Active Directory and claims-based authentication

 

Applies To: Dynamics CRM 2013

Claims-based authentication provides an industry standard security protocol to authenticate a user on a host computer. Claims-based authentication is a set of WS-* standards describing the use of a Security Assertion Markup Language (SAML) token in either passive mode (when WS-Federation is used with the Microsoft Dynamics CRM 2013 and Microsoft Dynamics CRM Online web application) or active mode (where WS-Trust in used with Windows Communication Foundation (WCF) clients). This authentication works together with WCF to provide secure user authentication and a communication channel with a Microsoft Dynamics CRM server. All Microsoft Dynamics CRM editions support claims-based authentication.

Claims-based authentication requires the availability of a security token service (STS) running on a server. An STS server can be based on Active Directory Federation Services (AD FS) V2, or any platform that provides the official STS protocol. For more information, see the following topics in theMicrosoft Dynamics CRM 2013 Implementation Guide:

To access a claims configured Microsoft Dynamics CRM 2013 or Microsoft Dynamics CRM Online server by using the Microsoft Dynamics CRM SDK methods, Windows Identity Foundation must be installed on your development computer. For more information, see Install Windows Identity Foundation (WIF) 3.5.

In This Topic

Supported authentication scenarios

Unsupported authentication scenarios

Authentication classes

Authentication by using the client proxy classes

Handling channel exceptions and faults

Additional information about the security (SAML) token

Supported authentication scenarios

Microsoft Dynamics CRM supports the following authentication scenarios for each deployment type.

Deployment

Authentication model

Microsoft Dynamics CRM Online

Claims-based or Active Directory (through federation) authentication

Microsoft Dynamics CRM 2013 on-premises

Claims-based or Active Directory authentication

Microsoft Dynamics CRM 2013 Internet-facing deployment (IFD)

Claims-based or Active Directory authentication

How claims-based authentication works

A request to authenticate a user is sent from Microsoft Dynamics CRM 2013 or Microsoft Dynamics CRM Online or a custom application to the STS server. The STS server determines whether the user should be authenticated, and if so, issues a signed and encrypted SAML token that contains user authentication information. The token has a finite life span and may have to be periodically refreshed depending on how long your application is using the token. This is discussed in more detail later in this topic.

How Active Directory authentication works

A request to authenticate a user is sent from Microsoft Dynamics CRM or a custom application to Active Directory. The WCF stack manages the authentication process for Microsoft Dynamics CRM SDK API calls from an application, whereas Internet Information Services (IIS) manages authentication for a web application.

Unsupported authentication scenarios

Use of client certificates is not supported by the Microsoft Dynamics CRM SDK. If you configure the Microsoft Dynamics CRM website to require IIS client certificates, you will get authentication failures for any applications that were built using the SDK.

For more information about additional unsupported programming methods see Unsupported customizations.

Authentication classes

The following table lists the primary authentication classes available in the SDK, describes when to use them, and provides links to additional relevant documentation.

Classes

Usage

Related Documentation

IServiceConfiguration<TService>, IServiceManagement<TService>

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Best choice for multi-threaded applications

Authenticate Office 365 users with Microsoft Dynamics CRM Online web services

Sample: Authenticate users with Microsoft Dynamics CRM 2013 web services

Improve service channel allocation performance

DiscoveryServiceProxy, OrganizationServiceProxy

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Authentication by using the client proxy classes

Sample: Access the Discovery service

Improve service channel allocation performance

CrmConnection

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Simplified connection to Microsoft Dynamics CRM 2013

Sample: Simplified connection quick start using Microsoft Dynamics CRM 2013

ServerConnection

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Use for console test applications and sample code.

Designed to improve usability when running SDK sample code and to demonstrate use of the authentication classes. Contains console output code.

Helper code: ServerConnection class

Sample: Quick start for Microsoft Dynamics CRM 2013

*Microsoft Online Services environment

Authentication by using the client proxy classes

One way to authenticate with the Microsoft Dynamics CRM web services is by using the OrganizationServiceProxy and DiscoveryServiceProxy classes in the applications that you write. The four-parameter constructor of these classes supports Microsoft Dynamics CRM 2013 and Microsoft Dynamics CRM Online deployments. These proxy classes automatically handle claims or Active Directory authentication and also manage resource limits on the WCF channel endpoint.

