Headless Authentication with Dynamics CRM online and External Web App which requires Client Secret

As promised, I am back to my second post on this topic. In my previous post, I showed you on how to generate Authorization token of D365 online from Native Console App using the Client_ID.

https://debajmecrm.com/2018/04/29/headless-authentication-with-dynamics-crm-online-web-api-without-user-login-screen-without-using-adal-part-i/

We did that using simple HttpWebRequest and Response and did not use the ADAL (Active directory authentication library) as well.

Well, let’s dive deep here. Nothing big in my previous topic as the same thing can be done using ADAL and in a clean way as well. Then why use that construct?

We are talking of headless authentication here which means authentication without user intervention. Using ADAL, it was fine to generate the token from a Native console APP using the Client ID. However situations become complex when we try to do the same from an external Web Application which required the Client_Secret as well for generating the token.

So I created a ASP.NET web application and registered in Azure. I got the client id and client secret after registering the Web App. How to do that? Well you have many wonderful blogs out there and I am not going to repeat the same.

Now comes the code part. Below is the code for the same. Look at highlighted line to check how I am passing the client id and client secret

My CRM URL is – https://xrm4u1.crm.dynamics.com

 

public string GetCRMToken()
{

var azureTenantId= “xrm4u1.onmicrosoft.com”;
var clientId = “<client id of the Web app after registering in azure>”;

var clientSecret = “<client secret of the Web App after registering in azure>”;
var requestUrl = string.Format(@”
https://login.microsoftonline.com/{0}/oauth2/token”,
azureTenantId);

var url = “https://xrm4u1.crm.dynamics.com”;
            var userName = “<username>”;
var password = “<password>”;

            // Connect to the authentication server

            var request = (HttpWebRequest)WebRequest.Create(requestUrl);
request.Method = “POST”;

            using (var reqStream = request.GetRequestStream())
{
var postData = string.Format(@”client_id={0}&client_secret={1}&resource={2}&username={3}&password={4}&grant_type=password”,
clientId, clientSecret,url, userName, password);

var postBytes = Encoding.ASCII.GetBytes(postData);
reqStream.Write(postBytes, 0, postBytes.Length);
reqStream.Close();
}

            var accessToken = default(string);
using (var response = (HttpWebResponse)request.GetResponse())
{

var stream= response.GetResponseStream();
if (stream!= null)
{
var reader = new StreamReader(stream);
var json = reader.ReadToEnd();

              // Here I am using Newtonsoft.json

                    var dict = JsonConvert.DeserializeObject<Dictionary<string, object>>(json);
accessToken = (string)dict[“access_token”];

                }
}

            return accessToken;

        }

And delight is when you get the access token back. Now with the access token in your hand, you have the trump card. You can query Web API and what not.

Great isn’t it? To be honest with my readers, after this method without using ADAL worked out in my previous post, I just tried out sending the client secret in exactly the same way and it worked like a charm. Serendipity you can say!

Hope this helps.

Debajit Dutta

(Dynamics MVP)

For corporate training/ consulting please write to us at info@xrmforyou.com

Advertisements

Headless Authentication with Dynamics CRM online Web API – Without using ADAL {Part-I}

Well this topic has been discussed again over multiple times. And I myself has written a blog on how to do a headless authentication (without user intervention) between Dynamics CRM Online Web API and Native APP (console APP) – https://debajmecrm.com/2016/06/21/dynamics-crm-web-api-login-authentication-screen/

If you go through the above post, I have used ADAL (active directory authentication library) to query the authorization token and then use the authorization token to query the Dynamics CRM Web API. However there is a catch to this.

This headless authentication was only possible with Native APPs (console APPs) since they just required Client ID’s and does not require the Client Secret to actually generate the token. And hence I was not able to use this method to get the token from a Web Application which would require the Client_Secret.

And while I was doing a training session on this recently, I was asked the question. Is there really no way? Is ADAL absolutely necessary?

Well that sparked me. I decided to spend some time and dig deep. I tried to extend the AcquireToken method of ADAL but to no use. A lot of digging and finally came up with this.

This is Part-I of this blog. Here I will first show you how to get the token from D365 online from a Native App like C# console APP. In the next blog I will show you how we can extend this to use for client_secret as well.

