
Trust for Delegation in List Web Part for Microsoft Dynamics CRM 4.0

This article pertains to Trust for Delegation issues encountered in on-premise installations of Microsoft Dynamics CRM 4.0 (MS CRM) when the CRM server and the SharePoint Server are on different physical machines. If you have the List Web Part (LWP) deployed against an IFD installation of MS CRM, or Microsoft Dynamics CRM and SharePoint Server are on the same machine, your deployment is not affected by the trust for delegation issue.

In scenarios where MS CRM on-premise and SharePoint are set up on separate machines, LWP users face issues during authentication. If the SharePoint Server is not set up for Trust for Delegation, the user’s Active Directory credentials are not passed on to the MS CRM server. The LWP deployed on SharePoint does not receive the CRM authentication ticket and instead displays the sign-on form used with an IFD installation. The screen below shows the configuration pane of the LWP and the sign-on form. This form appears when Trust for Delegation (also known as double-hop impersonation) is not configured.


Figure 1 : IFD login from configuration pane

What is the Double Hop issue?

In situations where the SharePoint Server and the MS CRM server are on different machines, the first hop is from the LWP user’s IE browser to the SharePoint server, and the second hop is from the SharePoint server to the MS CRM server. By default, Windows does not forward the user’s credentials on the second hop: the SharePoint server can authenticate the user, but it cannot act on the user’s behalf towards another server. To enable the SharePoint Server to pass the user’s identity on, the SharePoint server must be configured for Trust for Delegation.

Setting up ‘Trust for Delegation’

To make it easier to understand the configuration settings, consider the following topology:

  • Machine #1 Active Directory
  • Machine #2 SQL Server
  • Machine #3 Microsoft Dynamics CRM 4.0 Server
  • Machine #4 Windows SharePoint Services 3.0/Microsoft Office SharePoint Server 2007
  • Machine #5 User accessing SP using IE


Figure 2: Independent CRM and SharePoint Server topology

1. First, configure IIS and IE for delegation using the steps in the following KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Note: To perform the remaining steps, the user must be a member of the Domain Administrators group or the Enterprise Administrators group in Active Directory, or must have been delegated the appropriate authority.

As a security best practice, consider using Run as to perform this procedure.

2. Click Start >> Control Panel >> Administrative Tools >> Active Directory Users and Computers.

3. In the console tree, click Computers.

4. In the details pane, right-click the computer you want to trust for delegation, and then click Properties. In our case this is the Windows SharePoint Services 3.0 server or MOSS 2007 server (machine #4 in figure 2).

5. On the Delegation tab, click Trust this computer for delegation to specified services only.


Figure 3 : Trust for delegation to specific service

6. Depending on the IIS authentication type of the WSS/MOSS web application, do one of the following:

  • If the IIS authentication type is NTLM, click Use any authentication protocol.
  • If the IIS authentication setting is Integrated Windows authentication with Negotiate (Kerberos), click Use Kerberos only (see figure 7).

7. Click Add and, in Add Services, click Users and Computers.

8. In Enter the object names to select (examples), type the name of the computer that the SharePoint computer will be trusted to delegate to, for example the Dynamics CRM 4.0 computer (server #3 in figure 2), and then click OK.


Figure 4 : Select User and Computers

If the machine name does not resolve, click Advanced:

  • After the Select Users or Computers dialog opens, click Find Now.
  • Select the CRM server computer from the list, and then click OK. The CRM server machine name now appears in the Select Users or Computers dialog; click OK.


Figure 5 : Select User and Computers using advanced dialog

9. In Add Services, click the Http service that will be trusted for delegation and click OK.


Figure 6 : Set trust for specified service

Notes

  • If you cannot see the Delegation tab shown in Figure 3, do one or both of the following:
    • Register a Service Principal Name (SPN) for the computer account using the Setspn utility from the Support Tools on your Windows Server CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account, which typically does not.
    • Raise the functional level of your domain to Windows Server 2003.
  • Constrained delegation (delegation of authentication for only specified services) can only be enabled on a member of the Windows Server 2003 family.
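As an added example (not from the original article and not Microsoft's own tooling), the following PowerShell checks from the command line what steps 4 to 9 and the Notes above configure through the GUI: the HTTP SPN on the CRM server, the list of services the SharePoint computer account may delegate to, and which of the two step 6 options is in effect. It assumes the ActiveDirectory PowerShell module is available where it runs and uses placeholder host names.

```powershell
# Added example, not from the original article: verify from the command line
# what steps 4-9 and the Notes configure in the GUI.
# Assumptions: the ActiveDirectory PowerShell module is installed on the
# machine you run this from; the host names are placeholders to replace.
Import-Module ActiveDirectory

$SharePointHost = 'SPSERVER'                  # machine #4 in figure 2 (placeholder)
$CrmHost        = 'CRMSERVER'                 # machine #3 in figure 2 (placeholder)
$CrmHostFqdn    = 'crmserver.example.local'   # placeholder FQDN

# 1. The CRM web site needs an HTTP SPN, otherwise the Delegation tab has
#    nothing to delegate to (see the Notes). If the CRM application pool runs
#    as Network Service the SPN belongs on the computer account, as checked
#    here; with a domain service account it belongs on that account instead.
$crmAcct  = Get-ADComputer -Identity $CrmHost -Properties servicePrincipalName
$httpSpns = @($crmAcct.servicePrincipalName | Where-Object { $_ -like 'HTTP/*' })
if ($httpSpns.Count -eq 0) {
    Write-Warning "No HTTP SPN on $CrmHost. Register one, e.g.:"
    Write-Warning "  setspn -A HTTP/$CrmHost $CrmHost"
    Write-Warning "  setspn -A HTTP/$CrmHostFqdn $CrmHost"
} else {
    "HTTP SPNs on ${CrmHost}: $($httpSpns -join ', ')"
}

# 2. Step 9 writes the chosen service into msDS-AllowedToDelegateTo on the
#    SharePoint computer account. TrustedForDelegation set means step 5 was
#    done with 'any service' (unconstrained) instead of 'specified services'.
$sp = Get-ADComputer -Identity $SharePointHost `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
$allowed = @($sp.'msDS-AllowedToDelegateTo')
if ($sp.TrustedForDelegation) {
    Write-Warning "$SharePointHost is trusted for delegation to ANY service; redo step 5 with 'specified services only'."
}
if (($allowed -notcontains "HTTP/$CrmHost") -and ($allowed -notcontains "HTTP/$CrmHostFqdn")) {
    Write-Warning "HTTP/$CrmHost is not in msDS-AllowedToDelegateTo on $SharePointHost; repeat steps 7-9."
} else {
    "$SharePointHost may delegate to: $($allowed -join ', ')"
}

# 3. 'Use any authentication protocol' (step 6, NTLM case) sets
#    TrustedToAuthForDelegation: SharePoint may then request Kerberos tickets
#    for users who never authenticated with Kerberos. Once the web application
#    uses Negotiate (Kerberos) per steps 10-11, 'Use Kerberos only' suffices.
if ($sp.TrustedToAuthForDelegation) {
    Write-Warning "$SharePointHost uses 'Use any authentication protocol'; prefer 'Use Kerberos only' once Kerberos is enabled in WSS/MOSS."
}
```

Run it after completing step 9 and again after steps 10 and 11; the third check should then produce no warning.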

The following steps are necessary if you want to use Kerberos in WSS/MOSS.

10. In the SharePoint Central Administration site, under Application Management, select Authentication Providers.

11. In Authentication Providers, select the Windows membership provider for the Default zone and check the IIS Authentication Settings:

a. The Integrated Windows authentication check box should be selected.

b. Select the Negotiate (Kerberos) option.


Figure 7 : SharePoint Central Admin – Edit Authentication

You should now be able to log in to the List Web Part and view the configuration page.


Figure 8 : Successful Login in List Web Part

Cheers,

Suraj Supekar
