
Azure to Dynamics CRM 2011: how to implement AD authentication?

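To display the data in our CRM installation better, we have an Azure website that basically reads the CRM data we want to work with (employees' planned working hours) and converts it into a more readable format using Telerik (a scheduler using recurring appointments). The Telerik appointments are never converted back, so it is a read-only connection to CRM.

We have been authenticating with a fixed user and the product works well, but when we want to authenticate with the currently logged-in user, we run into problems involving AD. The currentUserId in the code below is passed via a querystring from the form.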

private OrganizationServiceProxy CreateOrganizationService(String serverAddress, String organizationName, Guid currentUserId)
{
    var discoveryServiceUri = serverAddress.Contains("http") ? new Uri(String.Format("{0}/XRMServices/2011/Discovery.svc", serverAddress)) : new Uri(String.Format("http://{0}/XRMServices/2011/Discovery.svc", serverAddress));
    System.Diagnostics.Trace.TraceInformation("current discoveryUri: " + discoveryServiceUri);
    var credentials = new ClientCredentials();
    // Get the user's logon credentials.
    credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
    System.Diagnostics.Trace.TraceInformation("current user: " + CredentialCache.DefaultNetworkCredentials.UserName);
    // Get the target organization.
    var organizationUri = GetOrganizationAddress(organizationName, discoveryServiceUri, credentials, null);
    System.Diagnostics.Trace.TraceInformation("current organization: " + organizationUri);
    var serviceProxy = new OrganizationServiceProxy(organizationUri, null, credentials, null);
    // This statement is required to enable early-bound type support.
    serviceProxy.EnableProxyTypes();
    if (currentUserId == Guid.Empty)
    {
        currentUserId = GetUserId(serviceProxy);
    }
    if (currentUserId != Guid.Empty)
        serviceProxy.CallerId = currentUserId;
    return serviceProxy;
}

The code above is used to create the CRM connection on the server side.

private Uri GetOrganizationAddress(String organizationName, Uri discoveryServiceUri, ClientCredentials credentials, ClientCredentials deviceCredentials)
{
    if (discoveryServiceUri == null)
        throw new Exception("DiscoveryServiceUri is null. Please specify a valid configuration details to connect crm server.");
    using (var serviceProxy = new DiscoveryServiceProxy(discoveryServiceUri, null, credentials, deviceCredentials))
    {
        // Obtain organization information from the Discovery service.
        // Obtain information about the organizations that the system user belongs to.
        System.Diagnostics.Trace.TraceInformation("getting organizationss now");
        OrganizationDetailCollection orgs = DiscoverOrganizations(serviceProxy);
        System.Diagnostics.Trace.TraceInformation(orgs.Count + " organizations discovered");
        if (orgs.Count > 0)
        {
            int orgNumber = 0;
            for (int n = 0; n < orgs.Count; n++)
            {
                if (orgs[n].UniqueName == organizationName || orgs[n].FriendlyName == organizationName)
                {
                    orgNumber = n + 1;
                    System.Diagnostics.Trace.TraceInformation("orgs[n].UniqueName: " + orgs[n].UniqueName);
                    System.Diagnostics.Trace.TraceInformation("orgs[n].friendlyName: " + orgs[n].FriendlyName);
                    break;
                }
            }
            if (orgNumber > 0 && orgNumber <= orgs.Count)
            {
                Version version = new Version(orgs[orgNumber - 1].OrganizationVersion);
                System.Diagnostics.Trace.TraceInformation("version: " + version.Build);
                // Return the organization Uri.
                Uri uri = new Uri(orgs[orgNumber - 1].Endpoints[EndpointType.OrganizationService]);
                System.Diagnostics.Trace.TraceInformation("uri:" + uri);
                return uri;
            }
            throw new Exception(string.Format("The specified organization '{0}' does not exist.", organizationName));
        }
        throw new Exception(string.Format("You do not belong to any organizations on the specified server. DiscoveryServiceUri '{0}'", discoveryServiceUri.AbsoluteUri));
    }
}

Something goes wrong in the code below:

private OrganizationDetailCollection DiscoverOrganizations(IDiscoveryService service)
{
    var orgRequest = new RetrieveOrganizationsRequest();
    System.Diagnostics.Trace.TraceInformation("orgrequest made");
    var orgResponse = (RetrieveOrganizationsResponse)service.Execute(orgRequest);
    System.Diagnostics.Trace.TraceInformation("orgresponse retrieved: " + orgResponse);

    System.Diagnostics.Trace.TraceInformation("orgResponse.details: " + orgResponse.Details);
    return orgResponse.Details;
}

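It goes wrong on the Execute(orgRequest) command. I have narrowed this down to a problem with AD authentication, namely that my credentials appear to be wrong. I want to pass the AD credentials of the AD user account (not the CRM user account) that is currently using CRM to the credentials object in the first method.

The goal is to use this application only inside Dynamics CRM 2011, but in theory it should also work outside the platform for testing.

Edit: just realized I forgot my stack trace: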

System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
   at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
The caller was not authenticated by the service.
Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

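A colleague of mine helped me out. It turns out that Azure can only read the DefaultNetworkCredentials of the AD. However, Dynamics CRM 2011 does not accept these credentials for authentication. We are looking for an alternative solution.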
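
An added example, not code from the original post: one alternative to `CredentialCache.DefaultNetworkCredentials` is to authenticate with an explicit AD service account, like the fixed user the question says already works, and to treat the query-string user ID as untrusted before assigning it to `CallerId`. The class name, the `appSettings` keys and the enabled-user check are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel.Description;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

public static class CrmConnection
{
    // organizationUri is the address returned by GetOrganizationAddress.
    // requestedUserId is the value received in the query string.
    public static OrganizationServiceProxy Create(Uri organizationUri, Guid requestedUserId)
    {
        var credentials = new ClientCredentials();

        // Explicit AD service account instead of DefaultNetworkCredentials,
        // which the post reports CRM 2011 rejects when sent from the Azure site.
        // The appSettings keys are hypothetical; keep the password in protected
        // configuration, never in source control.
        credentials.Windows.ClientCredential = new NetworkCredential(
            ConfigurationManager.AppSettings["Crm.ServiceUser"],
            ConfigurationManager.AppSettings["Crm.ServicePassword"],
            ConfigurationManager.AppSettings["Crm.Domain"]);

        var proxy = new OrganizationServiceProxy(organizationUri, null, credentials, null);
        proxy.EnableProxyTypes();

        if (requestedUserId != Guid.Empty)
        {
            // A query-string value is client-controlled. Retrieve throws if no
            // systemuser has this id; a disabled account is rejected explicitly.
            Entity user = proxy.Retrieve("systemuser", requestedUserId, new ColumnSet("isdisabled"));
            if (user.GetAttributeValue<bool>("isdisabled"))
            {
                proxy.Dispose();
                throw new UnauthorizedAccessException("The requested CRM user is disabled.");
            }

            // Calls made through the proxy now run on behalf of this user.
            proxy.CallerId = requestedUserId;
        }
        return proxy;
    }
}
```

Checking that the ID names an enabled user does not prove the visitor is that user, so the ID should come from an authenticated session rather than the query string. The service account also needs the CRM privilege to act on behalf of another user for `CallerId` to take effect.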
