By James O'Connor, Senior Consultant, Arbela Technologies
Starting with Dynamics 365 (online) version 9.0, Microsoft will begin requiring connections to customer engagement applications to use TLS 1.2 (or better) security. Any connection to Dynamics 365 (online) version 9.x will fail if it does not use the TLS 1.2 security protocol. This will impact several Dynamics services, including access to the Dynamics 365 Customer Engagement (CRM) web application.
TLS 1.0 deprecation plan may require the following:
How will you be impacted?
Any connection to Dynamics 365 (online) version 9.x will fail if it does not use the TLS 1.2 security protocol. This will impact several Dynamics services (listed below), including access to the Dynamics 365 Customer Engagement web application.
A quick way to determine what TLS version will be requested by various clients when connecting to your online services is by referring to the Handshake Simulation at Qualys SSL Labs.
Supported versions of Internet Explorer and Microsoft Edge
Supported non-Internet Explorer web browsers
Supported versions of Microsoft Office
Ensuring support for TLS 1.2 across deployed operating systems
Many operating systems have outdated TLS version defaults or support ceilings that need to be accounted for. Usage of Windows 8/Server 2012 or later means that TLS 1.2 will be the default security protocol version:
Below are some potential connectivity errors you might encounter when a security protocol other than TLS 1.2 is used:
Microsoft.Xrm.Tooling.CrmConnectControl Information: 8 : Login Status in Connect is = Validating connection to Microsoft Dynamics CRM...
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error: 2 : ERROR REQUESTING Token FROM THE Authentication context
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error: 2 : Source : mscorlib
Method : ThrowIfExceptional
Error : One or more errors occurred.
Stack Trace : at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.ExecuteAuthenticateServiceProcess(Uri serviceUrl, ClientCredentials clientCredentials, UserIdentifier user, String clientId, Uri redirectUri, PromptBehavior promptBehavior, String tokenCachePath, Boolean isOnPrem, String authority, Uri& targetServiceUrl, AuthenticationContext& authContext, String& resource)
Inner Exception Level 1:
Error: Object reference not set to an instance of an object.
Stack Trace: at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebResponseWrapper.Close()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationParameters.d__8.MoveNext()
Developer tools error:
Inner Exception Level 1 :
Error : The underlying connection was closed: An unexpected error occurred on a send.
Stack Trace: at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.DownloadMetadata(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)
Inner Exception Level 2 :
Error : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Stack Trace: at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
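The messages above are generic .NET transport errors, so it helps to separate traces where the connection dropped inside the TLS handshake from traces that only hint at it. The following is an added example, not code from Microsoft or from the original article: a small Python triage function that scans client trace text for the error strings quoted above. The verdict names and the sample traces are assumptions made for illustration.

```python
# Triage Dynamics 365 client traces for the TLS-related errors quoted above.
# Message strings and the SslState frame are taken from the errors on this page;
# verdict names and the sample traces are constructed for illustration.
SIGNATURES = {
    "token_request_failed": "ERROR REQUESTING Token FROM THE Authentication context",
    "closed_on_send": "The underlying connection was closed: An unexpected error occurred on a send",
    "reset_by_host": "An existing connection was forcibly closed by the remote host",
}
# A frame in this class means the read failed while the handshake was in progress.
HANDSHAKE_FRAME = "System.Net.Security.SslState."

def triage(trace_text):
    """Return (verdict, hits); hits maps signature name -> first line number."""
    hits = {}
    for lineno, line in enumerate(trace_text.splitlines(), 1):
        lowered = line.lower()
        for name, needle in SIGNATURES.items():
            if needle.lower() in lowered:
                hits.setdefault(name, lineno)
        if HANDSHAKE_FRAME in line:
            hits.setdefault("handshake_frame", lineno)
    transport = "closed_on_send" in hits or "reset_by_host" in hits
    if transport and "handshake_frame" in hits:
        verdict = "likely_tls_mismatch"   # dropped during the TLS handshake
    elif hits:
        verdict = "check_client_tls"      # consistent with TLS, but not conclusive
    else:
        verdict = "no_match"
    return verdict, hits

# Constructed sample traces (abridged from the error text quoted on this page).
SAMPLE_DEVTOOLS = """\
Inner Exception Level 1 :
Error : The underlying connection was closed: An unexpected error occurred on a send.
Inner Exception Level 2 :
Error : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Stack Trace: at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
"""
SAMPLE_TOKEN = "Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error: 2 : ERROR REQUESTING Token FROM THE Authentication context\n"
SAMPLE_OTHER = "Error : The remote name could not be resolved\n"

if __name__ == "__main__":
    for label, text in [("devtools", SAMPLE_DEVTOOLS), ("token", SAMPLE_TOKEN), ("other", SAMPLE_OTHER)]:
        print(label, triage(text))
```

A "check_client_tls" verdict is a prompt to confirm which protocol version the client actually offers, since proxies and firewalls can produce the same messages.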
Microsoft recommends that customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:
To learn more about removing dependencies on TLS 1.0/1.1 and updating to TLS 1.2, please review the following whitepaper: “Solving the TLS 1.0 Problem”