How can I get password of logged in user in Dynamics CRM on prem? - dynamics-crm-2016

I know how to grab the GUID and user name of the currently logged-in user in Dynamics CRM 2016 on-prem. But I also need to grab the password for some business reason and pass it to another application for managing documents of the user.
From what I have searched, I can only find how to get the ID and user name of the user, but nothing about the password of the user. I need to know how I can get the password of the currently logged-in user. Any idea/suggestion will be helpful.

You can't - unless the user gives it to you.
Passwords are handled by the authentication layer (Windows Integrated or ADFS) and CRM has no knowledge of the user's password. I do not believe Active Directory (or any other LDAP service that ADFS might use) would allow you to read a user password.
In Server Side Sync a user may provide their password to CRM for Exchange authentication, BUT that password cannot be read by anything other than the CRM platform (and it is encrypted in SQL). You will not be able to read that password using code or SQL.

I do believe CRM On-Premise utilizes Active Directory. AD passwords are stored using non-reversible encryption, so you won't be able to get that in a readable format unless you enable reversible encryption, which I'd not advise doing for security reasons.
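
A check that follows from the answer above, added here as an example and not part of the original post: find accounts where reversible password storage has been switched on. The LDIF-style records and the function names are constructed for illustration; the bit values are the documented userAccountControl flags.

```python
# Added example: flag directory accounts that allow reversible password storage.
UAC_ACCOUNTDISABLE = 0x0002
UAC_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # "store password using reversible encryption"

# Constructed LDIF-style export; 512 is a normal enabled account.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
sAMAccountName: alice
userAccountControl: 512

dn: CN=Legacy Svc,OU=Service,DC=corp,DC=example
sAMAccountName: svc-legacy
userAccountControl: 640

dn: CN=Bob Example,OU=Staff,DC=corp,DC=example
sAMAccountName: bob
userAccountControl: 642
"""

def parse_ldif(text):
    """Split an LDIF-style dump into one dict per entry (single-valued attributes)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def reversible_accounts(entries):
    """Return (account, is_disabled) for every entry with the reversible bit set."""
    findings = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if uac & UAC_ENCRYPTED_TEXT_PWD_ALLOWED:
            findings.append((e["sAMAccountName"], bool(uac & UAC_ACCOUNTDISABLE)))
    return findings

if __name__ == "__main__":
    for name, disabled in reversible_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: reversible encryption allowed (disabled={disabled})")
```

The per-account bit is only one place the setting can live; the domain password policy has its own "Store passwords using reversible encryption" option that this check does not read.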

There are some steps mentioned for setting up single sign-on for SharePoint integration; this might help your cause.
Reference : https://sharepoint.stackexchange.com/questions/19662/how-to-set-up-single-sign-on-for-sharepoint-integration-in-crm-2011

Related

Source Tree and visualstudio.com personal access tokens: How to use the token?

I have just created a personal access token at visualstudio.com, because in SourceTree I could not manage to log in with my visualstudio.com e-mail and password. Now that I have the token, how do I use it? I cannot find any information online on how to use it in SourceTree. If I choose Clone/New and enter the URL to the git repo, I am asked for a username and password, not a token... Can anyone help please?
Just use a token as your per-application password.
VisualStudio.com used to have alternate authentication credentials (something like a second password), so that you don't need to trust 3rd-party applications with your MS account password. This has been refined in favor of access tokens, which allow you to control access on a granular level (per application / service / read-only, read-write). This allows you to enter such an access token e.g. on a 3rd-party build service, without fear that your main password is disclosed or misused (e.g. when the 3rd-party provider is hacked). Also, access can easily be revoked (instead of setting a new password and then entering it everywhere except for the application you don't trust / want to use anymore).
From a client application's point of view, the access token is just a password.

Integrating Exchange with website

We are trying to integrate Microsoft Exchange (sync appointments) into our web site (SPA, Software as a Service). For this we are looking at the EWS Managed API as the preferred route. We have the end user's email, but we do not want to store their Exchange passwords (as they are generally the same as the user's domain password). In such a scenario, which is the best approach to take? Please help.
The preferred way would be to define a new Exchange id for your integration program and allow it impersonation rights for each user whose mailbox you want to examine. The managed API will allow you to specify an impersonation id on each call. You authenticate with your program's userid and password, but have the rights within the Exchange store of the user you are impersonating. Thus you only have to manage a single password for your program and need not know users' passwords. Setting up the impersonation rights requires some fancy PowerShell commands from the Exchange Admin, but you only do it once.
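
What the impersonation described above looks like on the wire, as an added example that is not part of the original answer: the integration names the mailbox owner in an EWS SOAP header and never handles that user's password. The enrolled-mailbox set, the addresses and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
T = "http://schemas.microsoft.com/exchange/services/2006/types"
M = "http://schemas.microsoft.com/exchange/services/2006/messages"
for _prefix, _uri in (("soap", SOAP), ("t", T), ("m", M)):
    ET.register_namespace(_prefix, _uri)

# Assumption: mailboxes whose owners opted in to calendar sync (constructed).
ENROLLED = {"alice@example.com", "bob@example.com"}

def build_calendar_request(target_smtp):
    """Return a GetFolder(calendar) envelope that acts as `target_smtp`."""
    target = target_smtp.strip().lower()
    if target not in ENROLLED:
        # App-side guard: the integration account can act as many users,
        # so refuse anyone who has not enrolled.
        raise PermissionError(f"{target_smtp} is not enrolled for sync")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    # The mailbox owner is only *named* here. The HTTP request itself is
    # authenticated with the integration account's own credentials.
    imp = ET.SubElement(header, f"{{{T}}}ExchangeImpersonation")
    sid = ET.SubElement(imp, f"{{{T}}}ConnectingSID")
    ET.SubElement(sid, f"{{{T}}}PrimarySmtpAddress").text = target
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    get_folder = ET.SubElement(body, f"{{{M}}}GetFolder")
    shape = ET.SubElement(get_folder, f"{{{M}}}FolderShape")
    ET.SubElement(shape, f"{{{T}}}BaseShape").text = "IdOnly"
    ids = ET.SubElement(get_folder, f"{{{M}}}FolderIds")
    ET.SubElement(ids, f"{{{T}}}DistinguishedFolderId", Id="calendar")
    return ET.tostring(env, encoding="unicode")

def impersonated_users(envelope_xml):
    """List the mailboxes a request acts as, e.g. when auditing request logs."""
    root = ET.fromstring(envelope_xml)
    path = "/".join(f"{{{ns}}}{tag}" for ns, tag in (
        (SOAP, "Header"), (T, "ExchangeImpersonation"),
        (T, "ConnectingSID"), (T, "PrimarySmtpAddress")))
    return [el.text for el in root.findall(path)]

if __name__ == "__main__":
    print(build_calendar_request("alice@example.com"))
```

Because one account can now act as every covered mailbox, its password becomes the secret to protect, and logging the impersonated address per request gives a trail of whose mailbox was touched.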

Office 365 CRM and Sharepoint Online How to Get SAML Token for Current Logged in User

So I have CRM Online and SharePoint Online as document storage. I have the list component installed and everything is working there. I have a plugin I have built which generates emails and, as part of the process, grabs documents from various SharePoint folders and attaches them to the email before sending.
To do this in a SharePoint online environment, I have to go out, grab a SAML token from MS's login STS service, pass the token to SharePoint, receive a couple of authentication cookies back, and pass those cookies along with any requests I make to SharePoint. All of this is working. The bad news is I have to have a username and password hardcoded in (or prompt the user). Is there any way from inside CRM Online to grab the current user's credentials and pass that to get the SAML token? I mean there has to be since CRM does it when you create the document libraries when you turn on Document Management, right?
I can't use the SharePoint DLLs inside CRM Online plugins; it is security restricted. I cannot access the CredentialCache; security restricted. Hell, I even looked at trying to intercept the cookies somehow with JavaScript, but it looks like they are HttpOnly and pretty much inaccessible.
Tried putting in a Microsoft ticket and got some low level guy who immediately passed the buck and called it unsupported.
You can't get the user's password in CRM. If you are developing a plugin, the plugin can run in the user context and the code will execute based on the logged-in user. Therefore you don't need to pass any creds for adding a document in CRM.
Check out this URL; it helps you understand how impersonation works in CRM.
https://msdn.microsoft.com/en-us/library/gg309416.aspx
Hope this helps.

Google Admin SDK [Directory - API] check User password

I am using the Google Admin SDK Directory API to create users, and using a service account I am able to perform CRUD operations on them.
I have a requirement whereby I have to check the credentials of users created using the SDK.
When you fetch the users, the password is not returned, hence the comparison cannot be done.
I'd really appreciate it if someone could let me know what would be an effective way of approaching the checkCredentials function.
Thanks.
Google does not ever return the value of the password. That would be a monumental security risk.
See their documentation in regards to the user resource used in the directory API. It specifically states that the password field is never returned. It can only be used for setting the password.
If your requirement is to check creds on a newly created user, you should look into trying to log in as the user with the password you just sent, using the Google auth APIs.
At the moment, the only solution I've found is to simulate the user login flow with a fake browser (Apache's httpcomponents-client for Java for example) pointing to Google Account ServiceLogin.

How to check if a user is already login in the LDAP server

Assume a user uses the domain name and password to log in to his personal computer, and then I want to get the current user information (such as a session) from the LDAP server, because I would like to use this session to log in to another web site without a password.
I am not sure if I described this question clearly, so I summarize it again below:
1. The user logs in to the PC with his password and username
2. The script gets this user's session from the LDAP server and stores it
3. When this user wants to log in to another webpage, this website uses the session to log in (without a password)
Are there any ideas about this? I still don't know how to implement this.
As far as I'm aware LDAP does not have a concept of a session on the level of authenticating the people in the directory (as opposed to authenticating access to the LDAP server). So the answer is that you don't. LDAP is typically only used to store the user information.
What you need is some sort of single sign-on (SSO) solution. It can use LDAP to store the user data of course.
I agree with Lennart. From LDAP, there is no mechanism to determine if the user is already bound.
There may be some extensions or controls or SASL mechanisms that could provide that information from some LDAP server vendor implementations.
-jim
