We were using the Office365 authentication inorder to connect to the CRM from c# code. when we started changing it to client secret authentication type the connection to the CRM became very slow.
We have batch job which connects to CRM and gets the data from CRM. Previously on Office365 authentication it takes 2 mins for retrieving 1300 records, however with client secret authentication it take 50 minutes.
CrmServiceClient.MaxConnectionTimeout = new TimeSpan(0, 5, 0);
var ConnectionStringClientSecret1 = string.Format("AuthType={0}; Url={1}; AppId={2}; ClientSecret = {3};", authType, organizationUri, appId, clientSecret);
CrmServiceClient connection = new CrmServiceClient(ConnectionStringClientSecret1);
proxy = connection;
Anyone had faced this issue or is there any workaround for fixing the issue.
Your connection string should start with "AuthType=ClientSecret;" and it should contain a token cache path setting, e.g. "TokenCacheStorePath=C:\Temp\myaadappregtoken.bin;"
Enabled verbose logging, and check the log.
I would suspect your being throttled.
to enabled, see: enter link description here
Related
I use Office.js's getCallbackTokenAsync to load the token to pass to the backend.
In the backend, I use EWS to retrieve the email data. Here is how I perform the authentication.
ExchangeService service = new ExchangeService();
service.Url = new Uri(ewsUrl); //retrieved from getCallbackTokenAsync
service.Credentials = new OAuthCredentials(ewsToken);// retrieved from getCallbackTokenAsync
It works well in exchange online enviroment. However when tested in on-premise exchange server, I got this authentication error:
Error Message: The remote server returned an error: (401) Unauthorized.
Stack Trace: at System.Net.HttpWebRequest.GetResponse() at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse() at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
I then found this doc says the Oauth2 authentication is only for exchange online. I guess I need to use this NTLM (Exchange on-premises only).
The major reason I use EWS instead of Graph or Rest is it supports on-premise server more naturally. So should I change the authentication here? I certainly do not want to ask user for username and password.
We've had an application happily running with OAuth 2 security (service account and a p12 key) for a couple of years, updating Google directory information (i.e. telephone numbers, names, etc.) via the directory API. The account (i.e. user#domain.com) was mistakenly disabled, so the updates stopped working. The account has been re-enabled (I have verified this by logging in), but the application is now getting 403 - "Not Authorized to access this resource/api" errors when attempting to perform updates.
I've gone through everything I can think of the in the Google API console, and everything seems okay with the service account. Can anyone think of something obvious that I should check to figure out the problem?
If it helps any, the Java code used to do the build the authentication is:
HttpTransport httpTransport = new NetHttpTransport();
JsonFactory jsonFactory = new JacksonFactory();
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setServiceAccountId(googleServiceAttributes.getServiceAccountId())
.setServiceAccountScopes(serviceAccountScopes)
.setServiceAccountPrivateKey(googleServiceAttributes.getPrivateKey())
.setServiceAccountUser(googleServiceAttributes.getServiceAccountUsername())
.build();
(the account scope being used is "https://www.googleapis.com/auth/admin.directory.user", the client jar being used for the directory API is google-api-services-admin-directory_v1-rev22-1.16.0-rc.jar and the API jar is google-api-client-1.16.0-rc.jar)
Thanks...
Try to use the same API through 'Try It'.
We have an MVC app that connects to the Exchange server. We used to connect to an on premises server using this code to create the service:
if (string.IsNullOrEmpty(Current.UserPassword))
{
throw new UnauthorizedAccessException("Exchange access requires Authentication by Password");
}
return new ExchangeService
{
Credentials = new NetworkCredential(Current.User.LoginName, Current.UserPassword),
Url = new Uri(ConfigurationManager.AppSettings["ExchangeServiceUrl"]),
};
This worked fine, but now our IT department is migrating the Exchange server to the cloud, and some users are on the cloud server while others are on premises. So I changed the code to this:
if (string.IsNullOrEmpty(Current.UserPassword))
{
throw new UnauthorizedAccessException("Exchange access requires Authentication by Password");
}
var user = ConfigurationManager.AppSettings["ExchangeUser"];
var password = ConfigurationManager.AppSettings["ExchangePassword"];
var exchangeService = new ExchangeService(ExchangeVersion.Exchange2010_SP2)
{
Credentials = new NetworkCredential(user, password),
};
exchangeService.AutodiscoverUrl(Current.EmaiLuser + "#calamos.com", RedirectionCallback);
exchangeService.Credentials = new NetworkCredential(Current.EmaiLuser + "#calamos.com", Current.UserPassword);
return exchangeService;
I am using a service account to do the autodiscovery ( for some reason it doesn't work with a regular account) and then I am changing the credentials of the service to the user that logs in, so he can access the inbox. The problem is that , randomly, the server returns "The request failed. The remote server returned an error: (401) Unauthorized.".
