401 Unauthorized exception occurs in Dynamics 365 when using Server-Side Synchronization

 401 Unauthorized exception occurs in Dynamics 365 when using Server-Side Synchronization

Symptoms

When using Server-Side Synchronization in Dynamics 365, you encounter one of the following errors:

·       The email message "Test Message" cannot be sent. Make sure that the credentials specified in the mailbox <Mailbox Name> are correct and have sufficient permissions for sending email. Then, enable the mailbox for email processing.

·       Appointments, contacts, and tasks can't be synchronized. Make sure that the credentials specified in the mailbox <Mailbox Name> are correct and have sufficient permissions. Then, enable the mailbox for appointments, contacts, and tasks synchronization.

·       Email cannot be received for the mailbox <Mailbox Name>. Make sure that the credentials specified in the mailbox are correct and have sufficient permissions for receiving email. Then, enable the mailbox for email processing.

The message also includes the following error code:

Email Server Error Code: Http server returned 401 Unauthorized exception.

Cause

---

These errors can occur for one of the following reasons:

1.     The e-mail address of the mailbox record in Dynamics 365 does not match the e-mail address of the mailbox in Exchange.

2.     If you are using Dynamics 365 (online) with Exchange Online, this error can occur if you are using an Exchange Server (Hybrid) profile even though the user's mailbox is located in Exchange Online.

3.     If you are using Dynamics 365 with Exchange Online, this error can occur if the user does not have an Exchange Online license. 

4.     If you are using Dynamics 365 (online) with Exchange Online, this error can occur if your Dynamics 365 subscription is not in the same Office 365 tenant as your Exchange Online subscription. When using an Exchange Online email server profile, Dynamics 365 (online) and Exchange Online need to be in the same Office 365 account/tenant.

5.     If you are using Dynamics 365 (online) with Exchange on-premises, this error can occur if Basic authentication is not enabled for EWS (Exchange Web Services).

Resolution

---

1.     Verify the e-mail address of the mailbox record in Dynamics 365 matches the e-mail address in Exchange. The error includes a link to the mailbox record in Dynamics 365. You can use this link to quickly verify the Email Address field.

2.     If you are using Dynamics 365 (online) with Exchange Online, make sure you are using an Exchange Online email server profile. Only use an Exchange Server (Hybrid) profile for users that have mailboxes in Exchange on-premises. 

3.     If you are using Dynamics 365 with Exchange Online, verify the user has an Exchange Online license. For additional information on assigning licenses in Office 365, see Assign or remove licenses for Office 365 for business.

4.     If you are using Dynamics 365 (online) with Exchange Online, verify Dynamics 365 (online) and Exchange Online are in the same Office 365 account/tenant.

5.     If you are using Dynamics 365 (online) with Exchange on-premises, verify Basic authentication is enabled for EWS (Exchange Web Services).  For more information, see the Prerequisites section of Connect Dynamics 365 (online) to Exchange Server (on-premises).

 

"An impersonation error occurred" connecting Dynamics CRM

 "An impersonation error occurred" when connecting Dynamics 365 to Exchange on-premises

Applies to: Dynamics CRM

Symptoms

---

When Server-Side Synchronization is configured between Dynamics 365 (online) and Exchange Server (on-premises), you receive one of the following errors after attempting to enable a mailbox:  

·       An impersonation error occurred in accessing the mailbox while sending the email message "Test Message". Mailbox <Mailbox name> didn't synchronize. The owner of the associated email server profile <Email Server Profile name> has been notified.

·       An impersonation error occurred in accessing the mailbox while receiving email. <Mailbox name> didn't synchronize. The owner of the associated email server profile <Email Server Profile name> has been notified.

When you click Details for one of the errors mentioned above, you may see details such as the following:

  ActivityId: <GUID>
>Error : System.Web.Services.Protocols.SoapException: The account does not have permission to impersonate the requested user.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeServiceBinding.EndFindItem(IAsyncResult asyncResult)
   at Microsoft.Crm.Asynchronous.EmailConnector.FindItemsStep.EndCall()
  at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeIncomingEmailProviderStep.EndOperation()ActivityId: <GUID>
>Error : System.Web.Services.Protocols.SoapException: The account does not have permission to impersonate the requested user.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeServiceBinding.EndCreateItem(IAsyncResult asyncResult)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeOutgoingEmailProvider.EndCreateItem()

Cause

---

This error can appear if the user account specified to access the mailbox does not have impersonation permissions for the mailbox.  The account used to access the mailbox is provided within the Email Server Profile record associated with the Mailbox record in Dynamics 365.

