Need to impersonate the Calling user in CRM 2011 plugin to access an external WCF service


  • I need to create a plugin that will access WCF services on a different server but inside the same domain as the on-premise version of CRM. I am not working in a sandbox, and I am using an SSL certificate on the external services (self-signed and imported into the Trusted Root Certification Authorities store on the CRM server).

        using System;
        using System.Globalization;
        using System.ServiceModel;

        public partial class LoginWindowsServiceClient
        {
            private const string SERVICE = "Microsoft.Dynamics.SL.WebServices.Session.LoginWindows.svc";

            public static LoginWindowsServiceClient Init(string serverAddress)
            {
                if (!serverAddress.Trim().EndsWith("/"))
                    serverAddress += "/";
                BasicHttpBinding binding = new BasicHttpBinding
                {
                    MaxReceivedMessageSize = int.MaxValue,
                    MaxBufferSize = int.MaxValue
                };
                binding.ReaderQuotas.MaxArrayLength = binding.ReaderQuotas.MaxBytesPerRead =
                    binding.ReaderQuotas.MaxDepth =
                    binding.ReaderQuotas.MaxNameTableCharCount =
                    binding.ReaderQuotas.MaxStringContentLength = 0x7fffffff;
                binding.SendTimeout = new TimeSpan(0, 300, 0);
                if (serverAddress.StartsWith("https://", true, CultureInfo.CurrentCulture))
                    binding.Security.Mode = BasicHttpSecurityMode.Transport;
                //serviceAddress = "https://devserver.domain.local/"
                binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
                EndpointAddress remoteAddress = new EndpointAddress(serverAddress + SERVICE);
                //this gets the identity from the CRM application pool
                LoginWindowsServiceClient client = new LoginWindowsServiceClient(binding, remoteAddress);
                // I have used this with success in web applications. Does not work in plugin
                using (((System.Security.Principal.WindowsIdentity)System.Web.HttpContext.Current.Request.LogonUserIdentity).Impersonate())
                {
                    LoginWindowsServiceClient clientImpersonated = new LoginWindowsServiceClient(binding, remoteAddress);
                }
                return client;
            }
        }
    Any thoughts about how to make this happen?
    Monday, July 15, 2013 10:38 PM

All replies

  • Hi,

    The problem is that the CRM Server isn't actually running under the user's identity - it is running as the CRM System user. Also, this could be that you are running your plugin in isolated sandbox mode in which case you can't access the current HttpContext anyway. You will need to provide some way of providing authentication using the current user UserId rather than their Windows Identity.


    Scott Durow
    Blog www.develop1.net

    Tuesday, July 16, 2013 7:10 AM
  • try:-

    IOrganizationService service = Factory.CreateOrganizationService(CurrentContext.UserId);

    IOrganizationService superService = Factory.CreateOrganizationService(Guid.Parse("D33DB756-1991-487E-815A-5FFFD4E5C9CB"));

    also explore:-


    Regards Faisal

    Tuesday, July 16, 2013 7:15 AM
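
One way to pass the calling user's identity along without Windows impersonation, as the first reply suggests: an added example, not code from anyone in this thread. It looks up the initiating user's domain name through the organization service and sends it as a SOAP header; the header name and namespace are hypothetical, and it assumes the WCF service is changed to read that header.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public static class CallerAssertion
{
    // Hypothetical header name and namespace; the WCF service must be changed to read them.
    private const string HeaderName = "CrmCallerDomainName";
    private const string HeaderNs = "urn:example:crm-caller";

    // Resolves DOMAIN\user for the CRM user who triggered the plugin.
    public static string ResolveCallerDomainName(IServiceProvider serviceProvider)
    {
        var context = (IPluginExecutionContext)serviceProvider.GetService(typeof(IPluginExecutionContext));
        var factory = (IOrganizationServiceFactory)serviceProvider.GetService(typeof(IOrganizationServiceFactory));

        // InitiatingUserId is the user who made the request; UserId can be a
        // different account when the step is registered to run as another user.
        IOrganizationService crm = factory.CreateOrganizationService(context.InitiatingUserId);
        Entity user = crm.Retrieve("systemuser", context.InitiatingUserId, new ColumnSet("domainname"));
        string domainName = user.GetAttributeValue<string>("domainname");
        if (string.IsNullOrEmpty(domainName))
            throw new InvalidPluginExecutionException("Calling user has no domain name.");
        return domainName;
    }

    // Runs serviceCall with the caller's name attached as a SOAP header.
    // The transport still authenticates as the CRM application pool account, so the
    // header is only an assertion: the service should honour it solely when the
    // authenticated Windows identity is that account.
    public static void CallWithCaller<TChannel>(ClientBase<TChannel> client, string domainName, Action serviceCall)
        where TChannel : class
    {
        try
        {
            using (new OperationContextScope(client.InnerChannel))
            {
                OperationContext.Current.OutgoingMessageHeaders.Add(
                    MessageHeader.CreateHeader(HeaderName, HeaderNs, domainName));
                serviceCall(); // must run inside the scope for the header to be sent
            }
            client.Close();
        }
        catch
        {
            client.Abort(); // Close() can throw on a faulted channel
            throw;
        }
    }
}
```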