Password Management

  • Question

  • We're moving our installation to a colo facility with a "production" Active Directory domain.  My first challenge (not the subject of this post) is to create accounts that can JUST use CRM but not do other things on the domain.  But my real concern now is how will users set their own passwords?  Am I correct in assuming you can't set your password in MS CRM (that's kind of insane by the way)?  What's the common solution here, surely not having to sit next to someone and login to the domain controller to change a damn password...
    Thursday, May 7, 2009 2:43 PM

All replies

  • The on premise version of CRM is designed to use Active Directory user accounts. Your users will have to be able to log on to the domain. Perhaps they will do nothing else, but logon they must. CRM does not maintain its own user password database. Your alternative would be to use the CRM Online which uses Windows Live logons.
    Larry Lentz [Microsoft Dynamics CRM MVP]
    Thursday, May 7, 2009 4:21 PM
    Moderator
  • I understand that it uses AD, it just seems pretty crazy to make it impossible to use CRM without also having "hard access" to a machine.  When passwords expire, what's CRM going to do about it?  Epic fail I'd imagine.
    Thursday, May 7, 2009 7:33 PM
  • If your AD user accounts' passwords are changed CRM will inherit that password automatically when they log on to the domain.
    AD is crucial to CRM authentication
    Tiaan van Niekerk http://crmdelacreme.blogspot.com Skype:tiaan.van.niekerk1
    Friday, May 8, 2009 3:41 AM
  • I think you're missing my point.  Because AD is crucial to CRM authentication, CRM should include a module (optional perhaps) to allow users to.. like.. change their password.  This has to be the only real CRM system where you can't change your password.  It's a glaring feature omission.
    Friday, May 8, 2009 3:47 AM
  • I think you are way off base and are fighting a battle you can't win. Microsoft uses Active Directory for Authentication and CRM uses that as well. If you want a system that maintains its own user name/password database, then you should seek another program such as GoldMine or ACT!. Bad-mouthing CRM and Microsoft for its architecture will not resolve your issue.
    Larry Lentz [Microsoft Dynamics CRM MVP]
    Friday, May 8, 2009 3:51 AM
    Moderator
  • I *don't* want a system that has its own user name and password database.  My point is I've got CRM hosted in a production colo center.  I'm making Windows accounts for people SOLELY to use CRM.  They don't and shouldn't know jack about how usernames and passwords are stored, active directories, domains, or any of that.  They want to use CRM.  So how exactly are those people supposed to log in, change their password periodically, etc?  CRM has basically punted on that, and I don't know of (but maybe there are) tools that allow this simple thing to be done without a freakin' help desk.

    This is similar to arguments that must've occurred over Outlook Web Access.  And guess what they did... They created change password functionality.  CRM has to do the same sooner or later, either directly or by some plug-in architecture.  What's going to happen when a user logs into CRM with a password that has to be changed because of AD policy?  I'm guessing CRM is going to blow up with some error message that means absolutely nothing to the user and that they have no way to fix other than contacting someone else to fix it for them.

    This isn't a confusing issue - it's a clear oversight on MSCRM: it's the standard "it's Microsoft, so we assumed everything was set up the same."  The strange thing is in CRM, on several fronts, the team has taken a more modern approach - for example the email router.  But on this I think they just didn't think it through, and I'm saying that they need to.  Doesn't mean they need separate password storage, or an AD management infrastructure - it just means they need to consider use of CRM as a single app for a user.
    Friday, May 8, 2009 3:13 PM
  • Hi djMaxM,

    A CRM Developer can create the same function you mentioned in the context of Outlook Web Access for Dynamics CRM. Should take four hours to implement such functionality for CRM. There is an appropriate API to change passwords for AD users.

    Best regards,
    Jürgen
    Jürgen Beck

    Dipl. Kfm./Wirtschaftsinformatik
    MVP, MCSD.NET, MCITP DBA, MCDBA, MCSE
    Microsoft Certified Business Management Solutions Professional
    Microsoft Certified CRM Developer
    Microsoft Certified Trainer

    ComBeck IT Services & Business Solutions
    Microsoft Gold Certified Partner
    Microsoft Small Business Specialist

    Developing & Supporting Business Applications from small business to big enterprises covering scores of sectors

    http://www.combeck.de
    Friday, May 8, 2009 3:55 PM
    Moderator
  • OK, so I had to look up 'colo' but I now understand your issue. The users will be coming in hosted. If AD changes the password and the user doesn't know about it, they will not be able to log in via IFD and will get some kind of 'wrong user name or password' error.

    The simple answer is don't have AD change passwords or if it does, communicate it to the user in a secure fashion.

    Alternatively, create a module which chats to AD and is workable by the user as per Jurgen's response.

    Leon Tribe
    Want to hear me talk about all things CRM? Check out my blog
    • Proposed as answer by Leon Tribe MVP Sunday, May 10, 2009 2:46 PM
    Sunday, May 10, 2009 2:45 PM
  • I've implemented this, will be posting the code over the next couple of days.  The one problem is the user has to explicitly go to this tool page, since CRM doesn't know to send them there (e.g. on expired password)
    Monday, May 11, 2009 6:31 PM
  • Hi, how did you go in creating a solution? If you were successful, any tips? Did you post the code? Can you post the URL?

    Thanks
    Tuesday, June 2, 2009 10:53 PM
  • I just posted the code.  Our wiki is having a little trouble displaying the HTML source but:

    http://www.povo.com/Development/Active_Directory_Web_Based_Password_Tool

    The raw source can be cut/pasted from here:

    http://www.povo.com/Development/Active_Directory_Web_Based_Password_Tool?source
    Wednesday, June 3, 2009 10:53 AM
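
The self-service password change discussed in this thread, sketched as an added example; it is not the code from the linked tool or from any poster. It assumes a .NET server joined to the domain with a reference to System.DirectoryServices.AccountManagement, and the class name, method name and messages are hypothetical.

```csharp
// Added example: server-side handler for a "change my AD password" web form.
// Assumptions: domain-joined server, page served only over HTTPS,
// caller supplies the values posted by the form.
using System;
using System.DirectoryServices.AccountManagement;

public static class SelfServicePassword   // hypothetical name
{
    // One message for every failure so the page does not reveal
    // whether an account exists or which check rejected the request.
    private const string GenericFailure =
        "The password could not be changed. Check your entries and try again.";

    public static string Change(string domain, string samAccountName,
                                string oldPassword, string newPassword,
                                string confirmPassword)
    {
        if (string.IsNullOrEmpty(samAccountName) || string.IsNullOrEmpty(oldPassword))
            return "User name and current password are required.";
        if (string.IsNullOrEmpty(newPassword) || newPassword != confirmPassword)
            return "The new passwords do not match.";

        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            using (var user = UserPrincipal.FindByIdentity(
                       ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                    return GenericFailure;

                // ChangePassword requires the current password, so the web
                // application's service account needs no reset rights.
                // SetPassword (an administrative reset) is deliberately not used.
                user.ChangePassword(oldPassword, newPassword);
                return "Password changed.";
            }
        }
        catch (PasswordException)
        {
            // The directory rejected the change, for example because the
            // new password fails the domain password policy.
            return GenericFailure;
        }
        catch (PrincipalException)
        {
            // Other directory errors (server unreachable, access denied, ...).
            return GenericFailure;
        }
    }
}
```

Log failures server-side with the account name and source address, and throttle repeated attempts per account, since an Internet-facing change-password form is also a password-guessing endpoint.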