
Key management in Microsoft Dynamics CRM

Published: March 6, 2008

To verify the identity of people and organizations, and to guarantee content integrity, Microsoft Dynamics CRM generates digital certificates. These electronic credentials bind the identity of the certificate owner to a pair of electronic keys (public and private) that can be used to encrypt and digitally sign information, and they give assurance that the keys actually belong to the person or organization named. The following sections describe the key-management features in Microsoft Dynamics CRM.

On This Page
Key types
Key regeneration and renewal
Key-management logging
Key storage
How to encrypt Microsoft Dynamics CRM keys

Key types

Microsoft Dynamics CRM uses three types of encryption keys in deployments that are accessed over the Internet.

  • CRM-ticket key. This key encrypts the CRM ticket that is issued each time a Microsoft Dynamics CRM user logs on to the system. On each subsequent request to the Microsoft Dynamics CRM server, the same key decrypts the ticket so the user can be validated without being asked to reenter credentials.

  • Web Remote Procedure Call (WRPC)-token key. This key generates a security token that accompanies requests and helps make sure that a request really came from the user on whose behalf it is made, rather than from a page the user was tricked into loading. The token decreases the likelihood of certain attacks, such as cross-site request forgery (one-click) attacks.

  • CRM e-mail credentials key. This key encrypts the credentials for the E-mail Router, an optional component of Microsoft Dynamics CRM.


Key regeneration and renewal

CRM-ticket keys are generated and renewed automatically and then distributed to all computers running Microsoft Dynamics CRM, or to those running a specific Microsoft Dynamics CRM server role. Each regenerated key replaces the previous key. By default, key regeneration occurs every 24 hours.


Key-management logging

Microsoft Dynamics CRM records encryption key events in the Application log in Event Viewer. Filter on the Source column and look for MSCRMKeyServiceName entries, where ServiceName is the name of the key-management service, for example MSCRMKeyArchiveManager or MSCRMKeyGenerator.
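The following Windows PowerShell script is an added editorial example, not part of the original article or the product. It summarizes the MSCRMKey* events described above and uses the documented 24-hour default regeneration interval to flag a server on which key regeneration appears to have stalled. The MSCRMKey* source names and the 24-hour interval come from the article; the assumption that MSCRMKeyGenerator writes an entry each time it regenerates a key, and the grace period, are assumptions made for this example.

```powershell
# Added example (not from the original article): summarize the key-management
# events that Microsoft Dynamics CRM writes to the Application log and check
# that key regeneration is still happening on schedule. The MSCRMKey* source
# names and the 24-hour default interval come from the article; that
# MSCRMKeyGenerator logs an entry on each regeneration, and the grace period,
# are assumptions. Requires Windows PowerShell 2.0 or later (for -After).
param(
    [int]$LookbackDays = 7,   # how far back to read the Application log
    [int]$GraceHours   = 2    # slack allowed beyond the 24-hour default
)

$since  = (Get-Date).AddDays(-$LookbackDays)
$events = @(Get-EventLog -LogName Application -After $since |
            Where-Object { $_.Source -like 'MSCRMKey*' })

# One line per key-management service and entry type, for example
# "MSCRMKeyGenerator, Information      7".
$events |
    Group-Object Source, EntryType |
    Sort-Object Name |
    ForEach-Object { '{0,-45} {1,5}' -f $_.Name, $_.Count }

# Warnings or errors from a key service mean a regeneration or archive step
# failed, and some servers may be validating tickets with stale keys.
$problems = @($events | Where-Object { $_.EntryType -ne 'Information' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} key-management warning/error event(s):" -f $problems.Count)
    $problems | Select-Object TimeGenerated, Source, EventID, Message | Format-List
}

# The newest MSCRMKeyGenerator entry should be no older than the regeneration
# interval (24 hours by default) plus the grace period.
$lastGen = $events |
    Where-Object { $_.Source -eq 'MSCRMKeyGenerator' } |
    Sort-Object TimeGenerated -Descending |
    Select-Object -First 1

$limit = (Get-Date).AddHours(-(24 + $GraceHours))
if ($lastGen -eq $null) {
    Write-Warning "No MSCRMKeyGenerator events in the last $LookbackDays day(s)."
} elseif ($lastGen.TimeGenerated -lt $limit) {
    Write-Warning ("Last key-generation event was at {0}; expected one within 24 hours." -f $lastGen.TimeGenerated)
} else {
    'Last key-generation event: {0} (OK)' -f $lastGen.TimeGenerated
}
```

Run the script on each Microsoft Dynamics CRM server in the deployment; because regenerated keys are distributed to every server, a single server that stops logging generator events is the one most likely to start rejecting tickets issued by the others.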


Key storage

Cryptographic keys are stored in the Microsoft Dynamics CRM configuration database (MSCRM_CONFIG).

Warning

By default, encryption keys are not stored in the configuration database in an encrypted format, so anyone who can read the MSCRM_CONFIG tables, or a backup of that database, can read the keys. We strongly recommend that you specify encryption when you run Setup. For more information about how to encrypt the Microsoft Dynamics CRM keys, see the following section, How to encrypt Microsoft Dynamics CRM keys.


How to encrypt Microsoft Dynamics CRM keys

To encrypt the keys, add the encryptionkeys entry to the XML configuration file before you run Microsoft Dynamics CRM Setup. This must be done on the first Microsoft Dynamics CRM server role installed, and you must run Microsoft Dynamics CRM Setup at the command line so that it reads the configuration file. During the installation, Setup creates a SQL Server service master key and a database master key, which protect the certificate that is used to encrypt the Microsoft Dynamics CRM keys.

Important

For detailed instructions about how to install Microsoft Dynamics CRM at the command line, see the Use the Command Line to Install Microsoft Dynamics CRM chapter in the Installing Guide that is part of the Microsoft Dynamics CRM Implementation Guide.

<configdb> is the parent for the following encryption key elements:

<encryptionkeys certificate="CrmEncryptionCertificate" generate="true" | "false" password="SCpassword" keysource="uniqueID">

The encryptionkeys element specifies whether, and how, the keys stored in the Microsoft Dynamics CRM configuration database are encrypted. Use generate="true" to have Setup generate the certificate and symmetric key that encrypt them. The keysource may be any value, but must be different from every other keysource value. SCpassword is the password that will be used to create the certificate. Both the password and the keysource are secrets: choose strong, unpredictable values, and protect or delete the configuration file after Setup completes.

<encryptionkey physicalname="CrmSymmetricKey" virtualname="CrmKeyEncryptionKey"/>

Each encryptionkey element maps a symmetric key stored in the Microsoft SQL Server database (physicalname) to a virtual key name (virtualname) that is hard-coded in Microsoft Dynamics CRM for encrypting data in the configuration database.

</encryptionkeys>

</configdb>

Example

Note that the following XML is only the subset required for key encryption; a complete configuration file contains more. For complete instructions, see the Microsoft Dynamics CRM Implementation Guide. The password and keysource values shown are placeholders; use strong, unique values in a real deployment.

...
<configdb>
<encryptionkeys certificate="CrmEncryptionCertificate" generate="true" password="password" keysource="UniqueValue123!">
<encryptionkey physicalname="CrmSymmetricKey" virtualname="CrmKeyEncryptionKey"/>
</encryptionkeys>
</configdb>
...
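After Setup completes, it is worth confirming that the encryption was actually applied rather than silently skipped (for example because Setup was not run at the command line, or this was not the first server role installed). The following Windows PowerShell script is an added editorial example, not part of the original article or the product: it queries the SQL Server catalog views in MSCRM_CONFIG for the certificate and symmetric key named in the encryptionkeys element above. The object names CrmEncryptionCertificate and CrmSymmetricKey are taken from the article's XML; the SQL Server instance name is an assumption for illustration, and the script assumes sqlcmd.exe (shipped with SQL Server) is on the path and that the account running it can read catalog views in MSCRM_CONFIG.

```powershell
# Added example (not from the original article): verify that Setup created the
# certificate and symmetric key named in the encryptionkeys element, and show
# how each is protected. CrmEncryptionCertificate and CrmSymmetricKey are the
# names from the article's XML; change them if you used different values.
# Assumptions: sqlcmd.exe is available, Windows authentication (-E) is used,
# and the instance name below is illustrative only.
param(
    [string]$SqlInstance = 'CRMSQL01',
    [string]$ConfigDb    = 'MSCRM_CONFIG'
)

# Three catalog queries, run in the configuration database:
#  1. whether the database master key is protected by the service master key
#     (is_master_key_encrypted_by_server = 1 means Setup's server-level key
#     protects it, so SQL Server can open it without a password);
#  2. the certificate Setup created and how its private key is protected;
#  3. the symmetric key, its algorithm, and what encrypts it
#     (expect ENCRYPTION BY CERTIFICATE).
$query = @"
SET NOCOUNT ON;
SELECT name AS db_name, is_master_key_encrypted_by_server
FROM sys.databases WHERE name = DB_NAME();
SELECT name, pvt_key_encryption_type_desc, start_date, expiry_date
FROM sys.certificates WHERE name = 'CrmEncryptionCertificate';
SELECT k.name, k.algorithm_desc, k.key_length, ke.crypt_type_desc
FROM sys.symmetric_keys k
JOIN sys.key_encryptions ke ON ke.key_id = k.symmetric_key_id
WHERE k.name = 'CrmSymmetricKey';
"@

$output = @(sqlcmd -S $SqlInstance -d $ConfigDb -E -W -Q $query)
$output

# If neither object exists, the encryptionkeys element was not applied and the
# Microsoft Dynamics CRM keys are sitting in MSCRM_CONFIG in plaintext, which
# is the documented default.
$haveCert = $output | Select-String -SimpleMatch 'CrmEncryptionCertificate'
$haveKey  = $output | Select-String -SimpleMatch 'CrmSymmetricKey'
if (-not $haveCert) {
    Write-Warning "CrmEncryptionCertificate not found in $ConfigDb."
}
if (-not $haveKey) {
    Write-Warning "CrmSymmetricKey not found in $ConfigDb; CRM keys are not encrypted."
}
if ($haveCert -and $haveKey) {
    'Key encryption objects present in {0} on {1}.' -f $ConfigDb, $SqlInstance
}
```

Keep the SQL Server service master key and the database master key in your backup and disaster-recovery plan: once the Microsoft Dynamics CRM keys are encrypted this way, a restored MSCRM_CONFIG on a different SQL Server instance cannot be used until those keys are available there as well.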


© 2008 Microsoft Corporation. All rights reserved.