We are trying to send NServiceBus messages from a Microsoft Dynamics CRM plugin and running into issues like this:
Attempt by security transparent method [Our_Namespace].GetStandardBus(System.String)' to access security critical type 'NServiceBus.IBus' failed at [Our_Namespace].GetStandardBus(String endpointName)
The CRM plugins are running in the sandbox which means they are running as partial trust in IIS and we really want to keep it that way.
So my question is, is it possible to access NServiceBus from an IIS partial trust application?
Thanks,
Mark
Check out the Dynamics Adapter for NServiceBus:
https://github.com/ParticularLabs/NServiceBus.DynamicsAdapter
... contains an example application that demonstrates bi-directional integration between cloud hosted Dynamics 365 2016 and an on-premises NServiceBus system using Azure Service Bus Queues.
Related
What is the most performant and secure method to call an on-premise API (integrated to on-premise systems not related to CRM) from a Dynamics 365 plugin in Azure?
Why do you want to user Dynamics API when you are already in Plugin for Azure.
Why not user native SDK for Dynamics on-prem .net4.6.2
Connect to Dynamics in Plugin using connection tool and use it.
Here is an example to do so, once connected you can perform CURD operation against dynamics.
https://crm365blog.wordpress.com/2018/05/27/connecting-to-crm-2013-2015-2016-and-dynamics-365-in-c/
one more article
https://rawishblog.wordpress.com/2018/07/16/how-to-connect-to-dynamics-crm-onpremises-ad-ifd-from-a-windows-form-application/
Our setup consists of on-premises CRM 2016 in IFD configuration with ADFS. We have several custom web apps that are embedded in iframes in CRM as well. Our web apps are MVC running in IIS on .NET 4.7 and use the WS-Federation IIS module for authentication. This provides a pretty seemless experience where the embedded application does the redirect to and from ADFS to authenticate the user after they're already logged into CRM.
Our applications also call APIs we have created, which in turn make calls to Dynamics CRM web API using OData. Our APIs are setup to make calls to the CRM web API as a specific user chosen at deployment (it's a bit ugly, but it works). This causes issues associating created entities with the actual user, as CRM considers them created by the user in the API deployment. We need to fix that so that the user authentication is passed from our web application to our API and then to the CRM OData API.
From searching this site and other resources, I have determined this is not possible with WS-Federation and I would need to use OIDC. But, all the documentation that I have found about using OIDC in this manner has involve using Azure Active Directory and Dynamics 365, which does not apply in my scenario. I haven't found any information for the configuration of a local CRM 2016 instance or ADFS.
How is this accomplished for an all on-premises deployment?
To impersonate a user, set the CallerId property on an instance of
OrganizationServiceProxy before calling the service’s Web methods.
via https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/developer/org-service/impersonate-another-user
Or
To impersonate a user based on their systemuserid you can leverage
MSCRMCallerID with the corresponding guid value.
via https://learn.microsoft.com/en-us/powerapps/developer/data-platform/webapi/impersonate-another-user-web-api
Although I can't guarantee that it will work in version 8.1 and below.
Good morning everyone,
My apologies if this post is too similar to this post:
Dynamics 365 and Azure integration
but I am struggling to understand exactly what is needed in order to setup a web service on an Azure server that is consumable by a Dynamics 365 plugin. Based on my research it appears that it goes as follows but I would like to see if any knows of a better guide.
1.) Construct the web service as normal on the Azure Windows Server.
2.) Register a proper DNS Domain name (friendly-name) and route it to the Azure server.
3.) Secure that Azure server/URL with a certificate.
4.) Call the web service from my C# Dynamics 365 plugin.
Is that everything or might I be missing something critical? Thank you!
4 might be an issue, given you want to use certificate based security, not sure that will work, you might need to use another mechanism, e.g. basic user name and password. Otherwise looks okay.
Plug-in isolation, trusts, and statistics
Web access
Sandboxed plug-ins and custom workflow activities can access the
network through the HTTP and HTTPS protocols. This capability provides
support for accessing popular web resources like social sites, news
feeds, web services, and more. The following web access restrictions
apply to this sandbox capability.
Only the HTTP and HTTPS protocols are allowed.
Access to localhost (loopback) is not permitted.
IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving
those credentials.
I have an Azure Logic app that needs to connect to an on-premise Dynamics CRM instance.
I'd like to use the "Dynamics 365" connector so I had a look at this article
Connect to data sources on premises from logic apps with on-premises data gateway
But I can't see CRM as part of the supported data source.
For the moment, I plan to connect directly to CRM Sql Server database (available from the data gateway) but I am wondering if there is any workaround to use "Dynamics 365" connector to connect to an on-premise Dynamics CRM instance?
At the moment, the CRM connector does not support the on-prem data gateway. Another option is to use Custom Connectors and wrap your CRM Soap endpoints with it.
Custom Connectors support the on-prem data gateway, thus you can wrap your CRM Soap Endpoints with the Custom Connector and use either SOAP to REST or SOAP pass-through.
This is still in preview and the team are still working on the documentation, but it works :)
HTH
I am curious to know why we always need to register our CRM online instance on an Azure Active Directory in order to authenticate the Web API while accessing from outside CRM domain.
That is, for example, if I need to access CRM online instance through another website using CRM's Web API endpoint, then I must register my CRM instance to Azure Active Directory.
Though I am aware that, its a very nominal charge to create an Azure Active Directory, still I would need to subscribe to Azure even if I just want to perform some general research for CRM connectivity through Web API.
Why this is must? Are there any security considerations behind this?
Why can't we use the same authentication mechanism as we used to do with Organization service?
Any details on this will be much appreciated.
The CRM WebAPI uses OAuth2 and Azure AD is the only currently supported authentication platform to provide this (Windows Server 2016 will support OAuth2 for on-premise).
The Organisation service is a WCF service and as such uses SOAP for authentication and authorization. This is an entirely different technology stack that brings it's own set of problems, many of which the OAuth2 protocol tries to solve in this scenario.
Although you manage your CRM Online users through the Office 365 portal the underlying technology for these accounts is also Azure AD. Check if you can use this existing AD tenant created as part of your subscription rather than having to create another.
If you are using CRM online you already have aan Azure Active Directory. If you haven't already done so, you can signup for an Azure subscription and import the underlying AAD into your Azure subscription. You will need a credit card, but as far is I know using the Azure AD is free.