How do I create a web page in CRM that talks to the web service for both IFD and On-premise? - dynamics-crm

We have three servers that all share the same database. One server is internet facing.
I have a web page in an IFRAME in CRM that talks to the CRM web service using the standard method of connecting for on-premise. When this IFRAME is displayed through the IFD with users logged in through the forms authentication element, you are asked for login credentials.
How do I get around this?
EDIT
The IFRAME that targets the CRM service is on four servers. Two of the servers are used for IFD and On-premise use. The other two are for on-premise only. They are all in the same domain. All of the users are internal users that can log in through the web if they are using a customer's computer or a machine in an Internet cafe and therefore can't use the VPN.

A few questions to better understand your issue. Is the iframe which targets CrmService on the same IFD server? Is the IFD server on the same domain as the rest of the servers? When you say users are logged in, are you referring to local domain users or external users?

I suspect the problem is not the services, but the IFrame. When you authenticate to MSCRM via on-premise you are doing Windows Authentication, and when you show the IFrame that authentication request is done again. Since the browser knows everything it needs, this is all handled transparently.
When using IFD, you are not using authentication on the web server level - you are doing it using forms based, which is on the application level. Your IFrame, though, is still wanting authentication, and thus the iframe prompts for authentication.
If you were having a service problem, the IFrame would display and whatever action triggers the service call would fail with a 400 or 500 error.
So the question comes in: how do you build a web page that can cater for Windows authentication and forms based? Well, that is easy in MSCRM. First make sure you are not running authentication on the web page - set it to anonymous. That ensures no more popups. Then make sure you use the CrmAuthenticationToken code to get the token and use that for all calls. You should not be setting the .Credentials property of the service itself.

Assuming you're deploying your page within the CRM website (and not its own virtual directory), then I am pointing you at the SDK article for what Robert mentioned:
See the SDK topic titled: Authentication from an ASPX Page.
In my experience you should always use the CRMImpersonator in your web pages within the CRM website.
Now if you've got your own page running on its own website:
You'll want to see the Discovery service and obtaining a CRM Ticket for accessing the services.

Related

LDAP SSO between portal built in Laravel and SAS

We have built a portal in PHP(Laravel) + Angular for a client. User Authentication is done through LDAP.
Client also has a SAS solution for Analytics and it also has LDAP Authentication (SAS Viya).
We need to redirect the user from our portal to SAS portal and the user should get logged in automatically as both portals are authenticating the users through same LDAP.
We tried a few things, but it didn't help.
I am looking for some guidance on how to implement this and if there is any programming/configuration required on our side or on SAS side.
Hard to be specific without fully understanding your use case, but you could look to handle authentication to Viya using the SASjs Adapter (disclaimer - my team built it)
https://github.com/sasjs/adapter
Just set the LoginMechanism to REDIRECTED in the config object to support SSO or alternative login flows. If you need help, my team can be contacted at https://sasapps.io/contact-us, else just raise an issue on the GitHub.
We have an implementation on Angular that may help: https://github.com/sasjs/angular-seed-app
We have integrated a VIYA Visual Analytics report into a corporate web application, using the SDK (so not really a redirect) with single sign on.
(I don't know all the details about how we did it. My role was in the personalization of the report, where we went further than ordinary row level security.)

Auto login for specific URL liferay

I am trying to auto login for specific url like webdav url for document.
We want to modify documents uploaded to document library.
We are passing webdav url to ms office to open document. It is our intranet project and we are using ntlm.
I am unable to pass credentials from ms office to our liferay server.
When we click the webdav url from our browser where I am already logged in, it redirects to Office, and when Office tries to open that document from the Liferay server it asks for credentials. As I am already logged in, it should not ask for credentials when opening documents using MS Office.
I am thinking if we do autologin for webdav url like url="/webdav/*" and able to do autologin then my issue would resolve.
Please help me on this.
I am using liferay 7.2 CE.
Windows
This is a long-standing issue that is not quite related to Liferay. The fact is that when you authenticate in Liferay from the browser it stores a session cookie inside that browser. When you open the webdav url, it's actually ms office that contacts the server and then it doesn't know about your browser cookies. So it does ask authentication on its own.
Now you are using NTLM, which is Microsoft's own SSO protocol, so it would be nice if it authenticated you on a Microsoft product. It's been a very long time since I had this exact same issue (2014, Liferay 6.1), but I believe NTLM info is only sent to network trusted sites, and by default any site is not. You have to make a change to your domain controller to allow them.
Next, at that time, I think the Liferay NTLM filter was not called on a webdav path; we did have to create a hook to apply it. I don't know if it has been changed since then.
Additional info asked in the comments:
filter hook mapping documentation:
https://portal.liferay.dev/docs/7-1/tutorials/-/knowledge_base/t/servlet-filters#step-2-map-urls-to-your-servlet-filter
The ootb ntlm filter is here: https://github.com/liferay/liferay-portal/blob/7.2.x/modules/apps/portal-security-sso-ntlm/portal-security-sso-ntlm-impl/src/main/java/com/liferay/portal/security/sso/ntlm/internal/servlet/filter/NtlmFilter.java

