Share via

Windows Live Authentication

banner art

The Microsoft Dynamics CRM Online authentication process is shown in the following figure.  

Windows Live authentication

The Microsoft Dynamics CRM Online authentication process involves the following steps:

  • (1,2) Retrieve a policy and optional organization information from the CrmDiscoveryService Web service. Refer to the Active Directory authentication sample for example code to obtain organization information by using RetrieveOrganizationsRequest.
  • (3,4) Retrieve a Windows Live ticket. See what follows for more information.
  • (5,6) Retrieve a ticket from the CrmDiscoveryService Web service. The ticket applies to a single organization. The ticket contains an organization specific CrmService URL.
  • Create an instance of the CrmAuthenticationToken class that has the CrmTicket and OrganizationName properties set to the correct values.
  • Create an instance of the CrmService class that has the Url property value and the CrmAuthenticationTokenValue property value set.
  • (7) Invoke CrmService Web service methods.

If the ticket expires during application execution, a new ticket must be obtained and assigned to the CrmTicket property of the CrmAuthenticationToken instance. If you try to access the CrmService Web methods with an expired ticket, a SOAP exception is thrown. The SoapException.Detail.Innertext property contains the error code value of "8004A101".

The CrmDiscoveryService Web service is accessed through the global URL of the Microsoft Dynamics CRM Online server:

To access the Windows Live authentication service over the Internet and obtain a Windows Live ticket, you can use the ticket service library (IDCRL) that is provided in the SDK\Bin folder of the SDK samples. A .NET wrapper is provided in the SDK to access the win32 IDCRL library. The source code for the wrapper can be found in the SDK\Server\Helpers\CS\IdCrlWrapper folder of the SDK samples.

Note A future update to the Microsoft Dynamics CRM SDK may use the Windows Live ID Service SDK to obtain the Windows Live ticket. For more information, see


The following code sample shows you how to authenticate in Microsoft Dynamics CRM Online and call a CrmService method.


using System;
using System.Xml;
using System.Text;
using System.Web.Services.Protocols;

// Microsoft Windows Live namespaces
using Microsoft.Crm.Passport.Sample;

// Microsoft Dynamics CRM namespaces
using CrmSdk;
using CrmSdk.Discovery;

public class PassportAuthentication
    public static bool Run()
            // STEP 1,2: Retrieve a policy from the Discovery Web service.
            CrmDiscoveryService discoveryService = new CrmDiscoveryService();
            discoveryService.Url = 
            RetrievePolicyRequest policyRequest = new RetrievePolicyRequest();
            RetrievePolicyResponse policyResponse =

            // STEP 3,4: Retrieve a Windows Live ticket from the Live service.
            LogonManager lm = new LogonManager();
            string passportTicket = lm.Logon("",
                "password", "", policyResponse.Policy, "Production");

            // STEP 5,6: Retrieve a ticket from the Discovery Web service.
            RetrieveCrmTicketRequest crmTicketRequest = 
                new RetrieveCrmTicketRequest();
            crmTicketRequest.OrganizationName = "AdventureWorksCycle";
            crmTicketRequest.PassportTicket = passportTicket;

            RetrieveCrmTicketResponse crmTicketResponse =

            // Create and configure an instance of the CrmService Web service.
            CrmAuthenticationToken token = new CrmAuthenticationToken();
            token.AuthenticationType = AuthenticationType.Passport;
            token.CrmTicket = crmTicketResponse.CrmTicket;
            token.OrganizationName =

            CrmService crmService = new CrmService();
            crmService.Url = crmTicketResponse.OrganizationDetail.CrmServiceUrl;
            crmService.CrmAuthenticationTokenValue = token;

            // STEP 7: Invoke the desired CrmService Web service methods.
            WhoAmIRequest whoRequest = new WhoAmIRequest();
            WhoAmIResponse whoResponse = 

            // Dispose of the LogonManager object to avoid a FileNotOpen exception.

            return true;

       // Handle any Web service exceptions that might be thrown.
        catch (SoapException ex)
            // Handle the exception thrown from an expired ticket condition.
            if (GetErrorCode(ex.Detail) == ExpiredAuthTicket)
                // One possible action is to retrieve a new CrmTicket, set 
                // CrmAuthenticationToken.CrmTicket to the new ticket value,
                // and then call a CrmService Web method again.
                // For this sample, just throw the exception again.
                throw new Exception(
                    "The Microsoft Dynamics CRM Online ticket has expired.", ex);
                // Handle other SOAP exceptions.
                throw new Exception("An error occurred while attempting to authenticate.", ex);
   private static string GetErrorCode(XmlNode errorInfo)
        XmlNode code = errorInfo.SelectSingleNode("//code");

        if (code != null)
            return code.InnerText;
            return "";

Note that, in real-world scenarios, you would never authenticate and then immediately check for an expired ticket as this sample shows. Instead, you would authenticate and make additional Web service method calls. Part of your software design would be to catch Soap exceptions from Microsoft Dynamics CRM Web service calls and check for an expired authentication ticket.

A complete code sample that demonstrates Windows Live authentication can be found in the SDK\Walkthroughs\Authentication\CS|VB\Passport folder of the SDK samples.

See Also




Other Resources

© 2008 Microsoft Corporation. All rights reserved.