Microsoft Dynamics 365 | Integration, Dataverse...

The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

(1) Share

Report

Posted on by Leon Bouquiet

Hi all,

I'm running an on-premise instance of Dynamics 365 Customer Engagement (version 9.1.7.5), and my Dynamics' w3wp trace log kept logging the following error:

[2022-03-11 12:59:36.648] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   37 |Category: Platform.Sdk |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: 00000000-0000-0000-0000-000000000000 |ActivityId: 32c0a4b3-d5b4-4f1f-9eac-eff8d1ccc03d | ServiceModelTraceRedirector.TraceData  ilOffset = 0x5B
>
https://docs.microsoft.com/dotnet/framework/wcf/diagnostics/tracing/System-ServiceModel-Diagnostics-ThrowingException
Throwing an exception.
/LM/W3SVC/2/ROOT-1-132914735122544941

System.InvalidOperationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The client certificate is not provided. Specify a client certificate in ClientCredentials. 
   at System.ServiceModel.ClientCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement tokenRequirement, Boolean disableInfoCard)
...

In order to get rid of this error, I tried setting the AppFabricIssuer certificate as described in this blog post: https://kyledoestech.com/service-integration-issuer-information-not-found-dynamics-365/

This seems to have partially worked, as there is now a different error that's being logged:

[2022-03-14 23:59:58.432] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   13 |Category: Platform.Sdk |User: 00000000-0000-0000-0000-000000000000 |Level: Error |ReqId: 00000000-0000-0000-0000-000000000000 |ActivityId: 9e27ecbf-c072-4f7b-bbaa-d5ec39b87319 | ServiceModelTraceRedirector.TraceData  ilOffset = 0x5B
>
https://docs.microsoft.com/dotnet/framework/wcf/diagnostics/tracing/System-ServiceModel-Diagnostics-ThrowingException
Throwing an exception.
/LM/W3SVC/2/ROOT-1-132917478165603579

System.ServiceModel.ProtocolException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings (for example security enabled on the client and not on the server).
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
>   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
>   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
>   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
>   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
>   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
>   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
>   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
>   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
>   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
>   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
>   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
>   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
>   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
>   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
>   at Microsoft.Crm.Sandbox.ISandboxHost.Ping(SandboxCallInfo callInfo, SandboxHostConfiguration hostConfigurationInfo, SandboxWorkerConfiguration workerConfigurationInfo, Dictionary`2 sandboxAdditionalInfo, CrmTraceRemoteSettings remoteSettings, SandboxWorkerExecutionRecord& workerExecutionRecord, String& hostSidSddlForm)
>   at Microsoft.Xrm.RemotePlugin.Wcf.Client.WcfHostClient.Ping(IsolationType isolationType)
>   at Microsoft.Xrm.RemotePlugin.Client.SandboxHostHealthChecker.TryGetAuthMode(IIndex`2 channelByAuthMode, IsolationType isolationType, RemoteHost remoteHost, ILogger logger, ServiceStatus& status, AuthMode& validAuthMode)
>   at Microsoft.Xrm.RemotePlugin.Client.SandboxHostHealthChecker.<>c__DisplayClass16_1.<BackgroundHealthMonitorInternal>b__2()
>   at Microsoft.PowerApps.CoreFramework.ActivityLoggerExtensions.Execute(ILogger logger, EventId eventId, ActivityType activityType, Action action, IEnumerable`1 additionalCustomProperties)
>   at Microsoft.Xrm.Telemetry.XrmTelemetryExtensions.Execute(ILogger logger, XrmTelemetryActivityType activityType, Action action)
>   at Microsoft.Xrm.RemotePlugin.Client.SandboxHostHealthChecker.<>c__DisplayClass16_0.<BackgroundHealthMonitorInternal>b__0()
>   at System.Threading.Tasks.Task.Execute()
>   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
>   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
>   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot)
>   at System.Threading.Tasks.Task.ExecuteEntry(Boolean bPreventDoubleExecution)
>   at System.Threading.ThreadPoolWorkQueue.Dispatch()
>
System.ServiceModel.ProtocolException: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings (for example security enabled on the client and not on the server).

It looks like something isn't configured properly with the CrmSandbox, but I have no idea how to fix this...

Any help would be greatly appreciated.

All responses (11)

Answers (0)

JVE 213 on at

Like (0)

Report
RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

@Philip Küsel I appreciate your feedback.

