When a user runs an on-demand workflow in Microsoft CRM 2011, is it possible to access their credentials?
I am creating a custom workflow activity designed to access a sharepoint server with shared Active Directory accounts. I would like to be able to use the user who runs the on-demand workflow's credentials for Sharepoint authentication. Is it possible to access these credentials in custom code? If so, how (C# if possible)?
Unfortunately it is possible to get the credentials but you won't be able to use them to authenticate to the Sharepoint Server, at least in the online versions.
We had a similar scenario but in the end we had to use a special user to do all the work in sharepoint, we were triggering the code with a plugin and using the REST Endpoint to do the work.
You can access the the User Credentials from the localContext, but you won't be able to retrieve the password.
Is your environment onpremise or online?/
Related
I want to have a windows service that can received unread mail from my O365 account every 3 minutes and have different action depends on Mail subject. I choose EWS managed API instead of Graph is because maybe I would use this program on Exchange Server in the future. I'm following this tutorial Authenticate an EWS application by using OAuth and I have some question about permission control, in this case I use Application permissions which run without a signed-in user present. for example, apps that run as background services or daemons and can access multiple mailboxes.
Now I can access my mailbox with the applicationID, tennatID and Client-secret. But I have to inpersonate someone within my tennat(domain) and than I can send mail by the Mail Account. My question is Is it have any permission control can set that this application only can access or inpersonate part of tennat user rather than all user within my tennat? (in Azure AD Api permission setting I only seen full_access_as_app - Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user.) I think its not make sense if this application have permission that can impersonate ALL user of my organization, that would be a big deal if this application client-secret exposes.
Sorry for my poor English.
You can use Application access policies to scope your application so it only has access the mailboxes it needs. see https://learn.microsoft.com/en-gb/graph/auth-limit-mailbox-access.
I'm trying to create an ASP.NET application to access files store on a Office 365 sharepoint site. The files are public and anybody can download them. I look at the Office 365 api but from what I can tell, you need to be able to login before the application can call the api.
Is there no way to set the credential in the web config and make it so that the application can get the file for everybody? Since the files are public, most users will not have an account.
I cant be categorical, but Office 365 uses Federated Identity which requires a user to be present; you dont pass credentials to it - you pass a callback "pointer" URL which it calls you back with. The user types their credentials into Office 365 not into your application - so you cant pass credentials to Office 365/OneDrive.
I'm trying to use the Office 365 api inside a Windows Service to link e-mails to in-house projects.
I've been able to authenticate myself using the Office 365 API documentation
Although I have some problems/questions.
First problem:
await outlookClient.Me.Folders["inbox"].Messages.ExecuteAsync();
Isn't working for me, I don't get any response, even after 5 min...
Another question is:
Is it possible to never ask for the office365 credentials when starting the program?
Because this is running in a windows Service.
Did anybody successfully implement this?
If so: Is it possible to get a full working example?
I've been trying different things now, but much examples are for asp.net of other where an authentication is always required.
I haven't done a service specifically, but it should work if you use the client credential auth flow.
That flow would give you the unattended scenario you want for a service. However, there does have to be consent at some point. The way it works with client credential flow is you would have a signup web page. An administrator from the Office 365 org would go that page and login and grant consent to your app. This would be a onetime thing. Your app would then be able to get a token silently that grants access to all mailboxes in the organization.
I have made a webform that inserts work items to a tfs 2010server. On the tfs server I need to be able to see which user created the work item. If I run the webform code locally on my machine this works, because my machine is logged in to my user on the tfs server. But after deploying the code on a server I get a (401) unauthorized error message if I don't hardcode in my credentials like this
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri, new NetworkCredential(user, pwd, domain));
(Locally the code below works)
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri);
Is it possible to tell the webserver which user is logged into the machine accessing the webform, or is it any way I can prompt the user for username/password when he/she submits the webform?
thx for any help!
There are several things you need to do and approach this issue
First most likely you have anonymous authentication allowed for your website. Meaning users can access your site without any restrictions and wont need to provide any information. Webserver doesn't know who they are. This will need to be disabled as by your question you need their info. You web app will try to connect to tfs under the webservers identity - either the dedicated account running the application pool or computer account.
http://technet.microsoft.com/en-us/library/cc770966(v=ws.10).aspx
The most simplest method is to enable basic authentication for your website, this will request users to provide username and password, downside is this method transmits data in base64 plain text, as such you channel must be secure
http://technet.microsoft.com/en-us/library/cc772009(v=ws.10).aspx
Forms authentication will allow you to use custom form to collect login info from users, and validate it yourself but works much like basic authentication
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx
If clients are users in your domain and application is used in intranet the best option is to use Windows authentication, it will try to automatically get users identity from domain, and will issue popup if that fails. Depending how your servers are setup getting this to work may be as easy as enabling it (tfs and your app on the same server) or require configuring your domain controllers for kerberous.
http://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx
Once users are in have been authenticated you must make the webserver impersonate them when your code calls tfs. Complexity again depends on your setup.
http://technet.microsoft.com/en-us/library/cc730708(v=ws.10).aspx
Alternativly you can use tfs impersonation to get similar result, this can be also used if for example you dont have users in tfs for each user connecting but instead want to impersonate and ClientCompany, Project or Team account
http://blogs.msdn.com/b/paulking/archive/2010/11/04/using-the-new-tfs-2010-impersonation-apis.aspx
It is not a typo. My problem is that I can log in. Our CRM server is accessible via VPN, which I log into. Then, I run the following code.
ClientCredentials credentials = new ClientCredentials();
String orgUrl = "http://server/konrad01/XRMServices/2011/Organization.svc";
OrganizationServiceProxy _serviceProxy = new OrganizationServiceProxy(
new Uri(orgUrl), null, credentials, null);
It's a brand new organization with nothing in it. When I list e.g. system users, I get hits, so apparently I am able to connect to it. But how?!
I've went through everything I could think of. I removed all the internet history, including but not limited to, cookies. I removed all references to the server from the Credential Manager in Control Panel. I disabled the storage of credentials for log in on the RDP where the server resides. Nada! The persistent duck (type intended) still connects. How do I make it not to connect?! (Unless I provide credentials, that is.)
Assumptions:
You have a simple on-premise deployment.
You are using simple active directory authentication.
The user running the application has permissions in CRM.
As you didnt specify any particular user in the ClientCredentials when the application connects to CRM it provides the credentials of the user who is running the application.
That user has permissions in CRM so they are allowed to authenticate and do things.
To test this try running the application as a user who does not have permissions in CRM and see if they are still able to connect.
Further reading:
CRM 2011 – Authentication Model
Authenticate Users with Microsoft Dynamics CRM Web Services
How can I set ClientCredentials?
If you are a user in CRM you'll still be able to create a _serviceProxy even if your user is disabled but you'll get an error when trying to retrieve or execute anything.
If your user does not exist in CRM then you won't even be able to create the proxy.