It is not a typo. My problem is that I can log in. Our CRM server is accessible via VPN, which I log into. Then, I run the following code.
ClientCredentials credentials = new ClientCredentials();
String orgUrl = "http://server/konrad01/XRMServices/2011/Organization.svc";
OrganizationServiceProxy _serviceProxy = new OrganizationServiceProxy(
new Uri(orgUrl), null, credentials, null);
It's a brand new organization with nothing in it. When I list e.g. system users, I get hits, so apparently I am able to connect to it. But how?!
I've went through everything I could think of. I removed all the internet history, including but not limited to, cookies. I removed all references to the server from the Credential Manager in Control Panel. I disabled the storage of credentials for log in on the RDP where the server resides. Nada! The persistent duck (type intended) still connects. How do I make it not to connect?! (Unless I provide credentials, that is.)
Assumptions:
You have a simple on-premise deployment.
You are using simple active directory authentication.
The user running the application has permissions in CRM.
As you didnt specify any particular user in the ClientCredentials when the application connects to CRM it provides the credentials of the user who is running the application.
That user has permissions in CRM so they are allowed to authenticate and do things.
To test this try running the application as a user who does not have permissions in CRM and see if they are still able to connect.
Further reading:
CRM 2011 – Authentication Model
Authenticate Users with Microsoft Dynamics CRM Web Services
How can I set ClientCredentials?
If you are a user in CRM you'll still be able to create a _serviceProxy even if your user is disabled but you'll get an error when trying to retrieve or execute anything.
If your user does not exist in CRM then you won't even be able to create the proxy.
Related
I am creating a friendly web page to get data on azure devops or logic like deploy depending on user permissions.
The problem is that in my web i have diferent users with diferent Azure PATs associated and i want to check the permissions first to control the access or to alert that the user can't do something...but i don't know how to check those PAT permissions before making the requests.
Other problem is that the connection to azure on localhost is using my machine windows indentity (the same that azure) and not the PAT access so i can't test logic with diferents permissions. The web page published on the server don't have that error and uses PAT access succesfully.
For the connection i use:
var connection = new VssConnection(url, new VssBasicCredential(String.Empty, tokenPAT));
and if i do:
await connection.ConnectAsync()
The connection is using my machine user and nevermind if the token is correct or not so i can't test and control that errors.
Thanks so much, i am new in azure world :D
We have developed a product which is a web application. While configuring it in IIS, we disable all the authentication modes except Windows authentication (app works on Windows authentication only).
We create a service account and provide admin access to that account on all the servers, and on database servers.
We configure the connection string in web.config with username and password of that service account. Everything was working fine till now.
We received a new requirement which says, no service account will be created and individual users will be granted database access. We have to configure our application in such a way that Windows credentials are used to access the app gets passed to SQL Server. Reason for this change: we can log the user accessing the database.
I set Integrated Security=SSPI in the connection string and tried with different App Pool Identity but to no avail.
We are even ready to change the code if same is required to achieve the functionality.
Can someone please help me what am I missing, or how it can be achieved? Please let me know if more information is required and I will be happy to provide the same.
App server and database server are on the same domain and network but different machines. Users accessing the application will be on the same domain and network. This is a intranet based application.
You need to enable and configure constrained delegation. Follow this document: How to Implement Kerberos Constrained Delegation with SQL Server. Your app pool need to be configured to impersonate, see Using IIS Authentication with ASP.NET Impersonation.
Also this will be a hop scenario so you will have to enable delegation for the IIS server and if you intend to pass user credentials then you need to enable delegation for the user accounts too. You can use the tool delegconfig to troubleshoot this.
I am a little new to IIS and am not 100% sure that this is possible. I am writing a C# application that needs to get the users network credentials and then connect to TFS using those credentials. I am able to do one or the other, but never both at the same time.
