I have the following assumptions / conclusions from your explanation:
1) The CRM user repository and the portal user repository have different users
2) CRM users should not know portal users' passwords
I do not think you need to use RunAsManager. (When you use RunAsManager it means you first authenticate as a CRM user in the portal and then replace the authentication by a portal user authentication. I do not think you can authenticate a CRM user against the portal user repository.)
I suggest creating your own “AuthenticateAs” functionality: when a CRM user presses a link on a CRM page of a portal user, he will be authenticated in the portal as that portal user without providing a password.
How does it work?
1) When a CRM user presses a link, a parameter with an encrypted portal user name is added to the URL.
2) When the request with the encrypted portal user name reaches the portal application, a newly created PreAuthenticatedProcessingFilter decrypts the user name and authenticates the user.
That’s it :)
A couple of comments:
1) Please use the AES-258 algorithm to encrypt / decrypt the user name
2) Please ensure that the key for encrypt / decrypt cannot be accessed over HTTP
3) You can extend AbstractPreAuthenticatedProcessingFilter for your PreAuthenticatedProcessingFilter
4) I strongly suggest creating two roles in the portal application: USER_WRITE_ROLE and USER_READ_ROLE. When a CRM user accesses using the “AuthenticateAs” authentication, he should get USER_READ_ROLE. When a portal user accesses using regular authentication, he should get USER_WRITE_ROLE.
5) You should think about how a CRM user will perform the logout for a portal user (otherwise he will always work on the first user). The simplest way I can think of: PreAuthenticatedProcessingFilter should process each request (even if already authenticated) and, if it contains the parameter with the user name, clean the portal user session and perform the new authentication.
Please tell me what you think about the suggestion and tell me if you need any additional clarifications.
Best regards,
Michael
P.S. Added after the question was edited. The simplest way to track CRM users on the portal is to add an additional encrypted parameter to the URL with the CRM user name.
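As an added example that is not part of the answer above, here is one way the suggested filter (points 2, 3 and 5) could look in Spring Security. It assumes the javax.servlet API, a request parameter named `authAs`, and a token layout of base64url(12-byte IV || AES-GCM ciphertext); AES-GCM is used so that a tampered or forged parameter fails decryption instead of yielding a different user name, and the plaintext carries an issue timestamp so a token copied from a log or browser history stops working after one minute (both are additions to the original suggestion).

```java
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/** Pre-authenticated filter that logs a portal user in from an encrypted URL parameter. */
public class AuthenticateAsFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String PARAM = "authAs";   // assumed parameter name
    static final long MAX_AGE_MS = 60_000;  // a token is usable for one minute only
    private final SecretKey key;            // AES key, loaded from outside the web root

    public AuthenticateAsFilter(SecretKey key) {
        this.key = key;
        // Comment 5 above: inspect every request; a different user name in the URL
        // invalidates the current portal session and authenticates afresh.
        setCheckForPrincipalChanges(true);
        setInvalidateSessionOnPrincipalChange(true);
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String token = request.getParameter(PARAM);
        if (token == null) return null;     // no parameter: not an AuthenticateAs request
        try {
            return decryptUserName(token);
        } catch (Exception e) {
            return null;                    // wrong key, tampered, or expired token
        }
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A";                       // pre-auth has no password to check
    }

    /** Token layout: base64url(12-byte IV || AES-GCM(userName + "|" + issuedAtMillis)). */
    String decryptUserName(String token) throws Exception {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOf(raw, 12)));
        String[] parts = new String(cipher.doFinal(raw, 12, raw.length - 12), "UTF-8").split("\\|", 2);
        long age = System.currentTimeMillis() - Long.parseLong(parts[1]);
        if (age < 0 || age > MAX_AGE_MS) throw new IllegalStateException("expired token");
        return parts[0];                    // the portal user name to look up
    }
}
```

The filter still needs `setAuthenticationManager(...)` with a `PreAuthenticatedAuthenticationProvider` whose user details service loads the portal user and grants only USER_READ_ROLE, as in comment 4.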