web
You’re offline. This is a read only version of the page.
close
Skip to main content
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics CRM (Archived) / CRM Hybrid Configurati...
Microsoft Dynamics CRM (Archived)

CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

(0) ShareShare
ReportReport
Posted on by Andrew C RCG

I'm trying to configure CRM 2016 Update 1 on-premises to authenticate to Exchange Online (Office 365) for server-side sync.

I've followed all the steps in this document: https://technet.microsoft.com/en-us/library/mt703269.aspx but when I try to test the connection for my email server profile, I get an error at the step titled, "Authorizing by using Microsoft Azure Access Control service (ACS)".

Using Auto Discover, the error says:

*****************************
Response from Exchange:
*****************************
Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. The request was aborted: The request was canceled. ---> System.Net.WebException: The request was aborted: The request was canceled. ---> Microsoft.Crm.CrmException: Access token could not be obtained from: accounts.accesscontrol.windows.net/.../2 for resource: [server GUID]/autodiscover-s.outlook.com@[my tenantId]

When I specify the server location (https://outlook.office365.com/EWS/Exchange.asmx) instead of using AutoDiscover, I get the following error:

*********************
Message from CRM::
*********************
Aquiring Token from ACS has failed. Please check if your tenantId is specified correctly in your Email Server Profile, and make sure your Exchange and CRM are under the same tenant

I've verified that the tenantId is set properly, but it wouldn't make sense that a CRM on-premises installation would be "under the same tenant" as Exchange Online. What's more confusing is that the CRM on-premises <-> SharePoint Online side of things seems to be working fine.

Please help!

*This post is locked for comments

I have the same question (0)
  • Community Member Profile Picture
    Community Member on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    We have the same issue. Have you solved the issue?

  • Andrew C RCG Profile Picture
    Andrew C RCG on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    No, we have opened a support case with Microsoft. It seems the feature is so new the techs don't even know much about it.

    So far, a tech and I have walked through the official documentation and while I was confirming some of the parameters I used for the provided PowerShell scripts (e.g., which domain name to use for "rootDomainName"), he wasn't able to confirm that the values I was using were correct. Waiting to hear back.

  • Community Member Profile Picture
    Community Member on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    Please post your findings as you learn more.  I am encountering the same error.

    Thank you!!

  • Rogerio Tortosa Profile Picture
    Rogerio Tortosa on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    hi, 

