We are trying to integrate Microsoft Exchange (sync appointments) into our web site (SPA)(Software as a Service), for this we are looking at EWS managed API as the preferred route, we have the end users email, but we do not want to store there exchange passwords (as they are generally same as users domain password), in such a scenario which is the best approach to take. Please Help.
The preferred way would be to define a new Exchange id for your integration program and allow it impersonation rights for each user whose mailbox you want to examine. The managed API will allow you to specify an impersonation id on each call. You authenticate with your program's userid and password, but have the rights within the Exchange store of the user you are impersonating. Thus you only have to manage a single password for your program and need not know users' passwords. Setting up the impersonation rights requires some fancy PowerShell commands from the Exchange Admin, but you only do it once.
Related
I'm creating a powerapp interface for a small corporation that using office365/sharepoint to log in to their network. Is it possible to use both the username or email and password to login and pass on to the next screen? so far this is what I’m working with "-----" don't know what to use.
If (User().Email = Txt_Inpt_Us, User().
and
If(User().Email exactin Txt_Inpt_Us.Text).------ = Txt_Inpt_Pas.Text, false, true)
I've tried various combinations and combing through powerapps help but am growing tired and wanted to get y'alls take.
PowerApps will be used by internal employees in a corporate using Azure AD user account, which is used for Single signon across Sharepoint, O365, etc. In some cases external guests can be shared with this PowerApp but still they have to be in some AAD and invited through your company AAD as guests.
That being said, Authentication for PowerApp is already taken care by Azure AD challenge. Not sure why you want to have a separate login screen to mimic the behavior.
In case you want some registration process to use and authorization on multiple role/persona, then you should maintain a separate database to handle the entitlements and authorization.
Don’t forget, this is going to be extra step for users, to get authenticated in addition to AAD always.
We are integrating Google Calendar with our room booking system. Users in GSuite domain should login on our reservation screen and book a room. So far I made use of an service account with domain wide delegation to impersonate the users (the setSubject() method, passing the e-mail address of the impersonated user). Everything works, although this way we cannot verify if the user we want to impersonate is logged in successfully or not, the event will be just created with him as the organizer, because setSubject() only requires the email to work properly.
In IBM Domino, when using an Java XPage I was able to compare passwords of the user, not in plain text but there was a function which compared plain text with user's hashed password and returned true if they were equal.
As I see Google doesn't have such a thing if I'm right. How could I check if the user can successfully log in programmatically?
If you want to perform actions in Google Calendar on behalf of a currently logged-in user from a web browser, you might want to use OAuth2 for Web Server Applications instead of using a service account with impersonation.
So far all information that I read about streaming notifications says that you are expected to use impersonation with streaming subscriptions when you want to subscribe to not your mailboxes. This sounds reasonable when you have service application that accesses user mailboxes. In my case I need to subscribe to calendars of room mailboxes.
Based on this answer: Getting notification from Resource calendar in EWS room mailboxes usually have their account disabled and I need to use delegation.
So what is proper way to subscribe and maintain affinity when using delegation? Should I just ignore setting the impersonation header and do everything else as described in How to: Maintain affinity between a group of subscriptions and the Mailbox server in Exchange?
When you creating folder object, pass the other user email address which shared his calendar with you. AS below
folders[0] = new FolderId(WellKnownFolderName.Calendar, new Mailbox("OtherUserEmail"));
And then subscribe.
service.SubscribeToStreamingNotifications
For resource rooms I use impersonation as the preferred access. I know that in general the AD userids for room resources are disabled for login in AD, but my guess is that affects only Windows login. Technically when you impersonate, you don't really login as the room user. You log in as the service account with those credentials, and then indicate with the impersonation id that you want Exchange to pretend it's actually the room making all the requests you are about to make.
I know how to grab guid and User Name of current logged in user in Dynamics CRM 2016 on prem. But I also need to grab the password for some business reason and pass it to another application for managing documents of the user.
What I have searched I find only to get the id and user name of the user but nothing find about the password of the user. I need to know how can I get the password of the current logged in user. Any idea/suggestion will be helpful.
You can't - unless the user gives it to you.
Passwords are handled by the authentication layer (Windows Integrated or ADFS) and CRM has no knowledge of the user's password. I do not believe Active Directory (or any other LDAP service on which ADFS might use) would allow you to read a user password.
In Server Side Sync a user may provide their password to CRM for Exchange authentication BUT that password cannot be read by anything other than the CRM platform (and they are encrypted in SQL.) You will not be able to read that password using code or SQL.
I do believe CRM On-Premise utilizes Active Directory. AD passwords are stored using non-reversible encryption, so you wont be able to get that in a readable format unless you enable reversible encryption, which i'd not advise doing for security reasons.
There are some steps mentioned to set up single sign on for sharepoint integration, this might help your cause.
Reference : https://sharepoint.stackexchange.com/questions/19662/how-to-set-up-single-sign-on-for-sharepoint-integration-in-crm-2011
I'm writing an application that needs to create Calendar events on a user's Outlook Calendar. However, I will not have access to their passwords, and they will most likely not be involved in the workflow to enter them at any point.
Is it possible to create these events with the user being authenticated? If not, are there alternatives?
This is for an on-premise Exchange Server, not Exchange Online.
You can use app impersonation, as long as the admin can add a service account and grant app impersonation. See https://msdn.microsoft.com/en-us/library/office/dd633680(v=exchg.80).aspx for more details.
If the user can use his Windows Login to login to the Exchange Server, you can simply use that - if your application runs on the users machine under his account. EWS-managed-API does that out-of-the-box.
If not, you could create an additional user on the Exchange Server, who creates the appointments on his own account and invites everyone per email.