Resolution

---

Make sure the user account provided in the Email Server Profile record has impersonation permissions to each associated mailbox.  Within a mailbox record in Dynamics 365, you can click the Server Profile value and review which account is provided within the Credentials section of the Email Server Profile record.

For more information on configuring Exchange impersonation, see:

How to: Configure impersonation

Configuring Exchange Impersonation in Exchange 2010

Impersonation and EWS in Exchange

 

The solution file is invalid in dynamics 365 error visual studio

"The solution file is invalid" error occurs in Dynamics 365

Applies to: Dynamics 365

Symptom

---

When attempting to import a solution in Dynamics 365, you encounter the following error:

"The solution file is invalid. The compressed file must contain the following files at its root: solution.xml, customizations.xml, and [Content_Types].xml. Customization files exported from previous versions of Microsoft Dynamics 365 are not supported.

Error code 80048060."

Cause

---

This error can occur if you attempt to import a solution file that is not valid. Dynamics 365 solution files are stored as .zip files that contain files with the following names:

·       solution.xml

·       customizations.xml

·       [Content_Types].xml

 

If you attempt to import a solution file that does not contain these files, this error will occur.

Resolution

---

Verify the .zip file you are trying to import contains the files mentioned in the cause section and then attempt to import the solution again. 

Example: If you had extracted the solution .zip file and made manual changes to customizations.xml but rezipped just that file, you would encounter this error. You need to select all of the files that were in the .zip file and choose to compress them to a zipped folder before trying to reimport them.

 

An email fails to be created in Dynamics 365 with a NoRecipientMatch sync error

---

Symptom

When reviewing email messages that were analyzed for automatic promotion by Dynamics 365, you see an email message that failed to be created in Dynamics 365 with a NoRecipientMatch sync error or error code -2147218683.

Cause

---

When Dynamics 365 evaluates an email in your mailbox, multiple conditions are evaluated to determine if the message should automatically be created as an email activity in Dynamics 365. If the evaluation results in a NoRecipientMatch error, this indicates one of the following conditions:

1.     None of the email addresses on the To or Cc lines of the email are users or queues in Dynamics 365.

·       Example A: You received the email because it was sent to a distribution group and you are a member of that distribution group. Your email address stored in Dynamics 365 is not actually on the To or Cc lines of the email.

·       Example B: You have multiple email addresses (ex. paul@contoso.com and paul.cannon@contoso.com) for the same mailbox but the email addresses on the To or Cc line of the email does not match any of the email addresses stored in your user record in Dynamics 365.

2.     There is a user or queue on the To or Cc line of the email but the following conditions exist:

·       The email address used by the User or Queue exists on other records in Dynamics 365. For example: A User has the email address paul@contoso.com but that email address also exists on one of the email address fields of another email enabled entity such as a user, queue, contact, lead, or account.

·        Your organization is configured to leave email address values as unresolved if multiple matches are found. 

The combination of the two conditions mentioned above would cause the email to not be resolved to a user or queue record.

3.     The email address of the user or queue is on the Bcc of the email.

Example: You received the email because your email address was on the Bcc line of the email. Unless your personal options in Dynamics 365 are configured to track "All email messages", the email will not be tracked.

Unless the email address on the To or Cc line of the email matches the email address stored in Dynamics 365 or your personal options in Dynamics 365 are configured to track "All email messages", the email will not be tracked.

4.     There is not a row in the EmailSearchBase table for the User or Queue mailbox that received the email.

When looking for matching User or Queue records, Dynamics 365 queries a table called EmailSearchBase. This table should automatically have a row for the email address of every email enabled record including Users and Queues. On rare occassions this table may be missing a row which can then cause Dynamics 365 to not find a matching row when querying this table for Users or Queues that are on the email message. 

You can open a web browser and use the Dynamice 365 Web API to verify if a row exists for the user or queue email address that received the email message. Use the following syntax:

https://<Your Organization URL>/api/data/v9.1/emailsearches?$filter=emailaddress eq '<email address of user or queue>'

Example: https://contoso.crm.dynamics.com/api/data/v9.1/emailsearches?$filter=emailaddress eq 'paul@contoso.com'

If no record is returned, this would indicate a row does not exist for that email address in the EmailSearchBase table. 

