Dynamics CRM 2016 On-Premises API Authentication - dynamics-crm

Our setup consists of on-premises CRM 2016 in IFD configuration with ADFS. We have several custom web apps that are embedded in iframes in CRM as well. Our web apps are MVC running in IIS on .NET 4.7 and use the WS-Federation IIS module for authentication. This provides a pretty seemless experience where the embedded application does the redirect to and from ADFS to authenticate the user after they're already logged into CRM.
Our applications also call APIs we have created, which in turn make calls to Dynamics CRM web API using OData. Our APIs are setup to make calls to the CRM web API as a specific user chosen at deployment (it's a bit ugly, but it works). This causes issues associating created entities with the actual user, as CRM considers them created by the user in the API deployment. We need to fix that so that the user authentication is passed from our web application to our API and then to the CRM OData API.
From searching this site and other resources, I have determined this is not possible with WS-Federation and I would need to use OIDC. But, all the documentation that I have found about using OIDC in this manner has involve using Azure Active Directory and Dynamics 365, which does not apply in my scenario. I haven't found any information for the configuration of a local CRM 2016 instance or ADFS.
How is this accomplished for an all on-premises deployment?

To impersonate a user, set the CallerId property on an instance of
OrganizationServiceProxy before calling the service’s Web methods.
via https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/org-service/impersonate-another-user
Or
To impersonate a user based on their systemuserid you can leverage
MSCRMCallerID with the corresponding guid value.
via https://learn.microsoft.com/en-us/powerapps/developer/data-platform/webapi/impersonate-another-user-web-api
Although I can't guarantee that it will work in version 8.1 and below.

Related

CRM 2016, OAuth and OData API

I have an on-premise CRM 2016 system that uses Active Directory and when I attempt to access the OData API from a desktop app, using network credentials, I get an un-authorised message.
After looking into this it would appear that I need to authenticate using OAuth which in turn would require installing AD Federation Services.
Before going down this path I would like to know if this is the correct approach to take?
I've been able to find plenty of examples on how to acheieve this using CRM online/Azure AD, but not much for on-premise 2016.
If your desktop app built on .NET framework and runs in the same local network as your CRM server then you can use XRM Tooling SDK instead.
https://learn.microsoft.com/en-us/previous-versions/dynamicscrm-2016/developers-guide/dn689057%28v%3dcrm.8%29
This SDK lets you create a CrmServiceClient object using a connection string from your configuration file. This object implements the IOrganization interface which means it has the CRUD methods you can use against your CRM.
CrmServiceClient service = new CrmServiceClient(ConfigurationManager.ConnectionStrings["mycrmconnstr"].ConnectionString);
Yes, that's the way to make it work with CRM On-Premise.
You will have to install and configure ADFS (according to documentation ADFS 3.0 is the latest version supported). Once everything is set up, the overall process is quite similar to when you're doing it in Online with AAD:
Register application
Add-AdfsClient -ClientId <CLIENT_ID> -Name <APP_NAME> -RedirectUri <REDIRECT_URI>
Grant application permission to CRM
Grant-AdfsApplicationPermission -ClientRoleIdentifier <CLIENT_ID> -ServerRoleIdentifier <CRM_URI>
Connect using Authorization Code Grant
Authorization Code is the only flow implemented in ADFS 3.0 (that's why I mentioned it before) so don't waste 4 o 5 hours trying to use Implicit like I did :(. ADFS 4.0 implements it (along with Client Credential and Resource Owner Password Credentials but in theory is not supported (although I've seen it working).
As you said the process is not well documented but you'll find some questions on forums or some blog post that will help you. I found THIS one very helpful, even though is not Dynamics related.