The following code shows how to instantiate the organization service proxy:

using (OrganizationServiceProxy _serviceProxy = 
   new OrganizationServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))

The following code shows how to instantiate the discovery service proxy:

using (DiscoveryServiceProxy _discProxy = 
   new DiscoveryServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))

It is important to properly dispose of the service proxy instance in your application before the application terminates. The using statement makes sure that the service proxy is correctly disposed by automatically calling Dispose on the service proxy when it goes out of scope. However, for improved application performance, it is a best practice to keep the service proxy instance available in your application for the entire application session instead of disposing it and allocating it again somewhere else in the application code when needed. The reason being that creating and authenticating a service channel is an expensive operation (in time). In this case, when you are done with the service proxy instance, you must directly call the Dispose method on the proxy before the application terminates.

The device credentials of the registered computing device are only used when authenticating with Microsoft Dynamics CRM Online through the Microsoft account identity provider. For sample code that shows how to populate the proxy constructor parameters, see Sample: Access the Discovery service.

Important

For an on-premises or an Internet-facing deployment (IFD) installation of Microsoft Dynamics CRM 2013, the client proxy classes use claims-based authentication if an STS server is available. Otherwise, Active Directory authentication is used.

If you want to use Microsoft Dynamics CRM early-bound entity types in your code, you must add the following line of code after the organization service proxy is instantiated, but before you make web service method calls:

_serviceProxy.EnableProxyTypes()
System_CAPS_security Security Note

WCF supports a feature where it can interactively prompt the user for logon credentials when it is necessary. This feature is enabled by setting the SupportInteractive property of the ClientCredentials class. These credentials are used in the userCredentials parameter shown in the previous code snippet.

When making SDK calls to the Microsoft Dynamics CRM web services, the ownership of the operation and entity data changes performed by the SDK call can be changed by this WCF feature independent of your code.

Microsoft Dynamics CRM handles supplied credentials in web service calls as follows:

  • If credentials are not supplied in the web service call, the WCF stack determines which credentials to use. In that case, the SupportInteractive property value is automatically set to false.

  • If credentials are explicitly supplied by your code, the current SupportInteractive value is passed to the WCF channel factory. SupportInteractive is set to true by default unless you explicitly change it.

  • If SupportInteractive is set to true and the provided credentials fail, a WCF dialog box may be displayed. Any credentials entered by the user into the dialog box will be used instead of those supplied in the web service calls that your application invokes.

Handling channel exceptions and faults

Your code should catch the following exceptions and faults. See the C# or Microsoft Visual Basic .NET samples in the Microsoft Dynamics CRM SDK for a list of additional exceptions to catch:

For more information, see the .NET Framework WCF documentation about how to handle WCF faults and exceptions. See Use the sample and helper code for additional sample code.

Additional information about the security (SAML) token

The SAML token used during user authentication is described below.

Contents of the SAML token

The XML-based SAML 2.0 token contains an identity that defines one or more claims about a user. This token is passed between an identity provider (STS) server and Microsoft Dynamics CRM for claims-based authentication. The claims in the identity have been defined as follows.

Claim

Use

Universal Principal Name (UPN)

Contains the user’s ID in domain\alias format on the target Microsoft Dynamics CRM server.

Name

If the authenticated user is also a Deployment Administrator in Microsoft Dynamics CRM, this claim contains the deployment administrator’s ID in domain\alias format on the target Microsoft Dynamics CRM server. Windows Identity Foundation maps the Name claim to the Identity.name property.

Any other claims

Not used by Microsoft Dynamics CRM.

Supported security token types

Microsoft Dynamics CRM 2013 and Microsoft Dynamics CRM Online support two types of SAML tokens:

  • Web application - The Microsoft Dynamics CRM web application receives a bearer token from STS. This token is missing some required information so a Secure Sockets Layer (SSL)-based URL (https://) is used for security protection when you access the WCF endpoint.

  • SDK - A custom application receives an active token with a proof key that contains the required information.

Lifecycle of the security token

A SecurityToken has a life span identified by its ValidFrom and ValidTo properties. Your application design should consider the possibility that the token could expire, resulting in an ExpiredSecurityTokenException being thrown by the Microsoft Dynamics CRM web services when the next message request from your application is processed.

See Also

Authenticate users with Microsoft Dynamics CRM 2013 web services
Connect with Microsoft Office 365 and Microsoft Dynamics CRM Online
Simplified connection to Microsoft Dynamics CRM 2013
Discover the URL for your organization with IDiscoveryService web service
Use the IOrganizationService web service to read and write data or metadata
Use the early bound entity classes in code
Sample: Create, retrieve, update, and delete records (early bound)
Helper code: ServerConnection class
Helper code: DeviceIdManager class
Blog: Building clients for Windows Phone and Windows 8 RT