Back to Blog Index

Transport layer security (TLS) 1.2 connectivity requirements for Dynamics 365 (online), V9

By James O'Connor, Senior Consultant, Arbela Technologies

Starting with Dynamics 365 (online) version 9.0, Microsoft will begin requiring connections to customer engagement applications to utilize TLS 1.2 (or better) security. Any connections to Dynamics 365 (online), version 9.x will fail if they do not use TLS 1.2 security protocol. This will impact several Dynamics services including access to the Dynamics 365 Customer Engagement (CRM) web application.

TLS 1.0 deprecation plan may require the following:

  • Code analysis to find/fix hardcoded instances of TLS 1.0 (or instances of older TLS/SSL versions).
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0 disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0.
  • Understanding which clients may not interoperate by disabling TLS 1.0

How will you be impacted?

Any connections to Dynamics 365 (online), version 9.x will fail if they do not use TLS 1.2 security protocol. This will impact several Dynamics services (listed below), including access to the Dynamics 365 Customer Engagement web application.

A quick way to determine what TLS version will be requested by various clients when connecting to your online services is by referring to the Handshake Simulation at Qualys SSL Labs.

Supported versions of Internet Explorer and Microsoft Edge

Supported non-Internet Explorer web browsers

  • Mozilla Firefox (latest publicly-released version) running on Windows 10, Windows 8.1, Windows 8, or Windows 7
  • Google Chrome
  • Google Chrome (latest publicly-released version) running on Windows 10, Windows 8.1, Windows 8, Windows 7, and Android 10 tablet
  • Google Chrome (latest publicly-released version) running on Mac OS X 10.8 (Mountain Lion), 10.9 (Mavericks), or 10.10 (Yosemite)
  • Apple Safari (latest publicly-released version) running on Mac OS X 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite), or Apple iPad

Supported versions of Microsoft Office

  • Microsoft Office 365
  • Microsoft Office 2016
  • Microsoft Office 2013
  • Microsoft Office 2010

Ensuring support for TLS 1.2 across deployed operating systems
Many operating systems have outdated TLS version defaults or support ceilings that need to be accounted for.  Usage of Windows 8/Server 2012 or later means that TLS 1.2 will be the default security protocol version:

Error Examples
Below are some potential connectivity errors you might encounter when non-TLS 1.2 security protocol is used:

Browser error:

  • Can't connect securely to this page
  • This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.

Connector error:

Microsoft.Xrm.Tooling.CrmConnectControl Information: 8 : Login Status in Connect is =  Validating connection to Microsoft Dynamics CRM...
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error: 2 : ERROR REQUESTING Token FROM THE Authentication context
Microsoft.Xrm.Tooling.Connector.CrmServiceClient Error: 2 : Source  : mscorlib
Method   : ThrowIfExceptional
Error        : One or more errors occurred.
Stack Trace              : at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at Microsoft.Xrm.Tooling.Connector.CrmWebSvc.ExecuteAuthenticateServiceProcess(Uri serviceUrl, ClientCredentials clientCredentials, UserIdentifier user, String clientId, Uri redirectUri, PromptBehavior promptBehavior, String tokenCachePath, Boolean isOnPrem, String authority, Uri& targetServiceUrl, AuthenticationContext& authContext, String& resource)

Inner Exception Level 1:

Source: Microsoft.IdentityModel.Clients.ActiveDirectory
Method: Close
Error: Object reference not set to an instance of an object.

Stack Trace: at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebResponseWrapper.Close()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationParameters.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationParameters.d__8.MoveNext() "

Developer tools error:

Inner Exception Level 1 :

Error : The underlying connection was closed: An unexpected error occurred on a send.
Stack Trace: at System.Net.HttpWebRequest.GetResponse()

at System.ServiceModel.Description.MetadataExchangeClient.MetadataLocationRetriever.DownloadMetadata(TimeoutHelper timeoutHelper)
at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)

Inner Exception Level 2 :

Error : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Stack Trace: at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)

at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) "

How to be Proactive

Microsoft recommends customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time, TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:

  • Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1.
  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
  • Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.

To learn more about removing dependencies on TLS 1.0/1.1 and updating to TLS 1.2 please review the following whitepaper: Solving the TLS 1.0 Problem