Hello, we have a problem with the Dynamics 365 App for Outlook in Outlook 2016.
The app works fine the first time Outlook is started with a clean IE cache. On the second start of Outlook, the app fails.
The environment:
The first time, after clearing the Internet Explorer cache and starting Outlook and then the Dynamics 365 App, an ADFS logon dialog pops up in an IE window. After entering username and password, the app works.
After closing Outlook and reopening it (without clearing the Internet Explorer cache) and then starting the Dynamics 365 App, an ADFS logon pops up in the Edge browser. After entering username and password, the Edge browser ends with a 404 error on the URL "https://anwendertreffen.e2016sp2.adfs/crmmailapp/default.aspx"
Now every time Outlook accesses the Dynamics 365 App, it does not work and ends with error 404.
After clearing the Internet Explorer cache, the Outlook app opens an Internet Explorer popup for the ADFS logon and works one time.
We have the same problem/behavior in 3 different server/CRM environments, all with the (same) config.
CRM Server Config:
PS C:\Users\crmadmin> Get-CrmSetting ClaimsSettings
Enabled : True
EncryptionCertificate : CN=CRM ADFS TOKEN
FederationMetadataUrl : sts2016.crm.adfs/.../federationmetadata.xml
FederationProviderType : 0
SessionSecurityTokenLifetimeInHours : 24

PS C:\Users\crmadmin> Get-CrmSetting OAuthClaimsSettings
Enabled : True
EncryptionCertificate : CN=CRM ADFS TOKEN
FederationMetadataUrl : sts2016.crm.adfs/.../federationmetadata.xml
FederationProviderType : 1
SessionSecurityTokenLifetimeInHours : 24

PS C:\Users\crmadmin> Get-CrmSetting IfdSettings
DiscoveryWebServiceRootDomain : e2016sp2.adfs
Enabled : True
ExternalDomain : https://auth.e2016sp2.adfs/
IntranetAccessEnabled : False
OrganizationWebServiceRootDomain : e2016sp2.adfs
WebApplicationRootDomain : e2016sp2.adfs

PS C:\Users\crmadmin> Get-CrmSetting WebAddressSettings
DeploymentSdkRootDomain : e2016sp2app.crm.local
DiscoveryRootDomain : e2016sp2app.crm.local
HelpServerUrl :
NlbEnabled : False
RootDomainScheme : https
SdkRootDomain : e2016sp2app.crm.local
SslHeader :
WebAppRootDomain : e2016sp2app.crm.local
ADFS Server Config:
PS C:\Users\crmadmin> Get-AdfsRelyingPartyTrust | fl
AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : None
WSFedEndpoint : https://e2016sp2app.crm.local/
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {}
ClaimsAccepted : {, , }
EncryptClaims : True
Enabled : True
EncryptionCertificate :
  [Subject] CN=CRM ADFS TOKEN
  [Issuer] CN=crm-CRMMASTERAD-CA, DC=crm, DC=local
  [Serial Number] 7B00000029577049BABFE6F816000000000029
  [Not Before] 09.11.2017 14:28:27
  [Not After] 09.11.2019 14:38:27
  [Thumbprint] E6DE2C77F299B5F703C4A2DF4D8BF94578F39FE2
Identifier : {https://e2016sp2app.crm.local/}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : 116848a8-54c5-e711-b519-00155dca1145
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public, Confidential
IssueOAuthRefreshTokensTo : AllDevices
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
Name : e2016sp2app.crm.local
AutoUpdateEnabled : True
MonitoringEnabled : True
MetadataUrl : https://e2016sp2app.crm.local/FederationMetadata/2007-06/FederationMetadata.xml
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules :
IssuanceTransformRules :
  @RuleTemplate = "PassThroughClaims"
  @RuleName = "UPN"
  c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);

  @RuleTemplate = "PassThroughClaims"
  @RuleName = "PriID"
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(claim = c);

  @RuleTemplate = "MapClaims"
  @RuleName = "SAM to Name"
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful : True
LastUpdateTime : 13.11.2017 15:20:23
LastMonitoredTime : 16.11.2017 14:00:12
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName : Jedem Einzelnen Zugriff gewähren
AccessControlPolicyParameters :
ResultantPolicy : RequireFreshAuthentication:False
  IssuanceAuthorizationRules: { Jedem Einzelnen Zugriff gewähren }

AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : None
WSFedEndpoint : https://auth.e2016sp2.adfs/
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {}
ClaimsAccepted : {, , }
EncryptClaims : True
Enabled : True
EncryptionCertificate :
  [Subject] CN=CRM ADFS TOKEN
  [Issuer] CN=crm-CRMMASTERAD-CA, DC=crm, DC=local
  [Serial Number] 7B00000029577049BABFE6F816000000000029
  [Not Before] 09.11.2017 14:28:27
  [Not After] 09.11.2019 14:38:27
  [Thumbprint] E6DE2C77F299B5F703C4A2DF4D8BF94578F39FE2
Identifier : {https://anwendertreffen.e2016sp2.adfs/, https://auth.e2016sp2.adfs/, ...}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes :
OrganizationInfo :
ObjectIdentifier : 18fbc29c-56c5-e711-b519-00155dca1145
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public, Confidential
IssueOAuthRefreshTokensTo : AllDevices
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
Name : auth.e2016sp2.adfs
AutoUpdateEnabled : True
MonitoringEnabled : True
MetadataUrl : https://auth.e2016sp2.adfs/FederationMetadata/2007-06/FederationMetadata.xml
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules :
IssuanceTransformRules :
  @RuleTemplate = "PassThroughClaims"
  @RuleName = "UPN"
  c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);

  @RuleTemplate = "PassThroughClaims"
  @RuleName = "Pri ID"
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"] => issue(claim = c);

  @RuleTemplate = "MapClaims"
  @RuleName = "sAM to name"
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful : True
LastUpdateTime : 13.11.2017 15:20:27
LastMonitoredTime : 16.11.2017 14:00:12
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName : Jedem Einzelnen Zugriff gewähren
AccessControlPolicyParameters :
ResultantPolicy : RequireFreshAuthentication:False
  IssuanceAuthorizationRules: { Jedem Einzelnen Zugriff gewähren }

PS C:\Users\crmadmin> Get-AdfsClient | fl
RedirectUri : {ms-app://windows.immersivecontrolpanel/, ms-appx-web://microsoft.aad.brokerplugin/dd762716-544d-4aeb-a526-687b73838a22}
Name : Geräteregistrierungsclient
Description : Client für den Geräteregistrierungsdienst
ClientId : dd762716-544d-4aeb-a526-687b73838a22
BuiltIn : True
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {https://168f3ee4-63fc-4723-a61a-6473f6cb515c/redir, ms-appx-web://microsoft.aad.brokerplugin/168F3EE4-63FC-4723-A61A-6473F6CB515C}
Name : Client für Windows Server-Arbeitsordner
Description : Client zum Synchronisieren von Benutzerdateien mit einer Arbeitsordner-Synchronisierungsfreigabe
ClientId : 168f3ee4-63fc-4723-a61a-6473f6cb515c
BuiltIn : True
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {app://5d3e90d6-aa8e-48a8-8f2c-58b45cc67315/}
Name : Dynamics 365 Development Tools
Description :
ClientId : 2ad88395-b77d-4561-9441-d0e40824f9bc
BuiltIn : False
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {ms-appx-web://microsoft.aad.brokerplugin/}
Name : Tokenbrokerclient
Description : Client für Microsoft Windows-Tokenbroker
ClientId : 29d9ed98-a469-4536-ade2-f981bc1d605e
BuiltIn : True
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-3389625500-1882683294-3356428533-41441597-3367762655-213450099-2845559172/, ms-app://s-1-15-2-3781685839-595683736-4186486933-3776895550-3781372410-1732083807-672102751/...}
Name : Microsoft Dynamics CRM for tablets and phones
Description :
ClientId : ce9f9f18-dd0c-473e-b9b2-47812435e20d
BuiltIn : False
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {https://anwendertreffen.e2016sp2.adfs/crmmailapp/code_auth.aspx}
Name : Dynamics 365 App vor Outlook Forum+
Description :
ClientId : 806e5da7-0600-e611-80bf-6c3be5b27d7a
BuiltIn : False
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {app://41889de4-3fe1-41ab-bcff-d6f0a6900264/}
Name : Dynamics 365 Unified Service Desk
Description :
ClientId : 4906f920-9f94-4f14-98aa-8456dd5f78a8
BuiltIn : False
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {ms-appx-web://microsoft.aad.brokerplugin/}
Name : Windows-Anmeldeclient
Description : Client für Microsoft Windows-Anmeldung
ClientId : 38aa3b87-a06d-4817-b275-7a316988d93b
BuiltIn : True
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {app://6bc88131-f2f5-4c86-90e1-3b710c5e308c/}
Name : Dynamics CRM Outlook Client
Description :
ClientId : 2f29638c-34d4-4cf2-a16a-7caf612cee15
BuiltIn : False
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