Resolution

---

Review the characteristics of the email and which option you have configured in your personal options for email tracking.

1. To verify the email address stored in Dynamics 365:

1.     Navigate to Settings and then click Email Configuration.

2.     Click Mailboxes.

3.     Open your mailbox record and verify the email address on the To or Cc line of the email matches the email address found in your mailbox record.

NOTE: If you have multiple email addresses for your mailbox, you can click the Regarding lookup and add the other email address to one of the othe email address fields on your user record.

2. If the email address of the user or queue exists on multiple records (ex. another user, queue, lead, account, contact, etc...), either remove the email address from the other records or change the setting Set To, cc, bcc fields as unresolved values if multiple matches are found in Incoming Emails to No. You can find this setting by navigating to Settings, Email Configuration, and then clicking Email Configuration Settings. Within the Set Email form options section, locate the setting named "Set To, cc, bcc fields as unresolved values if multiple matches are found in Incoming Emails."

3. To view or change your email tracking setting:

1.     Access your personal options in Dynamics 365 by clicking settings (gear icon in upper-right corner) and then clicking Options.

2.     Click the Email tab.

3.     Under the Select the email messages to track in Microsoft Dynamics 365 section, locate the Track setting.

4.     Adjust the option as necessary to control which emails should be tracked in Dynamics 365 automatically.

For example: If you want every email you receive, regardless of the sender, to automatically be created as an email activity in Dynamics 365, select the option "All email messages".

For more information about email correlation, see Email message filtering and correlation

4. If no records are found when using the steps in Cause # 4, follow these steps:

1.     Open the User or Queue record in Dynamics 365.

2.     Change the email address value to something else and click Save.

3.     Then change the email address value back to the correct value and click Save. This will normally recreate the missing row.

 

Sorry, the authentication was not successful in Dynamics 365 App

"Sorry, the authentication was not successful" error occurs in Dynamics 365 App for Outlook

Applies to: Dynamics 365

Symptom

---

When attempting to use the Dynamics 365 App for Outlook on Outlook desktop, you see the following error:

"Sorry, the authentication was not successful. We can help you fix the problem."

Cause

---

Cause 1: This can occur if not all of the URLs used to authenticate and access Dynamics 365 are in the same Internet Explorer security zone.

NOTE: If you are using Dynamics 365 (online) with an Exchange Online mailbox, this is likely not the cause of the issue. 

Cause 2: This can occur if the LocalLow folder has an incorrect integrity level. The correct setting is to have the integrity level set to low as the folder name indicates.

Cause 3: If you click the option to show more and you see "Error: QuotaExceededError", this indicates your local browser storage limit has been met.

Cause 4: If you are accessing Outlook Web Access, this can occur if 3rd party cookies are blocked in your browser settings. 

Resolution

---

Resolution 1:

Use the steps in the following article to verify each of the necessary URLs are in the same Internet Explorer security zone.

https://support.microsoft.com/help/4035750

Resolution 2:

1. Open a command prompt.

2. Run the following command:

icacls %userprofile%\Appdata\LocalLow /t /setintegritylevel (OI)(CI)L

Resolution 3:

Clear your browser cache

Platform	Instructions
Outlook (same as Internet Explorer)	View and delete your browsing history in Internet Explorer
Internet Explorer	View and delete your browsing history in Internet Explorer
Edge	View and delete browser history in Microsoft Edge
Chrome	Clear cache & cookies

IMPORTANT

Although you may have other browsers installed on your computer, Outlook desktop always uses Internet Explorer when displaying web content such as inside Dynamics 365 App for Outlook.

After clearing your browser cache, close all Internet Explorer and Outlook desktop windows and make sure through Task Manager there are no remaining Internet Explorer processes running.

If this issue only appears in Outlook desktop and clearing the cache via Internet Options does not help, try clearing it via F12 chooser (not applicable for Windows 7):

1.     Open Dynamics app in Outlook desktop

2.     Open IEChooser.exe in %WindowsFolder%\System32\F12 (example: C:\Windows\System32\F12)

3.     Click Dynamics 365

4.     Click the Network tab and then click the Clear cache button.

After following the steps above, reopen Outlook and the Dynamics 365 App for Outlook to see if the issue is resolved.

