Microsoft Dynamics CRM (Archived)

Impersonation attempt ignored via web api - on prem


Hi,

Microsoft Dynamics 365 Version 1612 (8.2.2.112) on premises.

As I understand, in order to impersonate through the web api, one must have authority to impersonate and then merely add the request header MSCRMCallerID to the request, like so:

req.setRequestHeader("MSCRMCallerID", "10A2E81B-EC44-E411-9401-005056B6433E");

I'm logged into our Dynamics implementation as a system administrator and am running the following request:

var entity = {};
entity.bi_name = "test4";

var req = new XMLHttpRequest();
req.open("POST", Xrm.Page.context.getClientUrl() + "/api/data/v8.2/bi_zzzperformancetestingwo6044s", true);
req.setRequestHeader("OData-MaxVersion", "4.0");
req.setRequestHeader("OData-Version", "4.0");
req.setRequestHeader("Accept", "application/json");
req.setRequestHeader("Content-Type", "application/json; charset=utf-8");
req.setRequestHeader("Prefer", "odata.include-annotations=\"*\",return=representation");
req.setRequestHeader("MSCRMCallerID", "10A2E81B-EC44-E411-9401-005056B6433E");
req.onreadystatechange = function() {
    if (this.readyState === 4) {
        req.onreadystatechange = null;
        if (this.status === 201) {
            var uri = this.getResponseHeader("OData-EntityId");
            var regExp = /\(([^)]+)\)/;
            var matches = regExp.exec(uri);
            var newEntityId = matches[1];
            //Handle returned attributes
        } else {
            Xrm.Utility.alertDialog(this.statusText);
        }
    }
};
req.send(JSON.stringify(entity));


The guid associated with the MSCRMCallerID request header is associated with the user that I'd like to create the record on behalf of.  What I find is that the row gets created successfully, but the createdbyname, modifiedbyname, and ownername are not the names associated with the MSCRMCallerID.  Instead, they are simply the values of the logged in user.  In other words, the directive to impersonate is totally ignored.  CreatedOnBehalfByName and ModifiedOnBehalfByName stay null in the database as well.

I've tried using different User IDs, both as the delegator and delegatee.  I've also spelled the MSCRMCallerID header incorrectly and I've used invalid GUIDs in some calls in an attempt to have the interface throw an error.  It does not; it just ignores the request entirely.

I reviewed the event log and I find no entries related to an impersonation attempt.

Could there be something in our implementation that causes Dynamics to ignore the attempt?  Something related to Active Directory like the app pool settings or the claims setup for IFD?

  • Goutham A

    Hi,

    I don't think it is any Active Directory settings.

    What role does the impersonated user have? The user account used in "MSCRMCallerID" needs the prvActOnBehalfOfAnotherUser privilege and the required privileges to create an entity. Otherwise, it would be created with the logged-in user context. It does not throw any error.

    Also, there are some scenarios which fail even from a plugin, and Microsoft is constantly improving the "Act on behalf of" feature.

    support.microsoft.com/.../service-update-5-for-microsoft-dynamics-365-8-2-2

    Improvement : User with "act on behalf of" privilege can impersonate an integration user under certain conditions

    <<Please mark my answer as verified if it resolves your query>>

  • Suggested answer
    gdas (Moderator)

    Hi,

    Can you please try to log in to CRM with the user having the system administrator role and see if impersonation is working or not?

    You can also try to execute it directly from the Chrome developer tools console after logging in to CRM as an admin user. For more info, have a look at the reference below:

    debajmecrm.com/.../dynamics-crm-web-api-impersonate

  • David Jennaway

    As a test, can you try impersonating via the SDK assemblies using OrganizationServiceProxy.CallerId? This would help determine if the issue is specific to the WebAPI, or if it's a general server configuration issue.

    It's also worth enabling CRM tracing if you can, to see if any useful errors are thrown when you impersonate.

  • rduz

    Hi,

    It doesn't make sense to me that the user that is being impersonated needs the right to impersonate other users, but I've tried that.  

    In one of my cases, I attempted to have one system admin impersonate another, and both would be able to impersonate as well as create the entity row.

    I've also had a non-system administration user with the 'delegate' role both attempt to give and receive the impersonation.  

    I've made sure that the user who is being impersonated can create the entity record, as well as the person doing the impersonation.

    Any further ideas?

  • rduz

    I have done so.  In one attempt, I had one system administrator trying to impersonate another.  Using the Chrome developer console is a good idea, but I prefer the JavaScript console in the CRM Rest Builder solution (github.com/.../CRMRESTBuilder).

  • rduz

    Thank you.  I also thought about using a C# call to test with.  I did enable tracing, ran the create entity javascript code, and then stopped the tracing.  I reviewed the trace and didn't find any obvious errors.  What I did find interesting is that there is no mention in the log of a check for prvActOnBehalfOfAnotherUser.  I would have expected that check to be conducted.  Perhaps if the caller is known to be a system admin then the code wouldn't bother but I am not certain.

  • Ivanjia

    Have you found any solution to this issue? I have exactly the same issue as yours.

    Appreciated if you can share any idea.

    Thanks!

  • rduz

    I'm sorry, unfortunately, I didn't find a solution.  

  • Somesh2207

    Hi, please let me know if you found any solution. We were using MSCRMcallerId in a lot of places, which was working fine till 19 March and stopped after this.

    We have Customer Go live in 10 days and this will be a big issue. Kindly let us know

  • Suggested answer
    Dynamics 365 Consultant

    Did you try passing CallerObjectId instead of MSCRMCallerID?

    See this reference though it is online:
    https://docs.microsoft.com/en-us/powerapps/developer/common-data-service/webapi/impersonate-another-user-web-api
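
The symptom reported in this thread is a create that returns 201 while MSCRMCallerID is silently ignored, so client code that depends on impersonation has to check the returned record's attribution rather than wait for an error. The following is an added example, not code from any poster: the function names are hypothetical, the logged-in user's GUID and both sample responses are constructed, and it assumes the request used Prefer: return=representation and that the response carries the `_createdby_value` and `_createdonbehalfby_value` lookup properties, with the latter holding the real caller when impersonation is honored.

```javascript
// Added example (not from the thread). Function names are hypothetical.
var GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Accepts "GUID" or "{GUID}"; returns a lowercase GUID, or null if malformed.
function normalizeGuid(value) {
    if (typeof value !== "string") { return null; }
    var bare = value.trim().replace(/^\{|\}$/g, "");
    return GUID_RE.test(bare) ? bare.toLowerCase() : null;
}

// record: JSON body returned by the create (Prefer: return=representation).
// requestedCallerId: GUID sent in MSCRMCallerID.
// loggedInUserId: GUID of the authenticated user making the call.
function checkImpersonation(record, requestedCallerId, loggedInUserId) {
    var requested = normalizeGuid(requestedCallerId);
    var actual = normalizeGuid(loggedInUserId);
    if (!requested || !actual) {
        // The thread reports that bad GUIDs raise no server error, so reject here.
        return { ok: false, reason: "malformed-guid" };
    }
    if (requested === actual) {
        return { ok: false, reason: "same-user" };
    }
    var createdBy = normalizeGuid(record._createdby_value);
    var onBehalfBy = normalizeGuid(record._createdonbehalfby_value);
    if (createdBy === requested && onBehalfBy === actual) {
        return { ok: true, reason: "impersonated" };
    }
    if (createdBy === actual && onBehalfBy === null) {
        // Exactly what the original post observed: attribution is the caller's own.
        return { ok: false, reason: "header-ignored" };
    }
    return { ok: false, reason: "unexpected-attribution" };
}

var TARGET_ID = "10A2E81B-EC44-E411-9401-005056B6433E";    // GUID from the post
var LOGGED_IN_ID = "00000000-0000-0000-0000-0000000000aa"; // constructed sample

// Constructed sample responses (not captured from a real server).
var ignoredRecord = { bi_name: "test4", _createdby_value: LOGGED_IN_ID,
                      _createdonbehalfby_value: null };
var honoredRecord = { bi_name: "test4", _createdby_value: TARGET_ID.toLowerCase(),
                      _createdonbehalfby_value: LOGGED_IN_ID };

console.log(checkImpersonation(ignoredRecord, TARGET_ID, LOGGED_IN_ID).reason);
console.log(checkImpersonation(honoredRecord, TARGET_ID, LOGGED_IN_ID).reason);
```

Calling this in the 201 branch of the request handler turns a silent fallback to the logged-in user into an explicit failure the caller can log or roll back.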
