CRM 2011, authenticating form javascript requests to an external WCF service

Question

We have an on-premise deployment of MS CRM 2011 and some of the forms run custom javascript to pre-populate certain fields. The data comes from a WCF RESTful web service we've developed that runs on the same physical server as CRM. The service is hosted in IIS as an app in the CRM website to avoid cross-domain scripting issues. Javascript makes an ajax request (using jQuery), gets back a JSON-formatted reply, and populates the fields.

Everything's working fine so far, but I'm now starting to think about security and authentication. Specifically, I want our web service to reply only to valid CRM users, because some of the data may be sensitive. There need not be individual authentication, all CRM users will have the same level of access to this web service, so a single service account of some sort would work.

So far I'm considering doing windows authentication, with the custom web service querying CRM to see if the (already domain-authenticated) user exists in CRM before fulfilling the request. I have fairly little experience with security, so even general tips would be welcome.

Answer 1

Egor, I think you're headed in the right direction. You can either do custom windows authentication or an other simple way to solve this would be to send the the current user's user id (guid) to the custom application and let the webservice query CRM to get the correct access.

Since, you already mentioned that all user's have the same level of access, you can send the user's access level to the web service to determine what to return.