Hi,
Is there any way to use Xrm.Tooling to do a silent login using only an org URL and not the service URL of a specific service (i.e. the web api or ye olde org service)? There's been talk that the tooling should smoothly transition to the web api for connecting to the CR... eehh.. CE.
I've successfully authenticated to AAD with an application user and a certificate, the thing I'd like to do is to use the Xrm.Tooling for the integration since it's what Microsoft seems to be promoting at the moment. At the same time I don't want to point to a specific service endpoint but rather to the CRM instance since we don't know which endpoint will be here next week.
Is this possible?
Regards
Thanks Matt! Yes, we will be using the .Net ADAL library to generate the JWT token as shown in the previous responses by calling the AcquireTokenAsync method.
It is safe to use this, Yes.
I will see about updating the docs when I have time...
Note: you must hand back a JWT Token that AAD will recognize.
MattB-MSFT
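An added example, not code from the thread or from Microsoft: one way the external auth callback discussed here can hand back an AAD-issued JWT, using certificate credentials and the ADAL 2.x API that the connector ships with. The class name `CertificateAuthHook`, the tenant, the org URL and the `<...>` values are placeholders assumed for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Xrm.Tooling.Connector;

// Hypothetical hook class: the caller, not CrmServiceClient, obtains the bearer token.
public sealed class CertificateAuthHook : IOverrideAuthHookWrapper
{
    private readonly string _authority;
    private readonly ClientAssertionCertificate _credential;
    // One cached result per instance host, so AAD is not called on every request.
    private readonly ConcurrentDictionary<string, AuthenticationResult> _tokens =
        new ConcurrentDictionary<string, AuthenticationResult>();
    public CertificateAuthHook(string authority, string appId, X509Certificate2 cert)
    {
        _authority = authority;
        _credential = new ClientAssertionCertificate(appId, cert);
    }
    // Called by CrmServiceClient whenever it needs an access token for connectedUri.
    public string GetAuthToken(Uri connectedUri)
    {
        if (connectedUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Refusing to request a token for a non-HTTPS endpoint.");
        string resource = connectedUri.GetLeftPart(UriPartial.Authority); // scheme + host only
        AuthenticationResult cached;
        if (_tokens.TryGetValue(resource, out cached) &&
            cached.ExpiresOn > DateTimeOffset.UtcNow.AddMinutes(5))
            return cached.AccessToken;
        var context = new AuthenticationContext(_authority);
        AuthenticationResult fresh = context.AcquireTokenAsync(resource, _credential)
                                            .GetAwaiter().GetResult(); // the hook is synchronous
        _tokens[resource] = fresh;
        return fresh.AccessToken;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, "<CertThumbPrint>", false)[0];
        CrmServiceClient.AuthOverrideHook = new CertificateAuthHook("https://login.microsoftonline.com/contoso.onmicrosoft.com", "<appID>", cert);
        var client = new CrmServiceClient(new Uri("https://contoso.crm.dynamics.com"), true); // instance URL only
        Console.WriteLine(client.IsReady ? "Connected" : client.LastCrmError);
    }
}
```

`AuthOverrideHook` is a static property, so the hook applies to every externally authenticated `CrmServiceClient` in the process; deriving the resource from `connectedUri` keeps tokens scoped to the instance actually being called.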
docs.microsoft.com/.../microsoft.xrm.tooling.connector.crmserviceclient.authoverridehook
The document states Internal Use only. Is it safe to use this approach?
Hi Matt,
Thank you for your quick reply. It would be nice if this will be available, together with the AppId & Client Secret auth. As a side question, I know the goal is to deprecate the SOAP endpoints and use the Web API. How will this impact the CrmServiceClient? Will it be shifted to the REST endpoint or will it be deprecated with the Organization Service? Will we still be able to use it after the SOAP endpoint is removed?
Thanks,
Radu
It is not a “bug”, though there is an issue in the nuget package that allows you to update to the 3.x version of ADAL that we have fixed.
In the spirit of full disclosure
We rely on ADAL assemblies to provide authentication support. ADAL’s policy is that they target various major versions of ADAL at different feature sets. In this case, ADAL 2.x is not compatible at all with ADAL 3.x. ( IE rework several parts of your code to use the new methods and approaches to solving problems )
Given that we support a large number of clients and use these assemblies in our own platform, moving to ADAL 3.x is a fairly large, customer breaking, endeavor that we are trying to determine how to support.
We have resisted creating 2 versions of the SDK, one using 2.x and one using 3.x to this point that differ only in the version of ADAL used, and we have resisted creating our own ‘interpretation layer’ to allow dynamic loading / injection of the ADAL assembly as they differ significantly enough that it could become a maintenance issue.
So short of it is that we support ADAL 2.x, if your project requires 3.x then you should box us into our own appdomain ( because the 2 versions of ADAL are completely incompatible ) and use the External Auth call back to support it.
We will address this in the future, but we do not have anything to say on it just yet.
MattB
Hi Matt,
This seems to work only if you have the Microsoft.IdentityModel.Clients.ActiveDirectory build 2.22.302111727 nuget package installed. If you upgrade that then the CrmServiceClient fails to connect. I tried with build 3.19.8. Is this a known bug?
As a point...
the Xrm.Tooling.Connector natively supports Certificate based Auth.
You don't need to use the externalAuth mode to do it.
Example:
string ConnectionStr = "AuthType=Certificate;url=<url>;thumbprint=<CertThumbPrint>;AppId=<appID>;RequireNewInstance=true;SkipDiscovery=true";
CrmServiceClient cli1 = new CrmServiceClient(ConnectionStr);
If you don't want to use a connection string, you can also do it with a constructor.
CrmServiceClient client = new CrmServiceClient(null, StoreName.My, "<CertThumbPrint>", new Uri("<ServiceURLBase>/XRMServices/2011/Organization.svc"), false, null, "<appID>", null, null);
if (client.IsReady) { ... }
MattB.
Thanks,
Radu
Thanks Matt.
That you're not using the entire URL is actually quite funny :)
/Rickard
We actually do not use the "/XRMServices/2011/Organization.svc" part of the URI :) We generate the actual connection using the given config of the CrmServiceClient and the Schema and SafeDNSHost name of the URL. You should be fine passing just the InstanceURL to it.
Our docs and examples provide the full link as that is what most folks are familiar with.
Right now, CrmServiceClient uses both the OData Endpoint and the SOAP endpoint depending on what it's doing.
MattB
Thanks again Matt. One question though, why do we need to add the "/XRMServices/2011/Organization.svc"-part in the connection? How long will that endpoint be the one that is used, I would feel a bit more at peace if I only had to provide the instance URL.
Regards
Not yet. We are planning to add AppID / Client Secret support in the future... we just have not sorted out how we want to do it yet, frankly, as it's just another form of user acct / pw at the end of the day and certificate auth is much more secure and safer. Also, rollover is innately supported and such.
That said, I would expect us to add support toward the fall for Client Secret login ( No promises though )
MattB.