Hi everyone,

I made an application that accesses CRM's web service. The problem is, when I deployed the DLL to the SharePoint server, it returned error 401 Unauthorized. Apparently System.Net.CredentialCache.DefaultCredentials didn't work (my suspicion). Here's the code.

```csharp
CrmSdk.CrmAuthenticationToken token = new CrmSdk.CrmAuthenticationToken();
token.AuthenticationType = AuthenticationType.AD;
token.OrganizationName = ORGANIZATION_NAME;

CrmService service = new CrmService();
service.Url = "http://crmserver:5555/mscrmservices/2007/crmservice.asmx";
service.CrmAuthenticationTokenValue = token;
service.PreAuthenticate = true;
service.Credentials = System.Net.CredentialCache.DefaultCredentials;
```

It goes vice versa.

When I made an application that accesses SharePoint's web service (coding the plugin) and deployed it to the CRM server, it couldn't access SharePoint's web service. Unauthorized error. Here is the code:

```csharp
Lists listService = new Lists();
listService.PreAuthenticate = true;
listService.Credentials = System.Net.CredentialCache.DefaultCredentials;
listService.Url = "http://sharepointserver/webname/_vti_bin/Lists.asmx";
```

My CRM server and SharePoint server are in the same domain.

For both pieces of code, if I change the credentials part to something like this and then deploy it on the server, it runs.

```csharp
service.Credentials = new NetworkCredential("username", "password", "domain");
```

Still, I don't want to do this because it reveals the user's password in the code. Can anyone help me?

IIS on both servers doesn't allow Anonymous Access and uses Integrated Windows Authentication.

Thank you

+1  A: 

Could be that you need to be running Kerberos for authentication, but I cannot be sure and it is a pain to set up just to check.

Nat
Hm.. I have checked before and the server uses Kerberos authentication. Any other option or opinion? :D Thanks anyway :D
cyrene
+1  A: 

Have you verified that the default credentials are the same as those when you explicitly state them? It could be that the default credentials are those of another account that you wouldn't expect.

EDIT #1: Per the remarks for the DefaultCredentials property on MSDN:

DefaultCredentials represents the system credentials for the current security context in which the application is running. For a client-side application, these are usually the Windows credentials (user name, password, and domain) of the user running the application. For ASP.NET applications, the default credentials are the user credentials of the logged-in user, or the user being impersonated.

You'll also want to ensure that the user accessing the CRM page (making the call to the SharePoint web service) can access the web service with their credentials and vice versa. If they can then it would seem more likely that some kind of impersonation is happening.

Edit #2: Assuming that you have access to both the CRM and SharePoint servers, you might take a peek into both the application and system logs. One or both should likely indicate a failed login and indicate which account attempted to access the resource (in this case the web services).

Richard C. McGuire
Hm... I didn't state the value of the default credential. I just used it, and isn't it supposed to find by itself the matching credential needed and then send it to the web service? How do I verify the default credential, as we can't see the username and password in it, can we? Thank you :)
cyrene
Added an update. You can try checking the logs; they might show the failed login and point you to the account that is attempting to access the service(s).
Richard C. McGuire
Thanks for your update :) I peeked into CRM's logs, and even though I've turned off anonymous access on IIS, the account attempting to access the service is one of the CRM users. I wonder why the DefaultCredentials in SharePoint turned out to be that user. I'll look for more information. Thanks :)
cyrene
A: 

From my local computer, I can access the CRM web services or SharePoint web services. I guess I'm authorized because DefaultCredentials sent my credentials, whose password is saved in "Stored User Names and Passwords" (Control Panel > User Accounts > Advanced tab > Manage Passwords). This way, I don't have to type:

```csharp
service.Credentials = new NetworkCredential("username", "password", "domain");
```

and my DefaultCredentials from my local computer is authorized to access the web services.

I tried to implement this on the SharePoint server that accesses the CRM web services, and.. tadaa.. it won't work. Hahaha..

Can we inject credentials into DefaultCredentials on the server?

The last thing I want to do is to hardcode the user account (like the code above).

cyrene
You cannot inject credentials to the DefaultCredentials property as it is read only; the link to the property on MSDN in my post shows the declaration of the property.
Richard C. McGuire
A: 

```csharp
service.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
```

Try that.

Corey Sunwold
I've tried and it didn't work. I've read MSDN and can't distinguish the difference between DefaultCredentials and DefaultNetworkCredentials. But thanks :)
cyrene
A: 

Not familiar with SharePoint, but can't you just store the connection information in a configuration file and use the built-in tools for securing your web.config? That's what I do.

http://aspnet.4guysfromrolla.com/articles/021506-1.aspx

benjynito
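One way to do what this answer suggests, as an added example that is not part of the original thread: keep the service account in `appSettings`, encrypt that section with ASP.NET protected configuration, and build the `NetworkCredential` at run time. The class name and the key names `CrmServiceUser`, `CrmServicePassword` and `CrmServiceDomain` are assumptions, and the code assumes it is hosted in an ASP.NET application with its own web.config.

```csharp
using System.Configuration;
using System.Net;
using System.Web.Configuration;

public static class ServiceAccountConfig
{
    // Hypothetical appSettings key names, chosen for this example.
    private const string UserKey = "CrmServiceUser";
    private const string PasswordKey = "CrmServicePassword";
    private const string DomainKey = "CrmServiceDomain";

    // Run once after deployment (for example from an admin-only page).
    // Encrypts <appSettings> in the web.config at the given virtual path,
    // such as "~", using the built-in DPAPI provider.
    public static void ProtectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // ASP.NET decrypts the section transparently when it is read,
    // so no password appears in the compiled assembly.
    public static NetworkCredential LoadCredential()
    {
        string user = ConfigurationManager.AppSettings[UserKey];
        string password = ConfigurationManager.AppSettings[PasswordKey];
        string domain = ConfigurationManager.AppSettings[DomainKey];

        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(domain))
        {
            throw new ConfigurationErrorsException(
                "Service account settings are missing from appSettings.");
        }
        return new NetworkCredential(user, password, domain);
    }
}

// Usage in the calling code from the question:
//   service.Credentials = ServiceAccountConfig.LoadCredential();
```

The `DataProtectionConfigurationProvider` encrypts with a key tied to the server, so a copied web.config cannot be decrypted elsewhere, but code running on that server can still read the value. Use a dedicated account that holds only the rights the web service call needs.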
A: 

To be able to use DefaultCredentials, the user in Active Directory must be defined in both SharePoint and CRM and have enough privileges to do what you are doing in code.

And try to use the SDK (CRM has helper classes) instead of service definitions.

Orkun Balkancı
A: 

Hi,

Using DefaultCredentials means the ASP.NET worker process or IIS worker process will take the credentials of the user who runs the IIS Application Pool.

So if your Dynamics CRM Application Pool runs under the user account Custom-CRM-Domain\JohnDoe, it will take the privileges of the user account Custom-CRM-Domain\JohnDoe.

Please check the user account that runs the application pool of the CRM\SharePoint IIS web application.

These are the steps to check the Application Pool:

  1. Open the website -> Right-click -> Choose Properties
  2. Select the Home Directory tab
  3. Note the Application Pool name in the drop-down list at the bottom
  4. Now, go to the Application Pools folder
  5. Find the Application Pool name noted in step 3 -> Right-click and choose Properties
  6. Select the "Identity" tab and you will find the user account that runs the application pool

Hope this helps.

hadi teo
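Both this answer and Richard C. McGuire's answer come down to finding out which account `DefaultCredentials` actually represents on the server. The following is an added example, not code from the thread, that reports the identities in play from inside the deployed code; the class and method names are assumptions, and it assumes an ASP.NET host.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web;

public static class CredentialContextReport
{
    // Builds a text report of the identities behind an outbound call
    // that uses CredentialCache.DefaultCredentials. Write the result to
    // a server-side log rather than returning it to the browser.
    public static string Describe()
    {
        StringBuilder sb = new StringBuilder();

        // Effective Windows identity of the current thread. Without
        // impersonation this is the application pool account.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("Effective Windows identity: " + current.Name);
            sb.AppendLine("Authentication type:        " + current.AuthenticationType);
            sb.AppendLine("Impersonation level:        " + current.ImpersonationLevel);
        }

        // GetCurrent(true) returns null when the thread is not impersonating.
        using (WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true))
        {
            sb.AppendLine("Thread is impersonating:    " + (threadToken != null));
        }

        // The caller that IIS authenticated (Integrated Windows Authentication).
        HttpContext ctx = HttpContext.Current;
        if (ctx != null && ctx.User != null)
        {
            sb.AppendLine("Authenticated caller:       " + ctx.User.Identity.Name);
        }

        return sb.ToString();
    }
}
```

Compare the effective identity with the account shown on the application pool's Identity tab and with the account named in the failed-login entry on the remote server. An impersonation level of `Impersonation` rather than `Delegation` means the caller's token is valid on this server only and cannot be presented to a second server.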