Authorization and impersonation from ASP.NET application to Dynamics CRM web service

Question

I have a problem about IIS configuration, so at least I think.

I have two different servers, in one of them are installed Microsoft Dynamics CRM 2011, on the second server I have ASP.NET application who talks with Microsoft Dynamics CRM 2011 web service. The problem is there, that I can't configure ASP.NET application.

Application has needed to work in the following:

1. I open ASP.NET Application who are enabled windows authorization
2. I login with Active Directory user, which at the same time, is user in Dynamics CRM 2011 system
3. When I am logged in, application start sending requests to Dynamics CRM web service with the same credentials that I am logged in

Now my configuration is that - enabled Windows authorization, enabled ASP.NET impersonation, application pool run as network service.

Problem is that when I open this application on ASP.NET server by adress localhost they automaticali get credentials with what I am logged in to this server, it's ok, but when I try to open application by address some-hostname.com they requre login, that is also ok, but when I logged in and application start send requests to Dynamics CRM web service. CRM web service response with 401 unauthorize,infer from this that there are problems with credentials who came from IIS.

I try to install and configure this ASP.NET application on the same server where hosts CRM server, there everything works fine.

Answer 1

What you're seeing is the double hoprestriction.

The credentials of the client cannot be forwarded from your ASP.NET application web server to CRM Server unless you configure delegation. For this your AD must already be set up for Kerberos authentication.

Your code will be attempting to connect to CRM using the Application Pool identity. You could configure this as a user within CRM and then use CRM impersonation (nothing to do with Kerberos or AD) by setting the CallerID on the proxy to the guid of the originating user (you'd have to make a call into CRM to get this). There's information about how to do this in the SDK docs.

Answer 2

For an ASP.NET app to impersonate a logged in user, especially from a fully-qualified domain name, you'll need to configure two things.

1. The App Pool identity for your ASP.NET application. Is this running as Network Service or as a specific user? The identity running the application must be "enabled for delegation." This is an option in Active Directory for that user account. If your application is running as Network Service, you'll want to enable delegation on the Computer account in AD instead of an user account.

2. The SPN (service principal name) for the application domain. A SPN is kind of like DNS for authentication, and is required for impersonation. If you are just using the machine name (e.g. http://server/app) AND you are using Network Service as the identity, you won't need to configure a SPN because one is set up by default for you when the server joins Active Directory. However, if you use a specific user account for the ASP.NET identity OR you want your users to use a fully qualified domain name (e.g. http://www.server.com), you'll need to tell Active Directory about this, and you do that using a SPN. Your Active Directory administrator should be familiar with SPNs and the setspn.exe command.

Please note that you may need to add a SPN for your CRM server as well, since it is just another ASP.NET application too. You should only need to do this if your internal CRM site is using a user account as the Identity OR you access the internal CRM using a fully-qualified domain name, just like your custom ASP.NET app.

Hope that helps!