CRM-service Active Directory Integration
General
This document describes the high-level design of the Active Directory integration. The AD integration covered in this document does not include single sign-on functionality.
All users who have access to CRM-service also belong to a specific CRM users group in Active Directory. Active Directory does not hold any roles, user rights or permissions related to CRM-service: membership of the group only determines who may log in, and CRM-service's own roles and permissions are managed in CRM-service, not in AD.
General constraints
The Active Directory server runs in Windows Server 2003/2008 domain mode. Communication between CRM-service and AD is secured with SSL (LDAP over SSL). For the encryption to actually protect the credentials sent in the bind, CRM-service must validate the AD server certificate against a trusted CA; an encrypted but unvalidated connection can be intercepted by an active attacker.
Automatic user creation process
The AD integration creates the user's basic account information in CRM-service automatically after the user has been added to the CRM Active Directory group. User creation runs as a periodic batch job (see the figure below).
Authentication process
The authentication process of CRM-service is described in the figure below.
A user is always authenticated against AD if the user's login information stored in CRM-service originates from the AD user synchronization process. Users that were not created by the AD synchronization process are always authenticated against their CRM-service login and password.
The AD authentication query identifies the user by the UserPrincipalName (UPN) attribute. The CRM-service login of an AD-synchronized user is assumed to be the user's UserPrincipalName.
The AD credential check consists of two separate checks:
1. The user login and password must be correct.
2. The user must belong to the CRM AD group.
Only if both conditions are fulfilled can the user log in; a valid AD account that is not a member of the group is rejected.
AD users' passwords are never stored on the CRM-service side; the password entered at login is only passed to AD for verification.
Error handling
If CRM-service cannot connect to the customer's AD server, users with an AD type of login name in CRM-service cannot log in (the integration fails closed rather than falling back to a local check). Users created directly in CRM-service are unaffected, since they are authenticated against their CRM-service login and password.
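The login decision described in the authentication and error-handling sections above, as an added Python example; it is not part of the original design document or of the CRM-service code base. It routes AD-synchronized users to a bind as their UserPrincipalName followed by the CRM group check, routes locally created users to a CRM-side password hash, and fails closed for AD users when the directory is unreachable. The group DN, the account names and the in-memory FakeAD that stands in for the real LDAPS connection are all constructed for illustration; in production the `Directory` role would be filled by a real LDAP client bound to the customer's AD server.

```python
"""Login decision logic for the AD-integrated CRM-service design (added example).

AD-synchronized users: bind as UserPrincipalName (check 1), then CRM group check (check 2).
Local users: verified against a CRM-side password hash. AD unreachable: AD users fail closed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Protocol

# Hypothetical DN of the CRM users group; the real DN is customer-specific.
CRM_GROUP_DN = "CN=CRM Users,OU=Groups,DC=example,DC=com"


class DirectoryUnavailable(Exception):
    """Raised when the AD server cannot be contacted."""


class Directory(Protocol):
    """What the login code needs from AD; a real implementation wraps LDAPS."""
    def bind(self, upn: str, password: str) -> bool: ...
    def member_of(self, upn: str) -> set[str]: ...


def upn_filter(upn: str) -> str:
    """Search filter locating the account by UserPrincipalName (e.g. to read memberOf).
    The value is escaped per RFC 4515 so a login such as 'a*)(cn=*' cannot alter the filter."""
    escaped = "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in upn)
    return f"(&(objectClass=user)(userPrincipalName={escaped}))"


@dataclass
class CrmUser:
    login: str          # for AD users this is the UserPrincipalName
    from_ad_sync: bool  # True if the account was created by AD synchronization
    salt: bytes = b""   # local users only: AD passwords are never stored here
    pw_hash: bytes = b""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def authenticate(user: CrmUser, password: str, ad: Directory) -> bool:
    """Return True only if the user may log in."""
    if not password:
        # An LDAP simple bind with an empty password is an anonymous bind and
        # would appear to succeed; reject it before it reaches the directory.
        return False
    if user.from_ad_sync:
        try:
            if not ad.bind(user.login, password):              # check 1: credentials
                return False
            return CRM_GROUP_DN in ad.member_of(user.login)    # check 2: group membership
        except DirectoryUnavailable:
            return False                                       # fail closed, no local fallback
    if not user.pw_hash:
        return False
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


@dataclass
class FakeAD:
    """In-memory stand-in for the LDAPS connection, constructed for the demo."""
    accounts: dict[str, tuple[str, set[str]]]  # upn -> (password, group DNs)
    reachable: bool = True

    def bind(self, upn: str, password: str) -> bool:
        if not self.reachable:
            raise DirectoryUnavailable("cannot connect to AD")
        entry = self.accounts.get(upn.lower())  # UPNs are case-insensitive
        return entry is not None and entry[0] == password

    def member_of(self, upn: str) -> set[str]:
        if not self.reachable:
            raise DirectoryUnavailable("cannot connect to AD")
        return self.accounts[upn.lower()][1]


def demo() -> dict[str, bool]:
    """Exercise every branch of the decision with constructed accounts."""
    ad = FakeAD({
        "alice@example.com": ("Correct-Horse-7", {CRM_GROUP_DN}),
        "bob@example.com": ("Battery-Staple-9", set()),  # valid AD account, not in CRM group
    })
    alice = CrmUser("alice@example.com", from_ad_sync=True)
    bob = CrmUser("bob@example.com", from_ad_sync=True)
    salt = os.urandom(16)
    carol = CrmUser("carol", False, salt, hash_password("local-secret", salt))
    results = {
        "ad user, correct password, in group": authenticate(alice, "Correct-Horse-7", ad),
        "ad user, wrong password": authenticate(alice, "wrong", ad),
        "ad user, correct password, not in group": authenticate(bob, "Battery-Staple-9", ad),
        "ad user, empty password": authenticate(alice, "", ad),
        "local user, correct password": authenticate(carol, "local-secret", ad),
    }
    ad.reachable = False  # the error-handling case: AD server cannot be reached
    results["ad user while AD unreachable"] = authenticate(alice, "Correct-Horse-7", ad)
    results["local user while AD unreachable"] = authenticate(carol, "local-secret", ad)
    return results
```

Two details worth keeping when the FakeAD is replaced by a real LDAP client: the empty-password guard, because an LDAP simple bind with an empty password is an anonymous bind and looks like success to naive code, and the filter escaping in `upn_filter`, because the login name is attacker-controlled input the moment it is placed inside a search filter.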