Archive

Archive for the ‘Security’ Category

Transport Layer Security (TLS) 1.2 Connectivity Requirements for Dynamics 365 (Online), version 9.0

February 7th, 2018 DynamicsMSCRM No comments

Summary
Starting with Dynamics 365 (online) version 9.0, Microsoft will begin requiring connections to customer engagement applications to utilize TLS 1.2 (or better) security. Any connections to Dynamics 365 (online), version 9.x will fail if they do not use TLS 1.2 security protocol. This will impact several Dynamics services including access to the Dynamics 365 Customer Engagement (CRM) web application.

More Information

TLS 1.0 deprecation plan may require the following:

  • Code analysis to find/fix hardcoded instances of TLS 1.0 (or instances of older TLS/SSL versions).
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0 disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0.
  • Understanding which clients may not interoperate by disabling TLS 1.0

How will you or your customers be impacted?

Any connections to Dynamics 365 (online), version 9.x will fail if they do not use TLS 1.2 security protocol. This will impact several Dynamics services (listed below), including access to the Dynamics 365 Customer Engagement web application.

A quick way to determine what TLS version will be requested by various clients when connecting to your online services is by referring to the Handshake Simulation at Qualys SSL Labs.

Supported versions of Internet Explorer and Microsoft Edge

Supported non-Internet Explorer web browsers

  • Mozilla Firefox (latest publicly-released version) running on Windows 10, Windows 8.1, Windows 8, or Windows 7
  • Google Chrome
  • Google Chrome (latest publicly-released version) running on Windows 10, Windows 8.1, Windows 8, Windows 7, and Android 10 tablet
  • Google Chrome (latest publicly-released version) running on Mac OS X 10.8 (Mountain Lion), 10.9 (Mavericks), or 10.10 (Yosemite)
  • Apple Safari (latest publicly-released version) running on Mac OS X 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite), or Apple iPad

Supported versions of Microsoft Office

  • Microsoft Office 365
  • Microsoft Office 2016
  • Microsoft Office 2013
  • Microsoft Office 2010

Ensuring support for TLS 1.2 across deployed operating systems
Many operating systems have outdated TLS version defaults or support ceilings that need to be accounted for.  Usage of Windows 8/Server 2012 or later means that TLS 1.2 will be the default security protocol version:

Error Examples
Below are some potential connectivity errors you might encounter when non-TLS 1.2 security protocol is used:

Browser error:

  • Can’t connect securely to this page
  • This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

Connector error:

Microsoft.Xrm.Tooling.CrmConnectControl Information: 8 : Login Status in Connect is =  Validating connection to Microsoft Dynamics CRM…
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error: 2 : ERROR REQUESTING Token FROM THE Authentication context
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error: 2 : Source  : mscorlib
Method   : ThrowIfExceptional
Error        : One or more errors occurred.
Stack Trace              : at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.ExecuteAuthenticateServiceProcess(Uri serviceUrl, ClientCredentials clientCredentials, UserIdentifier user, String clientId, Uri redirectUri, PromptBehavior promptBehavior, String tokenCachePath, Boolean isOnPrem, String authority, Uri& targetServiceUrl, AuthenticationContext& authContext, String& resource)

Inner Exception Level 1:

Source: Microsoft.IdentityModel.Clients.ActiveDirectory
Method: Close
Error: Object reference not set to an instance of an object.

Stack Trace: at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebResponseWrapper.Close()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationParameters.d__0.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationParameters.d__8.MoveNext() ”

Developer tools error:

Inner Exception Level 1 :

Error : The underlying connection was closed: An unexpected error occurred on a send.
Stack Trace: at System.Net.HttpWebRequest.GetResponse()

at System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.DownloadMetadata(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)

Inner Exception Level 2 :

Error : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Stack Trace: at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)

at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) ”

How to be Proactive
Microsoft recommends customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:

  • Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1.
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.

How you or your customers can avoid being impacted.

  • Custom Windows clients built utilizing .NET 4.5.2 (web and native client applications)
    • Custom Windows clients built utilizing .NET 4.5.2 can be fixed by recompiling on .NET 4.6.2. Versions of .NET 4.6.2 and higher implement a process that will seek the highest possible security transport that the host operating system supports.
    • If you are unable to do this, you can utilize a registry setting on Windows that will force .NET to utilize the highest possible security standard. Please Note: This is a machine-wide setting and may have undesired affects. It is recommended that you or your customer utilize the method of recompiling to .NET 4.6.2 or higher. The registry settings that will force .NET 4.5.2 to prefer TLS 1.2 machine-wide are documented in the article Microsoft Security Advisory 2960358 in the section “Suggested Actions” under “Manually disable RC4 in TLS on systems running .NET Framework 4.5/4.5.1/4.5.2″
  • Non .NET Clients (web and client applications)
    • Please check with the framework or language provider to determine how to configure your application to utilize TLS 1.2
  • Dynamics 365 for Microsoft Outlook
    • Download and install Version 8.2.2.137. This is required to connect Dynamics 365 for Outlook with Dynamics 365 (online), version 9.0.
  • Developer Tools
    • Download latest version of tools, used in development, from NuGet. This is required to connect to Dynamics 365 (online), version 9.0.
  • Unified Service Desk

To learn more about removing dependencies on TLS 1.0/1.1 and updating to TLS 1.2 please review the following whitepaper: “Solving the TLS 1.0 Problem

  • Share/Bookmark
Categories: Security, TLS 1.2 Tags: