prodriguez
New Member

Will my app not work anymore based on WS-Trust removal?

Hi all! 

 

I found the following when trying to determine whether my app will stop working or not based on the WS-Trust deprecation:

https://docs.microsoft.com/en-us/powerapps/developer/data-platform/authenticate-office365-deprecatio...

----

How do I know if my code or application is using WS-Trust?

First and most importantly, this change only impacts client applications that connect to the Microsoft Dataverse. It does not impact custom plug-ins, workflow activities, or on-premises/IFD service connections.

-----


However, my app (that connects against the former Dynamics CRM Online) is using the SOAP API directly instead, with requests like the following one. It's being used by several customers and we need to determine how to proceed. Will it stop working? Thanks!

 

 

URL: https://myOrganization.api.crm.dynamics.com/XRMServices/2011/Organization.svc

 

<?xml version='1.0' encoding='UTF-8'?>
<s:Envelope
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.microsoft.com/xrm/2011/Contracts/Services/IOrganizationService/Execute</a:Action>
<a:MessageID>urn:uuid:messageId</a:MessageID>
<a:ReplyTo>
<a:Address>
http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://xxx.api.crm.dynamics.com/XRMServices/2011/Organization.svc</a:To>
<o:Security
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="_0">
<u:Created>2022-03-07T19:59:03.933Z</u:Created>
<u:Expires>2022-03-09T19:59:03.933Z</u:Expires>
</u:Timestamp>
<EncryptedData
xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
<ds:KeyInfo Id="keyinfo">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif...">G/YmqJgv2n7dYCBKQO7rXPszews=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<CipherData>
<CipherValue>myValue</CipherValue>
</CipherData>
</EncryptedKey>
</ds:KeyInfo>
<CipherData>
<CipherValue>myValue2</CipherValue>
</CipherData>
</EncryptedData>
</o:Security>
</s:Header>
<s:Body>
<Execute
xmlns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:ns10="http://schemas.microsoft.com/xrm/2011/Metadata/Query"
xmlns:ns11="http://schemas.microsoft.com/crm/2011/Contracts"
xmlns:ns12="http://schemas.microsoft.com/xrm/2012/Contracts"
xmlns:ns13="http://schemas.microsoft.com/2003/10/Serialization/"
xmlns:ns2="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
xmlns:ns3="http://schemas.microsoft.com/xrm/2011/Contracts"
xmlns:ns4="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
xmlns:ns5="http://schemas.datacontract.org/2004/07/Microsoft.Crm.Sdk.Messages"
xmlns:ns6="http://schemas.datacontract.org/2004/07/Microsoft.Xrm.Sdk"
xmlns:ns7="http://schemas.microsoft.com/xrm/2011/Metadata"
xmlns:ns8="http://schemas.microsoft.com/xrm/2013/Metadata"
xmlns:ns9="http://schemas.microsoft.com/xrm/2014/Contracts">
<request>
<ns3:Parameters>
<ns3:KeyValuePairOfstringanyType>
<ns2:key>Target</ns2:key>
<ns2:value
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns3:EntityReference">
<ns3:Id>myId</ns3:Id>
<ns3:LogicalName>account</ns3:LogicalName>
</ns2:value>
</ns3:KeyValuePairOfstringanyType>
<ns3:KeyValuePairOfstringanyType>
<ns2:key>ColumnSet</ns2:key>
<ns2:value
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns3:ColumnSet">
<ns3:AllColumns>true</ns3:AllColumns>
</ns2:value>
</ns3:KeyValuePairOfstringanyType>
</ns3:Parameters>
<ns3:RequestId
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
<ns3:RequestName>Retrieve</ns3:RequestName>
</request>
</Execute>
</s:Body>
</s:Envelope>

12 REPLIES 12
cchannon
Super User

If your code is using a username and password to connect to dataverse, it is using WSTrust, and it will stop working.

 

You need to have an app registration with either an App User registered in Dataverse or an App User with user impersonation privs to act as a delegate and retrieve a user token from Azure Active Directory.

prodriguez
New Member

Thanks for your response, @cchannon ! Then:
1) Is "Dynamics CRM Online" part of the Dataverse?

2) If that's the case and my app will stop working, is it possible to continue using the SOAP API and inject the token somehow? Any document that explains that is available?

 

I have the exact same issue. We are using a custom application where the authentication is built the same way, and it does the authentication directly with XML WS-Trust with SOAP and the following URL: https://login.microsoftonline.com/extSTS.srf.

I tried to use the Token from an Azure Application which has enough rights to read and write our Dynamics CRM but it did not work because it is not compatible with https://login.microsoftonline.com/extSTS.srf endpoint. 

In the application it gets a securityToken0, securityToken1 and a keyIdentifier but from the OData Azure Application (https://login.microsoftonline.com/<mytenantid>/oauth2/token) we only get one access_token which seems not compatible with the format I stated above.

Is it somehow possible to get a compatible token for the SOAP API from Azure?

1. Yes. "Dynamics" is the brand name for Microsoft's first-party line of applications built on Dataverse. And, it used to be the case that the whole stack (power automate, dataverse, canvas apps, all of it) was called Dynamics 365. So, often times you will see outdated documentation that refers to Dynamics 365, but really means the same thing as Dataverse.

2. I haven't used the SOAP endpoint in probably 7 years. You really should modernize. But, if you can't update that code, then I think it should still work with modern authentication. You just need to instantiate your client correctly using oauth... I would think.

 

Use OAuth authentication with Microsoft Dataverse (Dataverse) - Power Apps | Microsoft Docs

Thank you for your reply and your explanation regarding the Microsoft Dataverse. 
At the moment I can not update the code sadly and need a short time solution.
I will give it a try with modern authentication for now.

PeterSchlagi
New Member

That is exactly my problem and I'm urgently looking for a workaround. Actually the WS-Trust service has been shut down by Microsoft by April 2022! Now my customer can't exchange any business data!!!

We are using SOAP Endpoint OrganizationService Username/Password - Fetch/Upsert/MultipleRetrieve application=soap+xml header. We have requested Azure App registration and are able to get OAuth2.0 Security Token. But we did not figure out how to make SOAP Header/Body - OAuth2.0 enabled?  

I would appreciate any hint or example how this could be fixed.

Thanks for your support

Best regards Peter

Hi @prodriguez 

 

I have written a blog post on WS-Trust authentication and the changes required. Please see this link once to get clarity on what will be deprecated...

https://ecellorscrm.wordpress.com/2020/06/09/are-you-still-using-ws-trust-auth-and-organizationservi...

 

For your question regarding using the SOAP API, you can refer to this: https://community.dynamics.com/crm/f/microsoft-dynamics-crm-forum/400297/how-to-use-oauth-bearer-tok...

 

You can test your SOAP requests using SOAP UI: https://www.soapui.org/

 

I hope this should give you a direction firstly and possibly the solution....

 

Cheers,

PMDY

Hi Peter,

We are facing the same issue. I was wondering if you had fixed the issue. If positive, how did you compose SOAP Header/Body for OAuth authorization? Please advise.

Thank you in advance.

Sincerely,

James

floschna
New Member

Hey @rqg0717 Hey @PeterSchlagi ,

I was able to fix this issue with a few changes to the xml structure so the soap /web endpoint was able to process my requests. Please try the following:

1) Delete the whole <s:Header> XML header if you have any.

2) Change "xmlns:s=http://www.w3.org/2003/05/soap-envelope" to "xmlns:s=http://schemas.xmlsoap.org/soap/envelope/" in the <s:Envelope> XML tag
3) Send the SOAP Action as HTTP header like in the attached picture
4) Add the Azure Bearer Token to the HTTP header like "Authorization Bearer {{authToken}}"


 

Cheers, 
Floschna
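
The four steps above, as an added example (not code from this thread or from Microsoft): it rewrites a WS-Trust-style SOAP 1.2 envelope into the header-less SOAP 1.1 form and builds the HTTP headers, without sending anything. The function name and the sample envelope are constructed for illustration; the `text/xml` content type and the quoted `SOAPAction` value follow the SOAP 1.1 HTTP binding and are assumptions about what the endpoint accepts.

```python
from xml.dom import minidom

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"

# Constructed sample: a cut-down version of the WS-Trust request in the question.
LEGACY = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/xrm/2011/Contracts/Services/IOrganizationService/Execute</a:Action>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1"/>
  </s:Header>
  <s:Body>
    <Execute xmlns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
        xmlns:ns3="http://schemas.microsoft.com/xrm/2011/Contracts">
      <request><value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns3:ColumnSet"/></request>
    </Execute>
  </s:Body>
</s:Envelope>"""


def to_bearer_request(legacy_xml, access_token):
    """Return (http_headers, body_bytes) for the header-less SOAP 1.1 request."""
    # minidom keeps prefixes as written, so xsi:type="ns3:..." values stay valid.
    env = minidom.parseString(legacy_xml).documentElement
    if (env.namespaceURI, env.localName) != (SOAP12, "Envelope"):
        raise ValueError("expected a SOAP 1.2 envelope")
    action = ""
    for child in list(env.childNodes):
        if child.nodeType == child.ELEMENT_NODE and child.localName == "Header":
            for el in child.getElementsByTagNameNS(WSA, "Action"):
                action = "".join(t.data for t in el.childNodes
                                 if t.nodeType == t.TEXT_NODE).strip()
            env.removeChild(child)  # step 1: drop the WS-Security/addressing header
    if not action:
        raise ValueError("no a:Action value to reuse as SOAPAction")
    # Step 2: rebind the envelope prefix to the SOAP 1.1 namespace.
    env.setAttribute(f"xmlns:{env.prefix}" if env.prefix else "xmlns", SOAP11)
    headers = {
        "Content-Type": "text/xml; charset=utf-8",   # SOAP 1.1 media type
        "SOAPAction": f'"{action}"',                 # step 3
        "Authorization": f"Bearer {access_token}",   # step 4
    }
    return headers, env.toxml().encode("utf-8")
```

The returned headers and body are what would be POSTed over HTTPS to the organization's SOAP endpoint. The bearer token is a credential, so keep the `Authorization` header out of request logs.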

 