I asked the IT department to check the Exchange logs, but there is nothing there about this error, so I don't know how to fix it...
So by cloud do you mean Office365 ?
I am using a service account to do the autodiscovery ( for some reason it doesn't work with a regular account)
For the users in the cloud you need to ensure the request are sent to the cloud servers maybe enable tracing https://msdn.microsoft.com/en-us/library/office/dd633676(v=exchg.80).aspx and then have a look at where the failed requests are being routed. From what you are saying your discovery is going to always point to your internal servers which is why the request will fail for the cloud based users. You need to have a way of identifying the users that are in the cloud and I would suggest you then just use the single Office365 Endpoint (eg you don't need Autodiscover for that) https//outlook.office365.com/EWS/Exchange.asmx
I'm trying to invoke any of the Google API using "Service account" authorization access. I have downloaded ".pk2" file and activated "URL Shortener API" in Services tab of Google API console. Whenever I try to invoke any API (URL shortener or Adsense). I've got following exception -
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
"error" : "invalid_grant"
}
at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:303)
at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:323)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:345)
at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:526)
at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:287)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:836)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:412)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:345)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:463)
Below is code snippet -
HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
JsonFactory JSON_FACTORY = new JacksonFactory();
File privateKey = new File(ReportAdsense.class.getResource("mykey.p12").toURI());
GoogleCredential credential = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("my_valid_account_id#developer.gserviceaccount.com")
.setServiceAccountScopes(UrlshortenerScopes.URLSHORTENER)
.setServiceAccountPrivateKeyFromP12File(privateKey)
.build();
Urlshortener service = new Urlshortener.Builder(new NetHttpTransport(), JSON_FACTORY, null).setHttpRequestInitializer(credential).build();
UrlHistory history = service.url().list().execute();
First of all "Service account" will not work for Adsense, since it requires user authorization. Hence for Adsense you should use Oauth 2.0. When you are authorized first time using URL https://accounts.google.com/o/oauth2/token, copy-paste and hardcode your refresh token. Than you can use it to get access token, specify client_id, client_secret and your refresh_token to get new access token. Now access token can be used in your application.
Regarding your error, I have faced with similar issue and spent plenty of time to resolve it. First of all, make sure that you are using valid ServiceAccountId - it should point to email which finishes with "developer.gserviceaccount.com". Make sure, that you specified account scopes and activated services in Google Console API.
I fixed this issue by synchronizing system clock in my machine.
There are a lot of topics with similar error without answers. Even more, some people says, that sometimes it works, sometimes it returns invalid grant. It could work on one machine and fail on another. I don't know if it is system clock issue, but I would avoid using Service Account API, since looks like there are bugs and support would not help you
I am connecting to CRM with the intention of retrieving a list of picklist values. On my development machine I am working under my own login name and all works fine. On the test server, the code executes under the NETWORK SERVICE account. When it connects to the CRM web service everything is great. When it connects to the metadata service I get 401 Unauthorised messages.
This is the first time I have used the metadata service so I am hoping someone can tell me why I get the error. The connection is configured using the code below and the failure happens when you try to retrieve the picklist data.
CrmAuthenticationToken token = new CrmAuthenticationToken();
token.OrganizationName = config.AppSettings.Settings["CrmTargetOrganisation"].Value;
token.AuthenticationType = 0;
MetadataService service = new MetadataService();
service.Credentials = System.Net.CredentialCache.DefaultCredentials;
service.Url = config.AppSettings.Settings["CrmMetadataServiceUrl"].Value;
service.CrmAuthenticationTokenValue = token;
service.UnsafeAuthenticatedConnectionSharing = true;
I suspect it might be a Kerberos / delegation issue, to make sure it is try replacing DefaultCredentials with
new System.Security.Net.NetworkCredentials("username","password","domain");
See if that still gives you a 401.
This is the quick way I normally try to see if it is kerbos/security related.
I need a bit more information about your environment to make any other intelligent comments.
Hope it helps.
In my case (yes, we still use CRM 4), the website in IIS wasn't bound to the hostname being used to access the metadata service on port 5555.