I am struggling to access the Dynamics 2016 CRM OData Web APIs from a console application.
We have Dynamics CRM 2016 installed, configured with Claims-based authentication, and using AD FS v3.0.
My understanding is that a console app (or web app) should be able to access the Web APIs using Windows integrated authentication (i.e. NTML or Kerberos) without any special treatment ... or maybe the OAuth flow should work when enabled.
For a regular user accessing Dynamics "pages", the authentication works fine (redirection to AD FS log in page), but accessing the OData APIs does not seem to work (for instance : https://crm.domain.org/api/discovery/v8.0/ ) :
- in a browser I get a Windows login prompt and typing valid credentials always results in a HTTP 401 unauthorized error
- in a brower, if I navigate to a Web API url after having logged on on the pages , then I can access the Web APIs (i.e. some cookies must be set and I am already implicitly authorized)
- from code, using an HttpClient with specific valid credentials (or current credentials) , I also get a 401
Things I have tried :
- if I disable Claims-based authentication completely , HttpClient works fine and I can access the OData APIs
if I leave Claims-based authentication enabled, and activate OAuth via PowerShell
Add-PSSnapin Microsoft.Crm.PowerShell ; $ClaimsSettings = Get-CrmSetting -SettingType OAuthClaimsSettings; $ClaimsSettings.Enabled = $true ; Set-CrmSetting -Setting $ClaimsSettings ;.Windows integrated authentication still does not work, but using Bearer authentication is now possible. I can use this snippet to retrieve the OAuth Endpoint for token generation, and use
AuthenticationContext.AcquireTokenAsyncto issue a token, and then pass it in theAuthorizationHTTP Header ... but then, no matter what, I get this error :Bearer error=invalid_token, error_description =Error during token validation!, authorization_uri=our.adfs.domain.org/.../authorize, resource_id=https://crm.domain.org/
Am I missing something ? is that possibly a configuration issue ?
Note : I have posted this question on Stack Overflow as well, do not hesisate to post your answers there as well : stackoverflow.com/.../401-when-accessing-dynamics-crm-2016-web-apis