Recent security enhancements require the Microsoft Dynamics CRM Online service to use a new certificate to authenticate against the Microsoft Azure service. Use the steps in this article to change the configuration in your Microsoft Azure namespace. These changes are necessary, and will allow the messages sent from the Microsoft Dynamics CRM Online service to the Microsoft Azure service endpoint to be authenticated with both the current certificate and the newer certificate that will be available soon.
Note: This information also applies to the Dynamics Marketing/Dynamics CRM connector integration.
This configuration change should be made before 1AM UTC, Tuesday, November 1st 2016 globally, to ensure minimal impact.
Note: Do not remove the old certificate until after 1AM UTC, Friday, November 4th 2016, as the new one is not valid until this date. However, both the new and old certificates can exist simultaneously without issues.
Note: If your organization is using Dynamics CRM version 8.1 or later, then we highly suggest configuring your service endpoints to use SAS authentication instead ACS. Please click this link for more information.
Also note that if these changes are not made, any integrations to Microsoft Dynamics CRM Online that use the Microsoft Azure Service bus will stop working. Also, if the PluginRegistration tool is used to verify authentication, an error message may occur similar to the following:
“The token provider was unable to provide a security token. The remote server returned an error: (401) Unauthorized”.
When the procedures in this article have been completed, ACS access control will be configured to allow Microsoft Dynamics CRM Online to continue to send messages with the new certificates.
First, retrieve the list of service endpoints. The steps in this article will need to be performed for each of the service endpoints. To find the service endpoints, in Microsoft Dynamics CRM, navigate to Settings, click Customizations, click Customize the System, and select Service Endpoints.
Note: If the service endpoint connection mode is "Federated," the same steps will need to be repeated in the following instructions for https://.accesscontrol.windows.net/v2/mgmt/web or https://.accesscontrol.usgovcloudapi.net/v2/mgmt/web .
To configure access control for a service namespace:
1. In a web browser, go to https://-sb.accesscontrol.windows.net/v2/mgmt/web or https://-sb.accesscontrol.usgovcloudapi.net/v2/mgmt/web .
Note: If you do not have access, contact the solution developer to perform the steps.
2. Under Service Settings, click Service Identities.
3. Click your Microsoft Dynamics CRM Online service identity to proceed to the Edit Service Identity page. Please note the following items:
· If your organization URL contains “crm9.dynamics.com”, click here to download the public certificate and save it to your disk. Also, select the check box next to “crm9.dynamics.com”.
4. Click Add
5. Under Type, choose X509, and then click Add. In the Add Credential screen (shown below), browse to the public certificate you previously saved to disk, and click Save.
6. You should now see the current (soon to expire) and new certificates in the Credentials list.
Note: This information also applies to the Dynamics Marketing/Dynamics CRM connector integration.
This configuration change should be made before 1AM UTC, Tuesday, November 1st 2016 globally, to ensure minimal impact.
Note: Do not remove the old certificate until after 1AM UTC, Friday, November 4th 2016, as the new one is not valid until this date. However, both the new and old certificates can exist simultaneously without issues.
Note: If your organization is using Dynamics CRM version 8.1 or later, then we highly suggest configuring your service endpoints to use SAS authentication instead ACS. Please click this link for more information.
Also note that if these changes are not made, any integrations to Microsoft Dynamics CRM Online that use the Microsoft Azure Service bus will stop working. Also, if the PluginRegistration tool is used to verify authentication, an error message may occur similar to the following:
“The token provider was unable to provide a security token. The remote server returned an error: (401) Unauthorized”.
When the procedures in this article have been completed, ACS access control will be configured to allow Microsoft Dynamics CRM Online to continue to send messages with the new certificates.
First, retrieve the list of service endpoints. The steps in this article will need to be performed for each of the service endpoints. To find the service endpoints, in Microsoft Dynamics CRM, navigate to Settings, click Customizations, click Customize the System, and select Service Endpoints.
Note: If the service endpoint connection mode is "Federated," the same steps will need to be repeated in the following instructions for https://
To configure access control for a service namespace:
1. In a web browser, go to https://
Note: If you do not have access, contact the solution developer to perform the steps.
2. Under Service Settings, click Service Identities.
3. Click your Microsoft Dynamics CRM Online service identity to proceed to the Edit Service Identity page. Please note the following items:
· If your organization URL contains “crm9.dynamics.com”, click here to download the public certificate and save it to your disk. Also, select the check box next to “crm9.dynamics.com”.
4. Click Add
5. Under Type, choose X509, and then click Add. In the Add Credential screen (shown below), browse to the public certificate you previously saved to disk, and click Save.
6. You should now see the current (soon to expire) and new certificates in the Credentials list.