Dynamics 365 Online Claims-based or Active Directory (through federation) authentication

I have implemented Azure Active Directory Oath2.0 authentication and now I have to implement Claims-Based and Active Directory authentication in Java for Dynamics 365 Online/On-Premise.
I'm following this topic: https://msdn.microsoft.com/en-us/library/gg334502.aspx and here it says that Dynamics 365 online supports the following authentication scenarios: Claims Based Authentication or Active Directory Through Federation.
The problem is that I don't know from where to start and what configurations have to be done. I've played with azure portal and with the dynamics 365 online admin panel, but just can't figure out what I have to do :).
Can I use some info from https:// login.microsoftonline.com//FederationMetadata/2007-06/FederationMetadata.xml to perform such authentications?
Do I need do install a local Active Directory server?
I highly recommend looking through some Azure AD samples on how to setup oAuth2.0 to various Microsoft services. The dev landing page has tons of a great samples. Here is the java sample.
If you're trying to sign in purely Azure AD users the access some resources, then this is pretty straight forward. You'll want to register an app in the Azure Portal, setup all the delegated permissions and app configs necessary (the sample will help with this), then use the ADAL library to perform the oAuth2.0 flow. This flow will return back tokens that can be played to whatever service you requested access in the form of http requests.

Why is it mandatory to use Azure Active Directory for accessing CRM online instance through Web API from outside CRM?

I am curious to know why we always need to register our CRM online instance on an Azure Active Directory in order to authenticate the Web API while accessing from outside CRM domain.
That is, for example, if I need to access CRM online instance through another website using CRM's Web API endpoint, then I must register my CRM instance to Azure Active Directory.
Though I am aware that, its a very nominal charge to create an Azure Active Directory, still I would need to subscribe to Azure even if I just want to perform some general research for CRM connectivity through Web API.
Why this is must? Are there any security considerations behind this?
Why can't we use the same authentication mechanism as we used to do with Organization service?
Any details on this will be much appreciated.
The CRM WebAPI uses OAuth2 and Azure AD is the only currently supported authentication platform to provide this (Windows Server 2016 will support OAuth2 for on-premise).
The Organisation service is a WCF service and as such uses SOAP for authentication and authorization. This is an entirely different technology stack that brings it's own set of problems, many of which the OAuth2 protocol tries to solve in this scenario.
Although you manage your CRM Online users through the Office 365 portal the underlying technology for these accounts is also Azure AD. Check if you can use this existing AD tenant created as part of your subscription rather than having to create another.
If you are using CRM online you already have aan Azure Active Directory. If you haven't already done so, you can signup for an Azure subscription and import the underlying AAD into your Azure subscription. You will need a credit card, but as far is I know using the Azure AD is free.

ASP.NET WebApi - SharePoint Claims Authentication

I need to migrate some existing WCF services to a new WebAPI-based architecture. Unfortunately, they run on two SharePoint 2013 farms, trusted to one another, and rely on claims authentication to perform task with the application pool account.
I already have running Web API controllers in SharePoint, but I couldn't find a way to automatically authenticate the system user across farm.
Which is the preferred approach I could rely on?

Crm 2011 custom web service

I need to be able to extend CRM 2011 which is running in the cloud. I need to be able to perform CRUD operations from a completely separate internet web site. What options do I have? I have zero experience with CRM. I just found out that the OOB web services can only be accessed within the context of CRM.
I just found out that the OOB web services can only be accessed within the context of CRM.
This is only true for the REST endpoint. Not for the other endpoints. You can access the IOrganizationService if you use .NET as basis or you could access the web services via SOAP.
Use the WSDL Endpoint
http://blogs.msdn.com/b/girishr/archive/2011/03/22/crm-online-2011-web-services-soap-sample-now-ready-for-emea-amp-asia.aspx
CRM 2011 exposes webservices through oData and SOAP endpoints. If you are using CRM 2011 Online you can hit these endpoints over the internet. If hosting CRM yourself, you can set it up for IFD (Internet Facing Deploy). I would suggest taking a look at the CRM 2011 SDK for oData and SOAP examples.

Resources