Resolution 4: If the issue occurs in Outlook Web Access, open the settings for your browser to verify a setting is not enabled to block third party cookies. 

NOTE: Some browsers allow you to block 3rd party cookies but add specific URLs to a list of allowed sites. 

 

 

"Http server returned Forbidden exception" error appears in Dynamics 365 mailbox

Applies to: Dynamics 365

Symptom

---

When you click the Test & Enable Mailbox button on a mailbox record in Dynamics 365, the test results section shows Failure and the following alert is logged:

"The email message "Your mailbox is now connected to Dynamics 365" cannot be sent because an error occurred while establishing a secure connection to the email server. Mailbox [Mailbox Name] didn't synchronize. The owner of the email server profile Microsoft Exchange Online has been notified.

Email Server Error Code: Http server returned Forbidden exception." 

If you click Details, the following additional details are shown:

"Error : System.Net.WebException: The request failed with HTTP status 403: Forbidden.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeServiceBinding.EndCreateItem(IAsyncResult asyncResult)
   at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeOutgoingEmailProvider.EndCreateItem()"

Cause

---

Dynamics 365 communicates with Microsoft Exchange using Exchange Web Services (EWS) requests. If EWS is disabled, this error will occur. The following are some potential ways EWS may be disabled or restricted in Exchange:

1.     EWS is disabled for the mailbox

2.     EWS is disabled for the entire organization

3.     The EwsApplicationAccessPolicy is set to EnforceAllowList and the EwsAllowList does not allow access from Dynamics 365 (CRM).

4.     The EwsApplicationAccessPolicy is set to EnforceBlockList and the EwsBlockList includes Dynamics 365 (CRM).

Resolution

---

If the issue only occurs for some mailboxes, check if EWS is disabled for the mailbox:

1.     First check to see if EWS has been disabled for the mailbox. Use the following PowerShell command:

Get-CASMailbox <mailbox-alias> | ft EwsEnabled

2.     If EwsEnabled is set to False, use the following PowerShell command to enable Exchange Web Services (EWS) for the mailbox:

Set-CASMailbox <mailbox-alias> -EwsEnabled $True

IMPORTANT: After running this command, it may take up to 120 minutes before the setting change takes effect. 

If the issue occurs for all mailboxes, check if EWS is disabled at the organization level or if the EwsAllowList is being used to limit what EWS traffic is allowed.

1.     Use the following PowerShell command to see if any of the EWS settings are configured:

Get-OrganizationConfig |ft Name, EwsEnabled,EwsApplicationAccessPolicy,EwsBlockList,EwsAllowList
 

2.     Verify that EwsEnabled is not set to False. The following command can be used to set EwsEnabled to True if it is currently set to False:

Set-OrganizationConfig -EwsEnabled $True

IMPORTANT: After running this command, it may take up to 120 minutes before the setting change takes effect. 
 

3.     If EwsApplicationAccessPolicy is set to EnforceAllowList and the EwsAllowList does not contain a value for CRM (Example: CRM/*), this would prevent Dynamics 365 (CRM) from being able to communicate with Exchange. Use the following command to update the list to include CRM/* and whatever other applications you want to allow (<PreviousAllowList> in the following example):

Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceAllowList -EwsAllowList:CRM/*,<PreviousAllowedList>

IMPORTANT: After running this command, it may take up to 120 minutes before the setting change takes effect. 
 

4.     If EwsApplicationAccessPolicy is set to EnforceBlockList and the EwsAllowList contains a value for CRM (Example: CRM/*), this would prevent Dynamics 365 (CRM) from being able to communicate with Exchange. Use the following command to update the list to no longer include CRM:

Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList -EwsBlockList:<PreviousBlockList WITH CRM REMOVED>

IMPORTANT: After running this command, it may take up to 120 minutes before the setting change takes effect. 

More Information

---

See the following articles for additional information about changing Exchange settings using PowerShell and controlling access to EWS:

Exchange Server PowerShell (Exchange Management Shell)
https://docs.microsoft.com/powershell/exchange/exchange-server/exchange-management-shell?view=exchange-ps 

Connect to Exchange Online PowerShell
https://docs.microsoft.com/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps

Control access to EWS in Exchange
https://docs.microsoft.com/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange 

Set-CASMailbox
https://docs.microsoft.com/powershell/module/exchange/client-access/set-casmailbox?view=exchange-ps