web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / Unable to use Apps whi...
Microsoft Dynamics CRM (Archived)

Unable to use Apps which Utilize OAUTH via IFD (CRM 2016 On-Premise + Server 2012 R2)

(0) ShareShare
ReportReport
Posted on by George Rizk 7

Hi All,

Back in the days when ADFS was running in IIS we where able to adjust the permissions on the ADFS virtual folders so that things like "Windows Authentication" and "Anonymous" could be adjusted on the "/ADFS/LS" folders etc.

We are having an issue which I have tracked down using the fiddler tool. Following this great article to help me I was able to find that there are permission issues with an ADFS Endpoint "adfs/oauth2"

[View:http://survivingcrm.com/2014/08/troubleshooting-crm-tablets-login-issues/]

Issue we are having is this:

We are getting a HTTP 401 on the ADFS/oauth2 folder when trying to access our CRM instance Externally via IFD. Apps like Dynamics CRM for Outlook 2016 and Dynamics CRM for Phone (iphone) are just not logging in to CRM when accessed Externally.

Our Claims + IFD was working perfectly in CRM 2015 and it seems to be working perfectly in CRM 2016 as we can login internally and externally without any issues via the website. It just seems that any login attempts that utilises the OAUTH endpoint when accessed externally are being knocked back due to permission. Issues with the OAUTH endpoint. When I VPN in it works perfectly.

Have tried the following:

1. Repaired CRM 2016 instance

2. Rebooted

3. Removed and Reinserted the Post installation ADFS commands to allow OAUTH applications as per Microsoft Article:

[View:https://technet.microsoft.com/en-us/library/hh699726.aspx]

4. Have also checked if we have any MEX Endpoint issues as per CRM 2011 / 2013 but that is not the case.

5. Have also re-ran the Claims and IFD setup through deployment manager.

6. Checked for ADFS logs on server and none are generated during login of the client.

Ideally what I would like to do is add "Windows Authentication" option to ADFS 3.0 Endpoint "ADFS/oauth2". I feel I have almost fixed the issue and just need some further expert assistance to push this one over the line.

Some have suggested disabling "Windows Authentication" on the "Intranet" section of the Relaying Party Trust but this is not an option for us as we have systems that required "Windows Authentication" when using CRM as its not possible to login using Forms on those systems.

Our environment is mixed "Forms Based Authentixation + Windows Authentication"

This was all working perfectly in CRM 2015 on Server 2012 R2.

Our in-place upgrade also went through very smoothly to CRM 2016 a couple of weeks ago.

Is anyone using CRM 2016 + Server 2012 R2 and having similar issues with OAUTH?

Would love to hear your expert thoughts.

*This post is locked for comments

I have the same question (0)
  • Suggested answer
    George Rizk Profile Picture
    George Rizk 7 on at

    Got it working using the following:

    1. Once you have configured the Post Installation tasks required by Microsoft using Powershell for OAUTH you than strangely need to go back to deployment manager and re-run Claims setup + IFD setup using the exact same details. Simply a Next Next Next job!

    2. Once you re-run both of those you than go into ADFS Management console and update the Federation Metadata for both Internal and External access.

    Strange thing Im finding though is  when setting up Dynamics CRM 2016 for Outlook we get prompted for CRM credentials and when entering them in we get MSIS7068 Authentication failure. To overcome this I had to temporarily disable MFA on the ADFS instance to setup the user. Once the user was setup I than re-enabled MFA.

    All seems to be working OK for now. If further issues are found will report back.

  • George Rizk Profile Picture
    George Rizk 7 on at

    Spoke to soon! When you re-run Claims + IFD Setup from Deployment Manager it resets the "OAuthClaimsSettings" back to "Enabled = False"

    Funny thing I found however was when OAuthClaimsSettings is not Enabled than the Dynamics CRM for Phones app works perfectly on the iPhone. When you Enable OAuthClaimsSettings it all of a sudden stops working.

    Here is what I have so far:

    OAuthClaimsSettings (Enabled = True) - Internal Desktop computers utilizing OAUTH will work perfectly and sign into CRM 2016 perfectly when using Dynamics CRM for Outlook 2016.

    OAuthClaimsSettings (Enabled = False) - External desktops using IFD with Dynamics CRM for Outlook 2016 and Phones will not connect to CRM 2016. However Login via the External IFD is working fine via the browser.

    The following setting seems to break external IFD access for Dynamics CRM for Outlook 2016 and Dynamics CRM for Phones.

    $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings

    $ClaimsSettings.Enabled = $true

    Set-CrmSetting -Setting $ClaimsSettings

    FYI I already have the following setup as well for the apps:

    Add-AdfsClient -ClientId ce9f9f18-dd0c-473e-b9b2-47812435e20d -Name "Microsoft Dynamics CRM for tablets and phones" -RedirectUri ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, ms-app://s-1-15-2-3781685839-595683736-4186486933-3776895550-3781372410-1732083807-672102751/, urn:ietf:wg:oauth:2.0:oob

    Add-AdfsClient -ClientId  2f29638c-34d4-4cf2-a16a-7caf612cee15  -Name "Dynamics CRM Outlook Client" -RedirectUri app://6BC88131-F2F5-4C86-90E1-3B710C5E308C/

    We are also using MFA (Multifactor Authentication) which I have turned off when testing.

