Discussion:
CRM 4.0 authentication ticket and browser
(too old to reply)
Jose
2010-03-17 11:20:43 UTC
Permalink
Hi,

I am trying to clarify for myself how CRM 4.0 works in terms of
authentication and browsers. I have read through the following
documents which somewhat clear the situation:

http://msdn.microsoft.com/en-us/library/dd979245.aspx
http://blogs.msdn.com/crm/archive/2009/06/10/crm-authentication.aspx

But after reading through these, I still don't understand where on the
client side the user information is stored so that the authentication
is not prompted for every request. On the second document, there is
the following statement:

Microsoft.Crm.Authentication.CookieExistPredicate: This predicate
evaluates if the CRM authentication cookie is present it the current
application request. It checks for a cookie with name “MSCRMSession”
and checks for the presence of value “ticket” inside it.

However when I check my local cookies, I cannot find such a cookie.
But still, the CRM does not prompt me for windows authentication (we
have OnPremise installation of CRM) even though I close the browser
(IE8) window in which I have CRM open, re-open IE and point the URL to
our CRM.

We have CRM 4.0 with Update Rollup 9 installed.

Thanks.
CS ADNT
2010-03-17 11:45:17 UTC
Permalink
Hello Jose,

If your are not using an Internet Facing Deployment, Crm uses windows (ie.
AD) authentication which benefits from Windows signe Signon, and all the
users are already logged, so no cookie is necessary.
Your browser, in its default settings vehiculates the window user identity
from the windows Principal.

When Crm is set to be IFD, or for Crm on-line, it uses a cookie in a derived
version of Form Authentication.

Best regards
CS
Post by Jose
Hi,
I am trying to clarify for myself how CRM 4.0 works in terms of
authentication and browsers. I have read through the following
http://msdn.microsoft.com/en-us/library/dd979245.aspx
http://blogs.msdn.com/crm/archive/2009/06/10/crm-authentication.aspx
But after reading through these, I still don't understand where on the
client side the user information is stored so that the authentication
is not prompted for every request. On the second document, there is
Microsoft.Crm.Authentication.CookieExistPredicate: This predicate
evaluates if the CRM authentication cookie is present it the current
application request. It checks for a cookie with name “MSCRMSession”
and checks for the presence of value “ticket” inside it.
However when I check my local cookies, I cannot find such a cookie.
But still, the CRM does not prompt me for windows authentication (we
have OnPremise installation of CRM) even though I close the browser
(IE8) window in which I have CRM open, re-open IE and point the URL to
our CRM.
We have CRM 4.0 with Update Rollup 9 installed.
Thanks.
Jose
2010-03-18 07:02:04 UTC
Permalink
Thank you for your reply.

Another question, now that it is clear for me that no cookies are
involved in OnPremise installation mode, is there any way to prevent
browser from "saving" the user credentials somewhere so that when I
open a new browser window and point the URL to our CRM, the
authentication popup would be shown and I could use for example a
different user account to login?

This is very beneficial for example in our test environment where I
have several different user accounts (in different roles and BU's)
which I would like to utilize from the same client workstation but I
am unable to do so since the CRM authentication ticket is valid, I
think, for 24 hours. So only after the ticket expiration, I will be
able to login with different user.

So I guess my question really is, is there any way to reset that
24hour ticket expiration?

Thanks.
Post by CS ADNT
Hello Jose,
If your are not using an Internet Facing Deployment, Crm uses windows (ie.
AD) authentication which benefits from Windows signe Signon, and all the
users are already logged, so no cookie is necessary.
Your browser, in its default settings vehiculates the window user identity
from the windows Principal.
When Crm is set to be IFD, or for Crm on-line, it uses a cookie in a derived
version of Form Authentication.
Best regards
Post by Jose
Hi,
I am trying to clarify for myself how CRM 4.0 works in terms of
authentication and browsers. I have read through the following
http://msdn.microsoft.com/en-us/library/dd979245.aspx
http://blogs.msdn.com/crm/archive/2009/06/10/crm-authentication.aspx
But after reading through these, I still don't understand where on the
client side the user information is stored so that the authentication
is not prompted for every request. On the second document, there is
Microsoft.Crm.Authentication.CookieExistPredicate: This predicate
evaluates if the CRM authentication cookie is present it the current
application request. It checks for a cookie with name “MSCRMSession”
and checks for the presence of value “ticket” inside it.
However when I check my local cookies, I cannot find such a cookie.
But still, the CRM does not prompt me for windows authentication (we
have OnPremise installation of CRM) even though I close the browser
(IE8) window in which I have CRM open, re-open IE and point the URL to
our CRM.
We have CRM 4.0 with Update Rollup 9 installed.
Thanks.- Piilota siteerattu teksti -
- Näytä siteerattu teksti -
AdamV
2010-03-18 09:28:05 UTC
Permalink
IE running on Windows will always use single sign on if the computer
belongs to the same domain as the users and the CRM servers. So once you
are logged on to the domain as a valid AD user who is also set up in
CRM, it is all just seemless, and any tickets get re-issued as necessary.

