Claims Based Authentication in CRM 2013 for Iframes

  • Question

  • Hello Everybody

    I am having a problem setting up Claims Based Authentication for content shown via an iframe; I hope somebody can clarify a few things for me.

    Let me explain what we got.

    Scenario is to migrate from CRM4 to CRM2013.

    As most of you know, ISV Directory support ended with CRM2013, so we decided to set up a second website on the same IIS (version 8) as CRM is running and place our ASP.NET applications there to finally "call" them from an iframe when the quote form is opened.

    To do this we quickly recognized that we need to configure claims-based authentication (and therefore https) for CRM.

    We created a certificate (wildcard), switched from http to https, and configured Claims-Based Authentication and IFD via the Deployment Manager and ADFS.

    After the whole configuration process was done, accessing the CRM server with claims-based authentication worked (for a short moment the SAML URL is visible in the address bar and then redirects to the CRM site).

    So far so good.

    After this was done we created a second website on the same IIS and also configured it for https using the same certificate, since it is a wildcard one.

    Then we deployed our ASP.NET application and configured the iframe to point to the URL on the second website.

    When we now open the quote form with the iframe, just an error message (Server Error in '/' Application.) is shown.

    Since we have a wildcard certificate and both URLs don't differ a lot, we think that the encryption isn't the problem.

    Wildcard certificate for *.Domain.com

    CRM URL = crmserver.Domain.com

    Second website for ASP.NET applications = crmserver-apps.Domain.com

    When we take a look into the Application log of the CRM server/IIS we repeatedly receive the following error message.

    Event code: 3005

    Event message: An unhandled exception has occurred.

    Event time: 21.08.2014 16:07:30

    Event time (UTC): 21.08.2014 14:07:30

    Event ID: 103da670d4434f6bb671dec8aee71651

    Event sequence: 16

    Event occurrence: 5

    Event detail code: 0

    Application information:

        Application domain: /LM/W3SVC/2/ROOT-1-584974949849866

        Trust level: Full

        Application Virtual Path: /

        Application Path: C:\inetpub\apps\

        Machine name: crmservername

    Process information:

        Process ID: 5508

        Process name: w3wp.exe

        Account name: Domain\username (this is the application Pool ID)

    Exception information:

        Exception type: InvalidOperationException

        Exception message: The user authentication failed!

       at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.AuthenticateCore()

       at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.ValidateAuthentication()

       at Microsoft.Xrm.Sdk.Client.ServiceContextInitializer`1.Initialize(ServiceProxy`1 proxy)

       at Microsoft.Xrm.Sdk.Client.OrganizationServiceContextInitializer..ctor(OrganizationServiceProxy proxy)

       at Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy.ExecuteCore(OrganizationRequest request)

       at Viz_QuotationTool.qFunctions.createMyCrmService()

       at Viz_QuotationTool._Default.Page_Load(Object sender, EventArgs e)

       at System.Web.UI.Control.LoadRecursive()

       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Request information:

        Request URL: 

    https:// crmserver-apps.domain.com:443/Default.aspx?orglcid=1033&orgname=ORG&userlcid=1033&type=1084&typename=quote&id={A151BF61-13A4-E111-A720-0050569E0002}

        Request path: /Default.aspx

        User host address: 10.21.1.81

        User: 

        Is authenticated: False

        Authentication Type: 

        Thread account name: Domain\username (this is the application pool id)

    Thread information:

        Thread ID: 23

        Thread account name: Domain\username (this is the application pool id)

        Is impersonating: False

        Stack trace:    at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.AuthenticateCore()

       at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.ValidateAuthentication()

       at Microsoft.Xrm.Sdk.Client.ServiceContextInitializer`1.Initialize(ServiceProxy`1 proxy)

       at Microsoft.Xrm.Sdk.Client.OrganizationServiceContextInitializer..ctor(OrganizationServiceProxy proxy)

       at Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy.ExecuteCore(OrganizationRequest request)

       at QuotationTool.qFunctions.createMyCrmService()

       at QuotationTool._Default.Page_Load(Object sender, EventArgs e)

       at System.Web.UI.Control.LoadRecursive()

       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Custom event details:

     

    What is strange is that my user never appears in those error messages, just the application pool ID account, although impersonating is disabled on IIS.

    I know this is just the short version of our error description, but I would gladly provide more if you can tell me what you want to know.

    I would also highly appreciate it if somebody could tell me how they dealt with the drop of ISV support in CRM2013.

    Thanks in advance to everyone who reads this or can even help!

    Best regards

    Patrick


    • Edited by bmo0815 Friday, August 22, 2014 11:27 AM
    Thursday, August 21, 2014 2:29 PM
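
Added example (not part of the original post or of the CRM SDK): a small Python triage helper that reads an ASP.NET event record like the one quoted above and reports which identity the failing request ran under. The sample text is an abridged, constructed copy of that record; the function names and the framework-prefix list are assumptions of this example.

```python
import re

# Abridged, constructed copy of the ASP.NET event text quoted in the question.
SAMPLE_EVENT = """\
Process information:
    Account name: Domain\\username
Exception information:
    Exception type: InvalidOperationException
    Exception message: The user authentication failed!
   at Microsoft.Xrm.Sdk.Client.ServiceProxy`1.AuthenticateCore()
   at Viz_QuotationTool.qFunctions.createMyCrmService()
Request information:
    User:
    Is authenticated: False
    Thread account name: Domain\\username
Thread information:
    Is impersonating: False
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):[ \t]*(.*)$")
FRAME = re.compile(r"^\s*at\s+(\S+?)\(")

def parse_event(text):
    """Return (fields, stack frames); the first occurrence of a field name wins."""
    fields, frames = {}, []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            frames.append(m.group(1))
            continue
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields, frames

def identity_summary(text, framework_prefixes=("Microsoft.", "System.")):
    """Summarise which identity the failing request actually ran under."""
    fields, frames = parse_event(text)
    impersonating = fields.get("is impersonating", "").lower() == "true"
    return {
        "request_user": fields.get("user") or None,
        "authenticated": fields.get("is authenticated", "").lower() == "true",
        "impersonating": impersonating,
        # Without impersonation the code runs as the worker-process account.
        "effective_account": fields.get("thread account name"),
        "runs_as_pool_identity": not impersonating
            and fields.get("thread account name") == fields.get("account name"),
        "exception": fields.get("exception type"),
        "first_app_frame": next(
            (f for f in frames if not f.startswith(framework_prefixes)), None),
    }
```

For the record above, the summary shows an unauthenticated request with no user, executing under the application pool account, and failing in the application's own `createMyCrmService` call.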

All replies

  • Do you want your Iframe to access CRM under the context of the user accessing CRM (i.e. using impersonation), or do you want the CRM access via the application pool account?

    If you want to use impersonation, you will need to configure the relying party trusts for your application with ADFS (it's not sufficient to just use the same certificate).

    If you want access via the application pool account, then you should not need any more configuration in ADFS; however, you do need to explicitly specify the username and password when your code connects to CRM. This can either be stored securely in %appdata%\CrmServer\Credentials.xml (based on helper code in the SDK), or you could hard-code it into your application, and pass it in the ClientCredentials.UserName property of the OrganizationServiceClient.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Thursday, August 21, 2014 3:13 PM
    Moderator
  • Yes, I want my iframe to access CRM under the context of the logged-on user via web service.

    ADFS is already configured and working for the CRM website. When I access CRM I can see the SAML URL in the address bar for a short moment. Also, when I remove the CRM URL from the list of Relying Party Identifiers, the CRM website stops working.

    It is not understandable for me why the error message from my first post says Impersonating=false and shows no user.

    On the “Application-Website” we have also enabled Windows Authentication and ASP.NET Impersonation.

    Am I missing an impersonate setting somewhere else?

    Thanks in advance!

    Friday, August 22, 2014 11:27 AM