Key management in Microsoft Dynamics CRM

To verify the identity of people and organizations, and to guarantee content integrity, Microsoft Dynamics CRM generates digital certificates. These electronic credentials bind the identity of the certificate owner to a pair of electronic keys (public and private) that can be used to digitally encrypt and sign information. The credentials ensure that the keys actually belong to the person or organization specified.

Key types

Microsoft Dynamics CRM uses three kinds of private encryption keys for deployments accessed over the Internet:

  • CRM ticket key (Microsoft Dynamics CRM 4.0 clients only) . This key creates CRM tickets, which are generated when a Microsoft Dynamics CRM user logs on to the system. In addition, every time that a request is made to the Microsoft Dynamics CRM Server 2011, the CRM ticket key decrypts the CRM ticket to validate users without forcing the user to re-enter credentials.
  • Web remote procedure call (WRPC) token key . This key is used to generate a security token, which helps make sure that the request originated from the user who made the request. This security token decreases the likelihood of certain attacks, such as a cross-site request forgery (one-click) attack.
  • CRM e-mail credentials key . This key encrypts the credentials for the E-mail Router, an optional component of Microsoft Dynamics CRM.

Key regeneration and renewal

CRM ticket keys are automatically generated and renewed and then distributed, or deployed, to all computers running Microsoft Dynamics CRM or running a specific Microsoft Dynamics CRM Server 2011 role. These keys are regenerated periodically and, in turn, replace the previous keys. By default, key regeneration occurs every 24 hours.

Key-management logging

Microsoft Dynamics CRM records encryption-key events in the Application log. By using the Event Viewer, you can filter on the Source column and look for MSCRMKeyServiceName entries, where ServiceName is the key management service, such as MSCRMKeyArchiveManager or MSCRMKeyGenerator.

Key storage

Cryptographic keys are stored in the Microsoft Dynamics CRM configuration database (MSCRM_CONFIG).


By default, encryption keys are not stored in the configuration database in an encrypted format. We strongly recommend that you specify encryption when you run Setup.

How to encrypt Microsoft Dynamics CRM keys

Before you run Microsoft Dynamics CRM Setup, you can add the <encryptionkeys> entry in the XML configuration file, and then run Microsoft Dynamics CRM Server Setup at the command prompt. During the installation, Setup creates a server master key and database master key, which are used to encrypt Microsoft Dynamics CRM certificates.

For more information see Use the Command Prompt to Install Microsoft Dynamics CRM.