RedirectUri : {https://anwendertreffen.e2016sp2.adfs/crmmailapp/code_auth.aspx}
Name : Dynamics 365 App for Outlook
Description :
ClientId : d55784eb-2499-e711-80bc-00155dca1139
BuiltIn : False
Enabled : True
ClientType : Public
ADUserPrincipalName :
ClientSecret :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :

PS C:\Users\crmadmin> Get-AdfsApplicationPermission | fl
ConsentType : Administrator
ClientRoleIdentifier : d55784eb-2499-e711-80bc-00155dca1139
ServerRoleIdentifier : https://anwendertreffen.e2016sp2.adfs/
Description :
ObjectIdentifier : 7051ecd2-45b6-4d25-8295-03145fdc8ce4
ScopeNames : {}

ConsentType : Administrator
ClientRoleIdentifier : 38aa3b87-a06d-4817-b275-7a316988d93b
ServerRoleIdentifier : http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope
Description :
ObjectIdentifier : 54c8e6b2-68dd-44c7-8273-0eea9c43994d
ScopeNames : {aza, openid}

ConsentType : Administrator
ClientRoleIdentifier : 38aa3b87-a06d-4817-b275-7a316988d93b
ServerRoleIdentifier : urn:ms-drs:enterpriseregistration.windows.net
Description :
ObjectIdentifier : 991ecc03-186f-4a1f-9b18-2070c024d96a
ScopeNames : {openid}

ConsentType : Administrator
ClientRoleIdentifier : 29d9ed98-a469-4536-ade2-f981bc1d605e
ServerRoleIdentifier : urn:ms-drs:enterpriseregistration.windows.net
Description :
ObjectIdentifier : 0eb9d090-6cf1-4d41-b4b4-4cc7c6183711
ScopeNames : {openid}

ConsentType : Administrator
ClientRoleIdentifier : 29d9ed98-a469-4536-ade2-f981bc1d605e
ServerRoleIdentifier : http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope
Description :
ObjectIdentifier : 9ae9be5d-fee4-41e5-8fe4-601e1750597b
ScopeNames : {aza, openid}

ConsentType : Administrator
ClientRoleIdentifier : 806e5da7-0600-e611-80bf-6c3be5b27d7a
ServerRoleIdentifier : https://anwendertreffen.e2016sp2.adfs/
Description :
ObjectIdentifier : f5e91bf2-aa8a-4d5b-a436-bdca9c0432fe
ScopeNames : {}

ConsentType : Administrator
ClientRoleIdentifier : AllRegisteredClients
ServerRoleIdentifier : urn:microsoft:userinfo
Description :
ObjectIdentifier : 2683d00f-ef39-447f-a82f-c50a771b2512
ScopeNames : {openid}

ConsentType : Administrator
ClientRoleIdentifier : 2f29638c-34d4-4cf2-a16a-7caf612cee15
ServerRoleIdentifier : https://anwendertreffen.e2016sp2.adfs/
Description :
ObjectIdentifier : 071f0ae3-584f-45f2-b932-e181d8581c66
ScopeNames : {}

ConsentType : Administrator
ClientRoleIdentifier : AllRegisteredClients
ServerRoleIdentifier : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
Description :
ObjectIdentifier : 356ca934-b526-433e-893e-e940ecfa3435
ScopeNames : {openid}