Access Dynamics CRM Web API from third party app on another domain

I have the below problem I try to solve:
There is an MVC web application (AppA) in domain DomA that is configured to use a CUSTOM STS for authentication/authorization.
On the other hand we have a CRM installation in another domain, the MyCRM domain, that is configured to use ADFS (ADFS is in the same domain as the CRM).
What we want to achieve is the AppA to be able to POST data to the Dynamics CRM Web API but we don’t want the users of AppA to re-enter credentials or have any other kind of interaction regarding authentication/authorization with ADFS.
The AppA should be able to POST data from both Javascript (client side) and the backend (MVC controller)
How could we achieve the above?
What kind of Trust should we establish between the Custom STS of DomA domain and the ADFS of MyCRM domain?
You don't need federated identity for back-end (server-to-server) connections. You might want to use Impersonation which permits you to setup a user account that can act on behalf of another user in the system.

ASP.net MVC3 with forms authentication and LDAP authentication

I have an asp.net mvc3 application with forms authentication, but our client requests AD authentication as well. The mvc3 app is hosted outside the client's network. What are the possible solutions for this?
1. Get permission to access the client's network from the remote server.
2. Get an API to access the active directory data from the webserver.
If we choose option one, how could we access active directory for authentication from outside the client network? If anybody has any idea or better options, please let me know. Thanks in advance.
My guess is that the Microsoft security products can support this out of the box but I'm not sure how so I suggest that you direct your question to whoever supplies your client with their Microsoft product support.
If you'd rather build a solution so that you've got more control over how it works a quick search found an interesting approach at https://support.freshservice.com/support/solutions/articles/169196-setting-up-active-directory-single-sign-on-sso-for-remote-authentication where they created a simple ASP.Net web site that used AD authentication for sign-on. MVC 5 can build a WebApi site that does that just by creating a new project in Visual Studio with the right options.
That site wouldn't have to do anything except confirm that the credentials supplied were valid or not. Your application would ask the user to enter login / password details, then send a (properly secured) web request to the authentication site to determine whether they're valid. As long as you keep the communication between your server and the client web service tightly secured this should do what you need without much fuss. That approach removes the need for your server to communicate directly with the client's AD server.

Office 365 CRM and Sharepoint Online How to Get SAML Token for Current Logged in User

So I have CRM Online and SharePoint Online as document storage. I have the list component installed and everything is working there. I have a plugin I have built which generates emails, and as part of the process, grabs documents from various SharePoint folders and attaches them to the email before sending.
To do this in a SharePoint online environment, I have to go out, grab a SAML token from MS's login STS service, pass the token to SharePoint, receive a couple of authentication cookies back, and pass those cookies along with any requests I make to SharePoint. All of this is working. The bad news is I have to have a username and password hardcoded in (or prompt the user). Is there any way from inside CRM Online to grab the current user's credentials and pass that to get the SAML token? I mean there has to be since CRM does it when you create the document libraries when you turn on Document Management, right?
I can't use the SharePoint dlls inside CRM Online plugins, it is security restricted. I cannot access the CredentialCache, security restricted. Hell, I even looked at trying to intercept the cookies somehow with Javascript, but it looks like they are HTTPOnly and pretty much inaccessible.
Tried putting in a Microsoft ticket and got some low level guy who immediately passed the buck and called it unsupported.
You can't get the user's password in CRM. If you are developing a plugin, the plugin can run in the user context and the code will execute based on the logged in user. Therefore you don't need to pass any creds for adding a document in CRM.
Check out this url, it helps you understand how impersonating works in CRM.
https://msdn.microsoft.com/en-us/library/gg309416.aspx
Hope this helps.
