Microsoft Dynamics CRM Team Blog: Trust for Delegation in List Web Part for Microsoft Dynamics CRM 4.0
This article covers Trust for Delegation issues encountered in on-premise installations of Microsoft Dynamics CRM 4.0 (MS CRM) when the CRM server and the SharePoint Server are on different physical machines. If you have the List Web Part (LWP) deployed for the IFD version of MS CRM, or if Microsoft Dynamics CRM and SharePoint Server are both on the same machine, your deployment is not affected by the Trust for Delegation issue.
In scenarios where MS CRM on-premise and SharePoint are set up on separate machines, Microsoft Dynamics users of the LWP face issues during authentication. If the SharePoint Server is not set up for Trust for Delegation, the user's Active Directory credentials are not passed to the MS CRM server. The LWP deployed on SharePoint does not receive the CRM authentication ticket from SharePoint and displays the sign-on form used with an IFD installation. The screen below shows the configuration pane of the LWP and the sign-on form. This form appears when Trust for Delegation (also known as Double-Hop impersonation) is not present.
Figure 1 : IFD login from configuration pane
What is the Double Hop issue?
When the SharePoint Server and the MS CRM server are on different machines, the first hop is from the LWP user's IE browser to the SharePoint server, and the second hop is from the SharePoint server to the MS CRM server. Windows credentials cannot be passed on the second hop, for security reasons. To enable the SharePoint Server to pass the user's credentials, the SharePoint server must be configured for Trust for Delegation.
Setting up 'Trust for Delegation'
To make it easier to understand the configuration settings, consider the following topology:
Figure 2: Independent CRM and SharePoint Server topology
1. First, configure IIS and IE for delegation using the steps in the following KB article: http://support.microsoft.com/default...b;en-us;810572
Note: To perform the remaining steps, the user must be a member of the Domain Administrators group or the Enterprise Administrators group in Active Directory, or must have been delegated the appropriate authority.
As a security best practice, consider using Run as to perform this procedure.
2. Click Start >> Control Panel >> Administrative Tools >> Active Directory Users and Computers.
3. In the console tree, click Computers.
4. In the details pane, right-click the computer you want to trust for delegation and then click Properties. In our case it is the Windows SharePoint Services 3.0 server or MOSS 2007 server (machine #4 in figure 2).
5. On the Delegation tab, click Trust this computer for delegation to specified services only.
Figure 3 : Trust for delegation to specific service
6. Depending upon the IIS authentication type in WSS/MOSS Web application, do one of the following:
8. In Enter the object names to select (examples), type the name of the computer to which this computer will be trusted to delegate, for example the Dynamics CRM 4.0 computer (server no. 3 in figure 2), and then click OK.
Figure 4 : Select User and Computers
If the machine name does not resolve, click Advanced.
Figure 5 : Select User and Computers using advanced dialog
9. In Add Services, click the Http service that will be trusted for delegation and click OK.
Figure 6 : Set trust for specified service
The following steps are necessary if you want to use Kerberos in WSS/MOSS.
10. In the SharePoint Central Administration site, under Application Management, select Authentication Providers.
11. In Authentication Providers, select the Windows Membership Provider from the default zone and check IIS Authentication Settings.
a. The Integrated Windows authentication check box should be selected.
Figure 7 : SharePoint Central Admin - Edit Authentication
You should now be able to log in to the List Web Part and view the configuration page.
Figure 8 : Successful Login in List Web Part
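To check what the Delegation tab actually wrote to Active Directory, the following added example (not part of the original post) classifies a computer account from its userAccountControl flags and its msDS-AllowedToDelegateTo list, and reports whether the account delegates only to the http service on the CRM server. The function name Test-DelegationConfig, the computer names and the contoso.local domain are constructed for illustration; the attribute names and flag values are the standard Active Directory ones.

```powershell
# Added example. Computer and host names are constructed placeholders.
$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl: delegation to any service (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: "Use any authentication protocol"

function Test-DelegationConfig {             # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Computer,                # needs Name, userAccountControl, msDS-AllowedToDelegateTo
        [Parameter(Mandatory)] [string[]] $CrmHostNames  # short name and FQDN of the CRM server
    )
    $uac    = [int]$Computer.userAccountControl
    $spns   = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })   # drop empty values
    $wanted = @($CrmHostNames | ForEach-Object { "http/$_" })
    $other  = @($spns | Where-Object { $wanted -notcontains $_ })            # targets besides CRM http
    $hasCrm = $spns.Count -gt $other.Count

    if     ($uac -band $TRUSTED_FOR_DELEGATION)         { $mode = 'Unconstrained' }
    elseif ($spns.Count -eq 0)                          { $mode = 'None' }
    elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { $mode = 'Constrained, any protocol' }
    else                                                { $mode = 'Constrained, Kerberos only' }

    $finding = switch -Wildcard ($mode) {
        'Unconstrained' { 'Delegates to any service; wider than the step 5 setting' }
        'None'          { 'No delegation set; credentials will not reach CRM' }
        'Constrained*'  {
            if (-not $hasCrm)     { 'http SPN for the CRM server is missing' }
            elseif ($other.Count) { 'Extra delegation targets to review' }
            else                  { 'Matches the procedure' }
        }
    }
    [pscustomobject]@{ Name = $Computer.Name; Mode = $mode; Finding = $finding; OtherTargets = $other -join ', ' }
}

# Constructed sample records, shaped like the output of:
#   Get-ADComputer <name> -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$samples = @(
    [pscustomobject]@{ Name = 'SP-WSS01'; userAccountControl = 0x1000
                       'msDS-AllowedToDelegateTo' = 'http/crm01', 'http/crm01.contoso.local' }
    [pscustomobject]@{ Name = 'SP-WSS02'; userAccountControl = 0x81000
                       'msDS-AllowedToDelegateTo' = $null }
    [pscustomobject]@{ Name = 'SP-WSS03'; userAccountControl = 0x1001000
                       'msDS-AllowedToDelegateTo' = 'http/crm01', 'cifs/files01' }
)
$samples | ForEach-Object {
    Test-DelegationConfig -Computer $_ -CrmHostNames 'crm01', 'crm01.contoso.local'
} | Format-Table -AutoSize
```

Against a live domain, pass the object returned by Get-ADComputer (ActiveDirectory module) instead of the sample records.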