Client Credentials of the User Logged in CRM 2011 on-premises - dynamics-crm

I am trying to call a web application from an IFrame in CRM 2011 On-Premises. In the web application, how can I get the client credentials of the user logged in to CRM to pass to the IOrganizationService?

I haven't worked with web applications for CRM 2011, as Microsoft is doing everything they can to make this as infeasible an option as possible, but in a client application, the following works for the credentials object to pass to the DiscoveryService/OrganizationService:
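// Requires: using System.ServiceModel.Description;
ClientCredentials credentials = new ClientCredentials();
// Authenticate with the Windows identity the current process or thread runs as.
credentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;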
It was somewhat similar for CRM 4 web applications, so this might work, but I have no idea what influence the fact might have that web applications for Eleven are supposed to run in their own IIS "Application" instead of the CRMWeb/ISV folder as in previous versions.

I've done it before. Actually, I give a username, password and domain (impersonation) for an existing CRM user, but I had not tried this before:
Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials
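
For the thread above, one way a web application in its own IIS application can act as the CRM user who opened the IFrame, without ever holding that user's password. This is an added example, not code from either answer. It assumes the site uses Windows authentication, the application pool account is a CRM user with the "Act on Behalf of Another User" privilege, and the endpoint URL and the names `CrmOnBehalfOf` and `WhoAmIFor` are hypothetical.

```csharp
using System;
using System.Net;
using System.ServiceModel.Description;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

public static class CrmOnBehalfOf
{
    // Hypothetical on-premises endpoint; replace with your deployment's URL.
    private static readonly Uri OrgService =
        new Uri("http://crm.example.local/Contoso/XRMServices/2011/Organization.svc");

    // windowsAccountName must come from the authenticated request
    // (HttpContext.User.Identity.Name, "DOMAIN\\user"), never from a
    // query string or form field that the browser controls.
    public static Guid WhoAmIFor(string windowsAccountName)
    {
        var credentials = new ClientCredentials();
        // Inside IIS this is the application pool identity unless the
        // request thread is impersonating the browser user.
        credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

        using (var proxy = new OrganizationServiceProxy(OrgService, null, credentials, null))
        {
            // Map the Windows account to exactly one enabled CRM user.
            var byLogin = new QueryByAttribute("systemuser")
            {
                ColumnSet = new ColumnSet("systemuserid")
            };
            byLogin.AddAttributeValue("domainname", windowsAccountName);
            byLogin.AddAttributeValue("isdisabled", false);
            EntityCollection users = proxy.RetrieveMultiple(byLogin);
            if (users.Entities.Count != 1)
                throw new UnauthorizedAccessException(
                    "No single enabled CRM user for " + windowsAccountName);

            // From here on CRM applies this user's security roles to every call.
            proxy.CallerId = users.Entities[0].Id;

            // WhoAmI confirms which user CRM actually sees for the request.
            var who = (WhoAmIResponse)proxy.Execute(new WhoAmIRequest());
            return who.UserId;
        }
    }
}
```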

Related

Accessing Microsoft Dynamics 365 - API

I want to access Microsoft Dynamics 365 online.
It is the first time I am working with this tool.
I want to access this through the API.
I have gone through the following links:
Link 1
Link 2
They show that AUTHORIZATION_URL or clientid or tokenendpoint are needed.
I have a simple MSD 365; I only have a username and password with me.
So I am not able to understand how to connect to MSD 365.
My simple question is, is it possible to access/connect using username and password?
Or is it mandatory to have all these details?
If you are planning to use the Dynamics CRM 365 Web API inside the CRM context, like a JavaScript web resource, then there is no need.
If you are planning to use it in any external app (developed using Node.js, Python), then you need to register the app in Azure AD to get an app client ID and get a login token for accessing the Web API.
The second link's example uses adal.js to get a token directly using username and password, without a clientid.

ASP.net MVC3 with forms authentication and LDAP authentication

I have an ASP.NET MVC3 application with forms authentication, but our client requests AD authentication as well. The MVC3 app is hosted outside the client's network. What are the possible solutions for this?
1. Get permission to access the client's network from the remote server.
2. Get an API to access the Active Directory data from the web server.
If we choose option one, how could we access Active Directory for authentication from outside the client network? If anybody has any idea or better options, please let me know. Thanks in advance.
My guess is that the Microsoft security products can support this out of the box but I'm not sure how so I suggest that you direct your question to whoever supplies your client with their Microsoft product support.
If you'd rather build a solution so that you've got more control over how it works a quick search found an interesting approach at https://support.freshservice.com/support/solutions/articles/169196-setting-up-active-directory-single-sign-on-sso-for-remote-authentication where they created a simple ASP.Net web site that used AD authentication for sign-on. MVC 5 can build a WebApi site that does that just by creating a new project in Visual Studio with the right options.
That site wouldn't have to do anything except confirm that the credentials supplied were valid or not. Your application would ask the user to enter login / password details, then send a (properly secured) web request to the authentication site to determine whether they're valid. As long as you keep the communication between your server and the client web service tightly secured this should do what you need without much fuss. That approach removes the need for your server to communicate directly with the client's AD server.
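
A minimal version of the credential-checking site described in the answer above, as an added example that is not code from the answer or the linked article. It assumes ASP.NET Web API 2 on a domain-joined server inside the client's network; the `X-Api-Key` header, the `CallerApiKey` setting and the type names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Net;
using System.Text;
using System.Web.Http;

public class CredentialCheck
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// The only thing this service ever returns is valid / not valid.
public class CredentialCheckController : ApiController
{
    [HttpPost]
    public IHttpActionResult Post(CredentialCheck check)
    {
        // Passwords must never cross the wire in clear text.
        if (Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return StatusCode(HttpStatusCode.Forbidden);

        // Only the remote MVC application may call this endpoint.
        IEnumerable<string> presented;
        string expected = ConfigurationManager.AppSettings["CallerApiKey"];
        if (string.IsNullOrEmpty(expected)
            || !Request.Headers.TryGetValues("X-Api-Key", out presented)
            || !FixedTimeEquals(presented.FirstOrDefault() ?? "", expected))
            return Unauthorized();

        // Reject empty values before they reach the directory.
        if (check == null || string.IsNullOrEmpty(check.UserName)
            || string.IsNullOrEmpty(check.Password))
            return BadRequest();

        // Validate against the domain this server is joined to.
        using (var domain = new PrincipalContext(ContextType.Domain))
        {
            bool valid = domain.ValidateCredentials(check.UserName, check.Password);
            return Ok(new { valid });
        }
    }

    // Comparison time does not depend on where the strings differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

Failed checks count toward the AD account lockout policy, so the calling application should rate-limit login attempts per user before forwarding them.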

Office 365 CRM and Sharepoint Online How to Get SAML Token for Current Logged in User

So I have CRM Online and SharePoint Online as document storage. I have the list component installed and everything is working there. I have a plugin I have built which generates emails and, as part of the process, grabs documents from various SharePoint folders and attaches them to the email before sending.
To do this in a SharePoint online environment, I have to go out, grab a SAML token from MS's login STS service, pass the token to SharePoint, receive a couple of authentication cookies back, and pass those cookies along with any requests I make to SharePoint. All of this is working. The bad news is I have to have a username and password hardcoded in (or prompt the user). Is there any way from inside CRM Online to grab the current user's credentials and pass that to get the SAML token? I mean there has to be since CRM does it when you create the document libraries when you turn on Document Management, right?
I can't use the SharePoint DLLs inside CRM Online plugins; it is security restricted. I cannot access the CredentialCache; security restricted. Hell, I even looked at trying to intercept the cookies somehow with JavaScript, but it looks like they are HttpOnly and pretty much inaccessible.
I tried putting in a Microsoft ticket and got some low-level guy who immediately passed the buck and called it unsupported.
You can't get the user's password in CRM. If you are developing a plugin, the plugin can run in the user context and the code will execute based on the logged-in user. Therefore you don't need to pass any creds for adding a document in CRM.
Check out this URL; it helps you understand how impersonation works in CRM.
https://msdn.microsoft.com/en-us/library/gg309416.aspx
Hope this helps.
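
What "run in the user context" looks like inside a plugin, as an added example that is not code from the answer. The class name `CallerContextPlugin` is hypothetical; the context gives the plugin an identity for calls to the CRM organization service only, and exposes no password or token.

```csharp
using System;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;

public class CallerContextPlugin : IPlugin
{
    public void Execute(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)
            serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)
            serviceProvider.GetService(typeof(IOrganizationServiceFactory));
        var trace = (ITracingService)
            serviceProvider.GetService(typeof(ITracingService));

        // UserId: the identity the step is registered to run as
        // ("Calling User" or a fixed user chosen at registration).
        // InitiatingUserId: the user whose action started the pipeline.
        if (context.UserId != context.InitiatingUserId)
        {
            // The step was registered to impersonate someone else. Fail
            // closed if this plugin is only meant to act as the caller.
            throw new InvalidPluginExecutionException(
                "Step must be registered to run as the calling user.");
        }

        // Every call through this service is checked against the calling
        // user's security roles. Passing null instead would run as SYSTEM
        // and bypass those checks.
        IOrganizationService asCaller =
            factory.CreateOrganizationService(context.InitiatingUserId);

        var who = (WhoAmIResponse)asCaller.Execute(new WhoAmIRequest());
        trace.Trace("Plugin is acting as CRM user {0}", who.UserId);
    }
}
```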

CRM 4.0 ISV page under CRM 2011 not showing correct user

I have a simple ISV page (using 2007 service endpoints, 4.0 SDK) that only shows the identity of the user who has opened it.
System.Security.Principal.WindowsIdentity.GetCurrent().Name
This page in CRM 4.0 shows a valid user, DOMAIN\USERNAME.
When this page is deployed to CRM 2011 it only shows NT AUTHORITY\NETWORK SERVICE.
The CRM 2011 has claims-based authentication configured together with IFD. There is an STS server and credentials. All connections seem to work fine. The page is accessed via https://servername.domain.com/organization/main.aspx and in an intranet environment.
It just looks like the page cannot pick up the identity of the user who has opened it.
Have you experienced this before? Is there something not configured correctly?
Thank you for your help.
To be sure which user is logged on you can use the WhoAmI message. In that way you are able to retrieve full information about the user.
ASP.NET also provides a way to retrieve the currently logged-in user: the HttpContext.User property. But it could contain different values, depending on the authentication type. In the case of IFD with claims-based authentication, HttpContext.User will contain the ID of the SystemUser entity.

How do I create a web page in CRM that talks the web service for both IFD and On-premise?

We have three servers that all share the same database. One server is internet facing.
I have a web page in an IFRAME in CRM that talks to the CRM web service using the standard method of connecting for on-premise. When this IFRAME is displayed through the IFD with users logged in through the forms authentication element, you are asked for login credentials.
How do I get around this?
EDIT
The IFRAME that targets the CRM service is on four servers. Two of the servers are used for IFD and On-premise use. The other two are for on-premise only. They are all in the same domain. All of the users are internal users that can log in through the web if they are using a customer's computer or a machine in an Internet cafe and therefore can't use the VPN.
A few questions to better understand your issue. Is the IFrame which targets CrmService on the same IFD server? Is the IFD server on the same domain as the rest of the servers? When you say users are logged in, are you referring to local domain users or external users?
I suspect the problem is not the services, but the IFrame. When you authenticate to MSCRM via on-premise you are doing Windows Authentication, and when you show the IFrame that authentication request is done again. Since the browser knows everything it needs, this is all handled transparently.
When using IFD, you are not using authentication at the web server level; you are doing it using forms-based authentication, which is at the application level. Your IFrame, though, is still wanting authentication, and thus the IFrame prompts for authentication.
If you were having a service problem, the IFrame would display and whatever action triggers the service call would fail with a 400 or 500 error.
So the question becomes: how do you build a web page that can cater for both Windows authentication and forms-based authentication? Well, that is easy in MSCRM. First make sure you are not running authentication on the web page; set it to anonymous. That ensures no more popups. Then make sure you use the CrmAuthenticationToken code to get the token and use that for all calls. You should not be setting the .Credentials property of the service itself.
Assuming you're deploying your page within the CRM website (and not its own virtual directory), here is a pointer to the SDK article for what Robert mentioned:
See the SDK topic titled: Authentication from an ASPX Page.
In my experience you should always use the CRMImpersonator in your web pages within the CRM website.
Now if you've got your own page running on its own website:
You'll want to see the Discovery service and obtaining a CRM Ticket for accessing the services.
