Active Directory and claims-based authentication
Claims-based authentication provides an industry standard security protocol to authenticate a user on a host computer. Claims-based authentication is a set of WS-* standards describing the use of a Security Assertion Markup Language (SAML) token in either passive mode (when WS-Federation is used with the Dynamics 365 for Customer Engagement web application) or active mode (where WS-Trust in used with Windows Communication Foundation (WCF) clients). This authentication works together with WCF to provide secure user authentication and a communication channel with a Dynamics 365 Server. All Dynamics 365 Customer Engagement (on-premises) edition support claims-based authentication.
Claims-based authentication requires the availability of a security token service (STS) running on a server. An STS server can be based on Active Directory Federation Services (AD FS) V2, or any platform that provides the official STS protocol. More information: TechNet: Configure IFD for Dynamics 365 Customer Engagement (on-premises).
Supported authentication scenarios
Dynamics 365 Customer Engagement (on-premises) support the following authentication scenarios for each deployment type.
| Deployment | Authentication model |
|---|---|
| Dynamics 365 for Customer Engagement (on-premises) | Claims-based or Active Directory authentication |
| Dynamics 365 for Customer Engagement Internet-facing deployment (IFD) | Claims-based or Active Directory authentication |
How claims-based authentication works
A request to authenticate a user is sent from Dynamics 365 for Customer Engagement or a custom application to the STS server. The STS server determines whether the user should be authenticated, and if so, issues a signed and encrypted SAML token that contains user authentication information. The token has a finite life span and may have to be periodically refreshed depending on how long your application is using the token. This is discussed in more detail later in this topic.
How Active Directory authentication works
A request to authenticate a user is sent from Dynamics 365 Customer Engagement (on-premises) or a custom application to Active Directory. The WCF stack manages the authentication process for Organization Service calls from an application, whereas Internet Information Services (IIS) manages authentication for a web application.
Unsupported authentication scenarios
Use of client certificates is not supported. If you configure the Dynamics 365 Customer Engagement website to require IIS client certificates, you will get authentication failures for any applications that were built using the SDK.
For more information about additional unsupported programming methods see Unsupported Customizations.
Authentication classes
The following table lists the primary authentication classes available in the SDK, describes when to use them, and provides links to additional relevant documentation.
| Classes | Usage | Related Documentation |
|---|---|---|
| IServiceConfiguration<TService>, IServiceManagement<TService> | All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*) Best choice for multi-threaded applications |
Authenticate Office 365 Users with Dynamics 365 Customer Engagement Web Services Sample: Authenticate Users with Dynamics 365 Customer Engagement Web Services Improve service channel allocation performance |
| DiscoveryServiceProxy, OrganizationServiceProxy | All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*) | Authentication by Using the Client Proxy Classes Improve service channel allocation performance |
| XRM Tooling classes | All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*) | Build Windows client applications using the XRM tools |
| CrmServiceClient | All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*) | Sample: Simplified connection quick start using Microsoft Dataverse |
* Microsoft Online Services environment
Tip
Depending on your application scenario, the recommended method to authenticate a .NET Framework client application with any deployment of Dynamics 365 Customer Engagement (on-premises) is to use the CrmServiceClient class.
Do not use the ServiceClient class if you are using ADFS for on-premise authentication.
Authentication by using the client proxy classes
One way to authenticate with the Dynamics 365 Customer Engagement (on-premises) web services is by using the OrganizationServiceProxy and DiscoveryServiceProxy classes in the applications that you write. The four-parameter constructor of these classes supports Dynamics 365 for Customer Engagement deployment. These proxy classes automatically handle claims or Active Directory authentication and also manage resource limits on the WCF channel endpoint.
The following code shows how to instantiate the organization service proxy:
using (OrganizationServiceProxy _serviceProxy = new OrganizationServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))
The following code shows how to instantiate the discovery service proxy:
using (DiscoveryServiceProxy _discProxy = new DiscoveryServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))
It is important to properly dispose of the service proxy instance in your application before the application terminates. The using statement makes sure that the service proxy is correctly disposed by automatically calling Dispose on the service proxy when it goes out of scope. However, for improved application performance, it is a best practice to keep the service proxy instance available in your application for the entire application session instead of disposing it and allocating it again somewhere else in the application code when needed. The reason being that creating and authenticating a service channel is an expensive operation (in time). In this case, when you are done with the service proxy instance, you must directly call the Dispose method on the proxy before the application terminates.
