5 votes

I would like to build a simple web site where a customer can place orders and view products. This data is in my Microsoft Dynamics CRM 2011 environment.

This data is customer-specific, so I need information about the user who is logged in. User credentials are stored in CRM 2011. With these credentials users may log in to this new custom website. They should not have access to the CRM environment itself.

How should I set up authentication for this web site? Can I just query the user information in CRM 2011, should I set up an ADFS application, or something else?

2
Is the CRM on-line or on-premise? What do you mean by the user being prohibited from logging into CRM? How are they supposed to authorize themselves to get the data? – Konrad Viltersten

The CRM is on-premise. I mean that the users should only be allowed to log in to the custom website that I would like to build, not to the CRM 2011 application itself. – Richard Mosselveld

Will the site keep secret credentials to get to the CRM server? Or will it reside on the same machine and use the default Windows credentials? One way or the other, you'll have to specify the access rights for the web server in a different manner than for the users? – Konrad Viltersten

Well, actually, that was my question. What is the best practice for this? Should I keep secret credentials or should I use impersonation, for example? I don't know what is possible, because I am quite new to CRM 2011. It will be just a simple website for just 10 to 100 users. – Richard Mosselveld

You need to be clear what you mean by a "User" here. If the "users" of the portal / web site are employees then you need licences and they will need to authenticate to AD / ADFS. If the "users" are in fact "customers" (e.g. Contacts in CRM) then you need to use a single Connector licence rather than pay for a user licence for each one, and use whatever authentication mechanism makes sense to you. Have a look at the free Customer Portal accelerator from MS for a starting point, ideas etc. – AdamV

2 Answers

5 votes

We just implemented something similar for a client of mine. We had around 5000 users that needed to be able to view and edit CRM data, but we didn't want to pay for the full CRM user licenses since the data they needed to update / view was rather small. All of the users were already in Active Directory, so we purchased Employee Self Service Client Access License (ESS CAL) licenses for each of the users. This type of user license doesn't have access to the CRM UI, so they could never actually log into CRM itself.

We used AD authentication on the website, with an app pool user that was a CRM super user account. On the initial load of the user's session, we grabbed the username from the context, and looked up the SystemUserId of the user in CRM, then used impersonation with the Service Proxy to only access and update the data that the user was allowed to. It worked really well.
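
The lookup-then-impersonate pattern described in this answer, written out as an added example (this is not the answerer's code). It assumes the site uses Windows authentication in IIS, that the app pool identity is a CRM user with broad read rights plus the "Act on Behalf of Another User" privilege (CRM requires that privilege on the impersonating account), and that the organization service URL below is a placeholder for your own on-premise deployment. The security-relevant detail is the fail-closed lookup: if the visitor does not map to exactly one enabled `systemuser`, the portal refuses to create a proxy rather than silently continuing with the super user's rights.

```csharp
using System;
using System.Net;
using System.ServiceModel.Description;
using System.Web;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Client;
using Microsoft.Xrm.Sdk.Query;

// Added example: maps the Windows-authenticated visitor to a CRM systemuser and
// impersonates that user via OrganizationServiceProxy.CallerId, so CRM applies the
// visitor's own security roles to every request made through the proxy.
public static class CrmPortalService
{
    // Hypothetical on-premise Organization.svc endpoint; replace with your own.
    private static readonly Uri OrgServiceUri =
        new Uri("http://crmserver/OrgName/XRMServices/2011/Organization.svc");

    // Returns a proxy that authenticates as the app pool account but acts as the
    // logged-in visitor. Throws instead of falling back to the service account.
    public static OrganizationServiceProxy CreateProxyForCurrentUser()
    {
        // With Windows authentication this is "DOMAIN\user", which is the same
        // form CRM stores in systemuser.domainname.
        string domainName = HttpContext.Current.User.Identity.Name;
        if (string.IsNullOrEmpty(domainName))
            throw new UnauthorizedAccessException("Visitor is not authenticated.");

        // The app pool identity is the high-privilege account; it needs the
        // "Act on Behalf of Another User" privilege for CallerId to be honoured.
        var credentials = new ClientCredentials();
        credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        var proxy = new OrganizationServiceProxy(OrgServiceUri, null, credentials, null);

        proxy.CallerId = LookupSystemUserId(proxy, domainName);
        return proxy;
    }

    // Resolves the visitor's SystemUserId by domainname. Fails closed when the
    // account is missing, disabled, or ambiguous.
    public static Guid LookupSystemUserId(IOrganizationService service, string domainName)
    {
        var query = new QueryExpression("systemuser")
        {
            ColumnSet = new ColumnSet("systemuserid"),
        };
        query.Criteria.AddCondition("domainname", ConditionOperator.Equal, domainName);
        query.Criteria.AddCondition("isdisabled", ConditionOperator.Equal, false);

        EntityCollection results = service.RetrieveMultiple(query);
        if (results.Entities.Count != 1)
            throw new UnauthorizedAccessException(
                "No single enabled CRM user matches " + domainName + "; refusing to impersonate.");

        return results.Entities[0].Id;
    }

    // Example use: orders are retrieved as the visitor, so records the visitor's
    // roles do not grant access to are never returned by CRM in the first place.
    public static EntityCollection GetOrdersForCurrentUser()
    {
        using (OrganizationServiceProxy service = CreateProxyForCurrentUser())
        {
            var orders = new QueryExpression("salesorder")
            {
                ColumnSet = new ColumnSet("name", "totalamount", "createdon"),
            };
            return service.RetrieveMultiple(orders);
        }
    }
}
```

Resolve the caller once per session and cache the resulting `Guid` rather than the proxy; `OrganizationServiceProxy` is not safe to share across requests. Keep the super user credentials out of application code: binding the proxy to the app pool identity, as above, means the only place the high-privilege account is configured is IIS.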

1 vote

One approach would be to create a set of system users (potentially, a single one might suffice) with access rights to the information that a certain set of web site users are supposed to have accessible.

Then, on your server hosting the web application, you could assign a role to each of the logged in visitors (that way, a certain system user instance in CRM will correspond to a role for a set of your visitors).

The login procedure against the web site is really up to you. The connection between the application and the CRM servers is, I believe, most securely set if you keep them on the same physical machine, if that works for your particular set up.