My CRM URL – https://xrm4u1.crm.dynamics.com

I am not going into detail on how to register an APP in azure and give it access to Dynamics CRM. There are so many wonderful blogs which explains in detail. Below is the code to just obtain the token with using any external libraries (ADAL or anything)

public string GetCRMToken()
{

var azureTenantId= “xrm4u1.onmicrosoft.com”;
var clientId = “<client id of the console app after registering in azure>”;
var requestUrl = string.Format(@”
https://login.microsoftonline.com/{0}/oauth2/token”,
azureTenantId);

var url = “https://xrm4u1.crm.dynamics.com”;
            var userName = “<username>”;
var password = “<password>”;

            // Connect to the authentication server

            var request = (HttpWebRequest)WebRequest.Create(requestUrl);
request.Method = “POST”;


            using (var reqStream = request.GetRequestStream())
{
var postData = string.Format(@”client_id={0}&resource={1}&username={2}&password={3}&grant_type=password”,
clientId, url, userName, password);
var postBytes = Encoding.ASCII.GetBytes(postData);
reqStream.Write(postBytes, 0, postBytes.Length);
reqStream.Close();
}

 

            var accessToken = default(string);
using (var response = (HttpWebResponse)request.GetResponse())
{

var stream= response.GetResponseStream();
if (stream!= null)
{
var reader = new StreamReader(stream);
var json = reader.ReadToEnd();

              // Here I am using Newtonsoft.json

 

                    var dict = JsonConvert.DeserializeObject<Dictionary<string, object>>(json);
accessToken = (string)dict[“access_token”];

                  

                }
}

            return accessToken;

        }

 

Smooth isn’t it? No reference to ADAL. Just simple HttpWebRequest and response.

Hope you liked this.

In the next blog I will show you how to extend this to even include client secret and get the token even from a Web application, which so many has been longing for sometime now.

 

Debajit Dutta

(Dynamics MVP)

For corporate training/ consulting please write to us at info@xrmforyou.com

{Quick Tip} Certificate disappearing in IIS of CRM server even after successful import.

Before I proceed with the post. let me clear this out. There is nothing special about IIS server where CRM is installed. It applies to all IIS servers. However being a devotee of Dynamics for quite sometime now, can’t write any post without tagging CRM to it. Smile

So here I was working for a client with on-premise 2016 version. And their certificate is about to expire. They needed to generate a CSR for a SAN Certificate as wildcard certificates are not allowed by most of company policies.

So they used Open SSL to generate the CSR. For reader’s who might be interested in knowing how to generate SAN Certificate using Open SSL, https://geekflare.com/san-ssl-certificate/ provides a good example. And they got the certificate back from the Network team.

Now the D-day. They imported the certificate in Personal store and  also imported the certificate in IIS using ‘Complete Certificate Request’ option. All set and good.

But the moment they try to bind the certificate to dynamics CRM site, they could not find the certificate. Repeated this process. However the same behavior every time.

A bit of research and this is what comes up – “Certificate without private Key Information in it, cannot be binded to a IIS website.”

But how to do it?

When you generate a CSR request using Open SSL, the private key is output to a file. Usually the name is “Private.Key”, unless you specified something else.

So you have the private key and the certificate separately. But how to bind the certificate with the Private key?

Follow the below steps

  • Copy the Private Key file and the certificate to the Open SSL bin folder. Usually is it C:\OpenSSL-Win64 for 64 bit machines and C:\OpenSSL-Win32 for 32 bit machines
  • Open command prompt as administrator and navigate to the bin folder in the command prompt.
  • Run the below command

openssl pkcs12 -export -out certificate.pfx –inkey private.key -in certificate.crt –certfile

Here Certificate.pfx in the output certificate with the private key information and certificate.crt is the certificate you received from Network team.

Once the command completed successfully, you should be able to view Certificate.pfx in the bin folder.

Now all set and done. You will now just need to import this certificate to the IIS. But remember to use the “Import” option in the certificate window.

image

 

A rather off topic but hope it makes an interesting read.

 

Debajit Dutta

(Business Solutions MVP)

For corportate training/ consulting, please drop a note to info@xrmforyou.com or visit our website – www.xrmforyou.com

{Quick Tip} Why is my workflow not showing up in Workflow Profiler in Plugin Registration Tool

Recently I was conducting a training where I was demoing on how to debug a Custom Workflow activity step using the profiler in plugin registration tool. So here I was explaining to them to first click on “Profile Workflow” button on the plugin registration tool. For starters, here it is in the screenshot below

image

image

And as I said – “Select your workflow”, I suddenly see a hand raised informing me that he is not able to view the workflow created by him.

Verified with all other’s and they are able to see the their respective workflows.

I just thought – “Must be some silly error.” But I was soon to be proved wrong.

Situations like this could be tough when asked all of a sudden. But my memory didn’t reach came to my rescue this time. I realized that while playing with the workflow, he has changed the owner of the workflow to someone else. And hence the workflow is not showing up in the workflow profiler.

So remember, if you are profiling a workflow, make sure the user with whom you have logged in to Plugin Registration Tool and the the owner of the workflow, should be the same person. Otherwise the workflow won’t simply appear in the ‘Profile Workflow’ list.

Hope this helps and saves you some time before you waste couple of hours in this.

 

-Debajit Dutta (Dynamics MVP)

For corporate training/ consulting, visit www.xrmforyou.com or write to us at info@xrmforyou.com