The device credentials of the registered computing device are only used when authenticating with Dynamics 365 for Customer Engagement through the Microsoft account identity provider. For sample code that shows how to populate the proxy constructor parameters, see Sample: Access the Discovery Service.
Important
For an on-premises or an Internet-facing deployment (IFD) installation of Dynamics 365 for Customer Engagement, the client proxy classes use claims-based authentication if an STS server is available. Otherwise, Active Directory authentication is used.
If you want to use Dynamics 365 Customer Engagement (on-premises) early-bound entity types in your code, you must add the following line of code after the organization service proxy is instantiated, but before you make web service method calls:
_serviceProxy.EnableProxyTypes()
Important
WCF supports a feature where it can interactively prompt the user for logon credentials when it is necessary. This feature is enabled by setting the SupportInteractive property of the ClientCredentials class. These credentials are used in the userCredentials parameter shown in the previous code snippet.
When making SDK calls to the Dynamics 365 Customer Engagement (on-premises) web services, the ownership of the operation and entity data changes performed by the SDK call can be changed by this WCF feature independent of your code.
Dynamics 365 Customer Engagement (on-premises) handle supplied credentials in web service calls as follows:
- If credentials are not supplied in the web service call, the WCF stack determines which credentials to use. In that case, the
SupportInteractiveproperty value is automatically set tofalse.- If credentials are explicitly supplied by your code, the current
SupportInteractivevalue is passed to the WCF channel factory.SupportInteractiveis set totrueby default unless you explicitly change it. - If
SupportInteractiveis set totrueand the provided credentials fail, a WCF dialog box may be displayed. Any credentials entered by the user into the dialog box will be used instead of those supplied in the web service calls that your application invokes.
- If credentials are explicitly supplied by your code, the current
Handling channel exceptions and faults
Your code should catch the following exceptions and faults. See the C# samples in the developer documentation for a list of additional exceptions to catch:
FaultException <DiscoveryServiceFault>
For more information, see the .NET Framework WCF documentation about how to handle WCF faults and exceptions.
Additional information about the security (SAML) token
The SAML token used during user authentication is described below.
Contents of the SAML token
The XML-based SAML 2.0 token contains an identity that defines one or more claims about a user. This token is passed between an identity provider (STS) server and Dynamics 365 Customer Engagement (on-premises) for claims-based authentication. The claims in the identity have been defined as follows.
| Claim | Use |
|---|---|
| Universal Principal Name (UPN) | Contains the user’s ID in domain\alias format on the target Dynamics 365 Server. |
| Name | If the authenticated user is also a Deployment Administrator in Dynamics 365 Customer Engagement (on-premises), this claim contains the deployment administrator’s ID in domain\alias format on the target Dynamics 365 Server. Windows Identity Foundation maps the Name claim to the Identity.name property. |
| Any other claims | Not used by Dynamics 365 Customer Engagement (on-premises). |
Supported security token types
Dynamics 365 for Customer Engagement support two types of SAML tokens:
Web application - The Dynamics 365 Customer Engagement (on-premises) web application receives a bearer token from STS. This token is missing some required information so a Transport Layer Security (TLS) or Secure Sockets Layer (SSL)-based URL (https://) is used for security protection when you access the WCF endpoint.
SDK - A custom application receives an active token with a proof key that contains the required information.
Lifecycle of the security token
A SecurityToken has a life span identified by its ValidFrom and ValidTo properties. Your application design should consider the possibility that the token could expire, resulting in an ExpiredSecurityTokenException being thrown by the Dynamics 365 Customer Engagement (on-premises) web services when the next message request from your application is processed.
See also
Walkthrough: Register a Dynamics 365 Customer Engagement (on-premises) with Active Directory
Connect with Microsoft Office 365 and Dynamics 365 Customer Engagement (on-premises)
Implement Single Sign-on from an ASPX Webpage or IFRAME
Sample: Authenticate Users with Dynamics 365 Customer Engagement Web Services
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for