2

It is not a typo. My problem is that I can log in. Our CRM server is accessible via VPN, which I log into. Then, I run the following code.

ClientCredentials credentials = new ClientCredentials();
String orgUrl = "http://server/konrad01/XRMServices/2011/Organization.svc";
OrganizationServiceProxy _serviceProxy = new OrganizationServiceProxy(
  new Uri(orgUrl), null, credentials, null);

It's a brand new organization with nothing in it. When I list e.g. system users, I get hits, so apparently I am able to connect to it. But how?!

I've went through everything I could think of. I removed all the internet history, including but not limited to, cookies. I removed all references to the server from the Credential Manager in Control Panel. I disabled the storage of credentials for log in on the RDP where the server resides. Nada! The persistent duck (type intended) still connects. How do I make it not to connect?! (Unless I provide credentials, that is.)

Konrad Viltersten
  • 36,151
  • 76
  • 250
  • 438
  • 3
    This sounds like it's a server configuration issue, not a code issue... – Jon Skeet Feb 12 '13 at 16:41
  • Does the user running the application, have permissions in CRM? – James Wood Feb 12 '13 at 17:01
  • 3
    Are there other organisations on the same box? Could you be picking up one of them instead (would suggest the other one is set as default) – glosrob Feb 12 '13 at 17:22
  • @JamesWood Not sure which user that actually logs in. I haven't assigned any special permissions to anybody in the new organization. But it was I who created it. Perhaps I could ask a co-worked to create an organization to see if he's the only system user and I can still log in. – Konrad Viltersten Feb 12 '13 at 21:42
  • 1
    @glosrob There's a huge bunch of other organizations, most of which are mine because I like to play with stuff trying to see what can be broken in some cool way. In fact, once, I broke our server so bad, it took two guys (one has 6 certificates the other is a MVP) over a day to fix it. :) This is actually a very plausible reason - I'll give it a whack first thing tomorrow. – Konrad Viltersten Feb 12 '13 at 21:45
  • @KonradViltersten one thing CRM is definitely good for - getting broken :) – glosrob Feb 12 '13 at 23:06
  • Don't know why this was closed, back to the question. What authentication model are you using? E.g. Active directory? – James Wood Feb 12 '13 at 23:25
  • @JamesWood Me neither. Ask two more friends to reopen so someone can answer the question and get rep. As for the authentication, it's not AD. I'm just using the default credentials - `.Net.DefaultNetworkCredentials`, I belive. When I browse to the organization, I log in using remote desktop and VPN. However, I can access the organization from my code without connecting to the RDP. It suffice to be logged in on our VPN. Thoughts? – Konrad Viltersten Feb 13 '13 at 00:28
  • @glosrob Then I'm a CRM expert. I'm really good at finding out new ways to help it get broken. Good thing I don't work with nuclear power. -> PROUD <- – Konrad Viltersten Feb 13 '13 at 00:30
  • @KonradViltersten, but what are the default network credentials being checked against? I'm going to assume this is an on-premise deployment with simple active directory (e.g. nothing like ADFS, CRM Online or IFD). I'm pretty sure its because you are not supplying any specific credentials, its using the credentials of the user running the program, that user has permissions in CRM so everything works. Try running the program as a user that does not have permissions in CRM, I believe then it will not work (fingers crossed). – James Wood Feb 13 '13 at 08:52
  • I concur with James - if you setup the organisation then you will by definition be added as a user in that org with a system administrator role, and mus be a deployment admin to have added the org in the first place. So when you try to connect, the site will ask (silently, SSO-style) for credentials, which your OS provides (ie it replies with the token you were granted when you logged on to the domain). Log on as a user who did not set up the org and try again. – AdamV Feb 13 '13 at 09:48
  • This is highly unexpected. When I specify the credentials to just a `new ClientCredentials()` or even when I send in `null` to my service proxy, it seems to check out who's logged in onto the computer and use **that** credentials. Weird. And unexpected. – Konrad Viltersten Feb 13 '13 at 16:09

2 Answers2

1

Assumptions:

  • You have a simple on-premise deployment.
  • You are using simple active directory authentication.
  • The user running the application has permissions in CRM.

As you didnt specify any particular user in the ClientCredentials when the application connects to CRM it provides the credentials of the user who is running the application.

That user has permissions in CRM so they are allowed to authenticate and do things.

To test this try running the application as a user who does not have permissions in CRM and see if they are still able to connect.

Further reading:

Community
  • 1
  • 1
James Wood
  • 17,286
  • 4
  • 46
  • 89
  • Hi James! How do you define **simple** deployment and **simple** AD? Also, what do you refer to as *user who is running the application*? Is it `Net.CredentialChache.DefaultNetworkCredentials` or `Environment.UserName` or something entirely different? – Konrad Viltersten Feb 13 '13 at 13:24
  • I suppose simple might be the wrong word, I meant you havn't changed any default settings and it's not using ADFS or anything like that. The 'user who is running the application' is generally the user who is logged on when the application is run, e.g. if you have a console application and you run the .exe, the user running the application is you. If your running the code from visual studio the user is the person who opened VS, e.g. you. – James Wood Feb 13 '13 at 13:44
  • Well, it seems that I don't need to enter any credentials att all. I'm sending in the URL the the organization along with three *null* for credentials and what not. CRM seems to recognize the currently logged in user and goes with those credentials. Unexpected! +1 for links. – Konrad Viltersten Feb 13 '13 at 21:22
1

If you are a user in CRM you'll still be able to create a _serviceProxy even if your user is disabled but you'll get an error when trying to retrieve or execute anything.

If your user does not exist in CRM then you won't even be able to create the proxy.

Juan Stoppa
  • 460
  • 1
  • 4
  • 15