On premise support #27

Open
sribalakumar opened this issue Mar 11, 2015 · 12 comments

@sribalakumar
Contributor

Does this gem support on premise? I get a 401 unauthorised response.

This is the verbose response I get:
< HTTP/1.1 100 Continue
< HTTP/1.1 401 Unauthorized
< Cache-Control: private
< Transfer-Encoding: chunked
< Content-Type: text/plain
* Server Microsoft-IIS/8.5 is not blacklisted
< Server: Microsoft-IIS/8.5
< X-AspNet-Version: 4.0.30319
< WWW-Authenticate: NTLM
< WWW-Authenticate: Negotiate
< X-Powered-By: ASP.NET
< Date: Thu, 12 Mar 2015 00:55:32 GMT
* HTTP error before end of send, stop sending
<
* Closing connection 0
HTTP Error 401 - Unauthorized: Access is denied

RuntimeError: HTTP Error 401 - Unauthorized: Access is denied

@jheth
Contributor

jheth commented Mar 13, 2015

Yes, the work in #18 adds on-premise support. We use it for a client of ours. Can you provide any other setup details?

@sribalakumar
Contributor Author

Thanks for the commit link, jheth. Just a basic question with regard to config[:login_url] in the client.rb file. The OCP login URL is clear (https://login.microsoftonline.com/RST2.srf) for On Demand versions; I am wondering what the equivalent would be in on-premise versions.

@jheth
Contributor

jheth commented Mar 20, 2015

I think the On-Premise URLs will be different based on the version and configuration with ADFS. Do you know what version is being run?

@sribalakumar
Contributor Author

Windows Server 2012 R2 with ADFS 3.0 and CRM 2013.

@jheth
Contributor

jheth commented Mar 23, 2015

I have seen this type of URL format before but have not tested the login process myself:
https://{ADFS-FQDN}/adfs/ls

@sribalakumar
Contributor Author

@jheth

client = DynamicsCRM::Client.new({organization_name: "fdcrm", hostname: "internal.int.com:5556"})

gives an object of the form

<DynamicsCRM::Client:0x007f871be0ad90 @organization_name="fdcrm", @hostname="internal.int.com:5556", @organization_endpoint="https://internal.int.com:5556/XRMServices/2011/Organization.svc", @caller_id=nil, @login_url="https://login.microsoftonline.com/RST2.srf", @region="urn:crmna:dynamics.com">

I guess the login_url and the region are wrong here. When I opened https://internal.int.com:5556/fdcrm/XRMServices/2011/Organization.svc?wsdl=wsdl0 and tried to look up
// Login URL: Policy -> Issuer -> Address (as described in the gem client.rb)
// Region: SecureTokenService -> AppliesTo (as described in the gem client.rb)
the XML snippet for the login URL goes like

<wsp:Policy>
  <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <Address xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</Address>
      <Metadata xmlns="http://www.w3.org/2005/08/addressing">
        <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <wsx:MetadataSection xmlns="">
            <wsx:MetadataReference>
              <Address xmlns="http://www.w3.org/2005/08/addressing">https://adfs.int.com/adfs/services/trust/mex</Address>
            </wsx:MetadataReference>
          </wsx:MetadataSection>
        </Metadata>
      </Metadata>
    </Issuer>
    <sp:RequestSecurityTokenTemplate>
      <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
        http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
      </trust:KeyType>
      <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
      <trust:Claims xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
        <wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
      </trust:Claims>
      <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
      <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
      <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
      <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
      <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
    </sp:RequestSecurityTokenTemplate>
    <wsp:Policy>
      <sp:RequireInternalReference/>
    </wsp:Policy>
  </sp:IssuedToken>
</wsp:Policy>

and the snippet for SecureTokenService

<ms-xrm:SecureTokenService>
  <ms-xrm:Identifier>http://adfs.int.com/adfs/services/trust</ms-xrm:Identifier>
</ms-xrm:SecureTokenService>

Can you help me with constructing a proper client object, please?
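
An added example, not part of the thread or of the gem's code, of the WSDL lookup described in the comment above: it pulls the Issuer address, the metadata reference and the SecureTokenService identifier out of a fragment and compares the advertised STS host with the client's login_url. The wrapper root element, the placeholder prefix URIs and the helper names (texts_under, sts_hints, review) are assumptions made for the example.

```ruby
require "rexml/document"
require "uri"
ANONYMOUS = "http://www.w3.org/2005/08/addressing/anonymous"

# Constructed sample: the two fragments quoted above, trimmed, under a made-up
# root whose prefix URIs are placeholders (the real WSDL declares its own).
SAMPLE_WSDL = <<~XML
  <root xmlns:wsp="urn:example:wsp" xmlns:sp="urn:example:sp" xmlns:wsx="urn:example:wsx" xmlns:ms-xrm="urn:example:ms-xrm">
    <wsp:Policy><sp:IssuedToken>
      <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <Address xmlns="http://www.w3.org/2005/08/addressing">#{ANONYMOUS}</Address>
        <Metadata xmlns="http://www.w3.org/2005/08/addressing"><wsx:MetadataReference>
          <Address xmlns="http://www.w3.org/2005/08/addressing">https://adfs.int.com/adfs/services/trust/mex</Address>
        </wsx:MetadataReference></Metadata>
    </Issuer></sp:IssuedToken></wsp:Policy>
    <ms-xrm:SecureTokenService><ms-xrm:Identifier>http://adfs.int.com/adfs/services/trust</ms-xrm:Identifier></ms-xrm:SecureTokenService>
  </root>
XML

# Text of every element named `leaf` that has an ancestor named `parent`.
# Local names only, so the result does not depend on the prefixes in use.
def texts_under(doc, parent, leaf)
  found = []
  doc.root.each_recursive do |el|
    next unless el.name == leaf
    anc = el.parent
    anc = anc.parent while anc.is_a?(REXML::Element) && anc.name != parent
    found << el.text.to_s.strip if anc.is_a?(REXML::Element)
  end
  found
end

# Collect what the WSDL says about the security token service (STS).
def sts_hints(wsdl_xml)
  doc = REXML::Document.new(wsdl_xml)
  mex = texts_under(doc, "MetadataReference", "Address")
  { issuer_address: (texts_under(doc, "Issuer", "Address") - mex).first,
    mex_endpoint: mex.first,
    sts_identifier: texts_under(doc, "SecureTokenService", "Identifier").first }
end

# Flag settings under which a login request would not reach the advertised STS.
def review(hints, login_url)
  mex = URI(hints[:mex_endpoint].to_s)
  notes = []
  notes << "Issuer Address is the anonymous URI; read STS endpoints from #{mex}" if hints[:issuer_address] == ANONYMOUS
  notes << "metadata endpoint is not HTTPS" unless mex.scheme == "https"
  notes << "login_url host #{URI(login_url).host} is not the advertised STS host #{mex.host}" if mex.host && URI(login_url).host != mex.host
  notes
end
```

Run against the client object shown earlier, `review(sts_hints(SAMPLE_WSDL), "https://login.microsoftonline.com/RST2.srf")` reports both the anonymous Issuer address and the host mismatch between the default login_url and adfs.int.com.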

@vasko

vasko commented Mar 24, 2016

Does this gem only support Dynamics CRM 2015 On Premise using ADFS?

I'm getting an error using this gem with our internal only setup that is using just plain Active Directory authentication.

@przemad

przemad commented Sep 20, 2016

Any progress?

@jheth
Contributor

jheth commented Sep 22, 2016

It supports both cloud and on-premise ADFS authentication. I don't know the differences between plain AD and ADFS authentication. I figure that would be the same.

@mkweick

mkweick commented Nov 7, 2016

Looking for help with On-Premise Dynamics 2013 authentication issues. We have Windows 2012 R2 ADFS. I can't seem to generate the correct client string to get it to work.

client = DynamicsCRM::Client.new({organization_name: "exampleName", hostname: "crm.exampledomain.com"})

@sribalakumar - any luck figuring out the correct connection string for on-premise?

@mkweick

mkweick commented Dec 14, 2016

Is there any way to see a sample connection string for On-Premise CRM deployments with ADFS?

@sribalakumar
Contributor Author

@mkweick Nope, we never got this working for On-Premise or IFD.

jheth closed this as completed Dec 15, 2016
jheth reopened this Dec 15, 2016