Authenticating with on-premise (IFD) CRM using NTLM authentication from Web App (Express.js)


Question

I'm asking this question on the back of a previous question I raised, as the scope of the question has changed somewhat but that might be worth reading first for background info.

I'm trying to programmatically obtain data out of our Dynamics CRM instance, using a single set of admin credentials within a Node powered Express app. This Express app is hosted on a separate server outside of our network where CRM is hosted. The app will then request, process and serve CRM data back to any logged in user who has access (controlled by roles/permissions within the app), meaning an end user only has to log in to the Express app.

From my web browser, if I visit our on-premise CRM endpoint: https://my.crm.endpoint, I get prompted for a username and password.

If I provide correct credentials, I am authenticated and have full access to the CRM, allowing me to query the API.

Example https://my.crm.endpoint/api/data/v8.2/contacts?$select=fullname,contactid

This returns a lovely JSON object containing all the data I want :)

NOW! Under the covers, I can see that it is using NTLM to authenticate, of which I have little knowledge :/ Having read up a little and watched a few YouTube videos, I have a basic understanding of the challenge/response mechanism but I'm still unsure as to how to proceed.

NB: I have read this from Microsoft which describes the mechanism, but doesn't give any specific examples. I don't even know what hashing algorithm should be used, or what headers to set etc.

Question Can anyone provide any sort of detail as to how I can authenticate with our CRM using NTLM from a Web App (Express in my case)?

Steps I can see the browser making...

  1. Visit https://my.crm.endpoint
  2. 302 Redirected to: https://fs.our.domain/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f&wctx=rm%3d1%26id%3dfaf0791c-6a3a-4c4e-9e69-9dfa8fd4c2e8%26ru%3d%252fdefault.aspx&wct=2018-04-20T10%3a12%3a37Z&wauth=urn%3afederation%3aauthentication%3awindows
  3. Prompted for user credentials
  4. **enter credentials**
  5. A whole bunch of stuff happens here and I get a little lost but looks like it gets a couple of 401's then a POST is made to the https://my.crm.endpoint. Another 302 is shown, then finally a GET to the actual default.aspx page.
  6. I then have access to CRM.

NB: Once authenticated, I can see three cookies that have been set and which are sent when querying the api example above. These cookies are MSISAuth, MSISAuth1 and ReClientId.

If I'm missing any crucial info, please let me know and I'll provide what I can!

Update

I have just installed httpntlm module and attempted to authenticate using this...

let httpntlm = require('httpntlm');

// httpntlm.get performs the NTLM type 1/2/3 handshake itself and then issues
// the GET; it does not follow redirects, so a 302 comes back as the response.
httpntlm.get({
    url: 'https://my.crm.endpoint',
    username: '<my.email@address.com>',
    password: '<mypassword>',
    workstation: '',  // unsure what to put here if anything?
    domain: ''        // unsure what to put here if anything?
}, function (err, res) {
    // the callback's return value is discarded, so log the error instead of returning it
    if (err) {
        console.error(err);
        return;
    }

    console.log(res.statusCode);
    console.log(res.headers);
    console.log(res.body);
});

The response I get is this...

{ location: 'https://fs.our.domain/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f&wctx=rm%3d1%26id%3d93a4c6fd-5b17-4a2b-965f-07af5e96b08f%26ru%3d%252fdefault.aspx&wct=2018-04-20T14%3a08%3a00Z&wauth=urn%3afederation%3aauthentication%3awindows',
  server: 'Microsoft-IIS/8.5',
  req_id: '298acefc-53aa-46fa-96c4-e5d8762b1fd2',
  'x-powered-by': 'ASP.NET',
  date: 'Fri, 20 Apr 2018 14:08:00 GMT',
  connection: 'close',
  'content-length': '397' }
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://fs.our.domain/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f&wctx=rm%3d1%26id%3d93a4c6fd-5b17-4a2b-965f-07af5e96b08f%26ru%3d%252fdefault.aspx&wct=2018-04-20T14%3a08%3a00Z&wauth=urn%3afederation%3aauthentication%3awindows">here</a>.</h2>
</body></html>

Anyone able to shed any light on what I actually need to be doing?! :-/

Update 2

Following @markgamache comment, and having read the suggested docs, we are indeed using WS-Fed! As the Wa=signin1.0 parameter informs the browser to pop up a login box, does this make it impossible to achieve this programmatically, without additional user interaction?

Answer

Based on my understanding of the following:

  • You are using CRM on premises with claims authentication (ADFS). That means that when a user accesses CRM, the user is redirected to ADFS to authenticate (if the user is on the internal network, ADFS uses Integrated Windows Authentication by default) and is then redirected back to CRM.
  • You must call the CRM endpoint from an external (node.js) application. The call is not "client side" (i.e. via browser/javascript) but "server side" (i.e. from the web server hosting the application).

The ideal solution would be to apply here the S2S (server to server) scenario which involves an application user in CRM which in turn is used to call a CRM API using the OAuth client credentials flow (client id + secret). Problem is, as far as I know, currently the application user concept is only supported in CRM online, not on premises.

So then you can try one of these 3 options:

  1. Despite the fact that you are using claims authentication in CRM, you can still use integrated Windows authentication (IWA). How? If you check the CRM IIS site, you must have an HTTPS binding. If you add an HTTP binding (i.e. port 80, no host header), you can access http://CRM_Server_Name/api/data/v8.2/contacts using IWA. So in this scenario, the httpntlm module you already tried could work. Please note that CRM supports one HTTPS IIS binding and one HTTP IIS binding - so make sure not to add more than one binding of each type.
  2. Mimic (programmatically of course) the authentication flow you observed in the browser. What does this mean? Generate an IWA authenticated request to https://fs.our.domain/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f&wauth=urn%3afederation%3aauthentication%3awindows. ADFS will authenticate you and will give you some cookies. You will need to store those cookies to make a subsequent request to https://my.crm.endpoint/api/data/v8.2/contacts. Not a great solution but should work.
  3. Use OAuth. Problem is that as I described at the beginning, the ideal OAuth flow for this scenario (client credentials) is not available for CRM on prem as far as I know. So then you must use the Authorization Code Grant flow, described here. First you will need to register an ADFS application and then again, you will need to make several HTTPS calls (one of them will be a call to the ADFS IWA authentication endpoint) to finally obtain a token that you can use to make calls to the CRM endpoint.
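Option 2 above as a worked example. This is added code, not from the question or the answer: it follows the answer's sketch (NTLM-authenticate to the ADFS IWA endpoint, keep the cookies ADFS issues, replay them to the CRM Web API). The transport is injected: `ntlmGet` is assumed to have the `httpntlm.get(options, callback)` signature the question already uses, and `httpsGet(url, headers, callback)` is a hypothetical plain HTTPS helper, so the flow can be exercised with fake transports; the intermediate POST the browser makes in step 5 of the question is not modelled.

```javascript
// URLs taken from the question; the wctx/wct parameters are dropped as the answer's option 2 does.
const ADFS_SIGNIN = 'https://fs.our.domain/adfs/ls/?wa=wsignin1.0'
  + '&wtrealm=https%3a%2f%2fmy.crm.endpoint%2f'
  + '&wauth=urn%3afederation%3aauthentication%3awindows';
const CRM_API = 'https://my.crm.endpoint/api/data/v8.2/contacts?$select=fullname,contactid';

// Reduce raw Set-Cookie header values to name=value pairs (attributes such as
// Path/Secure/HttpOnly are dropped; only the pair is replayed to the server).
function cookieJarFromSetCookie(setCookie) {
  const jar = {};
  for (const raw of [].concat(setCookie || [])) {
    const pair = raw.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq > 0) jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Serialise the jar back into a single Cookie request header.
function cookieHeader(jar) {
  return Object.keys(jar).map(name => `${name}=${jar[name]}`).join('; ');
}

// Step 1: NTLM (IWA) handshake against the ADFS sign-in endpoint.
// Step 2: replay the ADFS session cookies (MSISAuth/MSISAuth1 as observed in
// the question) on the CRM API call. `transport` is the injected HTTP layer.
function fetchContacts(transport, creds, done) {
  const opts = { url: ADFS_SIGNIN, username: creds.username, password: creds.password,
                 domain: creds.domain, workstation: '' };
  transport.ntlmGet(opts, (err, res) => {
    if (err) return done(err);
    const jar = cookieJarFromSetCookie(res.headers['set-cookie']);
    if (!jar.MSISAuth) {
      return done(new Error('ADFS did not issue an MSISAuth cookie (status ' + res.statusCode + ')'));
    }
    const headers = { Cookie: cookieHeader(jar), Accept: 'application/json' };
    transport.httpsGet(CRM_API, headers, (err2, res2) => {
      if (err2) return done(err2);
      if (res2.statusCode !== 200) return done(new Error('CRM returned HTTP ' + res2.statusCode));
      // OData responses wrap the rows in a "value" array.
      done(null, JSON.parse(res2.body).value);
    });
  });
}
```

With the real modules wired in, `transport.ntlmGet` would be `httpntlm.get` and the credentials the same admin account the question uses; the cookie jar should live per process, not per end user, since the app authenticates as one service identity.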
