Information Dynamics

Monthly Archives: February 2020

Running WebAPI in IIS Express ASP.NET Core 3.0

26 Wednesday Feb 2020

Posted by GIRISH SRINIVASA in ASP.NET Core, WebAPI

Tags: iisexpress, Impersonation

When a Web API project targeting ASP.NET Core 3.0 is created from the template, the launchSettings.json file contains the following settings:

IISExpress

Since IIS Express was selected as the hosting platform, the expectation is that the endpoint is accessible in the browser, but instead the following error was returned:

IISExpress1

The error refers to a setting in IIS, even though the Web API is configured to run under IIS Express within the Visual Studio IDE. The solution is to open Configuration Editor in IIS and set impersonate = False as indicated below.

IISExpress2

Navigate to system.web/identity, set impersonate = false and restart IIS.

IISExpress3

The Web API should now be accessible in the browser.

IISExpress4

Illustrative sample of Authentication using JSON Web Token(JWT)

22 Saturday Feb 2020

Posted by GIRISH SRINIVASA in ASP.NET Core, WebAPI

Tags: Authentication, JSON Web Token, SAML

In the article we looked at aspects of authentication/authorization frameworks that can be used in COTS and bespoke applications. This article looks at Web API authentication using JWT. The sample source code can be obtained from here.

The sample code demonstrates the following scenario:

JWTSample1

The User data model used in the sample application has the attributes shown in the table below:

JWTSample

  1. The Console App invokes a POST request with username and password to the Gateway API, which is based on the Ocelot API gateway and works well for a microservices architecture. In an architecture pattern consisting of several microservices, Ocelot provides a single configurable endpoint through which each microservice is reached.

JWTSample2

“/authentication/authenticate” > points to the authentication controller and its authenticate method within the microservice Web API.

The JSON file for the Ocelot API gateway consists of ReRoutes, each specified as a combination of DownstreamPathTemplate and UpstreamPathTemplate.

JWTSample3

The output of the Console App is shown below; the returned JWT is in the format [Header].[Payload].[Signature].

JWTSample4

If we decode the JWT in the debugger at jwt.io we get the user information.

JWTSample5

JWTSample6

A Comparison of Authentication and Authorization Frameworks

20 Thursday Feb 2020

Posted by GIRISH SRINIVASA in ADFS 4.0, ASP.NET Core, Dynamics 365, WebAPI

Tags: JWT, SAML, WS-Fed

To provide a Single Sign On (SSO) mechanism for users, different authentication frameworks are in place, viz. WS-Federation (WS-Fed), SAML, OAuth, OpenID and OpenID Connect.

WS-Fed and SAML (Security Assertion Mark-up Language) are still in use in corporate networks to allow users to connect to COTS (Commercial off the Shelf) products and bespoke applications. Federation (i.e. delegating authentication/authorization) is achieved using Active Directory Federation Services (ADFS) installed and configured on the Windows Server OS.

The three essential components of federation are:

  • Sign-in protocol > the mechanism used to access the application
  • Authentication protocol > how the user is verified
  • Token type > what is returned to the user after successful identification

In the article, configuring the Dynamics CRM platform for Claims-Based Authentication was discussed. Let us look at a capture of the traffic in Fiddler to see what information is passed in the Request and Response.

Request

Fiddler

As highlighted, accessing https://crm.idynamics.dev/seis routes the request to https://adfs.idynamics.dev with the following parameter(s):

wa=wsignin1.0 > tells the ADFS service to invoke sign-in

wtrealm=https%3a%2f%2fcrm.idynamics.dev%2f > the client application (relying party) using the ADFS service

wctx=rm%3d1%26id%3da33a2f6c-768e-48aa-9c3c-b594ef0f60b5%26ru%3d%252fseis%252fdefault.aspx%26crmorgid%3dfa61533b-ea52-ea11-83b5-0017fb000002 > session context data that is sent back with the response

wct=2020-02-20T09%3a53%3a23Z > the time the application was accessed

wauth=urn%3afederation%3aauthentication%3awindows > the mode of authentication

Response

Fiddler1

The response conforms to SAML 1.1 as per the specification, and the following is included as part of the “wresult”: urn:oasis:names:tc:SAML:1.0:assertion

OAuth/OpenID/OpenID Connect essentially use JWT (JSON Web Token).

A JSON Web Token stores user information, viz. id, permission set (aka claim rules) etc., in a compact format so that the information can be transmitted securely between client and server. The token is a string that is digitally signed using an HMAC algorithm or RSA.

Available security algorithms are defined as constant string values in the SecurityAlgorithms class of the Microsoft.IdentityModel.Tokens namespace; in the sample project demonstrating authentication using JWT we use an HMAC algorithm.

The JWT structure consists of three parts, [Header].[Payload].[Signature], each represented as a Base64-URL string.

Header: a combination of token type and signing algorithm, identified by the claims typ (token type) and alg (signing algorithm). Represented in JSON this looks like the one below:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload: consists of claims about the user. A claim is represented as a key/value pair. There are three types of claims: Registered, Public and Private. The key part of the claim is limited to 3 characters.
Registered: Predefined claims and can be viewed here

Public: Custom defined claims but need to be registered in public registry at

Private: Custom claims agreed between two applications.

Signature: Verifies that the message is not tampered during transmission.
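The three-part structure above, and the jwt.io decoding step in the JWT sample post earlier on this page, as an added Python illustration (not code from the sample project, whose C# implementation uses the SecurityAlgorithms constants): it builds an HS256 token, shows that the header and payload are readable without the key, and verifies the signature, rejecting a tampered payload, a wrong key, an expired token and a header that announces a different algorithm. The secret and the claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: a real HS256 key is a high-entropy value held server-side.
SECRET = b"constructed-demo-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    # JWT parts are unpadded base64url, which is why a token never contains '='.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the stripped padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(claims: dict, secret: bytes) -> str:
    # [Header].[Payload] is the signing input; the third part is HMAC-SHA256 over it.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str):
    # What jwt.io shows: header and payload are only encoded, not encrypted,
    # so anyone holding the token can read the claims without the key.
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_jwt(token: str, secret: bytes, now=None):
    # Returns the claims only if the signature and expiry (exp) check out, else None.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None  # not three dot-separated parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never trust "none" or another alg taken from the token
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # payload or signature was altered in transit
    claims = json.loads(b64url_decode(payload_b64))
    current = now if now is not None else int(time.time())
    if "exp" in claims and claims["exp"] <= current:
        return None  # expired
    return claims
```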

Multiserver topology for Dynamics/SharePoint Setup

16 Sunday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365, SharePoint 2019, Windows Server 2016

Tags: AutomatedLab, Hyper-V

In this article we looked at how quickly trial labs can be set up using the AutomatedLab PS modules. In this tutorial we use the AutomatedLab PS modules to set up the CRM farm topology:

CRMFarmTopology

The Git repository here has a PS script DynamicsCEFarm.ps1 and an output file ScriptOutputCRMFarm.txt that details the results of the script run. Note that the AutomatedLab PS module assigns a password by default and this can be changed. Total elapsed time for the initial server configuration was about 30 minutes.

AutomatedLab PS modules can also be used to install SQL Server and other products, but for the purposes of setting up the test lab, after the initial server configuration I followed the articles below to install and configure the other services on Windows Server 2016:

  • Active Directory Certificate Services (ADCS)
  • Group Policies for certificate enrollment, Dynamics 365

Spkl Task Runner connecting to CRM Instance

15 Saturday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365, Spkl

In the article, the Spkl Task Runner was used to unpack the CRM solution components. If you have to connect to a new instance and save the configuration information before unpacking the solution components, follow the steps below:

In this example I am connecting to CRM 365 on-premise.

spklTaskRunner3

In Dynamics 365 CE online an organization is very much an instance, but on-premise there can be multiple organizations, and these are listed once you have successfully authenticated:

spklTaskRunner4

The settings are saved under AppData\Roaming… in Credentials.xml

Untitled

If the file Credentials.xml is deleted, you will be prompted to enter the CRM Server and Port again.

Custom Web Roles and Entity Permissions

13 Thursday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform, Uncategorized

Tags: Custom Entity Permissions, Custom Web Roles

In the article we looked at the out-of-the-box roles available and how they can be associated with a user. Entity Permissions allow a user to perform operations on the data, depending on the scope.

In this article we define custom web roles and entity permissions for the users listed in the Contact entity.

PortalAccess9

The requirements for the highlighted users are as per the table below:

PortalAccess10

Defining Custom Web Role for Administrator and User

Navigate to Web Roles and click on New.

PortalAccess11

PortalAccess12

Once the roles are defined, add Contact records as per the requirements table.

PortalAccess13

PortalAccess14

PortalAccess15

Now that a Web Role is associated with a contact, we proceed with creating an Entity Permission. Navigate to Entity Permissions > New.

PortalAccess16

The entities chosen are Event and Event Registration, which have a 1:N relationship.

Create two entity permissions: Entity User Role Permission and Administrator User Role Permission.

PortalAccess17

PortalAccess18

PortalAccess19

PortalAccess20

PortalAccess21

Associate the newly created entity permission with the Management User Role.

PortalAccess22

PortalAccess23

PortalAccess24

Now associate the contact with the Web Role.

PortalAccess25

PortalAccess26

PortalAccess27

Portal Access Control

12 Wednesday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals, Power Platform

Tags: Entity Permissions, portal access control, Web Roles

Once a user is granted access to the Portal, using either a local or an external account, permissions must be applied to the different types of resources for that user. Similar to conventional web portals, a Dynamics 365 CE Portal user typically performs the following functions:

  • View/edit data
  • Read static content and other resources like images, documents etc.

The Security section of the portal provides the options for fine-grained control over resources and can be accessed from Power Apps portal > Settings > Site Settings.

PortalAccess1

Navigate to Site Settings

PortalAccess2

PortalAccess3

An authenticated user of the portal can get as far as the home page only; to proceed beyond that, the user must have Roles and Permissions in order to perform functions.

The default Web Roles available include Administrators, Anonymous Users and Authenticated Users. In this article we look at how to assign the Roles and Permissions that are available OOTB (out-of-the-box).

PortalAccess4

Noting that every portal user is a Contact record, let us proceed with assigning Roles and Permissions:

  • Select the Web Role and bring up the context menu under Related > Contacts to add a Contact record

PortalAccess5

PortalAccess6

Once a Web Role is assigned, the next level of the security hierarchy is assigning permissions at the Entity level so that the user has access to the records. Record-level permissions are handled in the Entity Permissions section under Security.

PortalAccess7

PortalAccess8

In the above screenshot a new permission is defined on the Lead entity with Write/Create privileges. The privileges/actions that can be performed on entity records are Read, Write, Create, Delete, Append and Append To. The Scope defines the boundary within which an authenticated user can perform actions on the entity; more information about scope can be found here.

With the above basic introduction to access controls, in the next article we will define custom roles and assign permissions.

Legacy Settings Power platform Admin

09 Sunday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 CE Online, Power Platform

Tags: Legacy Settings, Solution Import

I was hoping to import a solution into a Dynamics 365 CE online instance by simply navigating to Settings > Solutions > Import Solution, as is easily done on-premise. It turns out that, with everything being centralized in the Power Platform admin portal, it took a while to figure out where to find the UI for solution import/export. The screenshots I present here are a guide and will change as the Dynamics 365 CE Online platform keeps evolving.

  • Log on to the Office portal

ImportSolution1

  • Click on Dynamics 365 as highlighted; this should bring up the following home page

ImportSolution2

  • Click on Dynamics 365 - custom and it should take you to the Organization/Instance home page. The Settings > Advanced Settings menu option now takes us to the Power Platform admin center home page

ImportSolution3

ImportSolution4

Resources > All legacy settings brings up the UI we are traditionally used to for performing tasks on CRM solutions.

Dynamics 365 CE Portal Login using Google

07 Friday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 Portals

Tags: Google API

In the previous article we looked at how to set up a trust between a Dynamics 365 CE portal and a third-party identity provider, using Google as an example. Now we look at registering a user who has a Google account for access to the Dynamics 365 CE portal.

Example Scenario:

Portal URL: https://spaceflight.powerappsportals.com

Google Account: girishsrini40@gmail.com

  • Access the Portal URL, click on the Register tab and select “Google” under Register using an external account.

ExternalIDP19

  • Enter the email address and note the identity provider URL in the address bar, which points to https://accounts.google.com

ExternalIDP20

  • Once registered, a new record in the Contact entity is created as long as the email address is unique; note that one of the requirements for a Dynamics 365 CE portal is that every e-mail address must be unique. The Contacts list in CRM is shown below:

ExternalIDP21

  • Complete the other fields under Profile to finish the registration and save the information

ExternalIDP22

  • The updated profile information is visible under Contacts in CRM

ExternalIDP23

  • The External Identities entity maps the created Contact record to the third-party identity provider “Google”

ExternalIDP24

Once the user is registered, authentication to the portal can be done through Google as the identity provider.

ExternalIDP25

ExternalIDP26

ExternalIDP27

The user is redirected back to the portal home page.

ExternalIDP28

Portal Authentication using External Identity Provider

06 Thursday Feb 2020

Posted by GIRISH SRINIVASA in Dynamics 365 CE Online, Dynamics 365 Portals, Power Platform, PowerApps, Uncategorized

Tags: Portal Authentication

In the article we looked at aspects of Portal Authentication; the following section explains the use of third-party identity providers for Portal Authentication.

External authentication using third-party identity providers uses the OAuth 2.0 protocol to grant access. First we briefly look at the underlying concepts of OAuth 2.0.

OAuth 2.0 is a protocol that provides a user with limited access to resources on a site. Access tokens, in string format, hold the permissions granted to a user to access the resource. The access tokens are generated in JSON Web Token (JWT) format; the three parts of a JWT are:

  • Header: contains metadata about the token and the cryptographic algorithm
  • Payload: the set of claims, including the expiration time
  • Signature: used for token validation

More information about OAuth 2.0 can be obtained from here. In the context of Dynamics 365 CE portals (Power Apps portals) the supported identity providers (IdPs) that use OAuth 2.0 are listed here.

For demonstration the portal URL used is https://spaceflight.powerappsportals.com; this is a portal provisioned on a Dynamics 365 CE instance.

Assuming we want to use Google as the third-party identity provider, the high-level steps are:

  • Register application
  • Obtain “Client ID” and “Client Secret” pair after registration
  • Configure Client ID and Client Secret in portal site settings to establish secure connection

Registering Application

Log on to the Google Developer Console here and create a new project.

ExternalIDP1

ExternalIDP2

ExternalIDP3

Once the project is successfully created, click on “Create Credentials” and choose OAuth client ID, as we require the “Client ID” and “Client Secret” that are to be used in the portal settings.

ExternalIDP4

You will be prompted to set a product name on the consent screen.

ExternalIDP6

ExternalIDP7

In the OAuth consent screen enter the application details

ExternalIDP8

After the OAuth consent details are set (this step is somewhat similar to setting up an ADFS Relying Party Trust), select Application Type > Web application.

ExternalIDP9

At this stage the Client ID and Client Secret are generated.

ExternalIDP10

These two values can always be retrieved from:

ExternalIDP11

ExternalIDP12

There is an option to download the settings as a JSON file.

After the preceding steps we have essentially set up our portal as a Relying Party and obtained the Client ID and Client Secret that OAuth 2.0 generates; these now need to be referenced in the Portal settings.

ExternalIDP13

ExternalIDP14

The existing OAuth 2.0 providers are listed as below.

ExternalIDP15

For Google to be used as the identity provider, add the following OpenIdConnect settings; more information can be found here.

ExternalIDP16

As a final step, restart the portal from the PowerApps Portals admin center.

ExternalIDP17

Once the restart is complete, accessing the portal should display Google as an external identity provider.

ExternalIDP18

In the next article we will register an external user and log in to the portal using Google as the identity provider.