    the same problem, but other return de error

    ********************* Mensagem do CRM:: ********************* Falha ao adquirir Token do ACS. Verifique se sua tenantId está especificada corretamente em seu Perfil do Servidor de Email, e certifique-se de que o Exchange e o CRM estejam sob o mesmo locatário ***************************** Solicitar ao Exchange:: ***************************** <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> Starting SCP lookup for domainName='prodatasystems.com.br', root path='' </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> Searching for SCP entries in LDAP://CN=Configuration,DC=prodatasystems,DC=local </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> Scanning for SCP pointers Domain=prodatasystems.com.br </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> No SCP pointers found for 'Domain=prodatasystems.com.br' in configPath='CN=Configuration,DC=prodatasystems,DC=local' </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> Scanning for SCP urls for the current computer Site=Default-First-Site-Name </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> Determining which endpoints are enabled for host prodatasystems.com.br </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> Request error: O nome remoto não pôde ser resolvido: 'prodatasystems.com.br' </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> No Autodiscover endpoints are available for host prodatasystems.com.br </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:43Z"> Determining which endpoints are enabled for host autodiscover.prodatasystems.com.br </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:54Z"> Request error: Impossível conectar-se ao servidor remoto </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:54Z"> No Autodiscover endpoints are available for host autodiscover.prodatasystems.com.br </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:54Z"> Trying to get Autodiscover redirection URL from autodiscover.prodatasystems.com.br/.../autodiscover.xml. </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:54Z"> Redirection URL found: 'autodiscover-s.outlook.com/.../autodiscover.xml' </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:54Z"> Determining which endpoints are enabled for host autodiscover-s.outlook.com </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:54Z"> Request error: O servidor remoto retornou um erro: (401) Não Autorizado. </Trace> <Trace Tag="AutodiscoverConfiguration" Tid="35" Time="2016-08-11 19:37:54Z"> Host returned enabled endpoint flags: Legacy, Soap, WsSecurity, WSSecuritySymmetricKey, WSSecurityX509Cert, OAuth </Trace> <Trace Tag="AutodiscoverRequestHttpHeaders" Tid="35" Time="2016-08-11 19:37:54Z"> POST /autodiscover/autodiscover.svc HTTP/1.1 Content-Type: text/xml; charset=utf-8 Accept: text/xml User-Agent: CRM/8.0.0.0/OnPremise (ExchangeServicesClient/15.00.1076.004) client-request-id: 2eccad0a-1f03-4f91-b149-bf33ba707f66 return-client-request-id: true </Trace> <Trace Tag="AutodiscoverRequest" Tid="35" Time="2016-08-11 19:37:54Z" Version="15.00.1076.004"> <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:a="schemas.microsoft.com/.../Autodiscover" xmlns:wsa="www.w3.org/.../addressing" xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:soap="schemas.xmlsoap.org/.../envelope"> <soap:Header> <a:RequestedServerVersion>Exchange2013</a:RequestedServerVersion> <wsa:Action>schemas.microsoft.com/.../GetUserSettings&lt;/wsa:Action> <wsa:To>autodiscover-s.outlook.com/.../autodiscover.svc&lt;/wsa:To> </soap:Header> <soap:Body> <a:GetUserSettingsRequestMessage xmlns:a="schemas.microsoft.com/.../Autodiscover"> <a:Request> <a:Users> <a:User> <a:Mailbox>rogerio@prodatasystems.com.br</a:Mailbox> </a:User> </a:Users> <a:RequestedSettings> <a:Setting>ExternalEwsUrl</a:Setting> <a:Setting>InternalEwsUrl</a:Setting> </a:RequestedSettings> </a:Request> </a:GetUserSettingsRequestMessage> </soap:Body> </soap:Envelope> </Trace> ***************************** Resposta do Exchange: ***************************** Microsoft.Exchange.WebServices.Data.ServiceRequestException: The request failed. A solicitação foi anulada: A solicitação foi cancelada. ---> System.Net.WebException: A solicitação foi anulada: A solicitação foi cancelada. ---> Microsoft.Crm.CrmException: Access token could not be obtained from: accounts.accesscontrol.windows.net/.../2 for resource: 00000002-0000-0ff1-ce00-000000000000/autodiscover-s.outlook.com@3239fc6d-7ee5-459f-87e1-931ba0edaa04 ---> System.ArgumentOutOfRangeException: IDX10630: The 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey' for signing cannot be smaller than '2048' bits. Nome do parâmetro: key.KeySize Valor real era 1024. em System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures) em System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateSignature(String inputString, SecurityKey key, String algorithm, SignatureProvider signatureProvider) em System.IdentityModel.Tokens.JwtSecurityTokenHandler.WriteToken(SecurityToken token) em Microsoft.Crm.Authentication.S2S.Extensions.OAuth2MessageFactory.CreateAccessTokenRequestWithAssertion(JwtSecurityToken token, SecurityTokenHandlerCollection securityTokenHandlers, String resource) em Microsoft.Crm.Authentication.S2S.AuthorizationServerIssuedOAuthCredentials.GetSignedAccessTokenData(ServicePrincipal issuerPrincipal, WebRequest request) --- Fim do rastreamento de pilha de exceções internas --- em Microsoft.Crm.Authentication.S2S.AuthorizationServerIssuedOAuthCredentials.GetSignedAccessTokenData(ServicePrincipal issuerPrincipal, WebRequest request) em Microsoft.Crm.Authentication.S2S.AccessTokenCache.AccessTokenFactory.GetAccessToken(GetNewAccessTokenDelegate getNewAccessTokenDelegate, ITraceListener traceListener) em Microsoft.Crm.Authentication.S2S.AuthorizationServerIssuedOAuthCredentials.GetAccessToken(ServicePrincipal issuerPrincipal, WebRequest request) em Microsoft.Crm.Authentication.S2S.OAuthCredentials.AuthenticateInternal(ServicePrincipal issuerPrincipal, WebRequest request) em System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials) em System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) em System.Net.HttpWebRequest.CheckResubmitForAuth() em System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload) em System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception) em System.Net.HttpWebRequest.ProcessResponse() em System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData) --- Fim do rastreamento de pilha de exceções internas --- em System.Net.HttpWebRequest.GetResponse() em Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse() em Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverRequest.InternalExecute() --- Fim do rastreamento de pilha de exceções internas --- em Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverRequest.InternalExecute() em Microsoft.Exchange.WebServices.Autodiscover.GetUserSettingsRequest.Execute() em Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.InternalGetUserSettings(List`1 smtpAddresses, List`1 settings, Nullable`1 requestedVersion, Uri& autodiscoverUrl) em Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.GetSettings[TGetSettingsResponseCollection,TSettingName](List`1 identities, List`1 settings, Nullable`1 requestedVersion, GetSettingsMethod`2 getSettingsMethod, Func`1 getDomainMethod) em Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.GetUserSettings(List`1 smtpAddresses, List`1 settings) em Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.InternalGetSoapUserSettings(String smtpAddress, List`1 requestedSettings) em Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.GetUserSettings(String userSmtpAddress, UserSettingName[] userSettingNames) em Microsoft.Crm.Asynchronous.EmailConnector.ExchangeConnectivityDiscoverer.DiscoverUserSettingsInternal()

