Adoxio / xRM-Portals-Community-Edition

The definitive edition of Microsoft Open Source Portals, supported by the experts in portals.
MIT License

Error Connecting to Portals Online. Appears to be related to TLS 1.2 support. #50

Closed slautebach closed 6 years ago

slautebach commented 6 years ago

Since December likely after a change from Microsoft, I am unable to get xRM Portals Community Edition to connect to a Dynamics 365 CE Online CRM Instance.

I get the following error:

The Organization Service URL is invalid. Metadata contains a reference that cannot be resolved: 'https://researchportal.crm3.dynamics.com/XRMServices/2011/Organization.svc?wsdl&sdkversion=8.2'. The underlying connection was closed: An unexpected error occurred on a send. Authentication failed because the remote party has closed the transport stream


After some research I found these links that hint at the problem: https://blogs.msdn.microsoft.com/crm/2017/09/28/updates-coming-to-dynamics-365-customer-engagement-connection-security/ https://community.dynamics.com/crm/f/117/t/263162

It appears that MS is now requiring online servers to connect with a minimum of TLS 1.2.

I have a potential fix as recommended on a forum to set

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;

I have a fix that works in my branch here: https://github.com/slautebach/xRM-Portals-Community-Edition/tree/fix-TLS-1.2 that I can submit as a PR if it is appropriate.

amervitz commented 6 years ago

The upgrade to .NET 4.7 in issue #32 was supposed to make TLS 1.2 be used by default. We need to research why that isn't happening before deciding whether to use the change you've implemented. If you're willing to help investigate why the use of .NET 4.7 isn't causing TLS 1.2 to be used that would be appreciated.

amervitz commented 6 years ago

Which version of Windows are you running your site on? I’m finding information that .NET 4.7 uses the OS system default values for TLS/SSL, and you may be using an older system that doesn’t have TLS 1.2 enabled by default. Refer to ServicePointManager.SecurityProtocol remarks and Protocols in TLS/SSL (Schannel SSP) for default disabled/enabled state by OS version.

If this looks relevant we’ll want to find instructions for enabling the newer TLS versions on the older OSs. I would like to avoid hard coding specific TLS versions in the code since newer versions will continue to be released in the future.

slautebach commented 6 years ago

I am running Windows 7. I'll check to see and verify how I can change the OS default. If this is the case, should the readme be updated to cover this scenario?

jayrodmcneil commented 6 years ago

What if it's deployed on Azure App Service?

Also agree that if it's OS-specific, we should update the documentation to reflect that.

slautebach commented 6 years ago

Once deployed to an Azure service, it works. The issue seems to be running it from Windows 7, where it is not defaulting to using TLS 1.2.

slautebach commented 6 years ago

I am running it locally on my dev machine, which is a Windows 7 box, running under IIS Express, so I can try and get more debugging information. I looked at the links, and for Windows 7 it states TLS 1.2 is disabled. I'll look into whether I can implement the registry change to enable it. I did try this: https://support.microsoft.com/en-za/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in but it has not worked either.

slautebach commented 6 years ago

I solved the problem. Following the documentation here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)

Specifically applying the following registry file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

and rebooting allowed me to run the portal locally on my Windows 7 development machine.

@amervitz what would your recommendation be on documenting this?
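An added check, not part of the issue thread or the project, to confirm the registry fix above actually took effect: it reads the Schannel client-side keys under the path the registry file writes to and shows what the current .NET process would negotiate. Assumes the standard Schannel layout from the documentation linked above and an elevated PowerShell session on the machine hosting the portal.

```powershell
# Added example (not from the issue or the project): audit Schannel client
# protocol state after applying the registry file, then show the process default.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientState {
    param([string[]]$Protocols = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        $path = Join-Path $base "$p\Client"
        if (-not (Test-Path $path)) {
            # No key at all: Schannel uses the OS default for this version
            # (on Windows 7 that default leaves TLS 1.1/1.2 disabled for clients).
            [pscustomobject]@{ Protocol = $p; Enabled = 'OS default'
                               DisabledByDefault = 'OS default'; ClientUsable = 'OS default' }
            continue
        }
        $k       = Get-ItemProperty -Path $path
        $enabled = $k.Enabled            # $null when the value is absent
        $dbd     = $k.DisabledByDefault  # $null when the value is absent
        # Explicitly usable only when Enabled is non-zero AND DisabledByDefault is 0;
        # a missing value falls back to the OS default, so report it as such.
        $usable = if ($null -eq $enabled -or $null -eq $dbd) { 'OS default' }
                  else { ($enabled -ne 0) -and ($dbd -eq 0) }
        [pscustomobject]@{ Protocol = $p; Enabled = $enabled
                           DisabledByDefault = $dbd; ClientUsable = $usable }
    }
}

Get-SchannelClientState | Format-Table -AutoSize

# On .NET 4.7+ this shows SystemDefault, i.e. "whatever Schannel allows", which is
# exactly why the registry state above decides whether TLS 1.2 is offered.
"Process SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```

After the reboot the TLS 1.1 and TLS 1.2 rows should show ClientUsable = True; an 'OS default' row means the key was not written.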

amervitz commented 6 years ago

That's great news!

Please create a new wiki page (I believe you should have access to do this) with the full instructions to enable TLS 1.2 on older operating systems, and send a PR for a modified README with an addition to the system requirements section that says TLS 1.2 needs to be enabled for older operating systems when connecting to Dynamics 365 CE Online, with a link to the wiki page for full instructions.

amervitz commented 6 years ago

Thanks for creating the wiki page, I've added a link to it in the README.