Key management in Microsoft Dynamics CRM


Applies To: Dynamics CRM 2013

To verify the identity of people and organizations, and to guarantee content integrity, Microsoft Dynamics CRM generates digital certificates. These electronic credentials bind the identity of the certificate owner to a pair of electronic keys (public and private) that can be used to digitally encrypt and sign information. The credentials ensure that the keys actually belong to the person or organization specified.

Microsoft Dynamics CRM uses two kinds of private encryption keys for deployments accessed over the Internet:

  • Web remote procedure call (WRPC) token key. This key is used to generate a security token, which helps make sure that the request originated from the user who made the request. This security token decreases the likelihood of certain attacks, such as a cross-site request forgery (one-click) attack.

  • CRM email credentials key. This key encrypts the credentials for the Email Router, an optional component of Microsoft Dynamics CRM.

CRM ticket keys are automatically generated and renewed and then distributed, or deployed, to all computers running Microsoft Dynamics CRM or running a specific Microsoft Dynamics CRM Server 2013 role. These keys are regenerated periodically and, in turn, replace the previous keys. By default, key regeneration occurs every 24 hours.

Microsoft Dynamics CRM records encryption-key events in the Application log. By using the Event Viewer, you can filter on the Source column and look for MSCRMKeyServiceName entries, where ServiceName is the key management service, such as MSCRMKeyArchiveManager or MSCRMKeyGenerator.
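The same Event Viewer filter can be scripted to confirm that key regeneration is still happening on schedule. The PowerShell below is an added example, not Microsoft's code: the function names and the 26-hour tolerance are assumptions, and it also assumes MSCRMKeyGenerator writes at least one event per regeneration.

```powershell
# Added example. Source names are the two listed on this page.
$KeySources = 'MSCRMKeyGenerator', 'MSCRMKeyArchiveManager'

function Get-CrmKeyEvent {
    param([Parameter(Mandatory)][datetime]$Since)
    # Same filter as Event Viewer: Application log, Source = key services.
    $filter = @{
        LogName      = 'Application'
        ProviderName = $KeySources
        StartTime    = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
}

function Find-CrmKeyRotationGap {
    param(
        [object[]]$Events = @(),
        [Parameter(Mandatory)][datetime]$WindowStart,
        [datetime]$WindowEnd = (Get-Date),
        # Default regeneration is every 24 hours; 2 hours of slack is assumed.
        [timespan]$MaxInterval = [timespan]::FromHours(26)
    )
    # Window edges are included so a silent start or end is also reported.
    $points = @($WindowStart)
    $points += @($Events |
        Where-Object { $_.ProviderName -eq 'MSCRMKeyGenerator' } |
        Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
    $points += $WindowEnd
    for ($i = 1; $i -lt $points.Count; $i++) {
        $gap = $points[$i] - $points[$i - 1]
        if ($gap -gt $MaxInterval) {
            [pscustomobject]@{
                From  = $points[$i - 1]
                To    = $points[$i]
                Hours = [math]::Round($gap.TotalHours, 1)
            }
        }
    }
}

# Constructed sample: daily generator events with day 3 missing.
$start  = [datetime]'2024-01-01T00:00:00'
$sample = 0, 1, 2, 4, 5 | ForEach-Object {
    [pscustomobject]@{ TimeCreated  = $start.AddDays($_).AddMinutes(5)
                       ProviderName = 'MSCRMKeyGenerator' }
}
Find-CrmKeyRotationGap -Events $sample -WindowStart $start -WindowEnd $start.AddDays(6)
```

On a server running the key services, pass `Get-CrmKeyEvent -Since $since` as `-Events` and the same `$since` as `-WindowStart`; an empty result for the whole window is reported as a single gap.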

Cryptographic keys are stored in the Microsoft Dynamics CRM configuration database (MSCRM_CONFIG).


By default, encryption keys are not stored in the configuration database in an encrypted format. We strongly recommend that you specify encryption when you run Setup as described below.

Before you run Microsoft Dynamics CRM Setup, you can add the <encryptionkeys> entry in the XML configuration file, and then run Microsoft Dynamics CRM Server Setup at the command prompt. During the installation, Setup creates a server master key and database master key, which are used to encrypt Microsoft Dynamics CRM certificates.

For more information, see the <encryptionkeys> element in the Microsoft Dynamics CRM 2013 Server XML configuration file topic.

© 2016 Microsoft Corporation. All rights reserved.