我是微软Dynamics 365 & Power Platform方面的工程师/顾问罗勇,也是2015年7月到2018年6月连续三年Dynamics CRM/Business Solutions方面的微软最有价值专家(Microsoft MVP),欢迎关注我的微信公众号 MSFTDynamics365erLuoYong ,回复430或者20201220可方便获取本文,同时可以在第一间得到我发布的最新博文信息,follow me!
最近在通过 CrmServiceClient 获取Dynamics 365的组织服务时候发现开始报错,并获取失败,报错信息如下:
Unable to connect to CRM: An error occurred when processing the security tokens in the message:
You are using Ws-Tust authentication which has been deprecated and no longer supported in your environment.
Please use oAuth2.0 authentication.
咋回事,找了下,找到官方文档了: Important changes (deprecations) coming in Power Apps, Power Automate, and customer engagement apps . 文档原文如下,值得注意的是2022年4月之前要全部改动下,否则就会出问题,连接不上组织服务了。
Deprecation of Office365 authentication type and OrganizationServiceProxy class for connecting to Dataverse
Effective February 4, 2020, the WS-Trust authentication type that is used by custom clients to connect to Dataverse is deprecated. This change affects applications that utilize Microsoft.Xrm.Sdk.Client.OrganizationServiceProxy and Microsoft.Xrm.Tooling.Connector.CrmServiceClient classes for the authentication type of "Office365".
We are making this change to remove a security protocol (WS-Trust) that is inherently insecure by current encryption standards. While Microsoft has worked hard to protect users who choose to use this authentication type for the convenience of login process, it has become an increasing source of concern for Microsoft security and identity protection systems. The WS-Trust security protocol, when used in conjunction with a user account and password, implements an authentication flow that presents both the user ID and password to the authenticating resource in 'clear text' form, relying solely on the transport encryption to provide security for the initial leg of the authentication, until such point as the token service returns an authentication token to use. Additionally, the WS-Trust protocol does not support modern forms of Multi-Factor Authentication and conditional access controls to customer data.
With this change, the intent is to guide developers away from this authentication flow and help application developers to utilize the capabilities of Azure Active Directory to secure and protect access to their applications and customers in Dataverse.
To allow for transition of customers and partner applications:
- Effective October 2020, the authentication protocol will be retired for all new tenants.
- Effective October 2020, the authentication protocol will not be available in all new regions.
- Effective April 2021, the authentication protocol will be retired for all new environments within a tenant.
- Effective April 2022, the authentication protocol will be retired for all new and existing environments within a tenant.
More information: Use of Office365 authentication with the WS-Trust security protocol
我以前是如下这么连的:
CrmServiceClient crmSvc = new CrmServiceClient(@"AuthType=Office365;Url=https://luoyong.crm5.dynamics.com;UserName=admin@CRM942120.onmicrosoft.com;Password=lssw***#$%@ff");
那有那些链接方式是这种要退休的连接方式,又如何解决呢?请参考官方文档 Use of Microsoft 365 authentication with the WS-Trust security protocol 。
从这个文档来看,以前常用的几种连接方式都是用的WS-Trust 协议,要被取消的。
-
If your code employs user account and password credentials for authentication with Dataverse or an application, you are likely using the WS-Trust security protocol. Some examples are shown below, though this list is not fully inclusive.
-
When using the CrmServiceClient class with a connection string:
connectionString="AuthType=Office365; Username=jsmith@contoso.onmicrosoft.com;Password=passcode;Url=https://contoso.crm.dynamics.com" -
When using OrganizationServiceProxy class constructors:
-
using (OrganizationServiceProxy organizationServiceProxy = new OrganizationServiceProxy(serviceManagement, clientCredentials) { ... }
-
If you are using the
OrganizationServiceProxyclass at all in your code, you are using WS-Trust. -
If you are using CrmServiceClient.
OrganizationServiceProxyin your code, you are using WS-Trust.
更多的解决方法不讲了,我就参考官方文档用最简单的方法解决我常用的这个方法,其实,我们现在做项目,连接Dynamcis 365/Dataverse都不怎么用组织服务了,而用Web API了。
简单来说就是在链接字符串串中修改一个元素,将AuthType这个元素的值从 Office365 改成 OAuth ,然后添加三个元素,元素名和值分别如下:
| 元素名称 | 元素值 |
| AppId | 51f81489-12ee-4a9e-aaae-a2591f45987d |
| RedirectUri | app://58145B91-0C36-4500-8554-080854F2AC97 |
| LoginPrompt | Auto 或者 never |
比如我使用的新的连接串就是,然后问题就解决了,还是比较简单的。
AuthType=OAuth;Url=https://luoyong.crm5.dynamics.com;UserName=admin@CRM942120.onmicrosoft.com;Password=lssw***#$%@ff;AppId=51f81489-12ee-4a9e-aaae-a2591f45987d;RedirectUri=app://58145B91-0C36-4500-8554-080854F2AC97;LoginPrompt=Auto