IFD, Web Services and Authentication

Problem:
Creating a custom aspx page to generate Activities by adding to existing form (say account) within an IFRAME.
– Used MSCRM SDK 4.0.7 for development of page.
– Could not directly access web services due to IFD implementation (If I could then would not have this problem) thus had to use SDK components for implementation
– Created a Virtual Directory within the CRM core application website to reference the new web application
– Added reference link to the page so when account form is loaded, page is pulled and it attempts to pull the current user info (see code sample below).
– Receive dreaded “The request failed with HTTP status 401: Unauthorized.” error and associated Application Event error (see error info below)

Item 1 – Get access to CRM IFD application on the local Server

– Using http://localhost would allow me to access the application but could not access via IFD for our client's unique name (URL)
– Added URLs to hosts file (could have set DNS as well to resolve name internally) – Still could not access. NTLM authentication window would pop up but no matter what account I tried, got unauthorized access. Checked Event log and noticed Kerberos error which drove me to the Sonoma Partners article…
http://blog.sonomapartners.com/2007/04/kerberos_and_de.html
– Reviewed the SPN settings and added client URLs and voila, could now access the sites locally with logins
Item 2 – Custom application authentication
– Once I was able to login through clients accounts locally, I could now look at my applications issues.
– Copied website to CRM server and referenced as a virtual directory under the CRM root web
Aside: I have received feedback that custom apps should be placed in the ISV folder to be directly accessed. I haven’t done my homework on this and I should since it is what the job of the ISV folder is, I’m assuming, but references I’ve found only mention single files vs. web sites/apps…if someone could point me in direction for such implementations, would be appreciated.
– Added the application to a CRM form via an IFRAME element.
– published and no luck, 401 error
– Tried web.config impersonation (set to true, hard coding username and password) within custom app -> No joy
– Removed “Anonymous access” from website and Virtual Directory -> no joy
– Adding “NT Authority\Network Service” permissions to the website -> no joy
– CRMImpersonation within code -> no joy
– Used CRM4DiagTool to trace but didn’t provide concrete direction to follow.
– I actually had an implementation work via web services referencing as localhost BUT this implementation only worked if I logged in as admin…so back to square 1.
– Experimented with various other code implementations and then went back to review items from CRM SDK. Tried impersonation, no luck until I stumbled on the SDK walkthrough authentication sample. I ported the code to a test website and ran. Still got 401 errors but made changes (used NetworkCredential vs. UseDefaultCredentials, Active Directory Authentication (AD) vs. SPLA, etc…see sample code) and got it working
– I kept looking and also found IFD based code implementation for authentication which, after adjusting, got to work as well (See sample code)
So Happy, Happy, Joy, Joy…got it done. Here are steps, references and code sample I used.
NOTE: This is still a work in progress as I know there are holes to fix (One that is eating me is that the NetworkCredential has to use admin access which I don’t like) but it worked for me. Currently using the IFD based code sample (IFDConnection) for my applications and not the SDK “Run” version.
Steps:
– Get CRM 4 SDK (I used version 4.0.7)
http://www.microsoft.com/downloads/details.aspx?familyid=82e632a7-faf9-41e0-8ec1-a2662aae9dfb&displaylang=en
– Use SDK components (sdk\bin\) and also generate CRMDiscoveryService proxy component using the supplied wsdl from SDK (sdk\wsdl\)
https://community.dynamics.com/blogs/crmteam/comments/2373.aspx – Used the section reference on “Building CrmDiscoveryService DLL”
– Fix SPN issues if any
http://blog.sonomapartners.com/2007/04/kerberos_and_de.html
– Ported code from SDK “\sdk\walkthroughs\authentication\cs\activedirectory” to an aspx page for testing. Made changes to get operational.
– Continued to look at IFD code samples
http://msdn.microsoft.com/en-us/library/cc151049.aspx
http://msdn.microsoft.com/en-us/library/cc151054.aspx
– Added IFD code section to existing aspx page for additional testing. Worked once converted for AD authentication.
– Added Metadata call as well to code
– tested (referenced aspx page from within CRM form IFRAME) and confirmed code (service execute operations) was operational and ported to my application code base
– tested code and worked :o)
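
The AD-authenticated connection the steps above arrive at (NetworkCredential instead of UseDefaultCredentials, AD instead of SPLA, then a WhoAmI call), as an added example; it is not the author's sample code, which is not reproduced on this page. The class name, method names and appSettings keys are assumptions, and the CRM 4.0 SDK assemblies from sdk\bin are assumed to be referenced.

```csharp
// Added example, not the author's code. Class name and appSettings keys are hypothetical.
using System;
using System.Configuration;
using System.Net;
using Microsoft.Crm.Sdk;            // CrmAuthenticationToken
using Microsoft.Crm.SdkTypeProxy;   // CrmService, WhoAmIRequest, WhoAmIResponse

public static class CrmAdConnection
{
    // CrmAuthenticationToken.AuthenticationType values: 0 = AD, 1 = Passport, 2 = SPLA.
    private const int ActiveDirectory = 0;

    // Builds a CrmService proxy that authenticates with an explicit AD account.
    public static CrmService Create(string organizationName, string crmServiceUrl)
    {
        CrmAuthenticationToken token = new CrmAuthenticationToken();
        token.AuthenticationType = ActiveDirectory;
        token.OrganizationName = organizationName;

        CrmService service = new CrmService();
        service.Url = crmServiceUrl; // .../mscrm/services/2007/crmservice.asmx
        service.CrmAuthenticationTokenValue = token;

        // Explicit account rather than UseDefaultCredentials; the values come from
        // web.config (a section that can be encrypted) instead of being hard-coded.
        service.Credentials = new NetworkCredential(
            ConfigurationManager.AppSettings["CrmServiceUser"],
            ConfigurationManager.AppSettings["CrmServicePassword"],
            ConfigurationManager.AppSettings["CrmServiceDomain"]);
        return service;
    }

    // Returns the systemuser id CRM resolved for the credentials in use.
    public static Guid WhoAmI(CrmService service)
    {
        try
        {
            WhoAmIResponse who = (WhoAmIResponse)service.Execute(new WhoAmIRequest());
            return who.UserId;
        }
        catch (WebException ex)
        {
            // "The request failed with HTTP status 401" surfaces as a WebException.
            HttpWebResponse http = ex.Response as HttpWebResponse;
            if (http != null && http.StatusCode == HttpStatusCode.Unauthorized)
                throw new InvalidOperationException(
                    "CRM returned 401 for " + service.Url +
                    "; check the account, the organization name and the SPN registration.", ex);
            throw;
        }
    }
}
```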

Shan McArthur

CEO / CTO, Adxstudio Inc.

You should never touch the authentication settings in the IIS website for CRM. Please review the implementation and planning guide to plan your authentication configuration. You have options of Active Directory or claims-based authentication. When you turn on claims-based authentication you can also configure internet facing deployment (IFD). These topics are all covered in the implementation guide. Again, never touch any settings on the IIS website directly – with the one exception of enabling a particular SSL certificate for the site. Also note that all of the urls that you are going to use have to be registered properly in the deployment manager tool too.
