473,322 Members | 1,314 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

Problerms with iFrames and user identity

WT
Hi,

Working on MS CRM 3, I have created an aspx page using vs2005 and .NET 2.
I am faced with a problem concerning the identity of the running user.
More details:

The CRM application which creates the iFrame is on the same server as the
called aspx page.
CRM is running .NET 1.1, my page .NET 2
They run under IIS6 in différent web sites, different application pools.
The 2 sites are using windows authentication.
the aspx web site listen on port 55505, and the CRM is on default port 80 .

My problem is : the user authenticated in CRM is the connected user, but in
my aspx page instanciated in the iFrame, it is NETWORK SERVICES user, same
as the account used to run the app pool.
and that account has no rights in CRM.

I ask this on this forum because it seems to be a .NET 2 problem, is there
any way to have the same account running CRM and the application called in
the eframe ?

Thanks for help
CS
Mar 8 '06 #1
7 5386
in the web.config, set <identity impersonate="true">, and turn off anonymous
on your website.

-- bruce (sqlwork.com)

"WT" <WT@newsgroups.nospam> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
Hi,

Working on MS CRM 3, I have created an aspx page using vs2005 and .NET 2.
I am faced with a problem concerning the identity of the running user.
More details:

The CRM application which creates the iFrame is on the same server as the
called aspx page.
CRM is running .NET 1.1, my page .NET 2
They run under IIS6 in différent web sites, different application pools.
The 2 sites are using windows authentication.
the aspx web site listen on port 55505, and the CRM is on default port 80
.

My problem is : the user authenticated in CRM is the connected user, but
in my aspx page instanciated in the iFrame, it is NETWORK SERVICES user,
same as the account used to run the app pool.
and that account has no rights in CRM.

I ask this on this forum because it seems to be a .NET 2 problem, is there
any way to have the same account running CRM and the application called in
the eframe ?

Thanks for help
CS

Mar 8 '06 #2
WT
Thanks Bruce, but I don't want to impersonate, I simply want to use windows
authentication, i.e. to have the connected user as identity.

CS
"Bruce Barker" <br******************@safeco.com> a écrit dans le message de
news: OZ**************@TK2MSFTNGP12.phx.gbl...
in the web.config, set <identity impersonate="true">, and turn off
anonymous on your website.

-- bruce (sqlwork.com)

"WT" <WT@newsgroups.nospam> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
Hi,

Working on MS CRM 3, I have created an aspx page using vs2005 and .NET 2.
I am faced with a problem concerning the identity of the running user.
More details:

The CRM application which creates the iFrame is on the same server as the
called aspx page.
CRM is running .NET 1.1, my page .NET 2
They run under IIS6 in différent web sites, different application pools.
The 2 sites are using windows authentication.
the aspx web site listen on port 55505, and the CRM is on default port 80
.

My problem is : the user authenticated in CRM is the connected user, but
in my aspx page instanciated in the iFrame, it is NETWORK SERVICES user,
same as the account used to run the app pool.
and that account has no rights in CRM.

I ask this on this forum because it seems to be a .NET 2 problem, is
there any way to have the same account running CRM and the application
called in the eframe ?

Thanks for help
CS


Mar 8 '06 #3
Hi WT,

We can get the client authenticated user's windows identity without
impersonate. Make sure your ASP.NET application's virtual directory is
configured as integrated windows authentication and disable anonymous
access. Also, the ASP.NET applicaiton is using "Windows" authentication,
then in the application's code, we can use HttpContext.Current.User to
access the client authenticated user's principal. Since the iframe page
should be requested by the same client as the container page, your
application should have the same client user identity with the CRM web
application. BTW, without impersonate, we can not access any protected
resource through the identity on the webserver.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)






Mar 9 '06 #4
WT
Hi Steven,

Thanks for help.

I have checked again all your elements and and my code, they are conform.
ASP.NET application uses Windows authentication from web.config
Web Site is configured as integrated windows authentication and anonymous
access is disabled
As I am logged with my account (not administrator), the application code
HttpContext user's Principal is SYSTEM and is authenticated with no
impersonation level.
When I use the CRM call to identify user (WhoAmI) I get SYSTEM NETWORK
account which is the account running the app pool using by default .ASP.NET
2.

Same code not called from CRM iFrame gives normal results with my account
and not SYSTEM NETWORK.

???
To day I will build a small app with an iframe to simulate CRM.