To obtain the users credentials that is accessing the site I have to use NetworkService as the AppPool's Identity with a call to credentials = System.Web.HttpContext.Current.User.Identity.Name. The reason i need to get the users username is to find out which items they have permission to access in TFS later using item.VersionControlServer.GetEffectivePermissions(credentials, item.ServerItem).
To connect to TFS I have to put the users credentials as the AppPool's Identity or give NetworkService access to TFS (not something that is going to happen) with a call to RegisteredTfsConnections.GetConfigurationServer("server");
I either need a way to use the credentials obtained by the application to access TFS, or I need a way to create a new user that has "Network Service like" abilities to get the user's credentials and then give this user access to TFS.
You are essentially hitting something called 'double hop authentication' and you will not be able to proceed without making sure that you have a Kerberos token.
Its quite complicated to configure Kerberos but once you have it up and running your code will just start working. The only other way to achieve this is to actually have the users username and password.
What I didn't know and recently found out is that if you set IIS to run as a user, you can enable Windows Authentication in the IIS > (Select Site) > Authentication settings and use HttpContext.Current.User.Identity.Name to obtain the current logged in user.
I have made a webform that inserts work items to a tfs 2010server. On the tfs server I need to be able to see which user created the work item. If I run the webform code locally on my machine this works, because my machine is logged in to my user on the tfs server. But after deploying the code on a server I get a (401) unauthorized error message if I don't hardcode in my credentials like this
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri, new NetworkCredential(user, pwd, domain));
(Locally the code below works)
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri);
Is it possible to tell the webserver which user is logged into the machine accessing the webform, or is it any way I can prompt the user for username/password when he/she submits the webform?
thx for any help!
There are several things you need to do and approach this issue
First most likely you have anonymous authentication allowed for your website. Meaning users can access your site without any restrictions and wont need to provide any information. Webserver doesn't know who they are. This will need to be disabled as by your question you need their info. You web app will try to connect to tfs under the webservers identity - either the dedicated account running the application pool or computer account.
http://technet.microsoft.com/en-us/library/cc770966(v=ws.10).aspx
The most simplest method is to enable basic authentication for your website, this will request users to provide username and password, downside is this method transmits data in base64 plain text, as such you channel must be secure
http://technet.microsoft.com/en-us/library/cc772009(v=ws.10).aspx
Forms authentication will allow you to use custom form to collect login info from users, and validate it yourself but works much like basic authentication
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx
If clients are users in your domain and application is used in intranet the best option is to use Windows authentication, it will try to automatically get users identity from domain, and will issue popup if that fails. Depending how your servers are setup getting this to work may be as easy as enabling it (tfs and your app on the same server) or require configuring your domain controllers for kerberous.
http://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx
Once users are in have been authenticated you must make the webserver impersonate them when your code calls tfs. Complexity again depends on your setup.
http://technet.microsoft.com/en-us/library/cc730708(v=ws.10).aspx
Alternativly you can use tfs impersonation to get similar result, this can be also used if for example you dont have users in tfs for each user connecting but instead want to impersonate and ClientCompany, Project or Team account
http://blogs.msdn.com/b/paulking/archive/2010/11/04/using-the-new-tfs-2010-impersonation-apis.aspx
When a user runs an on-demand workflow in Microsoft CRM 2011, is it possible to access their credentials?
I am creating a custom workflow activity designed to access a sharepoint server with shared Active Directory accounts. I would like to be able to use the user who runs the on-demand workflow's credentials for Sharepoint authentication. Is it possible to access these credentials in custom code? If so, how (C# if possible)?
Unfortunately it is possible to get the credentials but you won't be able to use them to authenticate to the Sharepoint Server, at least in the online versions.
We had a similar scenario but in the end we had to use a special user to do all the work in sharepoint, we were triggering the code with a plugin and using the REST Endpoint to do the work.
You can access the the User Credentials from the localContext, but you won't be able to retrieve the password.
Is your environment onpremise or online?/