    Will keep smashing away at this and post my trip along the way.

    Strange as all this was working perfectly with CRM 2015.

    If anyone has any suggestions would love to hear from some ADFS / CRM 2016 experts.

  • Community Member Profile Picture
    Community Member on at

    Hi George,

    I am wondering if you ever found a resolution for this. I am faced with a similar issue, we ran the powershell scripts suggested by Microsoft but it seems no matter what we do we are unable to access CRM using the CRM for Phones app. We are seeing errors in ADFS, which is a little unlike what you describe. If you did end up resolving this issue, I would be interested to hear what you did.

    Thanks!

    Clint

  • George Rizk Profile Picture
    George Rizk 7 on at

    Hi Clint,

    We are still having this issue. Have even installed update rollup 0.1 for CRM 2016 and still getting this issue.

    I am attacking this problem very aggressively and will continue to try and resolve it.

    If you turn off MFA you will most likely find the mobile app will work perfectly. But having said that this is not a solution.

    Another interesting development we have since found is that Outlook for CRM 2016 Client loads a blank white box (I suspect this is the MFA Window) and closes it multiple times without prompting us for MFA when our Outlook client is authenticating over IFD. Outlook than finally opens with all the CRM toolbars greyed out meaning it was not able to make a connection to CRM. When running Fiddler to analyze the issue it appears we are having the same issue as when we try to use the Mobile App on the phone. If we first establish a VPN connection we are than prompted with the MFA window which is how we expect it to work.

    For me personally I am beginning to think MFA breaks when used with Apps over IFD. I know however that our MFA works over IFD as where able to authenticate through the CRM website using MFA over IFD.

    It's just the bloody Apps refuse to work with MFA over IFD. Outlook For CRM and Phone Apps alike.

    Have not spent too much time on this problem recently but happy to continue if anyone has any ideas.

  • Community Member Profile Picture
    Community Member on at

    This could be the Claims/IFD problems reported in the 0.1 crm update.

    Contact MS support and ask for the COD that fix Claims/ifd. It will also come in the 0.2 patch.

    Cause: It’s a known bug with recently reported in 0.1 Update for CRM 2016.

     Possible Case for the Issue: There were major code changes in Ara UR1 for authentication. The affected code is in Microsoft.Crm.Core.Security.Identity.IdentityExtensions.GetUserPrincipalName(). We are unable to cast to a from type ClaimsIdentity to a new type CrmIdentity.

    Therefore, the variable is null, and we cannot retrieve the information

    From MS support:

    Indeed the issue you state is known internally as TFS 295428 / 290182 and the HFI was resolved as COD and I have the COD available to send to you if your CRM 2016 server is English based.

    We just rescived a fix for a customer today. Installing and testing this tomorrow.

    Have a nice day.

  • Community Member Profile Picture
    Community Member on at

    Has anyone been able to solve this issue?

  • http://.Interactivewebs.com Profile Picture
    http://.Interactive... on at

    Just wondering if you got things working? We have the same issue. Very frustrating!

  • Suggested answer
    Jigar Patel 04 Profile Picture
    Jigar Patel 04 on at

    Hi ,

    Try the Disabling windows auth for few IIS directory solution provided here :

    http://www.bizsensetech.com/2018/02/dynamics-365-app-for-outlook-auth-issue.html

  • Community Member Profile Picture
    Community Member on at

    We have the same issue, if I enable Oauth i break mobile app, if disable it mobile app works but i break the Dynamics app for outlook.  

  • Victor Parada Profile Picture
    Victor Parada 201 on at

    Good afternoon to all of yours, 

    Currently we have installed the version 8.2.8.15 of MS Dynamics 365 and we are facing the same issue as is described in this topic. When we activate the OAuth the Outlook Plugin and also the Mobile App stop to work but the Browser version and the integration with Power BI using OData feed works very well. When we deactivate the OAuth the Outlook Plugin and also the Mobile App works fine as well the Browser version but the Integration with Power BI using OData feed stop to work.

    We need to ensure that all the Apps and integrations are working well for our environment, so we need to have the OAuth active as this is mandatory for the Power BI integration, but at the same time we need to have working the Outlook client and the Mobile App as well, so my question here is, did someone find an solution to this issue? Could be shared with me?

    Looking forward to hear from you soon.

    Thank you in advance

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
SA-08121319-0 Profile Picture

SA-08121319-0 4

#1
Calum MacFarlane Profile Picture

Calum MacFarlane 4

#3
Alex Fun Wei Jie Profile Picture

Alex Fun Wei Jie 2

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans