Published Date : February 8, 2008
With any network design, it's important to consider the security of your organization's client-to-server communications. When you make the decisions that protect that data, we recommend that you understand the following information about Microsoft Dynamics CRM network communication and about the technology options available to you for more secure data transmission.
By default, Microsoft Dynamics CRM client-to-server communications are not encrypted. Authentication information from Microsoft Dynamics CRM clients is transmitted in clear text and can therefore be read by anyone able to observe the network path between client and server.
Impersonation is one way that an attacker can gain access to data. Because the data transmitted between the Microsoft Dynamics CRM client and the Microsoft Dynamics CRM Web server is not encrypted, the electronic keys that Microsoft Dynamics CRM uses to authenticate users and services can be captured on the network and used to manufacture CRM tickets, and so to impersonate valid users.
Therefore, to better protect your organization's data, we strongly recommend that you enable secure sockets layer (SSL) for communications between Microsoft Dynamics CRM clients and the Microsoft Dynamics CRM Web site.
SSL encrypts data transmitted between computers. It sits between the Transport and Application layers of the Open Systems Interconnection (OSI) model, the seven-layer reference model for network-protocol design, so a Web browser and Web server can use it without changes to the underlying TCP/IP stack. SSL provides server authentication, optional client authentication, data encryption, and data integrity over networks such as the Web. In practice the protocol negotiated should be TLS, the standardized successor of SSL; SSL 2.0 and SSL 3.0 are obsolete and should be disabled in the server's Schannel settings so that clients cannot fall back to them.
To enable SSL, you must request, receive, and apply a certificate from a certification authority (CA), and configure SSL on the Microsoft Dynamics CRM Web site.
For more information about CAs, see the following Microsoft TechNet article: What Are Certificates?
For more information about SSL, see the following TechNet article: What Is TLS/SSL?
For more information about enabling SSL, view the following article:
How to enable SSL for all customers who interact with your Web site in Internet Information Services
For deployments that are accessed only by internal clients (not by external clients over the Internet), follow these steps:
Obtain a certificate from a CA. To use certificates, you must have a public key infrastructure (PKI) in place: one or more CAs linked in a hierarchy that manage certificate issuance, validation, renewal, and revocation for one or more organizations. You can use a third-party PKI with Microsoft Windows Server 2003, or you can establish your own PKI based on Windows Server 2003 Certificate Services.
Make sure that there are no users accessing Internet Information Services (IIS) where the Microsoft Dynamics CRM Web application is installed. To do this, stop the Microsoft Dynamics CRM Web site: right-click the Web site, and then click Stop.
Configure the Microsoft Dynamics CRM Web site to use SSL. To do this, perform the following steps on the server running IIS where the Microsoft Dynamics CRM Web application is installed:
Start Internet Information Services (IIS) Manager.
Right-click the Microsoft Dynamics CRM Web site, and then click Properties.
Click the Directory Security tab, click Server Certificate, and then follow the instructions in the Web Server Certificate Wizard.
If you want clients to only use SSL when they connect to the Microsoft Dynamics CRM application, on the Directory Security tab in the Secure communications area, click Edit.
On the Secure Communications dialog box, click the Require secure channel (SSL) check box.
Close Internet Information Services (IIS) Manager.
Important: You can apply only a single certificate to the Microsoft Dynamics CRM Web site. Therefore, if you have configured Microsoft Dynamics CRM Server for both internal and Internet-facing (external) access, you cannot configure SSL for both internal and external connections to the Microsoft Dynamics CRM Web site.
You must manually modify the following values in the configuration database.
Warning: Incorrectly modifying the configuration database (MSCRM_CONFIG) can cause unexpected behavior in the Microsoft Dynamics CRM system or cause the system to stop working. We recommend that you back up the Microsoft Dynamics CRM system before you complete these steps. For information about how to back up the Microsoft Dynamics CRM system, see the Operating and Maintaining Guide that is part of the Microsoft Dynamics CRM Implementation Guide document set.
On the computer running Microsoft SQL Server, start SQL Server Management Studio.
Expand Databases, expand MSCRM_CONFIG, expand Tables, right-click dbo.DeploymentProperties, and then click Open Table.
In the dbo.DeploymentProperties table under the ColumnName column, in the ADRootDomainScheme row, change the NVarCharColumn column value from http to https. Note that this value must be in lower-case letters.
In the dbo.DeploymentProperties table, under the ColumnName column, in the ADSdkRootDomain row, change the NVarCharColumn column value to the name of the certificate configured for the Microsoft Dynamics CRM Web site. To find the name, in Internet Information Services (IIS) Manager, open the Microsoft Dynamics CRM Web site properties page, click the Directory Security tab, and then click View Certificate.
On the Certificate dialog box, click Details.
Click the Friendly Name field to locate the certificate name. Note that the friendly name is only a local label: the value you enter must be the host name that the certificate was issued to (its subject name) and that clients will use in the URL. If the two differ, use the subject name; otherwise every client connection produces a certificate name-mismatch warning. If the certificate name is the same as the computer name, you can use the format ServerName:SSLPortNumber. By default, the TCP port for SSL connections is 443.
In the dbo.DeploymentProperties table, under the ColumnName column, in the ADWebApplicationRootDomain row, change the NVarCharColumn column value to the same certificate name. If the certificate name is the same as the computer name, you can use the format ServerName:SSLPortNumber. By default, the TCP port for SSL connections is 443.
Make sure your modifications are saved and then close SQL Server Management Studio.
If the Microsoft Dynamics CRM Web site is configured to use the default http (80) and https (443) TCP ports, you do not have to modify the LocalSDKPort registry subkey value, and you can skip this step.
However, if the Microsoft Dynamics CRM Web site is not configured to use these default TCP ports, you must complete the following steps.
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system and Microsoft Dynamics CRM. We cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Start Registry Editor, and locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey.
Right-click LocalSdkPort, and then click Modify.
In the Base area, click Decimal, and then type the TCP port.
Click OK.
Close Registry Editor.
Restart IIS. To do this, at the command line, run the iisreset command.
Start the Microsoft Dynamics CRM Web site. To do this, right-click the Microsoft Dynamics CRM Web site, and then click Start.
Restart the Microsoft Dynamics CRM Asynchronous Processing Service. To do this, click Start, point to Administrative Tools, and then click Services. In the list of services, right-click Microsoft Dynamics CRM Asynchronous Processing Service, and then click Restart.
Verify that you can successfully connect to the Microsoft Dynamics CRM Web site. To do this, you must use a URL that begins with https. For example, in Internet Explorer the URL will appear similar to the following address: https://ServerName/OrganizationName/loader.aspx
If the Microsoft Dynamics CRM Web site is not configured to require SSL connections, verify that you can successfully connect to the site by using an http connection, for example, http://ServerName/OrganizationName/loader.aspx.
If you have installed Microsoft Dynamics CRM for client access over the Internet, or Internet-facing deployment (IFD), you must complete the following steps to configure a secure connection.
Obtain a certificate from a CA. To use certificates, you must have a public key infrastructure (PKI) in place: one or more CAs linked in a hierarchy that manage certificate issuance, validation, renewal, and revocation for one or more organizations. You can use a third-party PKI with Windows Server 2003, or you can establish your own PKI based on Windows Server 2003 Certificate Services.
Important: The CA must support wildcard certificates and the common name for the certificate requested from the Microsoft Dynamics CRM Web site must use a wildcard. This wildcard certificate requirement only applies to Internet-facing Microsoft Dynamics CRM Web sites.
A wildcard certificate for the Contoso organization might appear similar to the following example: *.contoso.com
For more information about wildcard certificates, see the following TechNet article: Obtaining and Installing a Wildcard Server Certificate (IIS 6.0)
Make sure that there are no users accessing Internet Information Services (IIS) where the Microsoft Dynamics CRM Web application is installed. To do this, stop the Microsoft Dynamics CRM Web site: right-click the Web site, and then click Stop.
Configure the Microsoft Dynamics CRM Web site to use SSL. To do this, perform the following steps on the server running IIS where the Microsoft Dynamics CRM Web application is installed:
Start Internet Information Services (IIS) Manager.
Right-click the Microsoft Dynamics CRM Web site, and then click Properties.
Click the Directory Security tab, click Server Certificate, and then follow the instructions in the Web Server Certificate Wizard.
If you want clients to use only SSL when connecting to the Microsoft Dynamics CRM application, on the Directory Security tab, in the Secure communications area, click Edit. On the Secure Communications dialog box, select the Require secure channel (SSL) check box.
Close Internet Information Services (IIS) Manager.
Important: You can apply only a single certificate to the Microsoft Dynamics CRM Web site. Therefore, if you have configured Microsoft Dynamics CRM Server for both internal and Internet-facing (external) access, you cannot configure SSL for both internal and external connections to the Microsoft Dynamics CRM Web site.
You must manually modify the following values in the configuration database.
Warning: Incorrectly modifying the configuration database (MSCRM_CONFIG) can cause unexpected behavior in the Microsoft Dynamics CRM system or cause the system to stop working. We recommend that you back up the Microsoft Dynamics CRM system before you complete these steps. For information about how to back up the Microsoft Dynamics CRM system, see the Operating and Maintaining Guide that is part of the Microsoft Dynamics CRM Implementation Guide document set.
On the computer running Microsoft SQL Server, start SQL Server Management Studio.
Expand Databases, expand MSCRM_CONFIG, expand Tables, right-click dbo.DeploymentProperties, and then click Open Table.
In the dbo.DeploymentProperties table under the ColumnName column, in the IFDRootDomainScheme row, change the NVarCharColumn column value from http to https. Note that this value must be in lower-case letters.
In the dbo.DeploymentProperties table, under the ColumnName column, in the IFDSdkRootDomain row, change the NVarCharColumn column value by using the name of the certificate configured for the Microsoft Dynamics CRM Web site.
In the dbo.DeploymentProperties table, under the ColumnName column, in the IFDWebApplicationRootDomain row, change the NVarCharColumn column value by using the name of the certificate configured for the Microsoft Dynamics CRM Web site. The name of the certificate can be found in Internet Information Services (IIS) Manager on the Directory Security tab of the Microsoft Dynamics CRM Web site properties page: click View Certificate, and on the Certificate dialog box click Details, and then click the Friendly Name field to locate the certificate name. Because a wildcard certificate is issued for a domain rather than a single host (*.contoso.com), the value to enter is the domain the certificate covers, written without the asterisk, and it must match the DNS name that external clients use to reach the site. The friendly name is only a local label; if it differs from the certificate's subject name, use the subject name.
Make sure your modifications are saved and then close SQL Server Management Studio.
If the Microsoft Dynamics CRM Web site is configured to use the default http (80) and https (443) TCP ports, you do not have to modify the LocalSDKPort registry subkey value, and you can skip this step.
However, if the Microsoft Dynamics CRM Web site is not configured to use these default TCP ports, you must complete the following steps.
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system and Microsoft Dynamics CRM. We cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Start Registry Editor, and locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey.
Right-click LocalSdkPort, click Modify, and then click OK.
In the Base area, click Decimal, and then type the TCP port.
Click OK.
Close Registry Editor.
Restart IIS. To do this, at the command line, run the iisreset command.
Start the Microsoft Dynamics CRM Web site. To do this, right-click the Microsoft Dynamics CRM Web site, and then click Start.
Restart the Microsoft Dynamics CRM Asynchronous Processing Service. To do this, click Start, point to Administrative Tools, and then click Services. In the list of services, right-click Microsoft Dynamics CRM Asynchronous Processing Service, and then click Restart.
Verify that you can successfully connect to the Microsoft Dynamics CRM Web site over the Internet by using an external URL that begins with https. For example, in Internet Explorer the URL will appear similar to the following address: https://ServerName.DomainName.com/OrganizationName/
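The internal (AD*) and Internet-facing (IFD*) procedures above differ only in the names of the DeploymentProperties rows they touch, so one script covers both. The following is an added example written for this page; it is not code from the original article or from the Microsoft Dynamics CRM product. It assumes Windows PowerShell 2.0 on the Windows Server 2003 / IIS 6 computer that hosts the CRM Web site, run elevated by an account with write access to MSCRM_CONFIG; the server, host and organization names are placeholders, and the LocalSdkPort parameter is left to the caller because the article says only "the TCP port".

```powershell
# Added example; not code from the original article or from Microsoft Dynamics CRM.
# Applies the DeploymentProperties, registry and service changes described above for
# either the internal rows (AD*) or the Internet-facing rows (IFD*), then checks the
# result over HTTPS. Assumes Windows PowerShell 2.0 on the IIS 6 server, run elevated.
Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

function Set-IisSiteState {
    # IIS 6 exposes its Web sites through the root\MicrosoftIISv2 WMI provider.
    param([string]$SiteName, [ValidateSet('Start', 'Stop')][string]$Action)
    $setting = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting |
        Where-Object { $_.ServerComment -eq $SiteName }
    if (-not $setting) { throw "IIS Web site '$SiteName' not found" }
    $site = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServer |
        Where-Object { $_.Name -eq $setting.Name }
    if ($Action -eq 'Stop') { [void]$site.Stop() } else { [void]$site.Start() }
}

function Set-CrmDeploymentProperties {
    # Rewrites the three rows inside one transaction and rolls back unless each UPDATE
    # hits exactly one row, so a typo in a row name cannot leave the deployment half-configured.
    param([string]$SqlServer, [string]$Prefix, [string]$HostValue)
    $cs = "Server=$SqlServer;Database=MSCRM_CONFIG;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    $conn.Open()
    $tx = $conn.BeginTransaction()
    try {
        # The scheme value must be lower case.
        $rows = @(
            @{ Name = "${Prefix}RootDomainScheme";         Value = 'https' },
            @{ Name = "${Prefix}SdkRootDomain";            Value = $HostValue },
            @{ Name = "${Prefix}WebApplicationRootDomain"; Value = $HostValue })
        foreach ($row in $rows) {
            $cmd = $conn.CreateCommand()
            $cmd.Transaction = $tx
            $cmd.CommandText = 'UPDATE dbo.DeploymentProperties SET NVarCharColumn = @v WHERE ColumnName = @n'
            [void]$cmd.Parameters.AddWithValue('@v', $row.Value)
            [void]$cmd.Parameters.AddWithValue('@n', $row.Name)
            if ($cmd.ExecuteNonQuery() -ne 1) { throw "Expected exactly one row named $($row.Name)" }
        }
        $tx.Commit()
    } catch {
        $tx.Rollback()
        throw
    } finally {
        $conn.Close()
    }
}

function Test-CrmUrl {
    # Returns the HTTP status code for $Url using the caller's Windows credentials.
    # Redirects are not followed, so an IFD sign-in redirect is reported as 3xx.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        # A failed TLS handshake or untrusted certificate has no Response: rethrow it.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

function Enable-CrmSsl {
    param(
        [ValidateSet('AD', 'IFD')][string]$Prefix,   # AD = internal rows, IFD = Internet-facing rows
        [string]$SqlServer,                           # computer running SQL Server, e.g. CRMSQL01
        [string]$HostValue,                           # name in the certificate, e.g. crm.contoso.com or CRMWEB01:443
        [string]$OrgName,                             # an organization to test with, e.g. Contoso
        [int]$LocalSdkPort = 0,                       # assumption: caller supplies it; needed only off ports 80/443
        [string]$SiteName = 'Microsoft Dynamics CRM'
    )
    Set-IisSiteState -SiteName $SiteName -Action Stop   # keep users off the site while it is reconfigured
    Set-CrmDeploymentProperties -SqlServer $SqlServer -Prefix $Prefix -HostValue $HostValue
    if ($LocalSdkPort -ne 0) {
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSCRM' -Name LocalSdkPort -Value $LocalSdkPort -Type DWord
    }
    & iisreset | Out-Null
    Set-IisSiteState -SiteName $SiteName -Action Start
    Get-Service -DisplayName 'Microsoft Dynamics CRM Asynchronous Processing Service' | Restart-Service

    # Any 2xx/3xx over HTTPS proves the TLS endpoint works. With "Require secure channel
    # (SSL)" set, plain HTTP gets 403 from IIS (substatus 403.4): that is the desired outcome.
    $hostOnly = $HostValue.Split(':')[0]
    $https = Test-CrmUrl "https://$HostValue/$OrgName/loader.aspx"
    $http  = Test-CrmUrl "http://$hostOnly/$OrgName/loader.aspx"
    if ($https -lt 200 -or $https -ge 400) { throw "HTTPS check failed with status $https" }
    if ($http -eq 200) { Write-Warning 'The site still serves plain HTTP; set Require secure channel (SSL) in IIS' }
    "HTTPS: $https  HTTP: $http"
}

# Example call for an internal deployment (placeholders):
# Enable-CrmSsl -Prefix AD -SqlServer CRMSQL01 -HostValue crm.contoso.com -OrgName Contoso
```

Take the backup the warning above calls for before running it. The three UPDATE statements are parameterized and run in one transaction, so a misspelled row name aborts the whole change rather than leaving the scheme on https with the domain rows untouched; the HTTP probe at the end is there because a site that still answers 200 on port 80 has not actually closed the clear-text path the first part of the article describes.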
By following the steps to enable SSL, you make client-to-Web server connections private and tamper-evident, which helps protect sensitive CRM data and reduces the likelihood of an unauthorized user gaining access to the system.
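The DeploymentProperties steps above take the certificate name from the Friendly Name field, and the IFD steps require a wildcard certificate. Both only work if the name the server actually presents covers the host names clients type into the browser. The following added check, written for this page and not part of the original article or the product, connects to the site over TLS, reads the certificate the server presents, and tests each client host name against the certificate's subject and Subject Alternative Names with wildcard rules (an asterisk covers exactly one leftmost label). It assumes Windows PowerShell 2.0 and the English "DNS Name=" label in .NET's extension formatter; all host names are placeholders.

```powershell
# Added example; not code from the original article or from Microsoft Dynamics CRM.
# Fetches the certificate the CRM Web site presents and checks that it covers every
# client host name, with wildcard matching. Assumes Windows PowerShell 2.0.
Set-StrictMode -Version 2

function Get-RemoteCertificate {
    # Returns the leaf certificate presented by $HostName:$Port. The validation callback
    # deliberately accepts everything so that a wrong or untrusted certificate is returned
    # for inspection instead of aborting the handshake.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-CertificateDnsNames {
    # Subject CN plus any Subject Alternative Name DNS entries (OID 2.5.29.17). The SAN
    # text parse assumes the English "DNS Name=" label (assumption).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) { $names += $m.Groups[1].Value }
    }
    return $names | Select-Object -Unique
}

function Test-CertificateNameMatch {
    # Exact match (case-insensitive) or a wildcard covering exactly one leftmost label:
    # *.contoso.com matches crm.contoso.com but neither contoso.com nor a.b.contoso.com.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if (-not $p.StartsWith('*.')) { return $false }
    $hostLabels = $h.Split('.')
    return ($hostLabels.Length -ge 2) -and
           ($hostLabels.Length -eq $p.Split('.').Length) -and
           ($h.Substring($h.IndexOf('.')) -eq $p.Substring(1))
}

function Test-CrmCertificate {
    # $ConfiguredHost is the value placed in ADWebApplicationRootDomain or
    # IFDWebApplicationRootDomain (a ServerName:SSLPortNumber suffix is allowed);
    # $ClientHostNames lists every host name that appears in a client URL.
    # Returns a list of problems; an empty list means the certificate fits.
    param([string]$ConfiguredHost, [string[]]$ClientHostNames = @())
    $parts = $ConfiguredHost.Split(':')
    $hostName = $parts[0]
    $port = if ($parts.Length -gt 1) { [int]$parts[1] } else { 443 }
    $cert = Get-RemoteCertificate -HostName $hostName -Port $port
    $names = @(Get-CertificateDnsNames -Cert $cert)
    $problems = @()
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt (Get-Date)) { $problems += "certificate not valid until $($cert.NotBefore)" }
    foreach ($client in @($hostName) + $ClientHostNames) {
        $covered = $false
        foreach ($n in $names) { if (Test-CertificateNameMatch -Pattern $n -HostName $client) { $covered = $true } }
        if (-not $covered) { $problems += "no name in [$($names -join ', ')] covers $client" }
    }
    return $problems
}

# Example calls (placeholders). Internal site, certificate issued to the server name:
# Test-CrmCertificate -ConfiguredHost 'CRMWEB01:443'
# Internet-facing site behind a *.contoso.com wildcard and two client host names:
# Test-CrmCertificate -ConfiguredHost 'crm.contoso.com' -ClientHostNames 'crm.contoso.com','sales.contoso.com'
```

Run it from a client machine rather than on the server so that it sees the same DNS name and certificate a user would. The wildcard rule is the one browsers apply: *.contoso.com covers sales.contoso.com but not contoso.com and not a name with an extra label such as sales.crm.contoso.com, so a host name that is reachable but reported in the problem list is exactly the case that produces a name-mismatch warning for every user.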