Problems with iFrames and user identity

WT

Hi,

Working on MS CRM 3, I have created an aspx page using vs2005 and .NET 2.
I am faced with a problem concerning the identity of the running user.
More details:

The CRM application which creates the iFrame is on the same server as the
called aspx page.
CRM is running .NET 1.1, my page .NET 2.
They run under IIS6 in different web sites, different application pools.
The 2 sites are using Windows authentication.
The aspx web site listens on port 55505, and the CRM is on default port 80.

My problem is: the user authenticated in CRM is the connected user, but in
my aspx page instantiated in the iFrame, it is the NETWORK SERVICES user, the
same as the account used to run the app pool,
and that account has no rights in CRM.

I ask this on this forum because it seems to be a .NET 2 problem. Is there
any way to have the same account running CRM and the application called in
the iFrame?

Thanks for help
CS
 
Bruce Barker

in the web.config, set <identity impersonate="true">, and turn off anonymous
on your website.

-- bruce (sqlwork.com)
 
WT

Thanks Bruce, but I don't want to impersonate, I simply want to use windows
authentication, i.e. to have the connected user as identity.

CS
 
Steven Cheng[MSFT]

Hi WT,

We can get the client authenticated user's Windows identity without
impersonation. Make sure your ASP.NET application's virtual directory is
configured as integrated Windows authentication and disable anonymous
access. Also, the ASP.NET application is using "Windows" authentication,
then in the application's code, we can use HttpContext.Current.User to
access the client authenticated user's principal. Since the iframe page
should be requested by the same client as the container page, your
application should have the same client user identity as the CRM web
application. BTW, without impersonation, we cannot access any protected
resource through the identity on the webserver.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
WT

Hi Steven,

Thanks for help.

I have checked again all your elements and my code, they conform.
The ASP.NET application uses Windows authentication from web.config.
The web site is configured as integrated Windows authentication and anonymous
access is disabled.
As I am logged in with my account (not administrator), the application code
HttpContext user's Principal is SYSTEM and is authenticated with no
impersonation level.
When I use the CRM call to identify the user (WhoAmI) I get the SYSTEM NETWORK
account, which is the account running the app pool used by default by ASP.NET
2.

Same code not called from CRM iFrame gives normal results with my account
and not SYSTEM NETWORK.

???
Today I will build a small app with an iframe to simulate CRM.

CS
 
Steven Cheng[MSFT]

Thanks for the quick response CS,

Seems strange. Anyway, you can get the username from the raw IIS Server
Variables. If this also shows "NetworkService", then the request is indeed
being made from the NetworkService account context. And if so, there should
exist some customization in the CRM server page's code.

#IIS Server Variables
http://msdn.microsoft.com/library/en-us/iissdk/html/21b3be8f-d4ed-4059-8e21-6cba2c253006.asp?frame=true

Regards,

Steven Cheng
Microsoft Online Support
 
WT

Hello Steven,

Many thanks, your answer made me find the solution. Here is an extract of my
post on the MS CRM dev forum:

After hours of testing I discovered that the information in the SDK for v3 is
not complete.

It is said that, to gain access to the Guid of the user, we should call
WhoAmI with the
System.Net.CredentialCache.DefaultCredentials

This is OK when your application is running directly under IE6, but when the
same application is called from an iFrame defined in a custom entity form,
this object doesn't contain the credentials for the running user but
credentials for the user running the application pool of the web site, often
NETWORK SERVICES.

So, if you write code for iframes, don't try to call WhoAmI. If you do so
you don't get your real user id and will have trouble with the next web service
calls.

MS should provide a call to get correct credentials when under a CRM iFrame,
as it is the preferred method to customize. These credentials could be derived
from the request identity, which seems to be correct.

Maybe a bug from DefaultCredentials, or another call must be used.


CS
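
An added diagnostic example (not part of any post in this thread, and not CRM SDK code): an ASP.NET 2.0 code-behind that prints, side by side, the request identity, the IIS server variables, and the identity the worker thread runs as, which is the security context System.Net.CredentialCache.DefaultCredentials draws on. The page name IdentityProbe and the proxy name crmService in the comment are hypothetical; the scoped impersonation at the end is one option for outbound calls and assumes the request carries an authenticated Windows identity.

```csharp
// IdentityProbe.aspx.cs (hypothetical page name; added example)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class IdentityProbe : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Identity IIS authenticated for this HTTP request (the browser user).
        IIdentity requestUser = HttpContext.Current.User.Identity;
        Report("HttpContext.Current.User", requestUser.Name);
        Report("IsAuthenticated / type",
               requestUser.IsAuthenticated + " / " + requestUser.AuthenticationType);
        Report("LOGON_USER", Request.ServerVariables["LOGON_USER"]);
        Report("AUTH_USER", Request.ServerVariables["AUTH_USER"]);

        // Identity the worker thread executes as. Without impersonation this is
        // the application pool account, and outbound calls that authenticate with
        // System.Net.CredentialCache.DefaultCredentials present this account.
        Report("Thread identity", WindowsIdentity.GetCurrent().Name);

        WindowsIdentity caller = requestUser as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            Report("Scoped impersonation", "skipped, no Windows identity on the request");
            return;
        }

        // Impersonate only around the outbound call, then always revert.
        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            Report("Thread identity while impersonating", WindowsIdentity.GetCurrent().Name);
            // An outbound proxy (hypothetical crmService) configured here with
            // DefaultCredentials would use the impersonated security context.
        }
        finally
        {
            ctx.Undo();
        }
        Report("Thread identity after Undo", WindowsIdentity.GetCurrent().Name);
    }

    private void Report(string label, string value)
    {
        Response.Write(label + ": " + (value ?? "(null)") + "\r\n");
    }
}
```

Loading the page once directly and once inside the iFrame shows which of the values changes between the two contexts.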
 
Steven Cheng[MSFT]

Thanks for your followup.

Glad that you've found the solution. If you meet any further problems and need
our help, please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support
 