Issue with onsite (non dynamics.com url) installations.

[moinerus]

Onsite installations (non dynamics.com url's) are not supported but look like they could be with some work.

For example with an onsite installation with the url 'subdomain.domain.ac.uk' the organizationUrl gets built out as;
https://subdomain.api.domain.dynamics.com/XRMServices/2011/Organization.svc
Here as it should be;
https://subdomain.domain.ac.uk/XrmServices/2011/Organization.svc

And the discoveryUrl gets built as;
https://disco.domain.dynamics.com/XRMServices/2011/Discovery.svc
Where it should be;
https://subdomain.domain.ac.uk/XrmServices/2011/Discovery.svc

See alexacrm/php-crm-toolkit/src/Settings.php around line 256 for url parsing.

[wizardist]

Hi @AndyMain

Have you set authMode to Federation? It is needed to tell the toolkit you're connecting to an IFD instance. We don't support (at the moment) AD authentication but IFD deployments are fully supported.

[moinerus]

Ok I double checked, and we had an issue where the Federation authMode was not being picked up. With Federation now being used we get further but are still having issues; now getting "Could not find EndorsingSupportingTokens/Policy/IssuedToken tag in provided security policy XML vendor/alexacrm/php-crm-toolkit/src/Client.php:386"

[georged]

@AndyMain cam you give us a code fragment (after removing any sensitive info from your url)?
The error still smells that the wrong claims are being used.

[moinerus]

Hopefully, this helps though I'm not sure, as you suggest it may be incorrect setup. I might be able to have a chat with the systems admin if anything needs to be adjusted. Let me know if you need more info.

  public function connect()
    {
        $this->clientOptions = [
            'serverUrl' => $this->url,
            'username'  => $this->username,
            'password'  => $this->password, 
            //'authMode'  => 'OnlineFederation',
            'authMode'  => 'Federation',


        ];
        $this->clientSettings = new Settings($this->clientOptions);
        $this->client = new Client($this->clientSettings);
        $this->metadata = MetadataCollection::instance($this->client);

        if ($this->clientSettings->hasOrganizationData()) {

        } else {
            Log::info('There was an error retrieving organization data for the CRM. Please check connection settings.');
            die('There was an error retrieving organization data for the CRM. Please check connection settings.');
        }
    }

[2016-10-26 14:47:05] local.ERROR: Exception: Could not find EndorsingSupportingTokens/Policy/IssuedToken tag in provided security policy XML in /home/vagrant/git/Gecko-API/vendor/alexacrm/php-crm-toolkit/src/Client.php:386
Stack trace:
#0 /home/vagrant/git/Gecko-API/vendor/alexacrm/php-crm-toolkit/src/Client.php(317): AlexaCRM\CRMToolkit\Client::getSecurityAddress(Object(DOMElement), 'Federation')
#1 /home/vagrant/git/Gecko-API/vendor/alexacrm/php-crm-toolkit/src/Client.php(691): AlexaCRM\CRMToolkit\Client->getOrganizationAuthenticationAddress()
#2 /home/vagrant/git/Gecko-API/vendor/alexacrm/php-crm-toolkit/src/Client.php(168): AlexaCRM\CRMToolkit\Client->getFederationSecurityURI('organization')
#3 /home/vagrant/git/Gecko-API/app/Integrations/NewDynamics.php(103): AlexaCRM\CRMToolkit\Client->__construct(Object(AlexaCRM\CRMToolkit\Settings))
#4 /home/vagrant/git/Gecko-API/app/Integrations/NewDynamics.php(208): Gecko\Integrations\NewDynamics->connect()
#5 /home/vagrant/git/Gecko-API/app/Console/Commands/Test.php(75): Gecko\Integrations\NewDynamics->test()
#6 [internal function]: Gecko\Console\Commands\Test->fire()
#7 /home/vagrant/git/Gecko-API/vendor/laravel/framework/src/Illuminate/Container/Container.php(507): call_user_func_array(Array, Array)
#8 /home/vagrant/git/Gecko-API/vendor/laravel/framework/src/Illuminate/Console/Command.php(169): Illuminate\Container\Container->call(Array)
#9 /home/vagrant/git/Gecko-API/vendor/symfony/console/Command/Command.php(256): Illuminate\Console\Command->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#10 /home/vagrant/git/Gecko-API/vendor/laravel/framework/src/Illuminate/Console/Command.php(155): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#11 /home/vagrant/git/Gecko-API/vendor/symfony/console/Application.php(794): Illuminate\Console\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#12 /home/vagrant/git/Gecko-API/vendor/symfony/console/Application.php(186): Symfony\Component\Console\Application->doRunCommand(Object(Gecko\Console\Commands\Test), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#13 /home/vagrant/git/Gecko-API/vendor/symfony/console/Application.php(117): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#14 /home/vagrant/git/Gecko-API/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(107): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#15 /home/vagrant/git/Gecko-API/artisan(35): Illuminate\Foundation\Console\Kernel->handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#16 {main}

Code Block thats erroring

Area where Exception is thrown

[georged]

@AndyMain Can you modify Client.php and dump $securityPolicyNode variable right at the beginning? Or just copy it's content when program breaks and paste it here (check it for sensitive info, of course).

Looks like assertion from ADFS is not what we expect but I wonder what it could be considering that your CRM is working just fine.

[wizardist]

@georged @AndyMain no need to tamper with the toolkit for that. We need a piece of OrganizationService WSDL, <wsp:Policy /> specifically.

[moinerus]

Ok I'll get this info for you when I can, most likely next week now.

[georged]

@wizardist that would tell us what to expect but not necessarily what's coming back. But agree, it'd be useful. @AndyMain easiest way to get it is to put organization service endpoint into the browser and add ?singlewsdl parameter.

[moinerus]

Here you go hope this helps, noticed you mentioned AD (ActiveDirectory) and this is mentioned prominently at the top...

Organization.svc.xml.zip

[wizardist]

@AndyMain yep, that's what I suspected - your instance uses a different authentication method, and WS-SP specifies SpnegoContextToken assertion which we don't support yet. More details later.

[georged]

@AndyMain I'm going to close this issue, for further information, please refer to the enhancement ticket created