  • Andrew C RCG Profile Picture
    Andrew C RCG on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    After another round of troubleshooting with the technician from Microsoft, still no luck. He suspected there was an issue with the wildcard certificate I was using, but when we tried to use a self-signed certificate, it didn't work either.

  • Andrew C RCG Profile Picture
    Andrew C RCG on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    [quote user="Rogerio Tortosa"]

    System.ArgumentOutOfRangeException: IDX10630: The 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey' for signing cannot be smaller than '2048' bits. Nome do parâmetro: key.KeySize Valor real era 1024.

    [/quote]

    Hi Rogerio,

    It looks like the certificate you are using doesn't have a key that's long enough. Can you try again with a certificate that has a key that's at least 2048 bits long?

    Pode tentar com um certificato que tenha uma chave de, no mínimo, 2048 bits? O erro diz que o seu certificado tem uma chave de só 1024 bits.

  • Suggested answer
    Andrew C RCG Profile Picture
    Andrew C RCG on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    The support technician was able to help us fix this issue. The documentation is lacking.

    We use separate domain accounts for each of the CRM services. The service account under which the "Microsoft Dynamics CRM Asynchronous Processing Service" service runs needs to be given read permission to the private key of the certificate you're trying to use for authentication with Exchange Online.

    As a reminder:

    1. Run mmc.
    2. File -> Add/remove snap-in...
    3. Add "Certificates" (Computer account, Local Computer).
    4. Navigate to Certificates/Personal/Certificates.
    5. Right-click the certificate you're trying to use for authentication with Exchange Online -> All Tasks -> Manage Private Keys.
    6. Add the service account the Asynchronous Service runs under and give it read permission.
    7. Restart the "Microsoft Dynamics CRM Asynchronous Processing Service" and the "Microsoft Dynamics CRM Asynchronous Processing Service (maintenance)" services.

     We were able to successfully test the connection after that.

  • Community Member Profile Picture
    Community Member on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    We have the same issue but with CRM Online and Exchange On Premise so we can not apply this fix

  • Community Member Profile Picture
    Community Member on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    I have the same problem but with CRM Online and exchange on premise so we can not use this fix

  • gledesma Profile Picture
    gledesma on at
    RE: CRM Hybrid Configuration Error: "Aquiring [sic] Token from ACS has failed."

    I have the same problem but with CRM 8.2 and Exchange 2010 On-Prem so we can not use this fix.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Join experts in person to explore low code and AI agents at the Power Platform Community Conference sponsored by Microsoft

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Abhilash Warrier – Community Spotlight

We are honored to recognize Abhilash Warrier as our Community Spotlight honoree for…

Congratulations to the September Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics CRM (Archived)

#1
HR-09070029-0 Profile Picture

HR-09070029-0 2

#2
ED-30091530-0 Profile Picture

ED-30091530-0 1

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans