I am trying to retrieve data from Microsoft Dynamics CRM database. In order to have LINQ functionality, I applied crmsvcutil to generate data context class. The following is the command line I used
crmsvcutil /connectionString:"Authentication Type=SPLA; Server= http://our-crm.com; User ID=user; Password=pass" /namespace:Stub.Xrm /dataContextPrefix:MyCorp /out:Xrm.cs
When running the command, I got
Unhandled Exception: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
Error. I was able to access http://our-crm.com by using user/pass to assess the CRM. I am suspecting that the URL of serer was the problem, but don't know exactly which one I should use.
The CRM version I used is 4.0
UPDATE On May 19, 2011:
I changed the connection string to
crmsvcutil /connectionString:"Authentication Type=AD; Server= http://our-crm.com/CRM; User ID=domain\user; Password=pass" /namespace:Stub.Xrm /dataContextPrefix:MyCorp /out:Xrm.cs
Now I am getting
Unhandled Exception: System.ApplicationException: 0x80040220
SecLib::CheckPrivilege failed. Returned hr = -2147220960, User: f26255aa-997a-e011-b1ff-0050569e0924, PrivilegeId: a33
11f47-2134-44ee-a258-6774018d4bc3
Does it mean I do not have enough privilege to retrieve WSDL information? But I was able to use browser to get http://our-crm.com/mscrmservices/2007/CrmServiceWsdl.aspx and I was able to add webreference to the WebService using same credential.
If you are accessing Dynamics CRM OnPremise with the credentials of the current user, you have to specify Integratedas authentication type.
Therefore your connection string should be
/connectionString:"Authentication Type=Integrated; Server= http://our-crm.com;
If you have to specify a specific user, you have to use AD
/connectionString:"Authentication Type=AD; Server= http://our-crm.com; User ID=user-domain\user-name; Password=user-password
See Connect to the Microsoft Dynamics CRM Server
Related
I use Office.js's getCallbackTokenAsync to load the token to pass to the backend.
In the backend, I use EWS to retrieve the email data. Here is how I perform the authentication.
ExchangeService service = new ExchangeService();
service.Url = new Uri(ewsUrl); //retrieved from getCallbackTokenAsync
service.Credentials = new OAuthCredentials(ewsToken);// retrieved from getCallbackTokenAsync
It works well in exchange online enviroment. However when tested in on-premise exchange server, I got this authentication error:
Error Message: The remote server returned an error: (401) Unauthorized.
Stack Trace: at System.Net.HttpWebRequest.GetResponse() at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse() at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
I then found this doc says the Oauth2 authentication is only for exchange online. I guess I need to use this NTLM (Exchange on-premises only).
The major reason I use EWS instead of Graph or Rest is it supports on-premise server more naturally. So should I change the authentication here? I certainly do not want to ask user for username and password.
I am trying to integrate a Shibboleth IDPV3.4.1 with my SP which is a server called as ClearPass. I am using the Linux platform of the Shibboleth IDP. I configured the relyingparty.xml, attribute-filter.xml, attribute-resolver.xml,ldap.properties, and also the and uploaded the metadata to the /metadata/sp-metadata.xml also updating the metadata-providers.
I am trying to use the password authentication flow with LDAP, however the issue is that I never get the login page when I initiate the SAML transaction from my SP. I get an error saying "Web Login Service -Stale Request". I have attached the screenshot of the error
Stale Request
I attempt to do a resolver test using the
http://shib.nslab.com:8080/idp/profile/admin/resolvertest?requester=https://chandracppm.nslab.com/networkservices/saml2/sp&principal=chandu
requester "https://chandracppm.nslab.com/networkservices/saml2/sp"
principal "chandu"
attributes
0
name "sAMAccountName"
values
0 "chandu"
and I get the attributes from AD in return, which shows the connection to AD is working.
However the authentication page does not appear from the IDP when I try to access the resource in my SP, I only get the Stale request Error.