So the solution for this are these powershell commands:

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MSCRM -Name SandboxEnableSSLSecurity -Value 1 -PropertyType DWORD New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MSCRM -Name SandboxSSLCertificateThumbprint -Value (gci Cert:\LocalMachine\My -SSLServerAuthentication -DnsName "*.example.com").thumbprint -PropertyType String New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MSCRM -Name SandboxSSLCertificateDNSName -Value ".example.com" -PropertyType String

That is for wildcard cert. If you have *.example.com, .example.com (dot prefix, no wildcard char) must be provided for SandboxSSLCertificateDNSName

I did also assign read pemissions for particular cert for service account running MSCRMSandboxService service.

Well when certificate expires, it must be changed obviously.

Some additional info:

I'm noob in WCF, but what I gathered:

When SandboxEnableSSLSecurity = 0 (default)
Uses TcpClientCredentialType.Windows NetTcpBinding with SecurityMode.Transport. It then uses endpoint identity SPN: MSCRMSandboxService\crm.example.com. Endpoint address net.tcp://crm:808/CrmSandboxHost (notice no FQDN)

When SandboxEnableSSLSecurity = 1
Uses TcpClientCredentialType.Certificate. NetTcpBinding with SecurityMode.Transport. It then uses endpoint identity WildcardIdentity(<value from SandboxSSLCertificateDNSName>) (Custom implemtation of EndpointIdentity Class (System.ServiceModel)). Endpoint address was also non-FQDN. If you wonder why cert works then, because it is client auth cert not server auth cert.

Even tho I had this SPN MSCRMSandboxService\crm.example.com (and MSCRMSandboxService\crm) added to MSCRMSandboxService account, I did had those errors in log. I'd rather have this working without using client certificate authentication, if someone can sort out how to make Kerberos work. I have single machine install, so all connections happen locally.
Suggested answer

PhilipK 611 on at

Like (1)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Leon.

I had to do a little but of catching up on this as it's been a while.
So first of, yes the registry keys are being used, even the "SandboxSSLCertificateDNSName" :).
I haven't seen your specific issue but I do notice you are using ipv6 which I don't thing should be an issue here but an observation(btw, you might want to mask those in your reply..)

So by going back and looking at my own notes and configuration here are some updates, answers and things to check.
1. I ended up configuring my certficiate(SandboxSSLCertificateThumbprint) for the Sandbox Service with a generic CN and DNS SAN with name eg. "sb.dynamics.local.dom"
The reason for this is that in a deployment with multiple sandbox services(roles) it will need the same certificate on installed on all servers hosting it.
Also, it can only have one DNS name, adding multiple SAN DNS, like. sbserver1.dynamics.local.dom, sbserver2.. and so forth doesn't work as It it will only use the first DNS SAN name.

2. Verify that your service accounts for all Dynamics services have at least Read access to the MSCRM registry hive, e.g. Logon for AsyncService, Sandbox, Dynamics Web(w3wp).
I've personally set full access for all the service accounts used by these services in my current dev. environment but MS have an article on minimal permissions needed.

3. And regarding the SandboxSSLCertificateDNSName
I discovered this is used as the WCF DNS identity check which is used by the WCF Client and Service(Sandbox) and this is used by the WCF client verifying the identity(DNS/CN name of the certificate on the thumbprint for regkey: SandboxSSLCertificateThumbprint) .
Read more about this here: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/service-identity-and-authentication
My key is configured with value: sb.dynamics.local.dom
Removing this key I'll get the following error in EvtLog-Application when e.g. AsyncService started and trying to establish a connection with Sandbox Service:

A Sandbox Host is not available.
Source: CrmAsyncService.exe (7752)
Sandbox Host: DYN1
Reason: System.ServiceModel.Security.MessageSecurityException: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was '.sandboxhost.dynamics.com' but the remote endpoint provided DNS claim 'sb.dynamics.local.dom'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'sb.dynamics.local.dom' as the Identity property of EndpointAddress when creating channel proxy.

As we can see from the error, the '.sandboxhost.dynamics.com" which is Microsoft Dynamics "Online" default value in this configuration, and I would assume there is another configuration/key as how they specify their sandbox "farm" as the prefix e.g. "sbfarm1.sandboxhost.dynamics.com" and they will probably have a bunch for every datacenter/scalegroup "online" so a deployment configurable value somehwere makes sense.
But how and where this configuration value resides is irrelevant for us in on-premise.
So the "SandboxSSLCertificateDNSName" basically overrides this setting all together and whatever specified for the WCF Client call.

Hope this helps.

