Microsoft Dynamics CRM 4.0 : Authentication (part 2)

11/26/2011 5:33:42 PM

Kerberos Authentication

In the Windows environment, authentication delegation is possible only with the Kerberos protocol. Therefore, all systems involved in delegation scenarios must use the Kerberos protocol. There are two main delegation scenarios:

  • Basic Kerberos delegation

  • Kerberos authentication using constrained delegation

Basic Kerberos Delegation

As illustrated in Figure 4, with basic Kerberos delegation the user authenticates to the front-end server, and the front-end server then requests data from the back-end server using the user’s account.

Figure 4. Basic Kerberos delegation.


Delegation enables the user’s credentials to be passed from one server to another and preserves the user identity. This allows you to have multiple front-end servers and to scale the middle tier for growth.

  • Pro

    • Security controlled at the data layer, so there is no way security can be compromised.

  • Con

    • Big security management overhead because all security is managed on the back-end systems.

    • The middle tier is allowed to access any back-end data source based on the user credentials.

Note

Kerberos authentication passes a Kerberos token provided by the Kerberos Ticket Granting service only after the initial authentication. At no point are the user’s credentials passed within the server farms.


Kerberos Authentication Using Constrained Delegation

Constrained delegation lets you limit which network resources an account trusted for delegation can access. This feature is supported at the Windows 2003 domain functional level and up. Figure 5 shows Kerberos authentication using constrained delegation.

Figure 5. Kerberos authentication constrained to a service.


To limit the resources that services can access on behalf of a user, you can configure constrained delegation by listing the services to which the account can present delegated credentials. This list is in the form of SPNs (service principal names). An attempt to impersonate the user to any back end that is not on the list will fail authentication.

This is the most common deployment of Kerberos authentication.

Setting Up Kerberos

To use Kerberos completely, you must configure a number of things, including the following:

  • Client settings

  • Front-end tier, typically an IIS server

  • Back end

  • Active Directory

Figure 6 shows the Kerberos flow.

Figure 6. Kerberos flow.

Client Configuration

Before setting up or debugging Kerberos, client settings need to be verified.

Note

To ensure consistency with the client settings, it is recommended to use Group Policy (GPO) to enforce the settings on client machines.


The following steps ensure that integrated authentication is enabled on the client:

  1. In Internet Explorer, click Tools, Internet Options, Advanced, and scroll to Security.

    Figure 7. Enable integrated Windows authentication.

  2. Ensure Automatic Logon is enabled in the appropriate zone on the client. (In Internet Explorer, click Tools, Internet Options, Security.)

    Figure 8. Enable the Automatic Logon Only in the Intranet Zone option.

Note

  • The client needs to be a member of a trusted domain.

  • Ensure the URL is part of the client’s local intranet sites.

  • The domain user must have the Account Is Sensitive and Cannot Be Delegated option unselected in Active Directory.
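
The delegation rules described above (basic delegation, the constrained-delegation SPN list, and the Account Is Sensitive and Cannot Be Delegated option), modelled as an added example that is not part of the original article. It is a simplified model, not the KDC's real logic; the account names, host names and records are constructed, and it assumes the accounts' `userAccountControl` and `msDS-AllowedToDelegateTo` attributes have been exported from Active Directory.

```python
# Added example: a simplified model of the delegation rules, not the KDC's real logic.
# Flag values are the documented userAccountControl bits.
NORMAL_ACCOUNT = 0x200
TRUSTED_FOR_DELEGATION = 0x80000   # basic delegation: trusted to any service
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Constructed sample records (hypothetical names, attributes as exported from AD).
SERVICES = {
    "svc-crm-web": {
        "userAccountControl": NORMAL_ACCOUNT,
        "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"],
    },
    "svc-legacy-web": {"userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
                       "msDS-AllowedToDelegateTo": []},
    "svc-report": {"userAccountControl": NORMAL_ACCOUNT, "msDS-AllowedToDelegateTo": []},
}
USERS = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT},
    "dom-admin": {"userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
}

def delegation_posture(service):
    """Classify a service account as 'unconstrained', 'constrained' or 'none'."""
    if service["userAccountControl"] & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    return "constrained" if service.get("msDS-AllowedToDelegateTo") else "none"

def can_delegate(service, user, target_spn):
    """True if `service` may present `user`'s identity to the back end `target_spn`."""
    if user["userAccountControl"] & NOT_DELEGATED:
        return False                      # sensitive accounts are never delegated
    posture = delegation_posture(service)
    if posture == "unconstrained":
        return True                       # any back end is reachable as the user
    if posture == "constrained":          # SPN comparison is case-insensitive
        allowed = {spn.lower() for spn in service["msDS-AllowedToDelegateTo"]}
        return target_spn.lower() in allowed
    return False

def audit(services):
    """Return account names trusted for delegation to any service, sorted."""
    return sorted(n for n, s in services.items()
                  if delegation_posture(s) == "unconstrained")

if __name__ == "__main__":
    for name, svc in SERVICES.items():
        print(name, delegation_posture(svc))
    print("review:", audit(SERVICES))
```

Accounts returned by `audit` are the ones to review first, since they can act as the user against any back end rather than only the listed SPNs.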

 