I’ve been trying hard to get the Outlook Client from a certain domain to connect to a CRM server belonging to a different domain.
When setting up the Microsoft CRM Outlook Client, you normally the Configuration Wizard, which looks like this:
So now, you are suppose to enter the CRM Server’s URL. And today, for some reason, I received this error message:
I thoroughly searched the Web for a solution to this problem, and tested all sorts of things (like uninstall/reinstall the client, clean up registry keys, adjust time settings, …). And yes, there is a KB about this issue! I was delighted to find it since it’s quite an accurate KB. Indeed, as described in cause 1, I was using an IP address:
This issue occurs if you used the IP address of the Microsoft Dynamics CRM server instead of the DNS name during the Microsoft Dynamics CRM client for Outlook installation. An example of a DNS name is http://crm.
Solution suggested by Microsoft:
Method 1: Add the IP address of the Microsoft CRM server to the Trusted Sites list of the Local intranet zone on the computer that is running the Microsoft Dynamics CRM client for Outlook
- Start Internet Explorer.
- On the Tools menu, click Internet Options.
- Click the Security tab.
- Click Local intranet, click Sites, and then click Advanced.
- In the Add this Web site to the zone box, type the IP address of the Microsoft CRM server, and then click OK three times.
- Restart Microsoft Outlook.
And guess what… the solution in the KB… didn’t work! I also tried to add an entry to the hosts file, and set Windows Credentials in the User Accounts. I also found somene mentioning potential SPN issues. Nothing worked.
In the end, I finally accepted the idea that the implementation guide was right. Here is what it says:
For users who access Microsoft Dynamics CRM from another domain and are not using claims-based authentication, a one-way trust must exist in which the domain where the Microsoft Dynamics CRM Server 2011 is located trusts the domain where the users are located.
When accessing CRM from Internet Explorer, you can decide to force IE to prompt for credentials. But Outlook and the Configuation Wizard don’t work the same way. The Configuration Wizard just passes your current credentials, which are the credentials you are currently logged on to your domain with.
To verify this, you can check the Security Log on the server when trying to connect from the Configuration Wizard.
For completion’s sake, here is the full list of Active Directory Requirements:
Active Directory requirements
The Active Directory directory service requirements are as follows:
- The computer that runs Microsoft Dynamics CRM Server 2011 and the computer that runs SQL Server, where the Microsoft Dynamics CRM databases are located, must be in the same Active Directory directory service domain.
- The Active Directory domain where the Microsoft Dynamics CRM Server 2011 is located must run in Windows 2000 native, Windows Server 2003 interim, Windows Server 2003 native, or any Windows Server 2008 domain modes.
- The Active Directory forest where the Microsoft Dynamics CRM Server 2011 is located can run in Windows 2000, Windows Server 2003 interim, Windows Server 2003, or Windows Server 2008 forest functional levels.
- The accounts that are used to run the Microsoft Dynamics CRM services must be in the same domain as the computer that is running Microsoft Dynamics CRM Server 2011.
- The Microsoft Dynamics CRM security groups (PrivUserGroup, SQLAccessGroup, ReportingGroup, and PrivReportingGroup) must be in the same domain as the computer that is running Microsoft Dynamics CRM. These security groups can be located in the same organizational unit (OU) or in different OUs. To use security groups that are located in different OUs, you must install Microsoft Dynamics CRM Server 2011 by using an XML configuration file and specify the correct distinguished name for each pre-existing security group within the <Groups> element. For more information see the Sample server XML configuration file for installing with pre-created groups topic in the Installing Guide.
- For users who access Microsoft Dynamics CRM from another domain and are not using claims-based authentication, a one-way trust must exist in which the domain where the Microsoft Dynamics CRM Server 2011 is located trusts the domain where the users are located.
- For users who access Microsoft Dynamics CRM from another forest and are not using claims-based authentication, a two-way trust must exist between the forests.