Stopping Internet Explorer 11 from showing the mobile express version of Dynamics CRM 2011

If you have a Dynamics CRM 2011 installation, and users have started using Internet Explorer 11 (either by upgrading from IE10, or by installing Windows 8), then you’ve undoubtedly noticed that, when an IE11 user goes to your CRM site, they are greeted by the Mobile Express version, rather than the standard site. There are a few manual workarounds to this:

  • Downgrade from IE11 to IE10 (not an option for Windows 8).
  • Add your CRM domain name to the compatibility list in IE11 (not an option if you don’t want the entire domain to be in compatibility mode, or if you have group policy settings which prohibit this).
  • Instruct users to go to

That third bullet is interesting… If you go to the root of your CRM domain name in IE11, you will be redirected to the Mobile Express site. If you go to the “main.aspx” page on the root, you go to the full CRM site. Which got me thinking… How can we identify IE11 users accessing the Mobile Express site, and redirect them to /main.aspx?

The solution is in IIS’s URL Rewrite library, which, if you don’t already have, you should get, because I’ve used it before to fix issues related to Dynamics CRM (not to mention its multitude of other uses).

Here’s what our rewrite rule will do:

The full IIS rewrite rule is below. You can drop this into the web.config in the root of your Dynamics CRM 2011 web site, or set it up manually using the URL Rewrite wizard. Either way, when you’re done, you’ll always get the full version of Dynamics CRM when using the IE11 browser.

<rule name="Redirect IE11 from mobile site to main.aspx" patternSyntax="Wildcard" stopProcessing="true">
 <match url="*m/default.aspx" />
 <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
 <add input="{HTTP_USER_AGENT}" pattern="*; rv:11.0) like Gecko" />
 <action type="Redirect" url="" redirectType="Temporary" />

By the way, there is only one gotcha: You can’t use IE11 and deliberately go to the Mobile Express site. A small price to pay to fix a much larger problem.

Troubleshooting Windows Authentication in IIS

In a recent deployment of Microsoft Dynamics CRM 2011, users were accessing the application via the server’s host name, e.g. That is rather unfriendly, so we created a new DNS record for — giving users the easier-to-remember (and removing a dependency on a server name).

Unfortunately, authenticating to didn’t work for Internet Explorer users. IE would prompt for the credentials, but they were never accepted. Authentication did work for other browsers, and all browsers — including IE — were able to authenticate to without issue.

This didn’t make sense. The domain name of the server shouldn’t matter (both were in IE’s Local Intranet Zone), nor should the browser version. But the different experience between browsers was all I had to go on, so I did some (network) sniffing.

Using Fiddler2 to monitor the network traffic created by web browsers, I opened Firefox and connected to (no SSL, so it’s easier to monitor network traffic). Firefox prompted me for my password, I typed it in, and was taken to the Dynamics CRM “unsupported browser” page. (That lack of support for non-IE browsers is a separate issue, but a fix is supposedly in the works.)

Here’s what Fiddler reported for those requests. I’ve truncated the request/response text to only show what’s relevant.

  1. Request
  2. Response
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
  3. Request
    Authorization: NTLM <token>

The responses after that don’t matter; I’m connected. I then did the same steps with Internet Explorer: connected to, get prompted for the password, type the password, get prompted again, wash rinse repeat two times, then get the boilerplate “401 Unauthorize” page. Here’s the Fiddler report:

  1. Request
  2. Response
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
  3. Request
    Authorization: Negotiate <token>

IIS7 comes with Negotiate (Kerberos) and NTLM providers for Windows AuthenticationNote the difference? Firefox uses NTLM to authenticate; IE uses Negotiate (Kerberos). This was the root of the problem: Kerberos isn’t permitted to authorize users accessing, but it is permitted to authorize users accessing NTLM doesn’t have that restriction. So, it’ll always work in non-IE (non-Kerberos) browsers; and it will work to the host name URL in IE browsers; but it won’t work to the alternate host name in IE.

How do you fix this? By reading the blog post, Configuring and Troubleshooting NTLM and Kerberos on Windows 7 (Windows Server 2008) and IIS7. Essentially, you tell the server to allow Kerberos to the “other” domain name by running the following command from the console: setspn -A HTTP/ crmserver01

Another solution is to configure your web site to only use NTLM authentication, or to give NTLM authentication higher priority than Kerberos. However, this is more a workaround than a fix: the point of IE/Windows is to use Kerberos, not to avoid it. Still, it’s an option if you can’t run the setspn command for some reason.

Once you do either of those, all browsers will work to either domain name, as you would expect, and your users will be happy. 🙂

Forcing users to choose a browser other than Internet Explorer doesn’t help them

In the news this morning, I stumbled across an article, EU: 100 million Microsoft users to choose browser. Reading this, there were a few instances of questionable logic.

The first instance (emphasis added):

Microsoft is starting this month to send updates to Windows computers in Europe so that when computer users log on, they will see a pop-up screen asking them to pick one or more of 12 free Web browsers to download and install, including Microsoft.

