CRM 4.0 and Sharepoint 2010 integration security query

  • Question

  • Hi All,

    One of my customers has the requirement below.

     

    The customer has CRM 4.0 and SharePoint 2010 deployments which we have written customizations to integrate (auto-generating document libraries displayed on iFrames within CRM). This is working well internally but the customer also needs it to work externally when they are accessing their CRM and SharePoint externally through their internet facing deployments (IFDs) of each. The customer would like single sign-on functionality so that security credentials need only be entered one time, giving the user access to both CRM and SharePoint, allowing the SharePoint iFrame to be properly displayed within CRM. We are unsure how to accomplish this since the sites are using forms based authentication externally and are residing on separate sub-domains.

     

    Please let me know the feasibility option.

    Regards,

    VP

    Thursday, August 26, 2010 11:55 PM

Answers

  • Maybe too late for the original poster, but Dave Berry's answer is a good summary. The only alternative is to use AD authentication in both CRM and SharePoint (instead of IFD and Forms, respectively), with a server 'in front' of the CRM and SharePoint servers that handles the single sign-on to an AD account, and make the connection to CRM and SharePoint using the authenticated AD account. One candidate for the server 'in front' would be Microsoft's IAG / UAG, but I think there are alternative providers.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Thursday, October 7, 2010 3:45 PM
    Moderator

All replies

  • I don't think there's a way to merge or mesh the Forms-based authentication between WSS and CRM.  It's a long-shot, but I know WSS allows configurable authentication providers (whereas CRM does not).  Maybe if WSS was somehow developed to take a CrmTicket as an authentication parameter, you could *maybe* do it.  However, CRM's IFD does not operate in a security context belonging to the AD user which has logged in.  It seems to configure a temporary security context for the session that executes threads pseudo-anonymously.  Therefore, I imagine it would be a significant headache trying to reconcile the "user" of an IFD session and a user of WSS without relying on CRM's SystemUser construct.

    Best of luck.  I'd like to know if anybody gives you an actual solution.  The results would be interesting to say the least.  I just didn't want your thread to fall by the wayside.


    Dave Berry - MVP Dynamics CRM - http:\\crmentropy.blogspot.com
    Friday, August 27, 2010 10:07 PM
    Moderator
  • Once you're in CRM and you view the SharePoint IFRAME, do you receive a login screen with the option of Save UserName and Password?


    MSCRM Bing'd - http://bingsoft.wordpress.com
    Sunday, August 29, 2010 10:31 AM
    Moderator
  • I've never worked with it, but would ISA make a good "front" server for unifying the systems' FBA?
    Dave Berry - MVP Dynamics CRM - http:\\crmentropy.blogspot.com
    Thursday, October 7, 2010 7:03 PM
    Moderator
  • Dave. The simple answer is 'No'. ISA is designed to assist outgoing connections (by providing http proxy functionality, for example), whereas IAG / UAG (UAG supersedes IAG) is designed for incoming connections to servers and applications, such as this scenario.
    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Friday, October 8, 2010 6:25 AM
    Moderator
  • Hi, sorry for the late question.

    But if I use UAG to publish internal CRM (w/ SSL enabled), do I also have to use and set up IFD for CRM?

    Thx,

    Brahim. 


    BrahimH
    Tuesday, January 25, 2011 3:12 AM
  • I do not believe IFD is required by that scenario. Hopefully, somebody who's actually worked with UAG (like Mr. Jennaway) will come provide a definitive answer. However, knowing Microsoft, I would say that UAG likely abstracts authenticated sessions by performing a direct AD-impersonation to accommodate Integrated authentication more naturally. This may be ideal, since I would also expect UAG to utilize the session credentials across multiple sites deployed behind it, such as CRM and Sharepoint. It may not, however, because this is all pure speculation on my part.
    Dave Berry - MVP Dynamics CRM - http:\\crmentropy.blogspot.com Please follow the forum guidelines when inquiring of the dedicated CRM community for assistance.
    Tuesday, January 25, 2011 3:33 AM
    Moderator
  • Hi zancanelli,

    We are in the process of "CRM 4.0 and Sharepoint 2010 integration".

    Our requirement is exactly as you mentioned above: we need to generate document libraries for a custom entity.

    Below is my exact requirement. Please post your suggestion on how you did this.

    "customer has CRM 4.0 and SharePoint 2010 deployments which we have written customizations to integrate (auto-generating document libraries displayed on iFrames within CRM). "

    Thanks in advance


    Natarajan.V

    Monday, March 5, 2012 10:11 AM