Configuring Dynamics CRM 2013 for Outlook client fails in an IFD/ADFS scenario when you use WAP to publish the CRM URL's
Imagine the scenario:
You have configured your CRM 2013 to use claims based authentication and configured IFD as well. Everything is working fine except CRM for Outlook. It fails at the configuration level itself with below error in the config log
11:24:25| Error|
Error connecting to URL:
https://crm.contoso.com/XRMServices/2011/Discovery.svc Exception:
System.InvalidOperationException: Metadata contains a reference that cannot be
resolved: 'https://adfs.contoso.com/adfs/ls?version=1.0&action=signin&realm=urn:AppProxy:com&appRealm=1e72fc64-781c-e411-80c6-0050568757b5&returnUrl=https://crm.contoso.com/XRMServices/2011/Discovery.svc?wsdl&client-request-id=D8A4D498-B0AD-0000-AFB9-D7D8ADB0CF01'.
---> System.Xml.XmlException: CData elements not valid at top level of an
XML document. Line 1, position 3.
at
System.Xml.XmlExceptionHelper.ThrowXmlException(XmlDictionaryReader reader,
XmlException exception)
at
System.Xml.XmlUTF8TextReader.Read()
at
System.Xml.XmlBaseReader.MoveToContent()
at
System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.GetXmlReader(HttpWebResponse
response, Int64 maxMessageSize, XmlDictionaryReaderQuotas readerQuotas)
at System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.DownloadMetadata(TimeoutHelper
timeoutHelper)
at
System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper
timeoutHelper)
--- End of inner
exception stack trace ---
at
System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper
timeoutHelper)
at
System.ServiceModel.Description.MetadataExchangeClient.ResolveNext(ResolveCallState
resolveCallState)
at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(MetadataRetriever
retriever)
at
System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(Uri address,
MetadataExchangeClientMode mode)
at
Microsoft.Xrm.Sdk.Client.ServiceMetadataUtility.RetrieveServiceEndpointMetadata(Type
contractType, Uri serviceUri, Boolean checkForSecondary)
11:24:26| Error|
Exception : Metadata contains a reference that cannot be resolved:
'https://adfs.contoso.com/adfs/ls?version=1.0&action=signin&realm=urn:AppProxy:com&appRealm=1e72fc64-781c-e411-80c6-0050568757b5&returnUrl=https://crm.contoso.com/XRMServices/2011/Discovery.svc?wsdl&client-request-id=D8A4D498-B0AD-0000-AFB9-D7D8ADB0CF01'. at Microsoft.Crm.Application.Outlook.Config.DeploymentsInfo.LoadOrganizations(AuthUIMode
uiMode, Form parentWindow)
at
Microsoft.Crm.Application.Outlook.Config.ServerForm.LoadOrganizations(Boolean
forceUI)
at
Microsoft.Crm.Application.Outlook.Config.ServerForm.<InitializeBackgroundWorkers>b__0(Object
sender, DoWorkEventArgs e)
at
System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
at
System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
11:24:26| Error|
Exception : CData elements not valid at top level of an XML document. Line 1,
position 3. at
System.Xml.XmlExceptionHelper.ThrowXmlException(XmlDictionaryReader reader,
XmlException exception)
at
System.Xml.XmlUTF8TextReader.Read()
at
System.Xml.XmlBaseReader.MoveToContent()
at
System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.GetXmlReader(HttpWebResponse
response, Int64 maxMessageSize, XmlDictionaryReaderQuotas readerQuotas)
at
System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.DownloadMetadata(TimeoutHelper
timeoutHelper)
at
System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper
timeoutHelper)
In the error message we can see the request hits WS-Federation endpoint https://adfs.contoso.com/adfs/ls/
but fails on Discovery service URL https://crm.contoso.com/XRMServices/2011/Discovery.svc?wsdl
saying “Error connecting to URL:
https://crm.contoso.com/XRMServices/2011/Discovery.svc Exception:
System.InvalidOperationException: Metadata contains a reference that cannot be
resolved”
Further if you access the Discovery service URL directly from the internet you will see it being redirected to the ADFS Server. This is not good.
The Discovery service URL should be accessible using the Anonymous authentication after IFD/ADFS implementation.
A fiddler trace in the scenario gives a HTTP Status code 307 “temporary redirect” on accessing the discovery service.
A platform trace of CRM will not give any trace of this redirection happening in the background. This means the request does not hit CRM and the redirection happens before that.
You will hit this behaviour/ issue if you have configured ADFS WAP and published CRM external URL’s through that and the External Discovery service URL was set to True for “DisableTranslateUrlInResponseHeaders”, causing the redirection.
Information on WAP (Web Application Proxy) can be seen here
To resolve the issue you need to set the value for DisableTranslateUrlInResponseHeaders to False.
Below URL’s discusses what is DisableTranslateUrlInResponseHeaders and AD FS Preauthentication. If you want to know more about this refer to the below URL’s
https://technet.microsoft.com/en-in/library/dn383640.aspx
https://technet.microsoft.com/en-in/library/dn383641.aspx
Also make sure that Discovery service URL is not using ADFS Preauthentication. If the ADFS Preauth is in place, Web Application Proxy will redirect the HTTPS request to the AD FS server with URL encoded parameters. If not, we may get into a problem where CRM Outlook is not handling the 307 redirect correctly.
Best Regards
Dynamics CRM Support Team
Share this Blog Article on Twitter
Follow Us on Twitter