Summary:

When using IIS auto-login, users may find that they are prompted for a username and password when using the Classic Outlook plugin. This only occurs when Anonymous authentication is disabled (as is correct for a CRM install using IIS auto-login). The Classic Outlook plugin does not support IIS auto-login out of the box. IIS auto-login is only supported when using the Exchange Lite plugin.


More information:

On inspecting a failed login request using Fiddler, you will see that the failed login by the Outlook plugin results in a HTTP 200 response. Ordinarily, if a client fails to provide a Windows authentication header when it is required, the server will return a HTTP 401 response. This response will describe the supported authentication methods on that server. This will then result in the client re-submitting its request, with the correct authorization header (if available).

In this instance, since the HTTP response is 200 (OK), the client (the Outlook plugin) will not re-submit the request.

This issue can be worked around by forcing the CRM web server to return a HTTP 401 response if it does not detect either an NTLM or Negotiate header present in logon requests from the Outlook plugin. On receiving this HTTP 401 response, the client will re-submit the request.

  1. Open Inetmgr.
  2. Select the CRM virtual directory, then the URL Rewrite option.
  3. Select Add Rules(s).
  4. In the Inbound rules section, select Blank rule.
  5. Give the rule a name of Outlook plugin - force Windows authentication.
  6. In the Match URL section, set Requested URL to Matches the Pattern. Set Using to Regular Expressions.
  7. Set the Pattern value to ".*eware.dll/go" (without quotes). Tick the Ignore case option.
  8. Under Conditions, set the Logical Grouping option to Match All.
  9. Add a condition with an input of "{QUERY_STRING}" (without quotes). Set the Check if input string option to Matches the Pattern. Set the Pattern to "OutlookAction=logon" (without quotes). Tick the Ignore case option.
  10. Add a condition with an input of "{HTTP_AUTHORIZATION}" (without quotes). Set the Check if input string option to Does Not Match the Pattern. Set the Pattern to "Negotiate.*" (without quotes). Tick the Ignore case option.
  11. Add a condition with an input of "{HTTP_AUTHORIZATION}" (again, without quotes). Set the Check if input string option to Does Not Match the Pattern. Set the Pattern to "NTLM.*" (without quotes). Tick the Ignore case option.
  12. In the Action section, set the Action type to Custom Response.
  13. Under the Action Properties section, set the following values:

    Status code401
    Substatus code0
    ReasonUnauthorized - plugin auth
    Error descriptionOutlook plugin must use Windows authentication


  14. Hit Apply.

 

Using this method with the Classic Outlook plugin is reasonably low-impact; the client will send out one or two additional HTTP requests in the background, but no further user interaction will be required. This workaround has not been tested with all functionality in the plugin, however since subsequent requests from the plugin after logon are likely to be authorised using the SID, it is not expected that further issues will be encountered.

References:

Setup instructions for IIS auto-login are included in section 8-2 of the Sage CRM 7.3 System Administrator Guide.