CS

"Steven Cheng[MSFT]" <st*****@online.microsoft.com> a écrit dans le message
de news: $u**************@TK2MSFTNGXA03.phx.gbl...
Hi WT,

We can get the client authenticated user's windows identity without
impersonate. Make sure your ASP.NET application's virtual directory is
configured as integrated windows authentication and disable anonymous
access. Also, the ASP.NET applicaiton is using "Windows" authentication,
then in the application's code, we can use HttpContext.Current.User to
access the client authenticated user's principal. Since the iframe page
should be requested by the same client as the container page, your
application should have the same client user identity with the CRM web
application. BTW, without impersonate, we can not access any protected
resource through the identity on the webserver.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)





Mar 9 '06 #5
Thanks for the quick response CS,

Seems strange. Anyway, you can get the username from the raw IIS Server
Variables, if this also shows "NetworkService", then the request does be
requested from the NetworkService account context. And if so, there should
exists some customization in the CRM server page's code.

#IIS Server Variables
http://msdn.microsoft.com/library/en...4ed-4059-8e21-
6cba2c253006.asp?frame=true

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Mar 9 '06 #6
WT
Hello Steven,

Many thanks, your answer make me find the solution, here is an extract of my
post on MS CRM dev forum

After hours of testing I dicovered that the information in sdk for v3 is not
complete.

It is said that, to gain access to the Guid of the user, we should call
WhoAmI with the
System.Net.CredentialCache.DefaultCredentials

this is Ok when your application is running directly under IE6, but when the
same application is called from an iFrame defined in a custom entity form,
this object doesn't contain the credentials for the running user but
credentials for the user running the application pool of the web site, often
NETWORK SERVICES.

So, if you write code for iframes, don't try to call whoAmI, if you do so
you don't get your real user id and will have troubles with next webservices
calls.

MS should provide a call to get correct credentials when under CRM iFrame,
as is is the prefered method to customize, these credential could be derived
from request identity that seems to be correct.

May be a bug from DefaultCredentials, or another call must be used.
CS


"Steven Cheng[MSFT]" <st*****@online.microsoft.com> a écrit dans le message
de news: $u**************@TK2MSFTNGXA03.phx.gbl...
Hi WT,

We can get the client authenticated user's windows identity without
impersonate. Make sure your ASP.NET application's virtual directory is
configured as integrated windows authentication and disable anonymous
access. Also, the ASP.NET applicaiton is using "Windows" authentication,
then in the application's code, we can use HttpContext.Current.User to
access the client authenticated user's principal. Since the iframe page
should be requested by the same client as the container page, your
application should have the same client user identity with the CRM web
application. BTW, without impersonate, we can not access any protected
resource through the identity on the webserver.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)





Mar 10 '06 #7
Thanks for your followup.

Glad that you've found the solution. When you meet any further problem need
our help, please feel free to post here.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Mar 13 '06 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

5
by: Frances | last post by:
I need to replace iframes acc. to what option user chooses in a sel obj.. but figured have to load a blank iframe when pg loads so I can replace it.. (iframe gets put in a pre-existing div..) this...
2
by: Jesper Stocholm | last post by:
I have implemented role-based security within my ASP.Net application. However, it seems the role is not passed to the authentication ticket I create. I want to use it to display/hide some...
8
by: Razak | last post by:
Hi, I have a class which basically do Impersonation in my web application. From MS KB sample:- ++++++++++++++++++++code starts Dim impersonationContext As...
3
by: Patrick Olurotimi Ige | last post by:
How can i send LOGON_USER or User.Identity.Name to the Database? I'm working on a survey which is intranet based with Windows Authentication. I can get the current user by calling LOGON_USER or...
2
by: Joris De Groote | last post by:
Hi, I am looking for a javascript that can open a link in an iframe. However, the link on wich the user clicks, is from another iframe. So I have 2 Iframes and want to get a html page open in I2...
19
by: wmanzo | last post by:
I have a really professional conspiracy movie site and I use tons of layers and an external scroll bar assembly. I would like to put the various sections into MS Iframes and in order to clean up...
3
by: =?Utf-8?B?Q2hhcmxlc0E=?= | last post by:
hi folks, I've got XP pro service pack 2 VS 2005 TSE with ASP.net 2.0 and C# I'm doing an example from Stephen Walther's so far excellent book and he has a whole load of stuff to add the...
0
Screaming Eagle
by: Screaming Eagle | last post by:
I haven't recieved any information that I could use, and researching this issue hasn't turned up any worthy results. Hence my reposting. Since I have had no reply, and my associates wish to move...
2
by: ericisjusteric | last post by:
I have a page with multiple iframes and need to have the user (ie6) be able to click a button to refresh any one of the iframes - but also to click another button at the top of the page to refresh...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.