Anybody able to explain clearly the difference between CallerId and Credentials in MS CRM 3.0




Hello,
Anybody able to explain clearly the difference between CallerId and
Credentials in MS CRM 3.0

I was thinking that credentials was used to fix the executing user for
calling the web services and CallerId was to fix the access rights according
to a specific user inside the CRM.

Following this interpretation, it was not necessary to have a CRM user in
credentials, but it is not true, I tested this with a domain admin account
in credentials and it failed, web service was refusing the access.

I don't understand the logic. Any explanation welcome from MS or CRM dev
expert.
You've got the logic more or less correct. The only thing you're overlooking
is the possibility for a spoofing attack. That is, imagine I could connect
to the web service as any domain-authenticated user, and I could supply any
CRM identity as the "operating" user. Now, assume I'm a disgruntled employee
(or I want to "steal" all of my competing sales person's contacts). All I
need to do is connect to CRM over the web service and supply the operating
user credentials (the CallerId). If I was able to do this it would mean I
could, for example, send a "bad" email to all of the company's customers on
behalf of the user specified in CallerId.

Now, there is a way to allow this "bad" behavior to happen. You can put the
calling user (the user whose credentials you used in the proxy) in a
special NT group that the platform trusts. Members of that group can then
play the "operate on behalf of" game. At least that's the way I remember it
working. I might be slightly off in the exact details... the product is too
big for me to remember all the bits any more.


That's the group. I'll leave it to our support team to chime in on
the supportability of adding users to PrivUserGroup and relying on that functionality.
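An added example, not code from this thread, showing where the two settings discussed above live on a CRM 3.0 web service proxy: `Credentials` is the Windows account that authenticates the HTTP call, while `CrmAuthenticationToken.CallerId` names the CRM user the platform should act as. The `CrmService`, `CrmAuthenticationToken` and `WhoAmIRequest` types are the CRM 3.0 SDK's; the service URL, organization name, proxy namespace and user GUID are placeholders assumed for the illustration.

```csharp
// Added illustration of Credentials vs CallerId on a CRM 3.0 proxy.
// Type names come from the CRM 3.0 SDK; URL, org name and GUIDs are placeholders.
using System;
using System.Net;
using CrmSdk; // namespace of the generated CrmService proxy (assumed)

static class CallerIdDemo
{
    static CrmService BuildService(string orgName, Guid callerId)
    {
        var service = new CrmService();
        service.Url = "http://crmserver/mscrmservices/2006/crmservice.asmx"; // placeholder host

        // Credentials: the Windows account that authenticates to IIS. The platform
        // looks this account up as a CRM user; a domain admin that is not a CRM
        // user is refused here, which is the failure described in the question.
        service.Credentials = CredentialCache.DefaultCredentials;

        var token = new CrmAuthenticationToken();
        token.AuthenticationType = 0;     // 0 = Active Directory authentication
        token.OrganizationName = orgName;

        // CallerId: the CRM user whose privileges the request runs under.
        // Guid.Empty means "run as the authenticated account". A different value
        // is an impersonation request, which the platform honours only when the
        // authenticated account is a member of PrivUserGroup; this is the check
        // that stops any domain user from operating as an arbitrary CRM user.
        token.CallerId = callerId;

        service.CrmAuthenticationTokenValue = token;
        return service;
    }

    static void Main()
    {
        // Normal call: act as the authenticated Windows account.
        var asSelf = BuildService("AdventureWorks", Guid.Empty);
        var me = (WhoAmIResponse)asSelf.Execute(new WhoAmIRequest());
        Console.WriteLine("Running as CRM user " + me.UserId);

        // Impersonating call: requires the connecting account to be in PrivUserGroup.
        // Placeholder GUID; in a real deployment this is a systemuser id from CRM.
        var other = new Guid("00000000-0000-0000-0000-000000000001");
        var asOther = BuildService("AdventureWorks", other);
        var who = (WhoAmIResponse)asOther.Execute(new WhoAmIRequest());
        Console.WriteLine("WhoAmI reports " + who.UserId); // equals 'other' only if impersonation was honoured
    }
}
```

Because PrivUserGroup membership is what turns CallerId from a rejected request into an impersonation, its membership is worth auditing and keeping to service accounts that genuinely need to act on behalf of other users.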