Tip #544: Enabling JWT in ADFS breaks Dynamics CRM for Outlook

If you ever dealt with Dynamics CRM authentication at “close range”, you know that CRM supports OAuth. Presumably, with CRM 2016 and ADFS 3.0 (Windows Server 2012 R2), we should be able to use OAuth for CRM On-premises, right? Especially now that ADFS supports JSON Web Tokens, so we should be able just enable JWT and move on. As it turns out, enabling JWT on ADFS completely breaks Dynamics CRM for Outlook that can no longer authenticate.

Not enabling JWT is not an option either because according to that article

JWTs are the only supported token type for OAuth requests.

So unless you are not using CRM for Outlook, OAuth implementation for CRM On-premises would have to wait. There are other obstacles in ADFS 3.0 as well, and looks like we’ll have to wait for Windows Server 2016 but that’s for another tip.

4 thoughts on “Tip #544: Enabling JWT in ADFS breaks Dynamics CRM for Outlook

  1. Soto says:

    Thanks, that was really usuefl. One other thing I’m trying to achieve is the ability to support multiple ADFS authentication providers, so a user hitting /CustomerA logs in with their ADFS and a user hitting /CustomerB logs in with their ADFS. Did you ever get as far as implementing that? Any clues would be most weclome

    • What we’ve done in the past to “separate” the customers, is to customise appearance of the login page (add customer’s logo, etc). Separate ADFS servers could be a challenge though – there is only one ADFS server address defined in CRM. I’m thinking of making that address a front-end ADFS and then route the requests appropriately. To route requests though, you’d have to parse the URL as it’s the only place where original requested URL is available.

  2. Vishal says:

    This issue is only there for On-premise 2016 instances or is it there for Online instances too ?

    Our CRM is Dynamics CRM 2015 Online but we use ADFS to login our users directly into Outlook and Dynamics CRM for Outlook . CRM instance is about to be upgraded to 2016 in a few days . Wondering if this will break the SSO functionality for users .

Leave a Reply

Your email address will not be published. Required fields are marked *