At PowerObjects, we create many portals for Microsoft Dynamics CRM, including customer service portals, distributor portals, partner portals, and more. A portal is a custom application that allows external users to access and edit data that is stored in Microsoft Dynamics CRM (a.k.a CRUD - Create, Read, Update and Delete operations). A CRM portal application can be developed using the appropriate web development technologies along with the Dynamics CRM Web Services for data access. In this blog, we'll discuss some of the different Dynamics CRM portal authentication methods to use when building a portal.

1. Forms Authentication
   This lets you authenticate users using your own code and then maintains an authentication token in a cookie or in the page URL. When coding this method, you have the option of being able to see and modify the username and password from Microsoft Dynamics CRM, if desired, or users may create, update, and reset their authentication information from the portal itself.
2. Windows Authentication
   Windows Authentication treats the user identity supplied by Microsoft Internet Information Services (IIS) as the authenticated user. This is best used in situations where portal users are employees of your organization, such as an intranet application.
3. Live ID Authentication
   Live ID Authentication allows users to be authenticated using their Live ID to your website without having to create your own security providers.

Forms Authentication

To use forms authentication, you create a login page that collects credentials from the user and that includes code to authenticate the credentials. Typically you configure the application to redirect requests to the login page when users try to access a protected resource, such as a page that requires authentication. If the user's credentials are valid, you can redirect the request back to the originally requested resource with an appropriate authentication ticket (cookie). If you do not want the redirection, you can just get the forms authentication cookie or set it. On subsequent requests, the user's browser passes the authentication cookie with the request, which then bypasses the login page.

You configure forms authentication by using the authentication configuration element as shown in screenshot below.

The form authentication is implemented in CRM portals by maintaining the user credentials for the portal in an entity in CRM. One example of implementing forms authentication in CRM portal will be maintaining the credentials in contact entity in CRM and creating a custom membership provider class using ASP.NET membership, fields created in contact entity for authentication and also using ASP.NET login controls. ASP.NET membership lets you store and manage user information and includes methods to authenticate users. ASP.NET login controls work with ASP.NET membership. They encapsulate the logic to prompt users for credentials, validate users, recover or replace passwords, and so on. In effect, ASP.NET membership and ASP.NET login controls provide a layer of abstraction over forms authentication.

Windows Authentication

IIS provides a number of authentication mechanisms to verify user identity, including anonymous authentication, Windows integrated (NTLM) authentication, Windows integrated (Kerberos) authentication, Basic (base64 encoded) authentication, Digest authentication, and authentication based on client certificates. This authentication method uses Windows accounts for validating users' credentials.You configure windows authentication by using theauthentication configuration element as shown in screenshot below.

The windows authentication is implemented in a CRM portal when the portal is an intranet application by validating the user based on his/her network credentials

Live ID Authentication

The following are the steps needed to implement Live ID authentication.

1. Register Your Website with Windows Live ID
   1. To begin, you need to register your website with Microsoft account:
      https://live.azure.com/
   2. When registering your site, you need to provide your full domain name, for example, "yoursite.yourdomain.com", not just "yourdomain.com".
   3. You also need to provide a URL that directs Microsoft account requests back to when they have finished signing in. This will be to your Handler Service, which you can read about later in this document, but, by default, the URL to enter is: http://yoursite.yourdomain.com/liveid.axd
   4. After you have registered your Website, it provides you with an application ID and a secret that you will use to plug in to your web.config so that the site can be hooked up to the Microsoft account.
   5. Here are some things to note:
   6. Your domain names cannot include strings such as localhost, 127.0.0.1, or anything with the word "live" in it.
   7. You cannot share the management of the Website with other users.
   8. You cannot change your domain name after you have registered it.
2. Add Live ID Information to the web.config
   1. In your web.config, under connection Strings, you will need the following string populated with your Application ID and Secret:
      
3. Add the Membership Provider and Handler Service
   1. The Membership Provider handles the user login information. Using Microsoft account requires the use of the Microsoft account Membership Provider:
      

   2. The Handler Service validates whether the authenticated user has been registered on your Website. If you are running an Internet Information Services (IIS) 7 site in Integrated Mode, you will need to ensure that the following is added in your
      section:

   3. If you are running in Classic Pipeline Mode or IIS6, the Handler Service is configured under the section of your Web.config file.
      

4. Add theLiveIdLoginStatus Control
   1. The last step is to add the LiveIdLoginStatus control, which works like the LoginStatus control. It displays a log in link for users who are not authenticated and a log out link for users who are authenticated.
   2. When anonymous, the link takes the user to Windows Live or optionally (using LoginNavigateUrl) to a specified landing page that lets the user know they are going to Windows Live.
   3. When authenticated, the log out link resets the current user's identity to be an anonymous user.
      <crm:LiveIdLoginStatus runat="server" />
   4. This assumes that the "crm" tag prefix has been registered to "Microsoft.Xrm.Portal.Web.UI.WebControls".
5. Force Registration
   When using windows live ID for authentication, only the Passport Unique Identifier (PUID) is known. If you want additional information about the user (such as a display name or email) you will need to collect this from the user.
   Two common ways to do this are:
   1. Set up a page for them to fill in their information at their own convenience when they are logged in and collect information before they can be authenticated on your site.
6. Set up some special handling with your Microsoft.
7. As part of a user registration, Microsoft Dynamics CRM needs to know the PUID of the user so that it can link this to the user's Microsoft Dynamics CRM contact information. In other words, you need to have the user log in using Microsoft account and then send the user to your registration page. This is done by adding the RegistrationUrl attribute on the LiveIdLoginStatus control.
   <crm:LiveIdLoginStatus runat="server" RegistrationUrl="/CreateUser" />
8. In the code behind your registration page, you need to add code to keep the Microsoft account token and create the new user once you have collected the information you want.

C#

In addition to these authentication methods, you can also authenticate via Active Directory Federated Services and with Windows Azure, or you can also use common authentication methods such as Facebook.

Questions on CRM portal authentication?

We can help.

Happy CRM'ing!