Channel: CRM Development forum

Effect of using Identity of CRMAppPool to connect via OrganizationService (CRM 2011, on Premise)


I've a web application that occasionally calls into a CRM Organization.  The web application is just an ASP.NET web app, with some custom SOAP/WCF services and its own application logic.  I use CrmSvcUtil to generate strongly-typed classes that can talk to this CRM Organization and the Microsoft.Xrm.Client.CodeGeneration.CodeCustomization style to use a Microsoft.Xrm.Client.CrmOrganizationServiceContext leaf to access the Org, via the Xrm.XrmServiceContext style connection string (e.g. "Url=http://theMachine/theOrg;").

We have a .NET 4.0 Integrated app pool running our web application. We've assigned the IIS AppPool identity of the web application's AppPool to be the domain account we also used as the identity of the CRMAppPool on the CRM server.

We have found that if we make OrganizationService requests from SOAP services within this web application, they always succeed without any security issues, even though we've not actually created a user in CRM here; we're just using the CRMAppPool identity. The SOAP services do no impersonation, just basicHttp bindings with Anonymous allowed.

It appears that this is a major elevation-of-privilege gateway to the CRM Organization, and I was sort of surprised it was supported.  Am I understanding that this is what is happening?

Thanks in advance.


Regards, Howard Hoffman
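The way a practitioner would close the gateway the post describes is to stop letting the pool identity be the effective CRM user: keep connecting with the pool account, but set CallerId so every call is executed as a real, provisioned CRM user and bounded by that user's security roles. The code below is an added example, not code from the post or from the CRM SDK samples. It assumes the post's connection-string pattern, that the SOAP binding has been switched to Windows authentication (so a caller name in DOMAIN\user form is available; the anonymous basicHttp binding in the post supplies none), and that the pool account holds the "Act on Behalf of Another User" privilege. The class name CrmCaller and the connection string are illustrative.

```csharp
using System;
using Microsoft.Xrm.Client;
using Microsoft.Xrm.Client.Services;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Messages;
using Microsoft.Xrm.Sdk.Query;

// Added example (not the post author's code). Connects as the app-pool identity
// but impersonates the actual caller via CallerId, so CRM enforces that user's
// roles rather than the service account's blanket access.
public static class CrmCaller
{
    // Assumed connection string, same style as the post ("Url=http://theMachine/theOrg;").
    private const string ConnectionString = "Url=http://theMachine/theOrg;";

    // Diagnostic: which systemuser does CRM attribute this connection to?
    // Run it once from the web app with no CallerId set. If it succeeds although no CRM
    // user was provisioned for the pool account, you are in the situation the post describes.
    public static Guid WhoAmI(IOrganizationService service)
    {
        var response = (WhoAmIResponse)service.Execute(new WhoAmIRequest());
        return response.UserId;
    }

    // Resolve the Windows account of the SOAP caller (DOMAIN\user) to an enabled CRM systemuser.
    // Returns null when there is no exactly-one enabled match; callers must treat null as "deny".
    public static Guid? FindSystemUserId(IOrganizationService service, string domainName)
    {
        var query = new QueryExpression("systemuser")
        {
            ColumnSet = new ColumnSet("systemuserid"),
        };
        query.Criteria.AddCondition("domainname", ConditionOperator.Equal, domainName);
        query.Criteria.AddCondition("isdisabled", ConditionOperator.Equal, false);

        EntityCollection result = service.RetrieveMultiple(query);
        if (result.Entities.Count != 1)
        {
            return null;
        }
        return result.Entities[0].Id;
    }

    // Build a service whose calls run as the given CRM user. The connecting (pool) account
    // needs the "Act on Behalf of Another User" privilege for CallerId to be honoured.
    public static IOrganizationService ConnectAs(Guid callerId)
    {
        CrmConnection connection = CrmConnection.Parse(ConnectionString);
        connection.CallerId = callerId;
        return new OrganizationService(connection);
    }

    // What a SOAP operation should call instead of talking to CRM directly:
    // never fall back to the un-impersonated pool identity when the caller is unknown.
    public static IOrganizationService ServiceForCaller(string windowsIdentityName)
    {
        if (string.IsNullOrEmpty(windowsIdentityName))
        {
            throw new UnauthorizedAccessException("Anonymous callers may not reach CRM.");
        }

        // The lookup itself runs as the pool account; that is the one place it is used.
        IOrganizationService lookup = new OrganizationService(CrmConnection.Parse(ConnectionString));
        Guid? userId = FindSystemUserId(lookup, windowsIdentityName);
        if (userId == null)
        {
            throw new UnauthorizedAccessException("No enabled CRM user for " + windowsIdentityName);
        }
        return ConnectAs(userId.Value);
    }
}
```

In a WCF operation the caller name comes from ServiceSecurityContext.Current.WindowsIdentity.Name once the binding uses Windows credentials; with the anonymous binding in the post there is nothing to impersonate, which is exactly why every request is silently executed as the CRMAppPool account. A cheaper stopgap, if the app must stay on a single account, is to run the web application's pool as a separate domain account that is provisioned as an ordinary CRM user with a minimal custom security role, so the CRM service account is never shared with anything that accepts untrusted input.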

