Sunday, October 8, 2017

CRM Web API and Certificates Issues

I have not written a blog in last 8 months as I have been travelling nonstop for work. In this blog, I am going to share some behavior I came across a few weeks ago.

So here is the story. We are using CRM Web API for integration between the on-premise system and CRM online. We are calling the CRM Web API from JavaScript running on the on-premise server using OAuth authentication. We used a process very similar to what is described in the following article: https://msdn.microsoft.com/en-us/library/mt595797.aspx.

Generally, we don’t need to manually install SSL certificates of public sites on our personal machines, as most browsers and operating systems have already installed the root CA certificate of well known certificate authorities like Symantec, Digicert, Microsoft, etc.

For security reasons, in an enterprise environment most of the root CA certificates/trusted public authorities are removed from the integration servers.

To make the successful calls to CRM Web APIs, you have to install the following certificates onto your integration severs.
  1. Certificate to communicate with https://login.microsoft.com
  2. Dynamics CRM 365 Certificate
Now the real story. We installed the certificates, and everything was working as expected for a couple of months, when suddenly it stopped working. After some investigation, we found out that we are not getting the authentication token from https://login.microsoft.com. A bit more investigation, and we found out that the issue is related to the certificate. The server certificate presented by https://login.microsoft.com was different than the certificate we installed on our integration server. The old certificate was not expired, but still replaced by a new one. We replaced the certificates and everything is back to normal. I have attached the screen shots of both the certificates.

Old Certificate

2017-10-09_11-53-51

New Certificate

2017-10-09_11-55-44

If you look at the certificates, the original certificate was issued by Symantec and was expiring on March 18th 2018, while the new certificate is issued by Microsoft itself. I hope this won’t happen again. So if your calls to CRM Web APIs stop working, check your certificates.

No comments:

Post a Comment