Dynamics CRM in the Field

Information from the Microsoft Dynamics CRM PFE team working in the field

Tips : Dynamics CRM 2013 Field Level Data Encryption Management


Microsoft Dynamics CRM 2013 (on premise and online) introduces Field-Level Data Encryption, which encrypts several out-of-the-box password fields; it does not apply to custom fields or to any non-password fields. You can find more details here. This is a great feature, yet you may encounter an issue when you use Import Organization.

1. This feature is enabled by default.

Microsoft Dynamics CRM generates a strong random password when creating a new organization or upgrading an existing organization, and uses it as the encryption key.

2. The encryption key will not be re-generated during the Import of a CRM Organization.

The key is not re-generated on import because you may have changed the encryption key since creating the CRM Organization. After import you will need to manually re-activate the feature using the correct encryption key. However, if you haven't changed the encryption key, you will not know what the original key value was.

3. You may encounter errors if you don’t activate the feature.

Whether or not you have password data in the password fields, CRM always tries to decrypt the field when it needs to. For example, if you open a mailbox record, CRM tries to decrypt the password field. Therefore, if you didn't activate the feature, CRM fails to decrypt the field and displays the following error message.

In case you see the error message, you can resolve the issue by activating the feature. However, activating the feature requires HTTPS by default, because you enter the encryption key through the browser.

If your On-Premise environment does not have HTTPS enabled, you have 2 options:

[Option 1]
Enable HTTPS by using a certificate, changing the IIS bindings, changing the Deployment Manager properties, etc. This is not a bad thing (and is highly recommended), but it can take time to test and implement.

[Option 2]
Change CRM settings so that you can activate the feature without using HTTPS. To do this, follow the steps below.

a. Download the SDK from http://www.microsoft.com/en-us/download/details.aspx?id=40321 and extract it.
b. Open PowerShell on the CRM Server.
c. Change directory to the SDK folder you extracted and move to the SampleCode\PS directory.
d. Run the following command.
> ./setadvancedsettings.ps1 -ConfigurationEntityName Deployment -SettingName DisableSSLCheckForEncryption -SettingValue 1
If you encounter an error saying you need to change the execution policy, please follow the instructions in the error.

SetAdvancedSettings.ps1 is a sample script which lets you update CRM settings easily.
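The same change done directly with the Deployment PowerShell snap-in, as an added example that is not part of the original post or of the SDK sample. It assumes the Microsoft.Crm.PowerShell snap-in is registered on the CRM server (it is installed with the server role) and that you run it as a Deployment Administrator; it reads the current value first, sets the flag, and then sets it back to 0 after activation, a revert step the post's list does not include.

```powershell
# Added example (not from the original post): read and toggle the
# DisableSSLCheckForEncryption deployment setting with the same cmdlets that
# the SDK sample SetAdvancedSettings.ps1 wraps.
# Assumption: the Microsoft.Crm.PowerShell snap-in is available on this server.
if (-not (Get-PSSnapin -Name Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Crm.PowerShell
}

function Get-SslCheckForEncryptionSetting {
    # Returns the attributes of the Deployment setting as "name = value" strings,
    # so the pre-change value is on record before anything is modified.
    $entity = Get-CrmAdvancedSetting -ConfigurationEntityName Deployment `
                                     -SettingName DisableSSLCheckForEncryption
    $entity.Attributes | ForEach-Object { "$($_.Key) = $($_.Value)" }
}

function Set-SslCheckForEncryptionSetting {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int] $Value)
    # Build the ConfigurationEntity the way the SDK sample script does: the
    # Deployment entity with a single attribute, DisableSSLCheckForEncryption.
    $setting = New-Object Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity
    $setting.LogicalName = 'Deployment'
    $setting.Attributes = New-Object Microsoft.Xrm.Sdk.Deployment.AttributeCollection
    $pair = New-Object 'System.Collections.Generic.KeyValuePair[String,Object]' `
                       ('DisableSSLCheckForEncryption', $Value)
    $setting.Attributes.Add($pair)
    Set-CrmAdvancedSetting -Entity $setting
}

# 1. Record the current value so the change can be reverted later.
Get-SslCheckForEncryptionSetting

# 2. Allow the Data Encryption page to activate the feature over plain HTTP.
Set-SslCheckForEncryptionSetting -Value 1
# ... now activate the feature under Settings | Data Management | Data Encryption ...

# 3. Restore the SSL check once the key is in place, so that later key changes
#    are again refused over an unencrypted connection.
Set-SslCheckForEncryptionSetting -Value 0
```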

[Option 3]
If you cannot use PowerShell for any reason, you may need to change the setting by directly updating SQL (not recommended).

a. Open SQL Server Management Studio.
b. Click New Query and select MSCRM_CONFIG database.
c. Run the command: UPDATE DeploymentProperties SET BitColumn = 1 WHERE ColumnName = 'DisableSSLCheckForEncryption'
d. IISRESET
e. Add the CRM user who will activate the feature to PrivUserGroup. (You need to remove the user from the group after you activate the feature.)
Please refer to the following article on how to find the correct PrivUserGroup in your Active Directory.
http://blogs.msdn.com/b/crminthefield/archive/2013/04/08/how-to-find-which-active-directory-security-groups-belong-to-your-crm-deployment.aspx

After you have completed these steps, log into CRM, navigate to Settings | Data Management | Data Encryption, and activate the feature. If you are not using HTTPS, the encryption key is sent over the wire in plain text, unencrypted. For this reason we strongly recommend that you change the key on the CRM server or use SSL. Please note that if you already have data stored in any password fields and activate the feature using a new encryption key, you will lose that data and will need to re-enter it in the password fields.

You won't have any issues if you do not have any data stored in encryption-enabled fields, but as a best practice, and to avoid having to reset the key, we strongly recommend that you create and back up the encryption key in every deployment. Please also refer to the following article, which explains how to back up the encryption key.

Post-installation and configuration guidelines for Microsoft Dynamics CRM 2013
http://msdn.microsoft.com/en-us/library/hh699726.aspx

Copy your organization data encryption key
http://msdn.microsoft.com/en-us/library/f88f7c87-2ee2-42f3-8101-7271f6731cf9#BKMK_copy_your_org_enc_key

Thanks for reading!

Ken

Premier Field Engineer
Microsoft Japan

  • great post!

  • Outstanding, Nakamura-san- thank you!