Best regards.
Philip

Leon Bouquiet

5 on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Philip,

Thanks for your answer. I performed the steps you described, but unfortunately its still not working - I'm getting different error messages though, so that's something :)

To recap:
- When the Sandbox is not running, the CrmAsyncService logs says:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://myserver-fqdn/CrmSandboxHost that could accept the message.
This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
- When the Sandbox is running without SSL (SandboxEnableSSLSecurity = 0), it says:
System.ServiceModel.ProtocolException: The requested upgrade is not supported by 'net.tcp://myserver-fqdn/CrmSandboxHost'.
This could be due to mismatched bindings (for example security enabled on the client and not on the server).
- When the Sandbox is running with SSL (SandboxEnableSSLSecurity = 1 with the thumbprint and host name configured), it says:
System.ServiceModel.CommunicationException: The socket connection was aborted.
This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'.

When I look at the stack trace of the last error (see below), it seems that I got a little further, since it contains a call to "System.Net.Security._SslStream.StartWriting", which tells me that it attempts to write something through SSL, right?
So next question is: why is the socket connection being closed?

Also, another thing I noticed:
When I misconfigure the SandboxSSLCertificateThumbprint, the Sandbox service refuses to start (so it actually uses this registry setting).
However, when I misconfigure the SandboxSSLCertificateDNSName it doesn't seem to care, it starts normally, and in the Windows Event Log viewer, I always see it listening to localhost:

The Sandbox Host service has started.
Source: Microsoft.Crm.Sandbox.HostService.exe (12060)
Endpoint: net.tcp://localhost/CrmSandboxHost

The Sandbox Host service has started.
Source: Microsoft.Crm.Sandbox.HostService.exe (12060)
Endpoint: localhost/CDSSandboxHostStatus

The complete stacktrace of the last error is:

>https://docs.microsoft.com/dotnet/framework/wcf/diagnostics/tracing/System-ServiceModel-Channels-TcpConnectionResetErrorThe socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'. The local IP address and port is [fe80::4525:4189:339a:5825%7]:53493. The remote IP address and port is [fe80::4525:4189:339a:5825%7]:808.CrmAsyncService.exeSystem.ServiceModel.CommunicationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'.   at System.ServiceModel.Channels.SocketConnection.ConvertTransferException(SocketException socketException, TimeSpan timeout, Exception originalException, TransferOperation transferOperation, Boolean aborted, String timeoutErrorString, TransferOperation timeoutErrorTransferOperation, SocketConnection socketConnection, TimeSpan remainingTime)
>   at System.ServiceModel.Channels.SocketConnection.ConvertSendException(SocketException socketException, TimeSpan remainingTime, TimeSpan timeout)
>   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
>   at System.ServiceModel.Channels.BufferedConnection.WriteNow(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, BufferManager bufferManager)
>   at System.ServiceModel.Channels.BufferedConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
>   at System.ServiceModel.Channels.ConnectionStream.Write(Byte[] buffer, Int32 offset, Int32 count)
>   at System.Net.Security._SslStream.StartWriting(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
>   at System.Net.Security._SslStream.ProcessWrite(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
>   at System.Net.Security.SslStream.Write(Byte[] buffer, Int32 offset, Int32 count)
>   at System.ServiceModel.Channels.StreamConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
>   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
>   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
>   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
>   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
>   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
>   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
>   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
>   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
>   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
>   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
>   at System.ServiceModel.Channels.ServiceChannelProxy.ExecuteMessage(Object target, IMethodCallMessage methodCall)
>   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeChannel(IMethodCallMessage methodCall)
>   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
>   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
>   at System.ServiceModel.ICommunicationObject.Open()
>   at Microsoft.Crm.Sandbox.SandboxClientBase`1.Open()
>   at Microsoft.Crm.Sandbox.SandboxClientBase`1.get_Proxy()
>   at Microsoft.Crm.Sandbox.SandboxHostManager.<>c__DisplayClass27_3.b__3()
>   at Microsoft.PowerApps.CoreFramework.ActivityLoggerExtensions.Execute[TResult](ILogger logger, EventId eventId, ActivityType activityType, Func`1 func, IEnumerable`1 additionalCustomProperties)
>   at Microsoft.Xrm.Telemetry.XrmTelemetryExtensions.Execute[TResult](ILogger logger, XrmTelemetryActivityType activityType, Func`1 func)
>   at Microsoft.Crm.Sandbox.SandboxHostManager.<>c__DisplayClass27_0.b__0()
>   at Microsoft.PowerApps.CoreFramework.ActivityLoggerExtensions.Execute(ILogger logger, EventId eventId, ActivityType activityType, Action action, IEnumerable`1 additionalCustomProperties)
>   at Microsoft.Xrm.Telemetry.XrmTelemetryExtensions.Execute(ILogger logger, XrmTelemetryActivityType activityType, Action action)
>   at Microsoft.Crm.Sandbox.SandboxHostManager.PingSingleClient(SandboxClient pingClient, SandboxHostInfo info, Boolean useDrawbridgeEnabled)
>   at Microsoft.Crm.Sandbox.SandboxHostManager.CreateClientAndPing(SandboxHostInfo info, Boolean useDrawbridgeEnabled)
>   at Microsoft.Crm.Sandbox.SandboxHostManager.d__34.MoveNext()
>   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.Start[TStateMachine](TStateMachine& stateMachine)
>   at Microsoft.Crm.Sandbox.SandboxHostManager.CheckHostStatus(SandboxHostInfo info, ConcurrentDictionary`2 readyClients, ConcurrentDictionary`2 pendingClients, Boolean useDrawbridgeEnabled)
>   at Microsoft.Crm.Sandbox.SandboxHostManager.d__31.MoveNext()
>   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine)
>   at Microsoft.Crm.Sandbox.SandboxHostManager.PingHostsInternal(Object stateObject)
>   at System.Threading.Tasks.Task`1.InnerInvoke()
>   at System.Threading.Tasks.Task.Execute()
>   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
>   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
>   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot)
>   at System.Threading.Tasks.Task.ExecuteEntry(Boolean bPreventDoubleExecution)
>   at System.Threading.ThreadPoolWorkQueue.Dispatch()
>System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
>   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
>   --- End of inner exception stack trace ---System.Net.Sockets.SocketException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089An existing connection was forcibly closed by the remote host   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)System.Net.Sockets.SocketException (0x80004005): An existing connection was forcibly closed by the remote host
>   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)2746

