Monday, January 16, 2012

Authentication issues with the Microsoft CRM Outlook Plugin


The outlook plugin is a nice feature of Microsoft Dynamics CRM that enables users to view CRM information from within outlook. I have been a longtime user of the plugin but came across a significant problem with authentication once CRM Online became popular. The problem was that when running in IE everything seemed to work fine for the users but once they switched to the outlook plugin they will constantly get asked for a username and password. The root cause of this is because in some Rollup Microsoft decided that the plugin would add the URL it uses to access CRM to the trusted sites list upon startup and this is the root of the problem.

Adding the URL automatically to the trusted sites list is great for users of CRM Online or other third party hosted CRM. Back in the early days of CRM Online one of the most asked questions was why is CRM not loading properly in my environment and the most common answer was that CRM was not in the trusted sites list of IE. Unfortunately for those of us who use the on-premise version having CRM in the trusted sites list is a little less than convenient. One downside of having the site in the trusted sites list is that integrated authentication does not happen in the trusted sites zone, I don't condone enabling integrated authentication in the trusted sites zone just to get this working there is a better solution below. As you may know integrated authentication only happens in the Intranet zone with the IE default settings. So in order to get the plugin to stop asking for a username and password you will need to add the site to the Local Intranet Sites list.

Internet Options -> Security -> Local Intranet -> Sites -> Advanced

Be aware when adding your site to this list that adding a wildcard will not work in this case it needs to be the exact URL that you use to access CRM. So if I work at foo.com having *.foo.com in the local intranet list will not work, if this is done the plugin will still add the specific site to the trusted hosts and authentication will still be broken. You need to add the exact CRM host ex. https://crm.foo.com/ when the outlook plugin sees this in the local intranet list it will skip the step of adding the URL to the trusted sites list and authentication will work successfully. As an easy solution I suggest just pushing this change out to all hosts via group policy, if you do not use group policy then you will need to manually go and add this URL to the local intranet sites.

If you have yet to install the outlook plugin then you should be good and everything should work fine.  However if the outlook plugin is installed on the machine you need to uninstall (and double check to make sure the site is still in the local intranet zone) and then re-install the plugin.

I wish there was a better solution to not have the plugin add its URL to the trusted sites list but unfortunately this is the only solution I have been able to find that works.