Dynamics 365 App for Outlook Authentication Issue

(0) Share

Report

Posted on by Community Member Microsoft Employee

Hi all;

We are working with a client to deploy the new Dynamics 365 App for Outlook in their environment (CRM: Dynamics 365 Update 2.1, Claims/IFD, Server 2016; Client: Win10/Office 2016).

We have successfully deployed the D365 app, but upon activation in Outlook, users are first presented with an ADFS pop-up window, asking for credentials. After entering credentials, the user gets a "We're sorry - Something went wrong during sign-in" error.

On the server, there are several ADFS errors that appear:

ADFS Error 1020: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9321: Received invalid OAuth request. The client '806e5da7-0600-e611-80bf-6c3be5b27d7a' is forbidden to access the resource 'auth.alberdingkusa.com'. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.ValidateCore()

ADFS Error 364: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9321: Received invalid OAuth request. The client '806e5da7-0600-e611-80bf-6c3be5b27d7a' is forbidden to access the resource 'auth.alberdingkusa.com'. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.ValidateCore() at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate() at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

ADFS Error 1021: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenMissingAuthorizationCodeException: MSIS9246: Received invalid OAuth access token request. The 'code' parameter is missing or found empty. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthAccessTokenRequestContext.ValidateCore()

____________________________________________

The ADFS relying parties on the ADFS server have been deleted and rebuilt using powershell.

Access Control Policies for both have been set to Permit Access to All Users.

The ADFSClient for the D365 App for Outlook has been set.

Access via the web UI is normal.

*This post is locked for comments

All responses (12)

Answers (0)

Victor Parada 201 on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

Hello folks, how are you today?

Currently I'm facing issues with the MS Dynamics 365 Mobile App, so I want to know if you are able to share me your findings on the matter.

The error I'm getting after an successfully authentication on the ADFS is: AccessDenied. HostName: xxx, UserId: {00000000-0000-0000-0000-000000000000}, AppId: {00000000-0000-0000-0000-000000000000}, Context: ResourceAccessErrorResponseHandler.SendResponse: Rejecting claim with response 'Bearer authorization_uri=xxxx, resource_id=xxxxx

I see in one of the posts for Miss Saini that she had the same issue and she fixed it after did the execution of the above command. My question is: do you know if that command will also fix my issue with the Mobile App (Iphone / Ipad)?

Grant-AdfsApplicationPermission -ClientRoleIdentifier "806e5da7-0600-e611-80bf-6c3be5b27d7a" -ServerRoleIdentifier

Thank you in advance.
indlad 450 on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

Hi All,

   To make sure that the OAuth is working, run the following Powershell command

   Get-AdfsEndpoint -AddressPath "/adfs/.well-known/openid-configuration"

   And when you browse FullUrl from the above command on ADFS Server copy and paste on IE and you will get a JSON file with all the information.

Regards,

Daniel.
indlad 450 on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

Hi synaesthesia,

If you are prompted with credentials make sure that the IFD URls are added to the TRUSTED Sites and enable Protected Mode on Local Intranet and Trusted Sites and try.
Arpita Saini on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

indlad,

Thanks for the update and yes I agree with you on ADFS 4.0 issue. I updated my original reply.

In our case we are on ADFS 3.0 and upgraded to latest version and still hit same issue. working on that and will update this thread once it is fixed.
indlad 450 on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

Quick Update. As per my previous post our environment everything was working fine until the SSL was renewed. We are on ADFS 4.0 and CRM 8.2.2.112. What we are experiencing is close to https://community.dynamics.com/crm/f/117/t/224713. Hopefully the fix for ADFS4.0 will fix our issue. I will update this if the fix for ADFS 4.0 fixed our issue.
indlad 450 on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

Hi Arpita Saini,

Thank you for saying its a bug. But in our environment everything was working fine until SSL on Exchange was renewed and after renewal this issue started to happen. we started to get

Encountered error during OAuth authorization request.

Additional Data

Exception details:

System.ArgumentNullException: Value cannot be null.

