15.01.2009, 03:13 | #1 |
Member
Microsoft Dynamics CRM Team Blog: Trust for Delegation in List Web Part for Microsoft Dynamics CRM 4.0
Source: http://blogs.msdn.com/crm/archive/20...s-crm-4-0.aspx
==============

This article pertains to Trust for Delegation issues encountered in on-premise installations of Microsoft Dynamics CRM 4.0 (MS CRM) when the CRM server and the SharePoint Server exist on different physical machines. If you have the List Web Part (LWP) deployed for the IFD version of MS CRM, or both Microsoft Dynamics CRM and SharePoint Server are on the same machine, then your deployment is not affected by the trust for delegation issue.

In scenarios where MS CRM on-premise and SharePoint are set up on separate machines, Microsoft Dynamics users of LWP face issues during authentication. If the SharePoint Server is not set up for Trust for Delegation, then the user's Active Directory credentials are not passed to the MS CRM server. The LWP deployed on SharePoint does not receive the CRM authentication ticket from SharePoint and displays the sign on form used with an IFD installation.

The screen below shows the configuration pane of LWP and the sign on form. This form appears when a Trust for Delegation (also known as Double-Hop impersonation) is not present.

Figure 1: IFD login from configuration pane

What is the Double Hop issue?

In situations where the SharePoint Server and the MS CRM server are on different machines, the first hop is from the LWP user's IE browser to the SharePoint server, and the second hop is from the SharePoint server to the MS CRM Server. Windows credentials cannot be passed in the second hop, due to security issues. To enable the SharePoint Server to pass the user credentials, the SharePoint server must be configured for Trust for Delegation.

Setting up 'Trust for Delegation'

To make it easier to understand the configuration settings, consider the following topology:

Figure 2: Independent CRM and SharePoint Server topology

1. First, configure IIS and IE for delegation using the steps in the following KB article: http://support.microsoft.com/default...b;en-us;810572

Note: To perform the remaining steps, the user must be a member of the Domain Administrators group or the Enterprise Administrators group in Active Directory, or the user must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

2. Click Start >> Control Panel >> Administrative Tools >> Active Directory Users and Computers.

3. In the console tree, click Computers.

4. In the details pane, right-click the computer you want to trust for delegation and then click Properties. In our case it's the Windows SharePoint Services 3.0 server or MOSS 2007 server (machine #4 in figure 2).

5. On the Delegation tab, click Trust this computer for delegation to specified services only.

Figure 3: Trust for delegation to specific service

6. Depending upon the IIS authentication type in the WSS/MOSS Web application, do one of the following:

8. In Enter the object names to select (examples), type the name of the computer that the computer will be trusted to delegate for, for example the Dynamics CRM 4.0 computer (server no. 3 in figure 2), and then click OK.

Figure 4: Select User and Computers

If the machine name does not resolve, click Advanced.

Figure 5: Select User and Computers using advanced dialog

9. In Add Services, click the Http service that will be trusted for delegation and click OK.

Figure 6: Set trust for specified service

Notes

The following steps are necessary if you want to use Kerberos in WSS/MOSS.

10. In the SharePoint Central Administration site, in Application Management, select Authentication Providers.

11. In Authentication Provider, select Window Membership Provider from the default zone and check the IIS Authentication Settings.

a. The Integrated Windows authentication check box should be selected.

Figure 7: SharePoint Central Admin - Edit Authentication

You should now be able to log in to the List Web Part and view the configuration page.

Figure 8: Successful Login in List Web Part

Cheers,
Suraj Supekar
__________________
Tell us about new and interesting Microsoft Dynamics blogs: send a private message to the administrator.
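An added example, not part of the original article or of Microsoft's tooling: a PowerShell check of what steps 5 to 9 leave in Active Directory, confirming that the SharePoint computer account is trusted for delegation only to the HTTP service on the CRM server and not for unconstrained delegation. It assumes the ActiveDirectory module (RSAT) is installed; the function name and the computer names SPSERVER01 and CRMSERVER01 are hypothetical.

```powershell
# Added example: audit the delegation settings on the SharePoint computer account.
# Assumes the ActiveDirectory (RSAT) module; function and computer names are hypothetical.
Import-Module ActiveDirectory

function Test-LwpDelegation {
    param(
        [Parameter(Mandatory)] [string] $SharePointComputer,  # account trusted in step 4
        [Parameter(Mandatory)] [string] $CrmComputer          # delegation target from step 8
    )

    $sp = Get-ADComputer -Identity $SharePointComputer -Properties `
            TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $crm = Get-ADComputer -Identity $CrmComputer -Properties DNSHostName

    # Host names under which the CRM server may appear in an SPN (short name and FQDN).
    $crmHosts = @($crm.Name, $crm.DNSHostName) | Where-Object { $_ }

    # Each allowed target is an SPN of the form service/host[:port].
    $targets = @(
        foreach ($spn in @($sp.'msDS-AllowedToDelegateTo' | Where-Object { $_ })) {
            $service, $rest = $spn -split '/', 2
            $targetHost = ($rest -split '[:/]')[0]
            [pscustomobject]@{
                Spn         = $spn
                IsHttpToCrm = ($service -eq 'HTTP') -and ($crmHosts -contains $targetHost)
            }
        }
    )
    $httpToCrm = @($targets | Where-Object { $_.IsHttpToCrm }     | ForEach-Object { $_.Spn })
    $other     = @($targets | Where-Object { -not $_.IsHttpToCrm } | ForEach-Object { $_.Spn })

    [pscustomobject]@{
        Computer           = $sp.Name
        # True means "trust for delegation to any service", wider than step 5 asks for.
        Unconstrained      = [bool]$sp.TrustedForDelegation
        # True means protocol transition is enabled on the account.
        ProtocolTransition = [bool]$sp.TrustedToAuthForDelegation
        HttpToCrm          = $httpToCrm
        # Delegation targets other than HTTP on the CRM server; review each one.
        OtherTargets       = $other
        MatchesArticle     = (-not $sp.TrustedForDelegation) -and ($httpToCrm.Count -gt 0)
    }
}

# Usage (constructed names):
# Test-LwpDelegation -SharePointComputer SPSERVER01 -CrmComputer CRMSERVER01 | Format-List
```

A result with Unconstrained set to True or a non-empty OtherTargets list means the account can delegate further than the HTTP service on the CRM server that step 9 selects.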