Best bet to run CRM as another user is to run Internet Explorer as
another user. I do this all the time - my normal user account is a
non-admin account (in both the windows and CRM sense). I just do a
right-click runas on IE and run it in the context of my CRM admin user.

You need to do this from a "real" shortcut to Iexplore.exe, not the
pseudo shortcut IE usually places on the desktop. You could of course
configure a permanent shortcut to use runas every time and have a
different name and/or icon for this one.

Incidentally, I have my CRM set as the only homepage for this admin
account, so that comes straight up since it is the primary reason for
using that account. I don't have CRM as a homepage in my normal user
context.

NB: I am doing this on IE8 on Win7 now, used to do it on IE7 on Vista.
It ought to work on IE6 / XP too, but your mileage may vary. I use "run
as different user" and provide credentials for my user account which is
a CRM admin, no need to "run as administrator" since it does not need
local windows admin rights to do this.

Hope this helps

Adam
Post by Jose
Thank you for your reply.
Another question, now that it is clear for me that no cookies are
involved in OnPremise installation mode, is there any way to prevent
browser from "saving" the user credentials somewhere so that when I
open a new browser window and point the URL to our CRM, the
authentication popup would be shown and I could use for example a
different user account to login?
This is very beneficial for example in our test environment where I
have several different user accounts (in different roles and BU's)
which I would like to utilize from the same client workstation but I
am unable to do so since the CRM authentication ticket is valid, I
think, for 24 hours. So only after the ticket expiration, I will be
able to login with different user.
So I guess my question really is, is there any way to reset that
24hour ticket expiration?
Thanks.
Post by CS ADNT
Hello Jose,
If your are not using an Internet Facing Deployment, Crm uses windows (ie.
AD) authentication which benefits from Windows signe Signon, and all the
users are already logged, so no cookie is necessary.
Your browser, in its default settings vehiculates the window user identity
from the windows Principal.
When Crm is set to be IFD, or for Crm on-line, it uses a cookie in a derived
version of Form Authentication.
Best regards
Post by Jose
Hi,
I am trying to clarify for myself how CRM 4.0 works in terms of
authentication and browsers. I have read through the following
http://msdn.microsoft.com/en-us/library/dd979245.aspx
http://blogs.msdn.com/crm/archive/2009/06/10/crm-authentication.aspx
But after reading through these, I still don't understand where on the
client side the user information is stored so that the authentication
is not prompted for every request. On the second document, there is
Microsoft.Crm.Authentication.CookieExistPredicate: This predicate
evaluates if the CRM authentication cookie is present it the current
application request. It checks for a cookie with name “MSCRMSession”
and checks for the presence of value “ticket” inside it.
However when I check my local cookies, I cannot find such a cookie.
But still, the CRM does not prompt me for windows authentication (we
have OnPremise installation of CRM) even though I close the browser
(IE8) window in which I have CRM open, re-open IE and point the URL to
our CRM.
We have CRM 4.0 with Update Rollup 9 installed.
Thanks.- Piilota siteerattu teksti -
- Näytä siteerattu teksti -
Jose
2010-03-18 11:54:39 UTC
Permalink
Adam, thanks for your reply.

I actually have the test environment running on different domain from
our company domain where we login with our workstations. I have
configured this CRM server IP to my workstation hosts file because the
name resolution does not work between these two domains. That CRM
server is actually installed originally in IFD mode but I have
configured the CRM server to give AD authentication for requests
coming from IP address in our network. So that's why I get AD
authentication. I was just wondering is there a trick on the client
side to reset the CRM authentication ticket.