Parameter name: issuer

   at Microsoft.IdentityModel.Tokens.JSON.JsonWebSecurityToken.Initialize(String issuer, String audience, DateTime validFrom, DateTime validTo, IEnumerable`1 claims)

   at Microsoft.IdentityModel.Tokens.JSON.JsonWebSecurityToken..ctor(String issuer, String audience, DateTime validFrom, DateTime validTo, SigningCredentials signingCredentials, IEnumerable`1 claims)

   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolHandler.CreateIdToken(String clientId, String nonce, SessionSecurityToken ssoToken, JsonWebSecurityToken accessToken, List`1 userInfoClaims)

   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolHandler.BuildTokenResponseWithSerializedToken(OAuthProtocolContext context, WrappedHttpListenerContext httpContext, Uri originalRequestBaseUri, SecurityTokenElement signOnTokenElement, ArtifactSecurityTokenType originalTokenType, String clientId, String clientRedirectUri, String resource, Boolean isKmsiRequested, String authMethod)

   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationProtocolHandler.CreateAuthorizationResponseMessage(OAuthAuthorizationRequestContext authorizationContext, SecurityToken ssoSecurityToken, Boolean ssoSignInAttempted)

we thought that as the issue is complaining about Issuer renewing SSL on CRM and ADFS will solve the issue. We renewed SSL on ADFS and CRM and reconfigured Claims and IFD and redeployed Dynamics 365 App for Outlook then the error on ADFS is

We're sorry
Something went wrong during sign-in. Please try again. If the problem persists, contact your system administrator.

Help me resolve this issue

Show less

Activity ID: 742b0e50-683e-e49e-c761-8e4d19bdb687 Date: Sun, 29 Apr 2018 09:45:27 GMT Error: OnPremAuthenticationManager: State mismatch Trace: Error at ClientError (dynamics-x.xxxxx.com/.../shim.js:1837:25) at tokenCallback (dynamics-x.xxxxx.com/.../shim.js:630:33)

and the CRM Trace show Access Denied Error as

AccessDenied. HostName: dynamics-x.xxxxx.com, UserId: {00000000-0000-0000-0000-000000000000}, AppId: {00000000-0000-0000-0000-000000000000}, Context: ResourceAccessErrorResponseHandler.SendResponse: Rejecting claim with response 'Bearer authorization_uri=adfs.xxxxx.com/.../authorize, resource_id=https://dynamics-x.xxxxx.com/'

we are on 8.2.2.112 . Is there any workAround or hotfix just for this isue? or only option is to Upgrade?

Daniel.
Arpita Saini on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

**Updated**

If you have followed the TechNet for step by step app for outlook configuration , NOT on ADFS 4.0 , ran below command too and still getting the prompt then there is a possibility we might be hitting a known issue.

Grant-AdfsApplicationPermission -ClientRoleIdentifier "806e5da7-0600-e611-80bf-6c3be5b27d7a" -ServerRoleIdentifier https://auth.alberdingkusa.com

------------------

Check in CRM plat traces if you notice error similar to below:-

AccessDenied. HostName: xxx.abc.com, UserId: {00000000-0000-0000-0000-000000000000}, AppId: {00000000-0000-0000-0000-000000000000}, Context: ResourceAccessErrorResponseHandler.SendResponse: Rejecting claim with response 'Bearer authorization_uri=xxx.abc.com.com/.../authorize, resource_id=https://xxx.abc.com.com/'

There was one similar bug with above error which is fixed in 8.2.1.410 and then in 8.2.2.175 but my customer upgraded to latest version and still hitting same error. So, we are working on it further to find what is going on.

I will update this thread once we fix this issue at our end.
Community Member Microsoft Employee on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

have you found any solution?
Community Member Microsoft Employee on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

More info: The problem in Outlook seems to be related to a javascript call to close the authentication window that works for a webmail interface, but not the Outlook window. Will post back here if I find any more concrete info.
Community Member Microsoft Employee on at

Like (0)

Report

RE: Dynamics 365 App for Outlook Authentication Issue

We are having the same issue - why doesn't Microsoft products talk to each other. This is so frustrating