we are experiencing is close to https://community.dynamics.com/crm/f/117/t/224713. Hopefully the fix for ADFS 4.0 will fix our issue. I will update this if the fix for ADFS 4.0 fixes our issue.

  • Arpita Saini

    indlad,

    Thanks for the update, and yes, I agree with you on the ADFS 4.0 issue. I updated my original reply.

    In our case we are on ADFS 3.0 and upgraded to the latest version and still hit the same issue. We are working on that and will update this thread once it is fixed.

  • indlad

    Hi synaesthesia,

    If you are prompted for credentials, make sure that the IFD URLs are added to the Trusted Sites, enable Protected Mode on Local Intranet and Trusted Sites, and try again.
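
Added example, not part of the thread or of Microsoft's documentation: a PowerShell triage script for the MSIS9321 errors in the original post and the Grant-AdfsApplicationPermission fix reported in the replies. It lists each client/resource pair AD FS rejected and, on an AD FS server, whether a matching application permission already exists. The sample message with its placeholder client ID and host is constructed, and the property names ClientRoleIdentifier and ServerRoleIdentifier on the Get-AdfsApplicationPermission output are an assumption to confirm with Get-Member.

```powershell
# Added example, not from the thread. $sample is constructed from the
# MSIS9321 wording quoted in the original post, with placeholder values.
$sample = "Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: " +
          "MSIS9321: Received invalid OAuth request. The client '00000000-0000-0000-0000-000000000000' " +
          "is forbidden to access the resource 'auth.example.test'."
$pattern = "(?s)MSIS9321:.*?The client '(?<client>[^']+)' is forbidden to access the resource '(?<resource>[^']+)'"

function Get-DeniedOAuthPair {
    # Return the unique client/resource pairs named in MSIS9321 event messages.
    param([string[]]$Message)
    $Message | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{ Client = $Matches['client']; Resource = $Matches['resource'] }
        }
    } | Sort-Object Client, Resource -Unique
}

function Get-ResourceKey {
    # The event text can show the resource without its scheme, so compare host/path only.
    param([string]$Identifier)
    ($Identifier -replace '^https?://', '').TrimEnd('/').ToLowerInvariant()
}

# On an AD FS server read the real events (IDs 364 and 1020, as in the post);
# anywhere else fall back to the constructed sample.
$onAdfs = [bool](Get-Command Get-AdfsApplicationPermission -ErrorAction SilentlyContinue)
$messages = @($sample)
if ($onAdfs) {
    $messages = @(Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364, 1020 } `
                      -MaxEvents 200 -ErrorAction SilentlyContinue | ForEach-Object { $_.Message })
}

foreach ($pair in Get-DeniedOAuthPair -Message $messages) {
    $grant = $null   # stays $null when no AD FS cmdlets are available to check
    if ($onAdfs) {
        # Property names assumed; confirm with: Get-AdfsApplicationPermission | Get-Member
        $grant = [bool](Get-AdfsApplicationPermission | Where-Object {
            $_.ClientRoleIdentifier -eq $pair.Client -and
            (Get-ResourceKey $_.ServerRoleIdentifier) -eq (Get-ResourceKey $pair.Resource)
        })
    }
    [pscustomobject]@{ Client = $pair.Client; Resource = $pair.Resource; GrantFound = $grant }
}
```

A pair reported with GrantFound False is a candidate for the grant command quoted in the thread; confirm that the client ID and resource are the ones you expect before granting.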
