Active Directory and claims-based authentication

 

Applies To: Dynamics 365 (online), Dynamics 365 (on-premises), Dynamics CRM 2016, Dynamics CRM Online

Claims-based authentication provides an industry standard security protocol to authenticate a user on a host computer. Claims-based authentication is a set of WS-* standards describing the use of a Security Assertion Markup Language (SAML) token in either passive mode (when WS-Federation is used with the Microsoft Dynamics 365 (online & on-premises) web application) or active mode (where WS-Trust in used with Windows Communication Foundation (WCF) clients). This authentication works together with WCF to provide secure user authentication and a communication channel with a Microsoft Dynamics 365 server. All Microsoft Dynamics 365 editions support claims-based authentication.

Claims-based authentication requires the availability of a security token service (STS) running on a server. An STS server can be based on Active Directory Federation Services (AD FS) V2, or any platform that provides the official STS protocol. For more information, see the following topic in the Dynamics 365 Deployment & Administration documentation: TechNet: Configure IFD for Microsoft Dynamics CRM 2015.

In This Topic

Supported authentication scenarios

Unsupported authentication scenarios

Authentication classes

Authentication by using the client proxy classes

Handling channel exceptions and faults

Additional information about the security (SAML) token

Supported authentication scenarios

Microsoft Dynamics 365 supports the following authentication scenarios for each deployment type.

Deployment

Authentication model

Microsoft Dynamics 365 (online)

Claims-based or Active Directory (through federation) authentication

Microsoft Dynamics 365 on-premises

Claims-based or Active Directory authentication

Microsoft Dynamics 365 Internet-facing deployment (IFD)

Claims-based or Active Directory authentication

How claims-based authentication works

A request to authenticate a user is sent from Microsoft Dynamics 365 or Microsoft Dynamics 365 (online) or a custom application to the STS server. The STS server determines whether the user should be authenticated, and if so, issues a signed and encrypted SAML token that contains user authentication information. The token has a finite life span and may have to be periodically refreshed depending on how long your application is using the token. This is discussed in more detail later in this topic.

How Active Directory authentication works

A request to authenticate a user is sent from Microsoft Dynamics 365 or a custom application to Active Directory. The WCF stack manages the authentication process for Organization Service calls from an application, whereas Internet Information Services (IIS) manages authentication for a web application.

Unsupported authentication scenarios

Use of client certificates is not supported by the Microsoft Dynamics 365 SDK. If you configure the Microsoft Dynamics 365 website to require IIS client certificates, you will get authentication failures for any applications that were built using the SDK.

For more information about additional unsupported programming methods see Unsupported customizations.

Authentication classes

The following table lists the primary authentication classes available in the SDK, describes when to use them, and provides links to additional relevant documentation.

Classes

Usage

Related Documentation

IServiceConfiguration<TService>, IServiceManagement<TService>

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Best choice for multi-threaded applications

Authenticate Office 365 users with Microsoft Dynamics 365 (online) web services

Sample: Authenticate users with Microsoft Dynamics 365 web services

Improve service channel allocation performance

DiscoveryServiceProxy, OrganizationServiceProxy

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Authentication by using the client proxy classes

Sample: Access the Discovery service

Improve service channel allocation performance

CrmConnection Class

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Simplified Connection to Microsoft Dynamics CRM

Sample: Simplified connection quick start using Microsoft Dynamics 365

ServerConnection

All deployment types: on-premises/IFD, online (Microsoft account and Office 365/MOS*)

Use for console test applications and sample code.

Designed to improve usability when running SDK sample code and to demonstrate use of the authentication classes. Contains console output code.

Helper code: ServerConnection class

Sample: Quick start for Microsoft Dynamics 365

*Microsoft Online Services environment

Authentication by using the client proxy classes

One way to authenticate with the Microsoft Dynamics 365 web services is by using the OrganizationServiceProxy and DiscoveryServiceProxy classes in the applications that you write. The four-parameter constructor of these classes supports Microsoft Dynamics 365 (online & on-premises) deployments. These proxy classes automatically handle claims or Active Directory authentication and also manage resource limits on the WCF channel endpoint.

