Impersonation in Dynamics CRM

Sometimes it is essential for the business to identify and authenticate users when they try to reach sensitive data and security is the most important issue. This is especially important when the logged-in user for a particular application is a system user, and you need to authenticate the user that is using the application. In this blogpost I want to tell you how to impersonate a user on behalf of a system user that is connecting to Dynamics CRM.

In this example we have an MVC .NET Framework Web Application which is running on an IIS server. The application itself will have Windows Authentication and the application pool is being used by a system account, and inside the application we will be connecting to Dynamics CRM on-prem solution and the user who connects to dynamics will impersonate himself on behalf of the system account.

First things first, so let’s look at the IIS configuration of the website application that we try to reach. The first thing we need to setup is the web sites authentication method. In the Connections pane in the left select the server and then the sites and then the site that the web application is running on. In the middle pane under the section Authentication double click and make sure that both Windows Authentication and ASP.NET Impersonation are enabled.

When creating the datetime field, you need to consider what the business requirements are for that particular After selecting Windows Authentication, you can choose the Providers on the right pane and move NTLM provider up on Negotiate.

In the Application Pools section in the left pane, you should select your application and change the user to the system user that will connect to the application. For example, in the below picture the “ApplicationPoolIdentity” user needs to be changed.

To do that, you need to go Advanced Settings in the right pane and then select the user at the Identity variable under the Process Model section. You also need to define the domain name and username with the credentials.. 

Now IIS seems to be set for the Windows Authentication and ASP.NET Impersonation. The next thing we need to do is to make the application code ready for the impersonation. The impersonation is simple; we are going to use the Microsoft.Xrm.Sdk to connect to Dynamics 365.  So, the only thing we need to do is to set the value CallerId under the OrganizationService’s proxy, with the user connected to Dynamics. An example code for this can be seen below.

Also, for the application to recognize that we need impersonation we need to add these following lines in the web.config file. These lines should be directly under the <configuration> tag.

Another thing to consider is that your web application should be enabled for windows authentication. You can set this on Visual Studio by clicking the project name and under the Project Properties pane just set the Windows Authentication to true and Anonymous Authentication to false.

After you publish your code and deploy it to the server you can check the login URL of the web application. At first run, the user can be prompted with a pop-up window to enter their credentials towards Dynamics CRM and when they do so, the application will impersonate them instead of the system user and they will get access to Dynamics CRM.

Hope this guide helps you through the impersonation process. Happy Coding!

Mirac Kocaturk
Senior Software Developer

So where do you start?

As your long-term partner for sustainable success, Sirocco is here to help you achieve your business goals. Contact us today to discuss your specific needs and book a free consultation or workshop to get started!