The error that I see in the logs/idp-process.log is as follows
2018-12-10 19:26:08,222 - 10.23.20.81 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request
org.opensaml.messaging.decoder.MessageDecodingException: Shibboleth Authentication Request message did not contain the providerId query parameter.
at net.shibboleth.idp.saml.profile.impl.BaseIdPInitiatedSSORequestMessageDecoder.getEntityId(BaseIdPInitiatedSSORequestMessageDecoder.java:128)
2018-12-10 19:26:08,223 - 10.23.20.81 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: UnableToDecode
2018-12-10 19:26:08,224 - 10.23.20.81 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:143] - No SAMLBindingContext or binding URI available, error must be handled locally
I am new to setting up Shibboleth IDP, not sure what I am missing.
Any inputs would be appreciated
Shibboleth fails to decode the message. This behavior is to be seen if the AuthnReq is being sent to POST endpoint instead of Redirect or vice versa or if any of both endpoints are not configured properly. On UI, the error you will notice for this is "StaleRequest". I got a similar error in idp-process.log file "org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP GET method". The issue is pertaining to incorrect or misconfigured endpoints.
I was able to get this working by installing an IDP docker image from here
https://docs.google.com/document/d/1qb5XTde1nulCdA_8QUei48CxDj0lQs7ShD622Ze_4II/edit
The authentication flow is working now
Environment:
Oracle 11g database
Weblogic 11.3.6
Webgate 3
Forms&reports 11 g (11.1.2.0)
WebTier 11.1.1.9.0
Problem :
When trying to access form with :
http://localhost:7777/forms/frmservlet
i have this error:
Error 500--Internal Server Error
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.5.1 500 Internal Server Error
The server encountered an unexpected condition which prevented it from fulfilling the request.
but when i set ssoMode = false in formsweb.cfg froms's config file, the forms welcome page displays well.
Any idea?
Thank you.
ssoMode (Single Sign-On parameter) indicates whether the URL is
protected in which case mod_osso, which is Oracle Single Sign-On
Module, will be given control for authentication or continue in the
FormsServlet if not.
It is false by default. It may be set to true in an
application-specific section to enable Single Sign-On for that application.
formsweb.cfg,in which ssoMode parameter may also be overridden , defines parameter values used by the FormsServlet (frmservlet)
The mod_osso component is a module that plugs into Oracle HTTP
Server. It enables the HTTP listener as a partner application that can
use the Single Sign-On server to authenticate users. Once mod_osso is
installed and configured, Web applications can register URLs that
require SSO authentication with the module. Then when URL requests are
received by the HTTP server, mod_osso detects which requests require
SSO authentication and redirects them to the Single Sign-On server.
After the Single Sign-On server authenticates the user, it passes the
user's authenticated identity back to mod_osso in a secure token, or
cookie. The module retrieves the user's identity from the cookie and
propagates the user's identity information to applications running in
the HTTP server instance. The module can propagate the user's identity
information to applications running in the CGI, those running in
Oracle9iAS Containers for J2EE, and it can also authenticate users for
access to static files.
Oracle Forms Services applications can be run in a single sign-on
(SSO) environment using Oracle Login Server (Single Sign-On Server)
and Oracle Internet Directory (OID) to store user name and password
information. For Single Sign-On implementation Oracle Forms is
considered as an 'External Application'.
In Forms, it is possible to obtain the Single Sign-On username via :
GET_APPLICATION_PROPERTY(sso_userid);
This returns a string containing the Single Sign On user ID if the user has been authenticated via the Login Server. A NULL value is returned if SSO was not used.
It is possible to also obtain the user distinguished name (dn) and the subscriber distinguished name (subscriber dn) e.g.
GET_APPLICATION_PROPERTY(sso_usrdn);
GET_APPLICATION_PROPERTY(sso_subdn);
I am trying to implement server-to-server integration with Dynamics CRM Online 2016 and BizTalk 2013 R2. I am using the WebHttpBinding to call the CRM web API, which requires a bearer token supplied as an http header:
Authorization: Bearer [base64string]
I have written a client message inspector which calls Azure AD using ADAL to acquire an access token. This is secured with a client assertion certificate, which is assigned to the registered app in our AD tenant:
var token = context.AcquireTokenAsync(this.ResourceUri, assertionCert).Result;
ResourceUri is https://[myorganisation].crm4.dynamics.com
assertionCert is a ClientAssertionCertificate created using the app registration application ID and an x509 certificate in the machine certificate store that is registered to the app as a KeyCredential
This 'works' in that it returns a token and I can decode this token to inspect the claims - there are a fair number of them, I have no way of telling whether this is the set of claims that CRM requires.
The AD app registration is configured with delegated permissions to the CRM instance.
I have set the application ID in the CRM local user to that of the app registration.
Upon calling the webAPI and supplying this token, CRM responds with 401 unauthorized.
I have repeated the same process in a powershell script and in PostMan, all of which appear to show the same behaviour.
What else am I supposed to do to make CRM accept my access token?
edit #1: Tried hardcoding the authority URI to https://login.windows.net/[my-tenant-id]/oauth2/token rather than what comes out of dynamically acquiring the authority through AuthenticationParameters - this is the same value except ending with /authorization instead of /token. This makes zero difference.
edit #2: An administrator I am working with pointed out to me that the application user I am expecting to use had no user roles assigned - this has been amended to have a role which should allow API access, but this also made no difference.
edit #3: Set oauth2AllowImplicitFlow to true in the manifest for the app registration. This doesn't make any difference.
edit #4: Made some progress by creating a new app registration, this time as a Native app rather than a web app. I managed to get a token using a client secret, and this was accepted - BUT when assigning a certificate to the app, and presenting a ClientAssertionCertificate as before, I get the response from the authority:
Error validating credentials. AADSTS50012: Client is public so a client_assertion' should not be presented.
WHY? What does 'Client is public' mean? Just work!
Hrrrmph!
Turns out that the original situation I had tried and failed with, now works.
Web application registration with delegated permissions to CRM Online
Install a client certificate on the client machine, and register this same certificate to the app using New-AzureADApplicationKeyCredential
Link the app registration to a CRM Application User created for this purpose (they are fundamentally different to interactive users) - n.b. this screen is not easy to find
Call AcquireTokenAsync() from ADAL
Just works
I am at a loss to explain why this didn't work the first time I tried it, as CRM doesn't supply any information as to why token validation failed.
Background:
Trying to find and use a library in Ruby which will enable access to an OData feed from MS Project Online. The purpose is to be able to read the information about what projects and resources have been stored in the Project management system.
Problem:
Have located two main Ruby gems for ODATA access
Ruby-Odata: OData Client Library
Odata: OData
The service which is trying to be accessed is via HTTPS; typically like https://mysite.sharepoint.com/sites/pwa/_api/ProjectData/Projects This will also have a username and password due to it being an authenticated service. But the problem is that the authentication fails, although when using this same service via an Excel data connection I'm able to access the list of Projects
Tests:
The code attempt, using Odata, looks like:
# https://github.com/visoft/ruby_odata
require 'ruby_odata'
svc = OData::Service.new "https://blogfodder.sharepoint.com/sites/pwa/_api/ProjectData/Projects/",{:username => "blah", :password => "xxxxxx"}
svc.Projects
Running this code produces the following error:
/Users/grantsayer/.rvm/gems/ruby-2.2.0#odata/gems/rest-client-1.8.0/lib/restclient/abstract_response.rb:74:in `return!': 403 Forbidden (RestClient::Forbidden)
This of course shows that authentication is a problem. The issue is that I'm able to execute this connection via Excel, and also in a web browser, just not over the API.
The alternative library (Odata) whilst not producing an authentication error ends up with no data being returned.
Suggestions are welcome.