Dynamics CRM 2013, redirect on "no user exists" error - dynamics-crm-2013

When new users join my organization, they may need to have their manager request access to CRM for them. I want to gather information from them in a form before handling the request.
When unauthorized users attempt to access CRM, they see an error message that says: "No Microsoft Dynamics CRM user exists with the specified domain name and user ID"
How can I redirect them from that error message to a form of my own design?

There is no supported way to redirect them. The only way you could do it would be to give your users a custom URL that points to another webpage with Windows Authentication. Then you could query CRM to see if the user exists; if it does, you could redirect them, and if it doesn't, you can display or do whatever you'd like.
I wouldn't recommend this because users that navigate to it via Office 365 would not hit your custom website.

Related

"Send With DocuSign" URL Button Works In Sandbox But Not Production

An APEX email error is received when trying to utilize the "Send With DocuSign" URL button on the contract object in Salesforce. This button was just created to meet the requirements to move from a JavaScript button. The button does not trigger an error in Sandbox, works as expected. But I can not replicate in production without getting the error shown below. Any idea on how to get this resolved?
Developer script exception from Franklin Madison Group : DocuSignAPICredentials : Please verify that you have been granted access to DocuSign, your account settings are correct and that you have responded to all activation emails.
Apex script unhandled exception by user/organization: 0053n000007GFbq/00D70000000Je65
Visualforce Page: /apex/dsfs__docusign_editenvelope
caused by: dsfs.UnauthorizedException: Please verify that you have been granted access to DocuSign, your account settings are correct and that you have responded to all activation emails.
Class.dsfs.DocuSignAPICredentials.getInstance: line 71, column 1
Class.dsfs.DocuSignAPICredentials.getInstance: line 56, column 1
Class.dsfs.AccountFeatures.getInstance: line 139, column 1
Class.dsfs.EnvelopeController.loadEnvelope: line 164, column 1
Cause
Common causes for the issue are listed below:
- The DocuSign user associated with the Salesforce user sending the envelope is not active
- The Salesforce user has not been added to the DocuSign users list in DocuSign Setup settings (in Salesforce)
- You are attempting to use Salesforce Login Access on behalf of a user "not yet Authorized DocuSign eSignature for Salesforce (DAL)"
Note: If the user hasn't authorized already, please refer to Step 4 in this article
Solution
Before continuing, ensure that you are on the most recent version of DocuSign eSignature for Salesforce (DAL). If you are on an outdated version, some of these steps will be unavailable.
To resolve this error, you’ll need to verify that both issues that cause this error have been addressed.
First, you’ll need to verify that this Salesforce user has been added to DocuSign.
To verify if a Salesforce user has been added properly:
1) Navigate to DocuSign Setup.
2) Select User Management, then select Add User.
3) Enter the name of the user in the Value box. When they appear in the search results, select the checkbox next to their name and select Continue.
4) Assign the appropriate permissions to the user and select Apply. If your package is up to date and a DocuSign user already exists for this user, the Salesforce user will be mapped to their existing DocuSign user.
5) Click Done to finish.
Second, verify that the DocuSign user associated with this Salesforce account is active.
To check if a user is active in DocuSign:
1) Navigate to the DocuSign web app and select Settings.
2) Navigate to Users and search for the user in question.
3) If the user is not active, select Actions > Resend Invitation to send the invite to the user again.
To activate a user:
1) The user will need to navigate to their email client and open the invitation email.
2) Click the link in the email to activate.
3) Create a password and security question.
Once the user is active, have the user attempt to send an envelope from Salesforce to confirm the issue is resolved.
Additional Troubleshooting
If the DAL Admin and all users are noticing the same error, try to disconnect and reconnect.
- Steps to Disconnect [Note: Disconnecting accounts will remove the DocuSign Gen and DocuSign Negotiate permissions for the Salesforce users that were given access under the old connection. You have to re-add DocuSign users and permissions in your organization.]
- Steps to Reconnect
If the Salesforce Administrator attempting to make this change is unable to access the DocuSign Setup object, ensure that they have the correct permission set assignment to access the object.
To view permission set assignments in Salesforce:
1) Navigate to Setup, select Users.
2) Navigate to the user in question and open their profile.
3) Navigate to Permission Set Assignments. If the DocuSign permissions are missing, edit the section and add DocuSign Administrator.
Note: If you are running both DocuSign Apps Launcher and legacy DocuSign eSignature for Salesforce, you will see duplicate permission sets with similar names. Add both to ensure correct permissions are applied to the user.
4) Retest to see if the user can access DocuSign Setup. If it’s still failing, follow the steps in this article to navigate to the DocuSign Troubleshooting page and select Delete DocuSign Credentials. You should then be able to navigate to DocuSign Setup and reestablish the connection between DocuSign and Salesforce.

publish web application in azure facing permission issue with office365

We are doing Office 365 with ASP.NET MVC. This example works fine on the local system (we are using VS2015), and when I publish it to an Azure web application it is published successfully.
After opening the URL and clicking the Email button, it goes to the login page; after entering the credentials the login succeeds and it redirects to the mail page, which now shows an error message, but locally everything works fine.
Please let me know if anything is required after publishing.
Oops you've reached an error!
We weren't able to process the action you requested. This was caused by an exception in the below table:
Exception Cause Action
AdalException This exception is thrown when either you have a stale O365 access token that can cause authentication errors, or you attempted to access a resource that you don't have permissions to access.
You'll may need to refresh the access token. Try signing out and signing back in to the app again, or refreshing the session Click here.
Make sure the app is configured with the correct service permissions in the Services Manager menu. If any of these permissions are not configured, or configured incorrectly, some parts of the app may throw an error. For example Right click the project, select Connected Service..., and ensure the following permissions are set for this app:
(Calendar) – Have full access to users’ calendar and Read users' calendar
(Contacts) – Have full access to users’ contacts and Read users' contacts
(Mail) - Send mail as a user, Read and write access to users' mail, and Read users' mail
(Users and Groups) – Enable sign-on and read users’ profiles.
Thanks,
hemanth

Office 365 Starter Project - Make sure the app is configured with the correct service permissions

I am using the following project: https://github.com/OfficeDev/O365-ASPNETMVC-Start
I set the configurations as requested in the documentation but I am receiving an error after sign in.
Cause Action
AdalException This exception is thrown when either you have a stale O365 access token that can cause authentication errors, or you attempted to access a resource that you don't have permissions to access.
Make sure the app is configured with the correct service permissions in the Services Manager menu. If any of these permissions are not configured, or configured incorrectly, some parts of the app may throw an error. For example Right click the project, select Connected Service..., and ensure the following permissions are set for this app:
(Calendar) – Have full access to users’ calendar and Read users' calendar
(Contacts) – Have full access to users’ contacts and Read users' contacts
(Mail) - Send mail as a user, Read and write access to users' mail, and Read users' mail
(Users and Groups) – Enable sign-on and read users’ profiles.
The permissions are set correctly:
How can I solve this problem?
You are missing the Send permission under the Mail API.
I fixed the problem...I was logging with the developers account without an assigned license. You have to create a new user and ensure that it has the Microsoft Office 365 Developer set as Assigned license.
If not this error would occur:
When making a request as an account that does not have a mailbox, you must specify the mailbox primary SMTP address for any distinguished folder Ids.

Update sharepoint user profile inside an AD group

The context:
A client environment: SharePoint Foundation 2010
He wants to have a timer job to update user profiles with data in Active Directory. Everything OK: I developed the timer job that gets a catalog from Active Directory and updates selected fields for every user in the SharePoint hidden users list; that way I can keep a daily update for every user.
The problem: the client has used (as I should have thought) an Active Directory group to manage permissions in SharePoint, something like "All authenticated users".
Now I have no clue how to update the profiles inside that group because they don't exist in the list.
Any ideas on where to update those profiles ?
Is it possible that the SP site was upgraded from an earlier flavor - specifically 2007 - and this is an artifact of that- NT Authority All Authenticated Users..... This is a catch-all reference sometimes dropped into a group or a listing pointing towards the SP site admin for user access requests. You can control access on it by having it in one group and then setting the permissions of that group as low as possible. But as for reading anything back into your scheme from Active Directory - there's nothing to grab. It's only a flag that tells SharePoint that an ID authenticated within the windows domain and nothing more. It's a default gateway of sorts to allow domain users into the SharePoint site, usually, for read only access or access to request SharePoint unique permissions, or, on some sites, access at a basic visitor level.

Spring Security : sharing security between my CRM webapp and my Front webapp

I have 2 distinct webapps:
- a CRM webapp which shows customer resume to office users
- a portal webapp for customer users
My CRM webapp uses a combination of LDAPManager and InMemoryManager with a BasicAuthenticationFilter and BasicAuthenticationEntryPoint.
My portal uses a classic JDBC Manager with a standard UsernamePasswordAuthenticationFilter.
Now, I need to access my portal transparently from my CRM webapp.
For example, I work in the office on the CRM webapp. A customer calls me and asks for explanations about what is mentioned in the Portal.
It would be possible for an office user to access the Portal as a customer from an http link in the CRM customer account page.
So I would bypass my LoginUrlAuthenticationEntryPoint and access the customer account directly.
EDIT after Michael help, I realize that I need to keep a trace of which CRM user access to which portal account :
My questions are :
- should I use PreAuthenticatedManager or RunAsManager?
- do I need declare a 2nd EntryPoint?
- what about AuthenticationFilters?
- Is it possible to recover a user BASIC authenticated from my CRM webapp in my new portal AbstractPreAuthenticatedProcessingFilter?
I have the following assumption / conclusion from your explanation:
1) The CRM user repository and the portal user repository have different users
2) CRM users should not know portal users passwords
I do not think you need to use RunAsManager.
(When you use RunAsManager it means you first authenticate as a CRM user in the portal and then replace the authentication by a portal user authentication. I do not think you can authenticate a CRM user against the portal user repository.)
I suggest to create your own “AuthenticateAs” functionality: when a CRM user press on a link in a CRM page of a portal user it will be authenticated in the portal as a portal user without providing a password.
How it works?
1) When a CRM user presses a link the parameter with an encrypted portal user name is added to URL.
2) When the request with an encrypted portal user name accesses the portal application, a newly created PreAuthenticatedProcessingFilter decrypts the user name and authenticates the user
That’s it :)
Couple of comments:
1) Please use AES-258 algorithm to encrypt / decrypt the user name
2) Please ensure that the key for encrypt / decrypt can not be accessed by HTTP
3) You can extend AbstractPreAuthenticatedProcessingFilter for your PreAuthenticatedProcessingFilter
4) I strongly suggest to create two roles in the portal application: USER_WRITE_ROLE and USER_READ_ROLE. When a CRM user accesses using “AuthenticateAs” authentication - it should get USER_READ_ROLE. When a portal user accesses using regular authentication - it should get USER_WRITE_ROLE.
5) You should think how a CRM user will perform the logout for a portal user (otherwise he always will work on the first user). The simplest way I can think about it - PreAuthenticatedProcessingFilter should process each request (even if it is authenticated) and, if it contains the parameter with the user name, clean the portal user session and perform the new authentication.
Please tell me what you think about the suggestion and tell me if you need any additional clarifications.
Best regards,
Michael
P.S. Added after the question was edited.
The simplest way to track CRM users on the portal is to add the additional encrypted parameter to the URL with the CRM user name
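
An added example, not part of the answer above and not Spring Security's own code: one way to build the encrypted URL parameter the answer describes, so that the portal filter rejects altered or stale links and learns which CRM user opened the account. The class name, the token layout, the use of AES-GCM with a 256-bit key and the 60-second lifetime are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper: names, token layout and the 60 s lifetime are assumptions.
public final class AuthenticateAsToken {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final long MAX_AGE_MS = 60_000;
    private static final SecureRandom RNG = new SecureRandom();

    // CRM side: seal "issuedAt|crmUser|portalUser" for use as a URL parameter.
    static String seal(byte[] key, String crmUser, String portalUser, long nowMs) throws Exception {
        if (crmUser.indexOf('|') >= 0) throw new IllegalArgumentException("'|' not allowed in crmUser");
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // fresh random IV per token; never reuse one with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal((nowMs + "|" + crmUser + "|" + portalUser).getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Portal side: returns {crmUser, portalUser}, or throws if forged, altered or expired.
    static String[] open(byte[] key, String token, long nowMs) throws Exception {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        if (raw.length < IV_LEN + TAG_BITS / 8) throw new SecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        byte[] pt = c.doFinal(raw, IV_LEN, raw.length - IV_LEN); // AEADBadTagException if tampered
        String[] f = new String(pt, StandardCharsets.UTF_8).split("\\|", 3);
        if (f.length != 3) throw new SecurityException("malformed token");
        long age = nowMs - Long.parseLong(f[0]);
        if (age < 0 || age > MAX_AGE_MS) throw new SecurityException("token expired");
        return new String[] { f[1], f[2] };
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];  // constructed demo key; load the real one from a keystore
        RNG.nextBytes(key);
        long now = System.currentTimeMillis();
        String t = seal(key, "crm.alice", "customer42", now);  // constructed sample names
        System.out.println(String.join(" -> ", open(key, t, now + 5_000)));
        try { open(key, t, now + 120_000); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

A filter extending AbstractPreAuthenticatedProcessingFilter could call open() from getPreAuthenticatedPrincipal, return the portal user as the principal and write the CRM user name to the audit log.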