Okay, so I have a Dynamics CRM 2011 environment running with IFD Configured. CRM is running Update Rollup 11, ADFS 2.0 has no Update Rollups installed. All servers in the environment are 2008R2.

Our in-house developers have created a web app that serves documents through to CRM. When signed in using the browser, this functionality works as expected. However, when accessed via Outlook, when the link for the file is clicked, Outlook spawns iexplore.exe - the problem with this, it seems, is that Outlook does not pass its ADFS auth over into Internet Explorer, and thus the end user is presented with an ADFS login page. This is inconvenient.

Is there a way for me to make some configuration changes, either to Outlook, IE, CRM, or ADFS to make the behavior I desire function?

Thanks in advance, and feel free to ask for additional information. I'll provide as necessary.

Arun Vinoth - MVP
JohnThePro

1 Answer

If the user is logged in via AD, pass through auth should work in IE. You might need to go in and trust the web server so it does not prompt the locally logged in user for auth.

If they are outside the domain and have to log in, then you'll probably be stuck. Outlook auths into the hub transport/exchange server (depending on version) for auth. So it is completely separate from ADFS. I guess a different question would be how is the user logged into ADFS via Outlook? I was under the impression ADFS doesn't work for Outlook. So they would always need to log in to both. But that is based on reading, not actual practice.

You could install a cert on the client side and the webapp could dish out the files based on trusting the machine, but that leaves lots of security holes. I assume you were trying to make life easier on the users so they only had to log in once?

MikeAWood
  • True. The end goal was to reduce login to one prompt. The way Outlook uses ADFS is specifically when the CRM 2011 Outlook plugin is installed. There is no Exchange in this particular platform deployment. The one scenario I haven't been able to test yet is how this user experience performs when acting as a federated partner user. We're deploying ADFS internally within a day or two, and I should be able to elaborate a little more at that time. – JohnThePro Mar 06 '13 at 17:10
  • It's likely, and I am guessing here, that the federation will only work for the plugin functionality in Outlook and nothing else. You might be stuck with having to have Internet Explorer remember the user's login. But that isn't ideal either as it is far from secure. – MikeAWood Mar 11 '13 at 23:14
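
For the domain-joined case raised in the answer, a read-only PowerShell check of which security zone Internet Explorer assigns to the federation host and what logon setting that zone uses. This is an added example, not code from the thread or the asker's environment; the host name `adfs.example.com` is a placeholder and the function names are hypothetical.

```powershell
# Added example: read-only check of how IE classifies a federation host.
# $FedHost is a placeholder; the page does not name the ADFS server.
param([string]$FedHost = 'adfs.example.com')
$roots = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
         'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                 3 = 'Internet'; 4 = 'Restricted Sites' }
$logonModes = @{ 0x00000 = 'Automatic logon with current user name and password'
                 0x10000 = 'Prompt for user name and password'
                 0x20000 = 'Automatic logon only in Intranet zone'
                 0x30000 = 'Anonymous logon' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the named value, or nothing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { $item.PSObject.Properties[$Name].Value }
}

function Get-MappedZone([string]$HostName) {
    # Simplification: treats the last two labels as the registrable domain.
    $labels = $HostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($root in $roots) {
            # Entries written by the "Site to Zone Assignment List" policy
            $list = Get-ItemProperty -Path "$hive\$root\ZoneMapKey" -ErrorAction SilentlyContinue
            $hit  = if ($list) { $list.PSObject.Properties | Where-Object { $_.Name -like "*$HostName*" } | Select-Object -First 1 }
            if ($hit) { return [int]$hit.Value }
            # Entries written by the Internet Options dialog
            foreach ($scheme in 'https', '*') {
                $zone = Get-RegValue "$hive\$root\ZoneMap\Domains\$domain\$sub" $scheme
                if ($null -ne $zone) { return [int]$zone }
            }
        }
    }
}

$zone = Get-MappedZone $FedHost
if ($null -eq $zone) {
    "{0}: no explicit zone mapping (a dotted host name normally lands in the Internet zone)" -f $FedHost
} else {
    "{0}: mapped to zone {1} ({2})" -f $FedHost, $zone, $zoneNames[$zone]
    # 1A00 is the per-zone "User Authentication > Logon" setting (per-user view only)
    $mode = $roots | ForEach-Object { Get-RegValue "HKCU:\$_\Zones\$zone" '1A00' } | Select-Object -First 1
    if ($null -ne $mode) { "Logon setting (1A00): {0}" -f $logonModes[[int]$mode] }
    else { "Logon setting (1A00): not set per-user; the zone default applies" }
}
```

If the host needs to be trusted for automatic logon, map only the exact federation host to Local Intranet rather than a wildcard domain, so credentials are not sent automatically to other hosts.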