CrmAuthenticationTokenValue.CallerId property is not Impersonating in On-premise Deployment

  • Question

  • Hi,

    I am unable to impersonate the CrmService web service as a user other than the logged-in user by using the CrmAuthenticationTokenValue.CallerId property. It's taking the logged-in user's context or credentials only for execution.

    Following is the code snippet for the Impersonation.

    CrmService service = new CrmService();
    service.Url = GetCrmServiceUrl();
    service.CrmAuthenticationTokenValue = GetCrmAuthenticationToken(orgName);
    service.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
    service.CrmAuthenticationTokenValue.CallerId = new Guid("<<Impersonating User GUID>>");



    Please help me in getting this working.
    Wednesday, August 5, 2009 9:16 PM

Answers

  • I think your problem is because you're trying to do something that requires Deployment Administrator rights. The authorisation of Deployment Administrators works differently from other CRM privileges, and I think that setting CallerId only works against CRM privileges.

    So, I don't think CallerId impersonation will work for what you're trying. The easiest alternative would be to not use ASP .Net impersonation. I'm not sure if the code will work if running under Network Service; if not you could run the code in a different application pool with an identity that is a Deployment Administrator (though be aware that there can be problems with Kerberos authentication if you have application pools with different identities)
    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Thursday, August 6, 2009 9:18 AM
    Moderator

All replies

  • The first thing to check is whether your code is running under the AD context of a user that is a member of the PrivUserGroup AD group. This is necessary for impersonation to work.
    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Thursday, August 6, 2009 4:57 AM
    Moderator
  • Hi,


    If the user account under which the code executes has been added to the PrivUserGroup then the default network credentials can be used. Otherwise, instead of default credentials you would need to use

    crmService.Credentials = new NetworkCredential("PrivUserName", "PrivUserPassword", "PrivUserDomain");

    Hope this helps !

    Regards,
    Nishant Rana
    http://nishantrana.wordpress.com
    Thursday, August 6, 2009 4:59 AM
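    A check that follows from the two replies above: first confirm which Windows identity the code actually runs under and whether that account's token carries the CRM PrivUserGroup group, then ask CRM via WhoAmI which systemuser it resolved for the call, so you can tell whether CallerId was honoured before blaming privileges. This is an added example, not code from the thread or from the CRM SDK samples; it assumes a CRM 4.0 web reference exposing CrmService/CrmAuthenticationToken and the Microsoft.Crm.Sdk WhoAmIRequest/WhoAmIResponse classes, and the server URL, organization name and user GUID are placeholders.

```csharp
// Added example, not from the thread. Assumes the CRM 4.0 CrmService web reference
// (Microsoft.Crm.SdkTypeProxy) and Microsoft.Crm.Sdk for WhoAmIRequest/WhoAmIResponse.
using System;
using System.Net;
using System.Security.Principal;
using Microsoft.Crm.Sdk;
using Microsoft.Crm.SdkTypeProxy;

public static class ImpersonationCheck
{
    // Placeholders: replace with the real service URL, organization name and the
    // systemuserid of the user you intend to impersonate.
    const string CrmServiceUrl = "http://<<crmserver>>/MSCRMServices/2007/CrmService.asmx";
    const string OrgName = "<<OrganizationName>>";
    static readonly Guid ImpersonatedUserId = new Guid("<<Impersonating User GUID>>");

    // Step 1: does the process identity's token contain a PrivUserGroup group?
    // CRM 4.0 names the group "PrivUserGroup {GUID}", so match on the prefix only.
    public static bool RunningInPrivUserGroup()
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        Console.WriteLine("Executing as: " + current.Name);

        foreach (IdentityReference group in current.Groups)
        {
            string name;
            try { name = group.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { continue; } // orphaned SID, skip it
            if (name.IndexOf("PrivUserGroup", StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        }
        return false;
    }

    // Step 2: call WhoAmI with CallerId set and compare the user CRM resolved.
    // Returns true only if CRM applied the impersonation.
    public static bool ImpersonationApplied()
    {
        CrmAuthenticationToken token = new CrmAuthenticationToken();
        token.AuthenticationType = 0;          // 0 = Active Directory (on-premise)
        token.OrganizationName = OrgName;
        token.CallerId = ImpersonatedUserId;   // user to impersonate

        CrmService service = new CrmService();
        service.Url = CrmServiceUrl;
        service.CrmAuthenticationTokenValue = token;
        // Process identity only; no stored password, as the thread's security policy requires.
        service.Credentials = CredentialCache.DefaultNetworkCredentials;

        WhoAmIResponse response = (WhoAmIResponse)service.Execute(new WhoAmIRequest());
        Console.WriteLine("CRM resolved systemuserid: " + response.UserId);
        return response.UserId == ImpersonatedUserId;
    }

    public static void Main()
    {
        if (!RunningInPrivUserGroup())
            Console.WriteLine("Process identity is not in PrivUserGroup; CallerId will be ignored.");

        Console.WriteLine(ImpersonationApplied()
            ? "CallerId impersonation applied."
            : "CallerId impersonation NOT applied; calls run as the process identity.");
    }
}
```

    Run this from the same application pool as the failing code, since the group list comes from that process's token. If WhoAmI returns the impersonated user's id, CallerId is working and a remaining SetState failure is a privilege problem of the kind the accepted answer describes rather than an impersonation problem.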
  • The Caller Id set for impersonation is a member of PrivUserGroup in AD. That's why I have taken DefaultNetworkCredentials.

    But the code is not considering the CallerId at the time of execution of any common operation of CrmService; it's taking the current logged-in user's credentials.

    The application which I have written is a web application placed in the ISV folder and deployed as a separate application having the same AppPool as Microsoft Dynamics CRM, i.e. CRMAppPool. And the CRMAppPool identity is running under the Network Service account.

    This web application registers a plugin dynamically to the CRM platform, creates steps, and enables or disables steps. I have taken the GUID of a user having the following roles for impersonation, because not all users will have Deployment Administrator privileges.

    1. Deployment Administrator
    2. System Administrator of Microsoft Dynamics CRM Application
    3. Member of PrivUserGroup of CRM in AD
    4. Web Server local system Administrator

    Logged-in users will have the following privileges

    1. System Administrator of Microsoft Dynamics CRM Application
    2. Member of PrivUserGroup of CRM in AD


    Since the logged-in users won't have Deployment Administrator privileges, the crmService.Execute() method for the Plugin Steps SetState operation is throwing the following exception.

    "Not have enough privilege to complete SetState operation for an Sdk entity."

    If the logged-in user is not a member of PrivUserGroup then for normal CrmService methods like Create/Update it's throwing "Invalid User Auth", and CrmService is not taking the impersonating user's credentials.

    Everything is working fine if we provide the following, but we cannot hardcode/store the user credentials of the Deployment Administrator/System Administrator as per the security policy.

    crmService.Credentials = new NetworkCredential("PrivUserName", "PrivUserPassword", "PrivUserDomain");

    Hence I don't have any option to pass network credentials as above.

    Please suggest a quick workaround.

    Thursday, August 6, 2009 5:53 AM