The E-mail Router service could not process a provider work item using assembly

We had successfully setup the email router for CRM 2011 in an IFD-ADFS environment for a client and then some weeks later it stopped working. No workflow generated emails were leaving the system.

Their event log looked as follows with MSCRMEmail errors appearing every few minutes.

On inspection of the error details we viewed the following:

#26234 – The E-mail Router service could not process a provider work item using assembly: Microsoft.Crm.Tools.EmailProviders.dll and class: Microsoft.Crm.Tools.Email.Providers.SmtpPollingSendEmailProvider. System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. —> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.    — End of inner exception stack trace —

Server stack trace:    at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)    at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:    at Microsoft.Crm.ServiceProxyCache`1.BuildServiceProxy(Uri serviceUrl, Credential credentials, Uri homeRealmUrl, String passportEnvironment, String onlineServiceEnvironment, IServiceConfiguration`1 serviceConfiguration)    at Microsoft.Crm.ServiceProxyCache`1.GetNewServiceProxy(Uri serviceUrl, Credential credentials, Uri homeRealmUrl, String passportEnvironment, String onlineServiceEnvironment)    at Microsoft.Crm.Tools.Email.Providers.Utility.GetOrganizationUrl(Uri discoveryServiceUrl, Credential credentials, String organizationName)    at Microsoft.Crm.Tools.Email.Providers.Utility.GetCrmService(Uri discoveryUri, String authMode, String userName, String password)    at Microsoft.Crm.Tools.Email.Providers.CrmPollingSendEmailProvider.Run()    at Microsoft.Crm.Tools.Email.Agent.ServiceCore.ExecuteProviderWork(Object providerQueueRequestObject

When you Bing the following: crm 2011email router id3242: The security token could not be authenticated or authorized you get 10 results:

The second listing looked the most promising so we went to this page: http://social.microsoft.com/Forums/en/crmdeployment/thread/6465166b-8ef4-4240-9601-0cf08178b209

However, we know from experience that changing the AFDS\Service\Endpoints Username to enabled is not the action to take as it has proven to break the Outlook integration. So we then read a posting later down the page by XAirrick suggesting that the username & password on the Deployment tab of the Email Router be verified.

We then were hit with a stroke of brilliance – let’s update the password for the User. Guess what – that fixed it.

Solution – set the password never to expire in Active Directory for the Access Credential account being used to authenticate to CRM.