19

我们在 2016 年成功使用 odata v8.1 端点来模拟用户。

请注意,预期的请求流程是:Postman-->LocalHost Microservice-->CRM

来自Postman-->CRM的工作请求示例 (直接,无需通过微服务)

Accept:application/json
Content-Type:application/json; charset=utf-8
OData-MaxVersion:4.0
OData-Version:4.0
MSCRMCallerID:d994d6ff-5531-e711-9422-00155dc0d345
Cache-Control:no-cache

针对 odata 端点:..../api/data/v8.1/leads

请注意,这仅在通过postman直接针对 odata v8.1 端点发出时才成功。

当尝试做同样的事情时,让服务在本地运行(Postman-->LocalHost Service-->CRM),这会失败,只是忽略???MSCRMCallerID 标头。

在检查从 Postman 传递给 LocalHost 微服务的标头后,VS 2017 中的调试器检查了请求:

{Method: POST, RequestUri: 'https://.../api/data/v8.1/leads', Version: 1.1, Content: System.Net.Http.StringContent, Headers:
{
  OData-Version: 4.0
  OData-MaxVersion: 4.0
  MSCRMCallerID: D994D6FF-5531-E711-9422-00155DC0D345
  Cache-Control: no-cache
  Accept: application/json
  Content-Type: application/json; charset=utf-8
}}

记录已成功创建,但在 CreatedBy 字段上是服务用户名而不是 MSCRMCallerID 用户名 (d994d6ff-5531-e711-9422-00155dc0d345),并且 CreatedOnBehalf 字段为空。

我们做错了什么?

我们如何让这种模拟在我们的服务中发挥作用?

编辑+更多信息

请注意,我确实相信我已经包含了所有相关信息,但如果我没有,请让我知道我应该在这个问题上提供哪些其他输入。

我尝试了什么?

  1. 改变了标题的顺序
  2. 玩了标题的情况
  3. 确保模拟用户的 guid 是正确的
  4. 确保用户同时具有委托和系统管理员角色(尽管这无关紧要,因为这在直接针对 crm odata 端点而不是我们的服务公开的端点执行请求时有效
  5. 已尝试针对 https 和 http 执行请求
  6. 提琴手跟踪如下图

请注意,此提琴手跟踪是显示Postman --> 微服务请求的跟踪。它没有显示从 localhost 微服务到 CRM 的通信。(我不知道为什么,也许是因为它是加密的)

POST https://localhost:19081/.....Leads/API/leads HTTP/1.1
Host: localhost:19081
Connection: keep-alive
Content-Length: 84
Cache-Control: no-cache
Origin: chrome-extension://aicmkgpgakddgnaphhhpliifpcfhicfo
MSCRMCallerID: D994D6FF-5531-E711-9422-00155DC0D345
X-Postman-Interceptor-Id: d79b1d2e-2155-f2ec-4ad7-e9b63e7fb90d
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Content-Type: application/json; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: ai_user=Ka2Xn|2017-05-25T17:30:57.941Z

{
    "subject": "created by mscrmcaller user2: d994d6ff-5531-e711-9422-00155dc0d345"
}

@Ram 建议我们使用组织服务进行身份验证,考虑到我们正在针对 Web API 执行,这是一个选项吗?请求的令牌是否仍然有效。(请注意,这可能是一个愚蠢的问题,原因是我不了解身份验证的工作原理)。

以下是我们当前如何在每次通话中进行身份验证的代码片段:

//check headers to see if we got a redirect to the new location
            var shouldAuthenticate = redirectUri.AbsoluteUri.Contains("adfs/ls");

            if (!shouldAuthenticate)
            {
                return;
            }

            var adfsServerName = redirectUri.Authority;
            var queryParams = HttpUtility.ParseQueryString(redirectUri.Query);

            ServicePointManager.ServerCertificateValidationCallback +=
                (sender, cert, chain, sslPolicyErrors) => true;

            WSTrustChannelFactory factory = null;
            try
            {
                // use a UserName Trust Binding for username authentication
                factory = new WSTrustChannelFactory(
                    new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                    $"https://{adfsServerName}/adfs/services/trust/13/usernamemixed")
                {
                    Credentials =
                    {
                        UserName =
                        {
                            UserName = $"{credential.Domain}\\{credential.UserName}",
                            Password = credential.Password
                        }
                    },
                    TrustVersion = TrustVersion.WSTrust13
                };

                var rst = new RequestSecurityToken
                {
                    RequestType = RequestTypes.Issue,
                    AppliesTo = new EndpointReference(_client.BaseAddress.AbsoluteUri),
                    TokenType = "urn:oasis:names:tc:SAML:1.0:assertion",
                    KeyType = KeyTypes.Bearer
                };

                var channel = factory.CreateChannel();
                channel.Issue(rst, out RequestSecurityTokenResponse rstr);

                var fedSerializer = new WSFederationSerializer();
                var rstrContent = fedSerializer.GetResponseAsString(rstr, new WSTrustSerializationContext());