I used have win2003 running on my old laptop and I used IE7 on that. I
am not sure now but I think back then, the browser did not "remember"
the CRM authentication similarly to what it does now when I am using
Win7 and IE8 (what I mean here is that when I now use CRM with browser
with some user account, then close the browser, re-open browser and
point to that same CRM server URL, I don't get AD authentication popup
but I get authenticated and logged in to CRM automatically with the
same user I used earlier). This might be sometype of browser security
configuration also that I have now set differently than in my old
workstation but I am not sure. If you have any ideas of browser
settings that might affect to this, I would really appreciate it if
you could share those.

I think your tip of "run as different user" does not work in my
scenario because the CRM server is in different domain and that domain
user's don't have any privileges to run browser on my workstation.

Thanks.
Post by AdamV
IE running on Windows will always use single sign on if the computer
belongs to the same domain as the users and the CRM servers. So once you
are logged on to the domain as a valid AD user who is also set up in
CRM, it is all just seemless, and any tickets get re-issued as necessary.
Best bet to run CRM as another user is to run Internet Explorer as
another user. I do this all the time - my normal user account is a
non-admin account (in both the windows and CRM sense). I just do a
right-click runas on IE and run it in the context of my CRM admin user.
You need to do this from a "real" shortcut to Iexplore.exe, not the
pseudo shortcut IE usually places on the desktop. You could of course
configure a permanent shortcut to use runas every time and have a
different name and/or icon for this one.
Incidentally, I have my CRM set as the only homepage for this admin
account, so that comes straight up since it is the primary reason for
using that account. I don't have CRM as a homepage in my normal user
context.
NB: I am doing this on IE8 on Win7 now, used to do it on IE7 on Vista.
It ought to work on IE6 / XP too, but your mileage may vary. I use "run
as different user" and provide credentials for my user account which is
a CRM admin, no need to "run as administrator" since it does not need
local windows admin rights to do this.
Hope this helps
Adam
Post by Jose
Thank you for your reply.
Another question, now that it is clear for me that no cookies are
involved in OnPremise installation mode, is there any way to prevent
browser from "saving" the user credentials somewhere so that when I
open a new browser window and point the URL to our CRM, the
authentication popup would be shown and I could use for example a
different user account to login?
This is very beneficial for example in our test environment where I
have several different user accounts (in different roles and BU's)
which I would like to utilize from the same client workstation but I
am unable to do so since the CRM authentication ticket is valid, I
think, for 24 hours. So only after the ticket expiration, I will be
able to login with different user.
So I guess my question really is, is there any way to reset that
24hour ticket expiration?
Thanks.
Post by CS ADNT
Hello Jose,
If your are not using an Internet Facing Deployment, Crm uses windows (ie.
AD) authentication which benefits from Windows signe Signon, and all the
users are already logged, so no cookie is necessary.
Your browser, in its default settings vehiculates the window user identity
from the windows Principal.
When Crm is set to be IFD, or for Crm on-line, it uses a cookie in a derived
version of Form Authentication.
Best regards
Post by Jose
Hi,
I am trying to clarify for myself how CRM 4.0 works in terms of
authentication and browsers. I have read through the following
http://msdn.microsoft.com/en-us/library/dd979245.aspx
http://blogs.msdn.com/crm/archive/2009/06/10/crm-authentication.aspx
But after reading through these, I still don't understand where on the
client side the user information is stored so that the authentication
is not prompted for every request. On the second document, there is
Microsoft.Crm.Authentication.CookieExistPredicate: This predicate
evaluates if the CRM authentication cookie is present it the current
application request. It checks for a cookie with name “MSCRMSession”
and checks for the presence of value “ticket” inside it.
However when I check my local cookies, I cannot find such a cookie.
But still, the CRM does not prompt me for windows authentication (we
have OnPremise installation of CRM) even though I close the browser
(IE8) window in which I have CRM open, re-open IE and point the URL to
our CRM.
We have CRM 4.0 with Update Rollup 9 installed.
Thanks.- Piilota siteerattu teksti -
- Näytä siteerattu teksti -- Piilota siteerattu teksti -
- Näytä siteerattu teksti -
Loading...