Effect of using Identity of CRMAppPool to connect via OrganizationService (CRM 2011, on Premise)

  • Question

  • I've a web application that occasionally calls into a CRM Organization.  The web application is just an ASP.NET web app, with some custom SOAP/WCF services and its own application logic.  I use CrmSvcUtil to generate strongly-typed classes that can talk to this CRM Organization and the Microsoft.Xrm.Client.CodeGeneration.CodeCustomization style to use a Microsoft.Xrm.Client.CrmOrganizationServiceContext leaf to access the Org, via the Xrm.XrmServiceContext style connection string (e.g. "Url=http://theMachine/theOrg;").

    We have a .NET 4.0 Integrated app pool running our web application.  We've assigned the IIS AppPool Identity of the web application's AppPool to be the domain account we also used as the identity of the CRMAppPool on the CRM Server.

    We have found that if we make OrganizationService requests from SOAP services within this web application, they always succeed without any security issues - even though we've not actually created a user in CRM here -- just using the CRMAppPool identity.  The SOAP services do no impersonation - just using basicHttp bindings with Anonymous allowed.

    It appears that this is a major elevation-of-privilege gateway to the CRM Organization, and I was sort of surprised it was supported.  Am I understanding that this is what is happening?

    Thanks in advance.

    Regards, Howard Hoffman

    Friday, May 2, 2014 11:26 PM

All replies

  • Hello Howard;

    It honestly sounds like some dreadful Kerberos authentication issue happening here. It sounds like it's defaulting to one of your Deployment Administrator accounts. I'd start with maybe adding a line in your application to display who it thinks is calling the web service. I know in JavaScript it's Xrm.Page.context.getUserId() which would provide the current user, but for a .NET application it's possible there's a similar method for this.

    I've seen examples of it impersonating a Deployment Administrator as the user calling the web service; in this case the Deployment Administrator has full access to everything. There are many things that could be causing a Kerberos authentication issue, from (incorrect Service Provider Names) etc. etc...

    I hope this helps; certainly, please post any feedback or any other questions. If I get a chance I'll look for some XRM code to retrieve the current user.

    Good Luck!

    Jason Cosman

    Wednesday, May 14, 2014 7:30 PM
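    The diagnostic Jason suggests (have the application report which CRM user the call is being authenticated as) can be done with the SDK's WhoAmI message. The following is an added example, not code from the thread or from the Microsoft SDK samples; it assumes the CRM 2011 SDK assemblies (Microsoft.Xrm.Sdk, Microsoft.Xrm.Client, Microsoft.Crm.Sdk.Proxy) and a connection string of the form used in the question. The class and method names are hypothetical.

```csharp
// Added example (not from the original thread). Assumes the CRM 2011 SDK
// assemblies and a Microsoft.Xrm.Client connection string such as
// "Url=http://theMachine/theOrg;" (both assumptions for this example).
using System;
using System.Security.Principal;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Client;
using Microsoft.Xrm.Client.Services;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public static class CrmCallerDiagnostics
{
    // Returns a one-line description of (a) the Windows identity the worker
    // process runs under and (b) the CRM SystemUser that CRM mapped the call to.
    // Log this once at startup (or behind an admin-only endpoint) to make the
    // effective CRM principal of the app pool visible instead of assumed.
    public static string Describe(string connectionString)
    {
        string processIdentity = WindowsIdentity.GetCurrent().Name;

        CrmConnection connection = CrmConnection.Parse(connectionString);
        using (var service = new OrganizationService(connection))
        {
            // WhoAmI answers with the SystemUser CRM resolved for this caller.
            var whoAmI = (WhoAmIResponse)service.Execute(new WhoAmIRequest());

            // Pull the matching SystemUser record so the result is readable.
            Entity systemUser = service.Retrieve(
                "systemuser",
                whoAmI.UserId,
                new ColumnSet("domainname", "fullname"));

            string domainName = systemUser.GetAttributeValue<string>("domainname");
            string fullName = systemUser.GetAttributeValue<string>("fullname");

            // If the CRM-side user is one nobody provisioned, the call is being
            // accepted on the strength of the process identity alone, which is
            // the situation the thread describes for the CRMAppPool account.
            return string.Format(
                "process identity={0}; CRM user={1} ({2}, id={3}); business unit={4}",
                processIdentity,
                fullName,
                domainName,
                whoAmI.UserId,
                whoAmI.BusinessUnitId);
        }
    }
}
```

    Run the check under the same app pool identity the web application actually uses; running it from a developer's interactive session would report that developer's own account and hide the problem.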
  • Thanks Jason.

    We got Microsoft involved.  The behavior I documented above is "working as designed."  The issue is described somewhat here:  http://support.microsoft.com/kb/2593042.

    The CRMAppPool run-as becomes a special account, with very high privilege.  Almost as high as the LocalSystem run-as in Windows Services - which itself has the 'act as part of the operating system' privilege. 

    This article points a way forward that we'll explore:  http://msdn.microsoft.com/en-us/library/gg334744(v=crm.5).aspx

    The takeaway is to never have a Web Application, or another IIS App Pool, as the AD identity of the CRMAppPool.  Such an application will have rights to do pretty much anything in your CRM organizations.


    Regards, Howard Hoffman

    Tuesday, July 15, 2014 1:00 PM
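    The MSDN article Howard links covers impersonation through the CallerId property, which is the mechanism for making CRM evaluate each request against the security roles of the real end user instead of the account the web application's process runs under. The following is an added example, not code from the thread, the KB article or the SDK; it assumes an ASP.NET web application that authenticates its users with Windows authentication, a service account for the connection that is a real CRM user holding the "Act on Behalf of Another User" privilege (and is not the CRMAppPool identity), and a SystemUser lookup by the domainname attribute. The class and method names are hypothetical.

```csharp
// Added example (not from the original thread). Assumes the CRM 2011 SDK
// assemblies, an ASP.NET request authenticated with Windows authentication,
// and a dedicated CRM service account (not the CRMAppPool identity) that has
// the "Act on Behalf of Another User" privilege (all assumptions).
using System;
using System.Linq;
using System.Web;
using Microsoft.Xrm.Client;
using Microsoft.Xrm.Client.Services;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public static class ScopedCrmService
{
    // Builds an IOrganizationService whose requests execute as the currently
    // authenticated web user, so CRM applies that user's roles and privileges
    // rather than those of the connecting service account.
    public static IOrganizationService ForCurrentUser(string connectionString)
    {
        HttpContext context = HttpContext.Current;
        if (context == null || context.User == null || !context.User.Identity.IsAuthenticated)
        {
            // Refuse rather than silently fall back to the service account.
            throw new UnauthorizedAccessException("No authenticated web user to impersonate.");
        }
        string domainName = context.User.Identity.Name;   // e.g. DOMAIN\\user (constructed)

        CrmConnection connection = CrmConnection.Parse(connectionString);

        // Resolve the Windows account to its CRM SystemUser record.
        Guid callerId;
        using (var lookup = new OrganizationService(connection))
        {
            var query = new QueryExpression("systemuser")
            {
                ColumnSet = new ColumnSet("systemuserid", "isdisabled")
            };
            query.Criteria.AddCondition("domainname", ConditionOperator.Equal, domainName);

            Entity match = lookup.RetrieveMultiple(query).Entities.FirstOrDefault();
            if (match == null)
            {
                // Unknown to CRM: do not let the caller proceed as the service account.
                throw new UnauthorizedAccessException("User is not a CRM user: " + domainName);
            }
            if (match.GetAttributeValue<bool>("isdisabled"))
            {
                throw new UnauthorizedAccessException("CRM user is disabled: " + domainName);
            }
            callerId = match.Id;
        }

        // CallerId makes CRM run every request on behalf of that SystemUser and
        // enforce that user's security roles, while audit fields record who acted.
        connection.CallerId = callerId;
        return new OrganizationService(connection);
    }
}
```

    Two checks worth keeping from this pattern: the lookup fails closed (no CRM user, or a disabled one, gets an exception instead of a fallback to the service account), and the service account itself is a provisioned CRM user with a deliberately scoped role, which is exactly what the CRMAppPool identity is not.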