PS C:\Users\crmadmin> Get-AdfsProperties | fl
AcceptableIdentifiers : {}
AddProxyAuthorizationRules :
  exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^AD AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustManagerSid({0})", param=c.Value );
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", Issuer =~ "^SELF AUTHORITY$" ] => issue(store="_ProxyCredentialStore",types=("http://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0})", param=c.Value );
ArtifactDbConnection : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsArtifactStore;Integrated Security=True
AuthenticationContextOrder : {urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
AuditLevel : {Basic}
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateSharingContainer : CN=983e13f6-0109-4a88-bbbe-b51e425fa650,CN=ADFS,CN=Microsoft,CN=Program Data,DC=crm,DC=local
CertificateThresholdMultiplier : 1440
ClientCertRevocationCheck : None
ContactPerson :
DisplayName : Entwicklung 2016
IntranetUseLocalClaimsProvider : False
ExtendedProtectionTokenCheck : Allow
FederationPassiveAddress : /adfs/ls/
HostName : sts2016.crm.adfs
HttpPort : 80
HttpsPort : 443
TlsClientPort : 49443
Identifier : http://sts2016.crm.adfs/adfs/services/trust
IdTokenIssuer : https://sts2016.crm.adfs/adfs
InstalledLanguage : de-DE
LogLevel : {Errors, FailureAudits, Information, Verbose...}
MonitoringInterval : 1440
NetTcpPort : 1501
NtlmOnlySupportedClientAtProxy : False
OrganizationInfo :
PreventTokenReplays : False
ProxyTrustTokenLifetime : 21600
ReplayCacheExpirationInterval : 60
SignedSamlRequestsRequired : False
SamlMessageDeliveryWindow : 5
SignSamlAuthnRequests : False
SsoLifetime : 480
PersistentSsoLifetimeMins : 129600
KmsiLifetimeMins : 1440
PersistentSsoEnabled : True
PersistentSsoCutoffTime : 01.01.0001 01:00:00
KmsiEnabled : False
LoopDetectionEnabled : True
LoopDetectionTimeIntervalInSeconds : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes : 60
SendClientRequestIdAsQueryStringParameter : False
WIASupportedUserAgents : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
BrowserSsoSupportedUserAgents : {Windows NT 1, Windows Phone 1}
ExtranetLockoutThreshold : 2147483647
ExtranetLockoutEnabled : False
ExtranetObservationWindow : 00:30:00
GlobalRelyingPartyClaimsIssuancePolicy : c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"] => issue(claim = c);c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier"] => issue(claim = c);
ExtranetLockoutRequirePDC : True
LocalAuthenticationTypesEnabled : True
RelayStateForIdpInitiatedSignOnEnabled : False
BrowserSsoEnabled : True
DelegateServiceAdministration :
AllowSystemServiceAdministration : False
AllowLocalAdminsServiceAdministration : True
CurrentFarmBehavior : 3
DeviceUsageWindowInDays : 14
EnableIdpInitiatedSignonPage : False
IgnoreTokenBinding : False

PS C:\Users\crmadmin> Get-AdfsAuthenticationProvider
AdminName : Formularauthentifizierung
AllowedForPrimaryExtranet : True
AllowedForPrimaryIntranet : True
AllowedForAdditionalAuthentication : False
AuthenticationMethods : {urn:oasis:names:tc:SAML:1.0:am:password, urn:oasis:names:tc:SAML:2.0:ac:classes:Password, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password}
Descriptions : {}
DisplayNames : {}
Name : FormsAuthentication
IdentityClaims : {}
IsCustom : False
RequiresIdentity : False

AdminName : Windows-Authentifizierung
AllowedForPrimaryExtranet : False
AllowedForPrimaryIntranet : True
AllowedForAdditionalAuthentication : False
AuthenticationMethods : {urn:ietf:rfc:1510, urn:federation:authentication:windows, urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos, http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/kerberos...}
Descriptions : {}
DisplayNames : {}
Name : WindowsAuthentication
IdentityClaims : {}
IsCustom : False
RequiresIdentity : False
We have the same problem with a slightly different environment:
The start of Dynamics 365 App / logon only works the first time - the subsequent App starts / logons end up in the 404 error webpage (url: https://host.domain.name/crmmailapp/default.aspx)
"Cookies and website data" in Internet Explorer is the only data we need to delete, so that it works for another logon.