locked
CRM Services not Accessible after IFD RRS feed

  • Question

  • Hi,

    After setting up IFD on my CRM installation, I am not able to call CRM services from the server side code and getting 401 unauthorized error.

    I am calling CRM services from one of my web service that is residing on the same server and on the same CRM website in a directory. My web services are being called by a silverlight control hosted in an IFrame in on of the entity's form. 

    I have disabled the windows authentication from the Dynamics CRM website so that local machines can access the CRM app. in IFD mode. 
    The strange part is that I have also tried to provide credentials the hard code way i.e. providing user name and password of  domain administrator but still I am getting the error 401 unauthorized.

    Any clue why is this happening.

    Regards,
    Haris Munawar
    Wednesday, May 6, 2009 7:24 AM

Answers

All replies

  • Hi,

    you have change the authentification token from AD-Authentifizierung (0) to IFD(SPLA)-Authentifizierung (2)


    Viele Grüße Michael Sulz axcentro GmbH
    • Proposed as answer by Michael Sulz Wednesday, May 6, 2009 7:28 AM
    • Unproposed as answer by HarisM Wednesday, May 6, 2009 9:50 AM
    Wednesday, May 6, 2009 7:28 AM
  • Hi, Thanks for the reply... Can you tell me in some more detail where I have to change this... 

    Regards,
    Haris
    Wednesday, May 6, 2009 7:29 AM
  • Hi,

    I think I've got what you are talking about.
    Actually I am calling the CrmDiscoveryService which as no CrmAuthenticatioNValue property. This is true for CrmService.

    But what I can do for this ....

    Regards,
    Haris
    Wednesday, May 6, 2009 7:57 AM
  • Hi,

    I have now tried CrmService with CrmAuthenticationtoken to 2 (SPLA). But that too is not working. 
    When calling any method, error is returned ie.. Unauthorized 401.

    Regards,
    Haris
    Wednesday, May 6, 2009 9:30 AM
  • Hi Haris,

    you have restart the Asyncservice from CRM after the changes?

    Viele Grüße Michael Sulz axcentro GmbH
    Wednesday, May 6, 2009 10:57 AM
  • Hi,
    Now I have also tried this, I have restarted it but of no use.
    Let me tell you in detail the scenario I am working on.

    I have enabled IFD on CRM, I have set anonymous access to the Dynamics CRM website, I have disabled the Windows Authentication option on Dynamics CRM website.

    I am accessing CRM app from a client machine. On the client machine I have entered a entry in the host file for the IP address of CRM server and mapped to the orgname.domainname.com,

    The webservices application is residing in the dynamics CRM website in a virtual directory. The directory has anomymous access. The Web.Config file of the web services application has these two lines:

        <authentication mode="Windows" />
        <identity impersonate="true" />

    The webservices are called from a silverlight control hosted in  an IFrame from an entity's form. These web services in turn call CrmServices. So the services and CRM are on the same machine and in same website.

    Now, from the webservice when I am building the CrmService object using either the default credentials or building my own by providing the credentials of network domain  administrator, I get the same error of 401 unauthorized. I am using 2(SPLA) for CrmAuthenticationType for this.


    Regards,
    Haris
    Wednesday, May 6, 2009 11:13 AM
  • this code worked for me when I had the same problem:

    CrmService crm = new CrmService();
    WhoAmIResponse m_objUserIdentity = null;
    CrmAuthenticationToken token = new CrmAuthenticationToken();
    token.AuthenticationType = 0; // Use Active Directory authentication. 
    //token.AuthenticationType = 2; // Use SPLA auth (IFD)
    token.OrganizationName = orgName;
    // Use the global user ID of the system user that is to be impersonated.
    token.CallerId = new Guid("94092D6F-B367-DC11-9C93-0003FFDFCE28");
    crm.Url = "http://localhost/MSCRMServices/2007/CrmService.asmx";
    crm.CrmAuthenticationTokenValue = token;
    crm.Credentials = new NetworkCredential(usr, pwd, dom);
    WhoAmIRequest objRequest = new WhoAmIRequest();
    m_objUserIdentity = (WhoAmIResponse)crm.Execute(objRequest);
    


    You have to change the callerID to the Guid of the user being impersonated,  the URL to your server, and the usr, pwd, dom are variables for the login information of the user.    Once I did this my 401 errors in my IFD went away. Steve
    • Edited by swarnock Thursday, May 7, 2009 1:38 PM formatting
    Thursday, May 7, 2009 1:33 PM
  • Hi,

    Thanks for the reply... I am going to try this solution right now as I am struggling with this issue for last 3 days :)

    But plz if you can tell me that if we are impersonating a user when making a call, then what will be the response of WhoAmIRequest ... 

    Will it be the user who is actually loggin in from a remote machine(client machine) accessing it over the internet or the one being impersonated ?


    Thanks, again.


    Regards,
    Haris
    Thursday, May 7, 2009 1:41 PM
  • Haris,  

    The WhoAmIRequest will be the impersonated user since that is who is actually using the backend services on behalf of the logged in user. 

    Also,  you need to change the orgName field to your organization in my above example.
    Steve
    Thursday, May 7, 2009 1:50 PM
  • Swarnock,

    I understand that WhoAmIRequest will be the impersonated one, but the problem here is :

    If impersonated then the roles or whatever user settings the CRM will check will be those of the impersonated user not of the user actually logging in over the internet, by impersonating the problem gets resolved, I have tried by impersonating using the web.config and without the CallerId property being set, 

    But the question remains the same as what will be roles and user settings used by CRM will be, of the impersonated user or the actuall user.


    Thanks and Regards,
    Haris
    Thursday, May 7, 2009 1:57 PM
  • Haris,

    Just the code you write that uses the CRM service object will be affected by the impersonated user.    CRM itself will still know who the logged in user is and should be unaffected.

    You just need the impersonation to allow your custom services/code to run correct?  I don't know anything about what your Silverlight app does so maybe I am missing something.


    Steve
    Thursday, May 7, 2009 2:21 PM
  • Hi,

    My problem has been solved. Just look at this


    Regards,
    Haris Munawar
    Friday, May 8, 2009 12:58 PM