The following code shows how to instantiate the organization service proxy:

using (OrganizationServiceProxy _serviceProxy =    new OrganizationServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))

The following code shows how to instantiate the discovery service proxy:

using (DiscoveryServiceProxy _discProxy =    new DiscoveryServiceProxy(organizationUri, homeRealmUri, userCredentials, deviceCredentials))

It is important to properly dispose of the service proxy instance in your application before the application terminates. The using statement makes sure that the service proxy is correctly disposed by automatically calling Dispose on the service proxy when it goes out of scope. However, for improved application performance, it is a best practice to keep the service proxy instance available in your application for the entire application session instead of disposing it and allocating it again somewhere else in the application code when needed. The reason being that creating and authenticating a service channel is an expensive operation (in time). In this case, when you are done with the service proxy instance, you must directly call the Dispose method on the proxy before the application terminates.

The device credentials of the registered computing device are only used when authenticating with Microsoft Dynamics 365 (online) through the Microsoft account identity provider. For sample code that shows how to populate the proxy constructor parameters, see Sample: Access the Discovery service.

Important

For an on-premises or an Internet-facing deployment (IFD) installation of Microsoft Dynamics 365, the client proxy classes use claims-based authentication if an STS server is available. Otherwise, Active Directory authentication is used.

If you want to use Microsoft Dynamics 365 early-bound entity types in your code, you must add the following line of code after the organization service proxy is instantiated, but before you make web service method calls:

_serviceProxy.EnableProxyTypes()
System_CAPS_security Security Note

WCF supports a feature where it can interactively prompt the user for logon credentials when it is necessary. This feature is enabled by setting the SupportInteractive property of the ClientCredentials class. These credentials are used in the userCredentials parameter shown in the previous code snippet.

When making SDK calls to the Microsoft Dynamics 365 web services, the ownership of the operation and entity data changes performed by the SDK call can be changed by this WCF feature independent of your code.

Microsoft Dynamics 365 handles supplied credentials in web service calls as follows:

  • If credentials are not supplied in the web service call, the WCF stack determines which credentials to use. In that case, the SupportInteractive property value is automatically set to false.

  • If credentials are explicitly supplied by your code, the current SupportInteractive value is passed to the WCF channel factory. SupportInteractive is set to true by default unless you explicitly change it.

  • If SupportInteractive is set to true and the provided credentials fail, a WCF dialog box may be displayed. Any credentials entered by the user into the dialog box will be used instead of those supplied in the web service calls that your application invokes.

Handling channel exceptions and faults

Your code should catch the following exceptions and faults. See the C# samples in the Microsoft Dynamics 365 SDK for a list of additional exceptions to catch:

For more information, see the .NET FrameworkWCF documentation about how to handle WCF faults and exceptions. See Use the sample and helper code for additional sample code.

Additional information about the security (SAML) token

The SAML token used during user authentication is described below.

Contents of the SAML token

The XML-based SAML 2.0 token contains an identity that defines one or more claims about a user. This token is passed between an identity provider (STS) server and Microsoft Dynamics 365 for claims-based authentication. The claims in the identity have been defined as follows.

Claim

Use

Universal Principal Name (UPN)

Contains the user’s ID in domain\alias format on the target Microsoft Dynamics 365 server.

Name

If the authenticated user is also a Deployment Administrator in Microsoft Dynamics 365, this claim contains the deployment administrator’s ID in domain\alias format on the target Microsoft Dynamics 365 server. Windows Identity Foundation maps the Name claim to the Identity.name property.

Any other claims

Not used by Microsoft Dynamics 365.

Supported security token types

Microsoft Dynamics 365 (online & on-premises) support two types of SAML tokens:

  • Web application - The Microsoft Dynamics 365 web application receives a bearer token from STS. This token is missing some required information so a Transport Layer Security (TLS) or Secure Sockets Layer (SSL)-based URL (https://) is used for security protection when you access the WCF endpoint.

  • SDK - A custom application receives an active token with a proof key that contains the required information.

Lifecycle of the security token

A SecurityToken has a life span identified by its ValidFrom and ValidTo properties. Your application design should consider the possibility that the token could expire, resulting in an ExpiredSecurityTokenException being thrown by the Microsoft Dynamics 365 web services when the next message request from your application is processed.

See Also

Walkthrough: Register a Dynamics 365 app with Active Directory
Connect with Microsoft Office 365 and Microsoft Dynamics 365 (online)
Implement single sign-on from an ASPX webpage or IFRAME
Sample: Authenticate users with Microsoft Dynamics 365 web services

Microsoft Dynamics 365

© 2016 Microsoft. All rights reserved. Copyright