Key management in Microsoft Dynamics CRM

Applies To: Dynamics CRM 2013

To verify the identity of people and organizations, and to guarantee content integrity, Microsoft Dynamics CRM generates digital certificates. These electronic credentials bind the identity of the certificate owner to a pair of electronic keys (public and private) that can be used to digitally encrypt and sign information. The credentials ensure that the keys actually belong to the person or organization specified.

In This Topic

Key types

Key regeneration and renewal

Key-management logging

Key storage

How to encrypt Microsoft Dynamics CRM keys

Key types

Microsoft Dynamics CRM uses two kinds of private encryption keys for deployments accessed over the Internet:

  • Web remote procedure call (WRPC) token key. This key is used to generate a security token, which helps make sure that the request originated from the user who made the request. This security token decreases the likelihood of certain attacks, such as a cross-site request forgery (one-click) attack.

  • CRM email credentials key. This key encrypts the credentials for the Email Router, an optional component of Microsoft Dynamics CRM.

Key regeneration and renewal

CRM ticket keys are automatically generated and renewed and then distributed, or deployed, to all computers running Microsoft Dynamics CRM or running a specific Microsoft Dynamics CRM Server 2013 role. These keys are regenerated periodically and, in turn, replace the previous keys. By default, key regeneration occurs every 24 hours.

Key-management logging

Microsoft Dynamics CRM records encryption-key events in the Application log. By using the Event Viewer, you can filter on the Source column and look for MSCRMKeyServiceName entries, where ServiceName is the key management service, such as MSCRMKeyArchiveManager or MSCRMKeyGenerator.
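The following Windows PowerShell script is an added example, not part of the original topic or of Microsoft's tooling. It reads the MSCRMKey* entries described above from the Application log and compares the time between entries with the default 24-hour regeneration interval. It assumes that a working key service writes at least one entry per regeneration cycle; the variable names and the seven-day lookback are illustrative.

```powershell
# Added example: review Dynamics CRM key-management events on a CRM server.
# Assumption: a working key service writes at least one Application-log entry
# per regeneration cycle, so a longer silence is worth investigating.
$LookbackDays = 7     # illustrative review window
$MaxGapHours  = 24    # default regeneration interval stated in this topic

$since   = (Get-Date).AddDays(-$LookbackDays)

# -Source accepts wildcards, matching the Source column filter in Event Viewer.
$entries = @(Get-EventLog -LogName Application -Source 'MSCRMKey*' `
                 -After $since -ErrorAction SilentlyContinue)

if ($entries.Count -eq 0) {
    Write-Warning "No MSCRMKey* entries in the last $LookbackDays days."
    return
}

# Per-source summary: entry count, problems, and the longest silence,
# including the time elapsed since the most recent entry.
$entries | Group-Object Source | ForEach-Object {
    $sorted  = @($_.Group | Sort-Object TimeGenerated)
    $largest = [TimeSpan]::Zero
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $gap = $sorted[$i].TimeGenerated - $sorted[$i - 1].TimeGenerated
        if ($gap -gt $largest) { $largest = $gap }
    }
    $sinceLast = (Get-Date) - $sorted[-1].TimeGenerated
    if ($sinceLast -gt $largest) { $largest = $sinceLast }

    New-Object PSObject -Property @{
        Source           = $_.Name
        Entries          = $sorted.Count
        ErrorsOrWarnings = @($sorted | Where-Object {
                                $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning'
                            }).Count
        LastEntry        = $sorted[-1].TimeGenerated
        LargestGapHours  = [math]::Round($largest.TotalHours, 1)
        GapExceeded      = ($largest.TotalHours -gt $MaxGapHours)
    }
} | Format-Table Source, Entries, ErrorsOrWarnings, LastEntry, LargestGapHours, GapExceeded -AutoSize

# Full text of any error or warning entries, oldest first.
$entries |
    Where-Object { $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning' } |
    Sort-Object TimeGenerated |
    Format-List TimeGenerated, Source, EventID, EntryType, Message
```

Run it on each computer that hosts a Microsoft Dynamics CRM server role. Get-EventLog is available in Windows PowerShell but not in PowerShell 7.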

Key storage

Cryptographic keys are stored in the Microsoft Dynamics CRM configuration database (MSCRM_CONFIG).

Warning

By default, encryption keys are not stored in the configuration database in an encrypted format. We strongly recommend that you specify encryption when you run Setup as described below.

How to encrypt Microsoft Dynamics CRM keys

Before you run Microsoft Dynamics CRM Setup, you can add the <encryptionkeys> entry to the XML configuration file, and then run Microsoft Dynamics CRM Server Setup at the command prompt. During the installation, Setup creates a server master key and database master key, which are used to encrypt Microsoft Dynamics CRM certificates.

For more information, see the <encryptionkeys> element in the Microsoft Dynamics CRM 2013 Server XML configuration file topic.

See Also

Advanced deployment options for Microsoft Dynamics CRM Server 2013
Multi-organization deployment

© 2016 Microsoft Corporation. All rights reserved.