Personalized Community is here!
Quickly customize your community to find the content you seek.
Choose your path Increase your proficiency with the Dynamics 365 applications that you already use and learn more about the apps that interest you. Up your game with a learning path tailored to today's Dynamics 365 masterminds and designed to prepare you for industry-recognized Microsoft certifications.
Visit Microsoft Learn
2020 Release Wave 2Discover the latest updates and new features to Dynamics 365 planned through March 2021.
Release overview guides and videos Release Plan | Preview 2020 Release Wave 2 TimelineWatch the 2020 Release Wave 1 virtual launch event
Ace your Dynamics 365 deployment with packaged services delivered by expert consultants. | Explore service offerings
Connect with the ISV success team on the latest roadmap, developer tool for AppSource certification, and ISV community engagements | ISV self-service portal
The FastTrack program is designed to help you accelerate your Dynamics 365 deployment with confidence.
FastTrack Program | Finance TechTalks | Customer Engagement TechTalks | Upcoming TechTalks
I am getting familiar with the concept of hashing passwords and different algorithms, because I want to find out if the passwords which are used by users are safe enough. In order to do so as far as I understand I should perform a dictionary attack specifying the hashing algorithm.
The hashes look like the following: 0BXADEU0D076DU
I cannot find similar hashes in the table (https://hashcat.net/wiki/doku.php?id=example_hashes) or elsewhere on the internet, so I cannot determine the hashing algorithm. Does someone know which algorithm is used in AX? Is there any other way to assure that users are not choosing such weak passwords as "Password1" or "P@ssword1", which could be allowed by relatively strict password policy rules.
I am unsure what you refer to as AX passwords, since the user authentication happens via the Windows Active Directory, so no password hash is involved here when talking about AX.
Since a hash is just a checksum of the original values generated via a set of steps, it is very unlikely you could guess what process was used in order to produce the outcome value.
In AX there are some fields which have password data, that are encrypted/decrypted via the AOT > Classes > WinAPIServer > cryptProtectData and cryptUnProtectData, which are essentially just doing a .Net call to the System.Security.Cryptography namespace. If I remember correctly those cryptkeys are shared between the AOS machines.
Once we had to encrypt user information for an eCommerce portal, where the login credentials were stored in AX, for which we have done a custom implementation of AES with machine-independent keys and salt ourselves, so nothing stops you to extend AX with custom hashing and encryption.
Maybe you're using a very old version of AX that doesn't authenticate against Active Directory.
Please never forget to specify your AX version; differences between versions can be huge.
You are very correct. The version is very old, it is 3.0. Authentication is not integrated with Active Directory.
I used to work with Axapta 3.0, but it's ancient history. A newer version, Dynamics AX 4.0, was released ten years ago and we've got a plenty of new versions and great new features since then.
If I was you, I wouldn't invest my time to trying to decrypt those passwords. As I remember, Axapta 3.0 supported Active Directory as an optional feature, therefore consider activating it; then you can manage password policies in Active Directory. And seriously consider upgrading to a newer version, ideally to something with active support.
In my point of view you can do following things to achieve your Goal.
1. For Hashing Purpose, you can use DimensionAttributeSetStorage Class methods DimensionAttributeSetStorage::getHash Method and you should explore this class to perform more functionality.
2. As far as your concern related to weak user password, you can write X++ code in which you can check that user should input atleast one upper char letter, one number, one special char and password letter must be greater than 8. Notify user if above category does not meet.
Please mark all helpful answers as Verified.
The information provided reflects in my personal view without any warranty.
Business Applications communities