                // construct a authentication form
                var crmauthenticaionPostDictionary = new Dictionary<string, string>
                {
                    {"wa", queryParams["wa"]},
                    {"wresult", rstrContent},
                    {"wctx", queryParams["wctx"]}
                };

                // post the authentication form to the website. 
                var crmAuthorizationPostResponse = _client.PostAsync(_client.BaseAddress.AbsoluteUri, new FormUrlEncodedContent(crmauthenticaionPostDictionary)).Result;

                var crmAuthorizationPostResponseString = crmAuthorizationPostResponse.Content.ReadAsStringAsync().Result;
                //we  should be authenticated here
                if (
                    !(
                        // we are correctly authorized if we got redirected to the correct address that we
                        // were trying to reach in the first place.
                        crmAuthorizationPostResponse.StatusCode == HttpStatusCode.Redirect
                        && crmAuthorizationPostResponse.Headers.Location == authenticationTestUri
                    )
                )
                {
                    throw new Exception("ADFS Authentication to CRM failed.");
                }
4

2 回答 2

3

当您对 CRM 请求执行 Postman 时,它的直接呼叫和 CRM 会以预期的方式处理它。

但是在 Postman -> Microservice -> CRM 中,标题在 Microservice 到 CRM 之间丢失了。

在您的微服务中,您必须手动处理 Header 转发到 CRM SDK 调用。

HttpWebRequest myHttpWebRequest1= (HttpWebRequest)WebRequest.Create(uri);
myHttpWebRequest1.Headers.Add("MSCRMCallerID", "D994D6FF-5531-E711-9422-00155DC0D345");

HTTP 标头转发(抱歉,我找不到适用于 Azure/C# 的标头)

在此处输入图像描述

更新:

我假设您正在按照此MSDN 示例在 c# 微服务中执行您的 CRM Web api 调用。我已经包含了我们需要的标题 - MSCRMCallerID。看看对你有没有帮助。

public async Task BasicCreateAndUpdatesAsync()
{
   Console.WriteLine("--Section 1 started--");
   string queryOptions;  //select, expand and filter clauses
                         //First create a new contact instance,  then add additional property values and update 
                         // several properties.
                         //Local representation of CRM Contact instance
   contact1.Add("firstname", "Peter");
   contact1.Add("lastname", "Cambel");

   HttpRequestMessage createRequest1 =
       new HttpRequestMessage(HttpMethod.Post, getVersionedWebAPIPath() + "contacts");
   createRequest1.Content = new StringContent(contact1.ToString(),
       Encoding.UTF8, "application/json");

createRequest1.Headers.Add("MSCRMCallerID", "D994D6FF-5531-E711-9422-00155DC0D345");

   HttpResponseMessage createResponse1 =
       await httpClient.SendAsync(createRequest1);

   if (createResponse1.StatusCode == HttpStatusCode.NoContent)  //204
   {
    Console.WriteLine("Contact '{0} {1}' created.",
        contact1.GetValue("firstname"), contact1.GetValue("lastname"));
    contact1Uri = createResponse1.Headers.
        GetValues("OData-EntityId").FirstOrDefault();
    entityUris.Add(contact1Uri);
    Console.WriteLine("Contact URI: {0}", contact1Uri);
   }
   else
   {
    Console.WriteLine("Failed to create contact for reason: {0}",
        createResponse1.ReasonPhrase);
    throw new CrmHttpResponseException(createResponse1.Content);
   }
}
于 2017-09-15T16:57:18.333 回答
2

冒充时有几件事需要注意

1. 要模拟用户,请在调用服务的 Web 方法之前在 OrganizationServiceProxy 的实例上设置 CallerId 属性。

2. 用户(模仿者)必须具有 ActOnBehalfOf 权限或者是 Active Directory 中 PrivUserGroup 组的成员

代码示例

 SystemUser user = null;
 user = new SystemUser(systemUser);
 OrganizationServiceProxy service = CrmService.Proxy;
 service.CallerID = user.Id;

由于您的代码不可用,请确保上述所有字段均已正确设置

如需详细了解,请使用链接 https://crmbusiness.wordpress.com/2015/07/21/crm-2015-understanding-impersonation-in-plugins-and-knowing-when-to-use-it/

于 2017-10-04T09:31:10.227 回答