Dynamics CRM IFD on Windows Server 2012 R2 ADFS (aka ADFS 3.0) – CRM Add-in for Outlook

After hearing questions on my previous post, I thought of checking CRM for Outlook on the same VM. Luckily I hadn't nuked it right after it had served its purpose, so I could get the CRM for Outlook Configuration Wizard spinning by starting a Windows 7 VM and installing Office and CRM for Outlook.

The Configuration Wizard prompted for credentials and threw an error after I entered them. Looking at the configuration log, it seemed to be an authentication failure. Here is a snippet from the configuration log:

07:50:38| Error| Error connecting to URL: https://crm.contoso.com:444/XRMServices/2011/Discovery.svc Exception: Microsoft.Crm.CrmException: Authentication failed
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.AuthenticateClaims()
   at Microsoft.Crm.Outlook.ClientAuth.ClaimsBasedAuthProvider`1.SignIn()
   at Microsoft.Crm.Outlook.ClientAuth.ClientAuthProvidersFactory`1.SignIn(Uri endPoint, Credential credentials, AuthUIMode uiMode, IClientOrganizationContext context, Form parentWindow, Boolean retryOnError)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.DeploymentInfo.LoadOrganizations(AuthUIMode uiMode, Form parentWindow, Credential credentials)
   at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.InternalLoadOrganizations(OrganizationDetailCollection orgs, AuthUIMode uiMode, Form parentWindow)

The stack trace and exception above from CRM don't tell me the cause of the failure, and looking at the ADFS event logs and debug tracing also left me clueless. I learnt from a Fiddler trace that the mex endpoint of ADFS, i.e. https://sts.contoso.com/adfs/services/trust/mex, was returning 503 Service Unavailable. I browsed the mex endpoint URL in IE, saw the 503, and looked again at the ADFS event logs and debug trace, but found nothing relevant. I then restarted the ADFS service to see if anything showed up, and it logged an error saying it couldn't enable the Federation Service endpoints.

Event ID:      102
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
 
Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint 0.0.0.0:808. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations. ---> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
 

The reason is clear, and since this VM is also the CRM server, I know it's the CRM Sandbox service listening on port 808 (TechNet reference). This is where an ADFS configuration option comes in handy. NetTcpPort is an ADFS setting that tells ADFS to use a port other than 808; here is an article referring to this setting. After setting my ADFS service to use port 809 with the PowerShell command below and restarting the ADFS service, the mex endpoint could be browsed normally and my CRM for Outlook configuration worked like a song.

Set-AdfsProperties -NetTcpPort 809
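
The same diagnosis and fix as one script, added here as an example and not part of the original post: it confirms event 102, shows which process holds port 808, checks that 809 is free before applying the change, then verifies the mex endpoint. The service name adfssrv and the log name 'AD FS/Admin' are the standard AD FS names and are assumptions, since the post does not state them.

```powershell
# Added example: diagnose and fix the AD FS net.tcp port clash described above.
# Run elevated on the AD FS server. Ports and URL are the ones used in the post.
$ConflictPort = 808    # port named in the event 102 exception
$NewPort      = 809    # replacement port chosen in the post
$MexUrl       = 'https://sts.contoso.com/adfs/services/trust/mex'

# 1. Confirm the symptom: most recent event 102 in the AD FS admin log.
#    (Log name 'AD FS/Admin' is an assumption; it is the default AD FS log.)
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 102 } `
             -MaxEvents 1 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message

# 2. Identify which process owns the listener on the conflicting port.
Get-NetTCPConnection -State Listen -LocalPort $ConflictPort -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess
        '{0}:{1} is held by PID {2} ({3})' -f `
            $_.LocalAddress, $_.LocalPort, $p.Id, $p.ProcessName
    }

# 3. Refuse to move AD FS onto a port that already has a listener,
#    otherwise the same AddressAlreadyInUseException comes back.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort already has a listener; choose another port."
}

# 4. Record the current value, apply the change, restart the Federation Service.
#    (Service name 'adfssrv' is an assumption; it is the default AD FS service.)
"NetTcpPort before change: $((Get-AdfsProperties).NetTcpPort)"
Set-AdfsProperties -NetTcpPort $NewPort
Restart-Service -Name adfssrv

# 5. Verify: a listener exists on the new port and the mex endpoint answers.
#    Invoke-WebRequest throws on a 503, so reaching the last line means success.
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Format-Table LocalAddress, LocalPort, OwningProcess
$resp = Invoke-WebRequest -Uri $MexUrl -UseBasicParsing
"mex endpoint returned HTTP $($resp.StatusCode)"
```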

 

Hope this helps, and thank you!

Bhavesh Shastri