CRM Online 2015 API via PHP - securityToken issue


I have to implement some code dealing with Microsoft Dynamics CRM 2015 using the PHP language and, since I'm totally new to Dynamics CRM and Microsoft services, it's pretty tricky for me, since there isn't much documentation for non-.NET languages.

What I need to do is create PHP APIs that read and add rows to Dynamics CRM 2015's "contacts" and "account" tables.

By googling I found out that the main part of the auth part should be done in four main steps (taken from Girish Raja's Blog):

1 - Pass in the device credentials and get a PUID. The device credentials are a randomly generated string that satisfies the Live ID schema. You can generate one from this tool: Create CRM 2011 Beta Device
    POST login.live.com/ppsecure/DeviceAddCredential.srf
    Get the PUID from the response

2 - Pass the device credentials
    POST login.live.com/liveidSTS.srf
    Get the device CipherData (BinaryDAToken)

3 - Pass the WLID username, password and device BinaryDAToken
    POST login.live.com/liveidSTS.srf
    Get the security tokens (2 CipherValues) & X509SubjectKeyIdentifier

4 - Do CRUD with the web service by passing X509SubjectKeyIdentifier, 2 CipherValues and the SOAP request (with data payload)
    POST yourorganization.api.crm.dynamics.com/XRMServices/2011/Organization.svc
    Get the result from the CRUD response and parse the XML to get the data you need

I successfully got through the first point and obtained a PUID from DeviceAddCredential.srf, but there seems to be no way to get through the second point. I keep getting the error "The entered and stored passwords do not match".

I'm actually using Ben Speakman's dynamicsClient class and, since it's a 2011 class, my guess is that maybe there's something wrong with its login procedure (for example I had to fix another issue in the code upgrading CURLOPT_SSLVERSION).

Here's the getBinaryDAToken function that tries to obtain the device credentials. What I'm not sure about is the URL it is using, https://login.live.com/liveidSTS.srf. My guess is that maybe the auth services moved from login.live.com and there's a similar service for Office 365 products I should call instead of login.live.com.

Some other scripts around use login.microsoftonline.com/extSTS.srf, but it looks like an even older URL.

Can you please help me with this auth procedure? Thanks a lot!

private function getBinaryDAToken(){

        $deviceCredentialsSoapTemplate = '
        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <s:Header>
                <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
                <a:MessageID>
                    urn:uuid:'.$this->messageid.'
                </a:MessageID>
                <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
                <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPoy9Ez+P/wJdOhoN2XNauvYcAAAAAK0Y6fOjvMEqbgs9ivCmFPaZlxcAnCJ1GiX+Rpi09nSYACQAA</VsDebuggerCausalityData>
                <a:To s:mustUnderstand="1">https://login.live.com/liveidSTS.srf</a:To>
                <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <u:Timestamp u:Id="_0">
                        <u:Created>'.$this->currentTime.'Z</u:Created>
                        <u:Expires>'.$this->nextDayTime.'Z</u:Expires>
                    </u:Timestamp>
                    <o:UsernameToken u:Id="devicesoftware">
                        <o:Username>'.$this->deviceUserName.'</o:Username>
                        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
                            '.$this->devicePassword.'
                        </o:Password>
                    </o:UsernameToken>
                </o:Security>
            </s:Header>
            <s:Body>
                <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
                    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                        <a:EndpointReference>
                            <a:Address>http://passport.net/tb</a:Address>
                        </a:EndpointReference>
                    </wsp:AppliesTo>
                    <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
                </t:RequestSecurityToken>
            </s:Body>
        </s:Envelope>';

        return $this->doCurl("/liveidSTS.srf" , "login.live.com" , "https://login.live.com/liveidSTS.srf", $deviceCredentialsSoapTemplate);



    }

UPDATE: thanks to Campey, the new login URL https://login.microsoftonline.com/RST2.srf solved the second step problem.

There is 1 answer

Campey (best answer)

CRM Online has changed from the old authentication method (Windows Live), which required the Device Credentials, and now uses Office 365 instead, which (in my opinion) makes things easier, and it's definitely faster.

I have written a blog about this:
http://crmtroubleshoot.blogspot.com.au/2013/07/dynamics-crm-2011-php-and-soap-using.html
http://crmtroubleshoot.blogspot.com.au/2013/07/dynamics-crm-2011-php-and-soap-calls.html

Also Jason Lattimer wrote a blog more recently which will provide a library you can try and implement and would work with on-premise (mine does not) http://jlattimer.blogspot.com.au/2015/02/soap-only-authentication-using-php.html
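
The getBinaryDAToken function in the question concatenates the username and password into the SOAP template as raw strings, so a credential containing `&` or `<` breaks or alters the envelope, and the line breaks around the password become part of the element's text. As an added example (not code from the original post, the dynamicsClient class or either blog), the same `o:Security` header can be built with DOMDocument so the values go in as text nodes; the function name, the sample credentials and the 300-second lifetime are assumptions, and only the header fragment is built, not the full envelope.

```php
<?php
// Added example: WS-Security UsernameToken built with DOM instead of string concatenation.
const WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const WSU  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const PASSWORD_TEXT = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText';

/** Hypothetical helper: returns the <o:Security> element as an XML string. */
function buildSecurityHeader(string $username, string $password, int $lifetimeSeconds = 300): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $security = $doc->appendChild($doc->createElementNS(WSSE, 'o:Security'));

    // Short-lived timestamp in UTC (the lifetime is an assumption, not a service requirement).
    $now = new DateTimeImmutable('now', new DateTimeZone('UTC'));
    $timestamp = $security->appendChild($doc->createElementNS(WSU, 'u:Timestamp'));
    $timestamp->setAttributeNS(WSU, 'u:Id', '_0');
    $times = ['u:Created' => $now, 'u:Expires' => $now->modify("+{$lifetimeSeconds} seconds")];
    foreach ($times as $name => $time) {
        $el = $timestamp->appendChild($doc->createElementNS(WSU, $name));
        $el->appendChild($doc->createTextNode($time->format('Y-m-d\TH:i:s\Z')));
    }

    $token = $security->appendChild($doc->createElementNS(WSSE, 'o:UsernameToken'));
    $token->setAttributeNS(WSU, 'u:Id', 'devicesoftware');

    // Text nodes are escaped on serialization, so metacharacters cannot add markup.
    $user = $token->appendChild($doc->createElementNS(WSSE, 'o:Username'));
    $user->appendChild($doc->createTextNode($username));

    // The password is the element's entire text content: no indentation or newlines around it.
    $pass = $token->appendChild($doc->createElementNS(WSSE, 'o:Password'));
    $pass->setAttribute('Type', PASSWORD_TEXT);
    $pass->appendChild($doc->createTextNode($password));

    return $doc->saveXML($doc->documentElement);
}

// Constructed sample credentials containing XML metacharacters.
$password = 'p&ss<word>"1';
$xml = buildSecurityHeader('11sampledevice', $password);

// Round trip: parse the fragment and compare what a receiver reads with what was supplied.
$check = new DOMDocument();
$check->loadXML($xml, LIBXML_NONET);
$seen = $check->getElementsByTagNameNS(WSSE, 'Password')->item(0)->textContent;
var_dump($seen === $password);
echo $xml, PHP_EOL;
```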