PhilipK 611 on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Angel A.

Assuming you're getting the exact same error as prior to configuring this according to your environment, could you share information on your Dynamics 365 server configuration, e.g. multiple servers, split roles or full server such?
Have you configured any other registry keys related to the Sandbox service?

Best regards.
Philip
Angel A. Rodriguez 25 on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Phillips,

Thanks. This doesn't work for us. We are missing something here.

br.

Angel A.
Suggested answer

PhilipK 611 on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi.

One of the many out-of-the box error messages seen in the current version of Dynamics 365 on-premise(9.1.9.8).
I've been on a mission to try to address all of the ones and make a post(mainly to MS staff) here with hope that we in the future can have Trace logs that isn't full of errors, regardless if they actually is affecting the operation or not, but I just haven't gotten around to it yet.

However, my conclusion on this specific error is that it shouldn't affect the operation of Dynamics as it's caused due to a "Ping" operation initiated from the Asyncservice to the Sandbox host.
The issue is that this Ping call is failing due to the WCF Client and the WCF Service cannot communicate due to the SandboxHost hasn't been configured to use a certificate so SSL-TLS is failing.

To resolve this:
1. Create/Issue a certificate(Private key Exportable) on the server hosting the Sandbox service with a DNS SAN = "your SB server fqdn"
2. Open MMC - Certificates (Computer) - Personal - Certificates, assign read permissions to the Private Key for the serviceaccount your running your Sandbox service.
3. Copy the Certificate thumbprint.
4. Open Registry and under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM] create the following keys, ofc you need to replace <> with your own values:
"SandboxEnableSSLSecurity" = 1 (DWORD)
"SandboxSSLCertificateThumbprint"="<YourThumbprint>" (String Value)
"SandboxSSLCertificateDNSName"="<YourSandboxHostName.yourdomain.com>" (String Value)
5. Restart your Sandbox and Asyncservice.

Do note that if you have configured any of these values incorrect your Sandbox Service may not start.
Here is an image from my test env. on how it should look like as reference.

Best regards. Philip
Leon Bouquiet 5 on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Angel,

No unfortunately not. It's still my intention to try and figure this out, but there are some other things that need my attention more at the moment.
Angel A. Rodriguez 25 on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Leon,

I'm having the same problem. Did you find any solution?

Thanks.
Ken Hubbard on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Leon,

I did not find any work in support's history about tackling this message. You might be amused to know that even when searching around on the web about this, this forum post is in the top results.

Generally I would recommend a case like this to a support ticket since log analysis and research is probably needed. However, in this case, I would actually recommend you to open a ticket with our Windows Server IIS team to see if they can provide feedback about this exception, but we can also leave this thread open to see if anyone in the community has any further feedback.

Thanks,
Ken
Leon Bouquiet 5 on at

Like (0)

Report

RE: The requested upgrade is not supported by 'net.tcp://myserver/CrmSandboxHost'. This could be due to mismatched bindings

Hi Ken,

Thanks for your reply. No, not so much a malfunction of Dynamics CRM (at least at this moment - that I'm aware of), but the trace log gets swamped with this message making it harder to see other, potentially more serious problems.

Also, it seemed to me that something is simply misconfigured which should be easy enough to fix. But gathering from the (lack of) responses so far, this might not be the case... :)