Microsoft is allowing users to choose one of more than 12 free web browsers, because the EU didn’t like Microsoft bundling its own free web browser into Windows. Call me strange, but punishing a company to give something away for free because it blocks out other companies from giving their own products away for free strikes me as odd.

The second instance (emphasis added):

The EU’s executive commission said giving consumers the chance to try an alternative to Microsoft’s Internet Explorer browser that comes with the widely used Windows operating system would “bring more competition and innovation in this important area.”

Wait, didn’t we just read that there are “more than 12 free web browsers”? That doesn’t sound like lack of competition and innovation to me at all. How many industries offer a choice of over a dozen free items? None that I can think of.

web-browser-market-shareI am aware of Microsoft’s predatory practices in the web browser arena, particularly related to the browser wars between them and Netscape. Microsoft muscled out Netscape by giving away its browser for free, something Netscape didn’t do until early 1998. Isn’t that a good thing for consumers? Further, client software (such as Navigator) was a small portion of Netscape’s revenues, and at the time, “Netscape has successfully shifted its business over the past year toward enterprise software sales and to revenues from its Web site business, and away from standalone client revenues” (source: Mitchell’s Blog). If Netscape was successful in transitioning away from a client product, but ultimately failed in the enterprise marketplace, why is Microsoft being punished?

In the end, Microsoft was penalized for providing a product for free – and forcing the market leader to ultimately transform their business (“successfully”) and offer their own (similar) product for free. The fact is, Microsoft’s efforts were largely responsible for the explosion of free web browser alternatives – yet the EU still feels a need to punish them because there is “[not enough] competition and innovation in this area,” as they say.

Final point: let’s not mention the pain and suffering that novice users will have after installing other browsers, wondering where their bookmarks went, and wondering why they are being prompted to (re-)install Adobe Flash so they can play YouTube videos.

Some things are better left alone. This is one of them.

Google starts the “anti-IE6 crusade”. Let’s hope it works

Google has taken the torch in the anti-IE6 crusade, as reported on Slashdot.

“Google is now urging Gmail users to drop Internet Explorer 6 (IE6) in favor of Firefox or Chrome. Google recently removed Firefox from the Google Pack bundle, replaced it with Chrome, then added a direct download link for Chrome on Google and YouTube. Google’s decision to list IE6 as an unsupported Gmail browser does not affect just consumers: Tens of thousands of small- and mid-sized businesses that run Google Apps hosted services may dump IE6 as well. What’s especially interesting is the fact that Mozilla is picking up two out of three browser users that Microsoft surrenders.”

All I can say is, “It’s about time!” Internet Explorer 6  was first released on August 27, 2001 – over seven years ago. Upgrades are free (in the forms of IE7+, Firefox, Safari, Chrome, etc.) and can easily give a much richer Internet experience.

Despite that, many users have not upgraded beyond IE6. According to W3Schools, IE6 use is down to 20%., but that’s a tech-heavy site. W3Counter reports the IE6 market share at 28%.

Perhaps it’s too many people running old computers, or too many people lacking the savvy to upgrade. Either way, Google is taking a good step forward in solving a nagging problem for all web developers.

Over the past two years, use of 800×600 has dropped to about 5%, which makes it much more practical to develop web sites optimized for at least 1024-pixel wide resolutions. That is a big step forward. Let’s hope the same can be said for IE6 before it’s tenth birthday.

Update @ 11:43AM: Seems Ajaxian is talking up the cause as well. Despite this, Dion’s take matches mine: “Still far too high a percentage and enough to make you grown [sic]”. I think he meant “groan”, but I digress.

Outlining textbox input fields (and getting it to work in IE)

While using Google GMail today, I noticed that they put a blue highlighting around the text input boxes when they have input focus. It’s a nice touch that makes it just a bit easier for users to identify which field their typing in. (Safari users, of course, get this on all web sites out of the box.)

Getting this to work on your web site is a simple matter of applying some CSS styles. The trick is to give your normal inputs fields a 1px border and a 1px margin; then, when they have focus, give them a 2px border (with a different color if you so choose) and no margin. This will ensure the dimensions of the element don’t change when the border width changes.

The following CSS provides an example of styling text boxes (both text and password inputs, and multi-line text boxes) and select lists (single and multi-line) with an alternate outline when holding the input focus.

input[type=text], input[type=password], textarea, select {
border-top: solid 1px #8e8e8e;
border-right: solid 1px #d1d1d1;
border-left: solid 1px #d1d1d1;
border-bottom: solid 1px #e4e4e4;
margin: 1px;
padding: 2px;
input[type=text]:focus, input[type=password]:focus, textarea:focus, select:focus {
border-color: #4488cc;
border-style: solid;
border-width: 2px;
margin: 0;

Like many good web tricks, this’ll look great in Firefox but won’t do anything in Internet Explorer. That’s because IE (through version 7) doesn’t support attribute selectors (as in [type=text]) or the :focus selector. To get things to work in IE, we need to rely on a little more CSS and some JavaScript.

Continue reading