Keep user credentials secure

If your organization uses the E-mail Router to send and receive messages on behalf of users or queues, you should protect the credentials that the E-mail Router uses. You can do this either by using the HTTPS protocol or by enabling IPSec.

Note

This issue applies only to users of Microsoft Dynamics CRM (On-Premises Edition).

HTTPS option

In processing e-mail for a user or queue, the E-mail Router requires credentials for the user or queue. Those credentials can be entered in the Microsoft Dynamics CRM Web application in the Set Personal Options dialog box (for users) and in the Queues form (for queues). Microsoft Dynamics CRM stores these credentials in encrypted form in the CRM database. The E-mail Router uses a key stored in the CRM database to decrypt these credentials. The call that the E-mail Router makes to obtain this key enforces HTTPS. In Microsoft Dynamics CRM 2011, the E-mail Router functions this way by default, which means that you need not take any action to retain this behavior. However, if you do not want to use HTTPS, you must set a particular Windows registry key, as described in the following section.

HTTP option

If you do not want to use HTTPS, you must set a Windows registry key, as follows:

  1. On the Microsoft Dynamics CRM Server 2011, check the value of the registry key DisableSecureDecryptionKey at the path HKLM\Software\Microsoft\MSCRM. If this registry key is present, set its value to 1. (If the key is not present or set to 0, calls from the E-mail Router to the Microsoft Dynamics CRM Server 2011 are made using HTTPS.) Setting the value of this key to 1 allows the E-mail Router to obtain information from the CRM database over the HTTP protocol.
  2. If you changed the value of DisableSecureDecryptionKey, restart Internet Information Services (IIS) on the Microsoft Dynamics CRM Server 2011. To do this, click Start, click Run, type IISRESET, and then click OK.
  3. (Recommended) Enable IPSec for all communications between the Microsoft Dynamics CRM Server 2011 and the E-mail Router computer. For more information about enabling IPSec, see IPSec.
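
The following read-only PowerShell check is an added example, not part of the original documentation. It reports which transport the DisableSecureDecryptionKey setting described above permits on the Microsoft Dynamics CRM Server 2011; the function name Get-CrmDecryptionKeyTransport is hypothetical, and the registry path and value name are the ones given on this page.

```powershell
# Added example: audits the DisableSecureDecryptionKey setting described above.
# Run on the Microsoft Dynamics CRM Server 2011. Read-only; it changes nothing.
# Get-CrmDecryptionKeyTransport is a hypothetical name chosen for this example.

function Get-CrmDecryptionKeyTransport {
    param(
        # Registry path and value name as documented on this page.
        [string]$Path = 'HKLM:\Software\Microsoft\MSCRM',
        [string]$Name = 'DisableSecureDecryptionKey'
    )

    if (-not (Test-Path -Path $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Value = $null; Transport = 'Unknown'
            Finding = 'MSCRM registry path not found; run this on the CRM server.'
        }
    }

    # A missing value is not an error: the page treats it the same as 0.
    $item  = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$Name } else { $null }

    if ($null -eq $value -or $value -eq 0) {
        $transport = 'HTTPS'
        $finding   = 'Calls from the E-mail Router to the CRM server are made using HTTPS.'
    }
    elseif ($value -eq 1) {
        $transport = 'HTTP'
        $finding   = 'HTTP is allowed; confirm IPSec covers traffic to the E-mail Router computer.'
    }
    else {
        $transport = 'Unknown'
        $finding   = "Unexpected value '$value'; this page documents only 0 and 1."
    }

    New-Object PSObject -Property @{
        Path = $Path; Value = $value; Transport = $transport; Finding = $finding
    }
}

$result = Get-CrmDecryptionKeyTransport
$result | Format-List Path, Value, Transport, Finding
if ($result.Transport -ne 'HTTPS') { Write-Warning $result.Finding }
```

A result of HTTP means the key that decrypts stored user and queue credentials can be requested without TLS, so the IPSec recommendation in step 3 is what protects that traffic.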

Managing certificates to use the E-mail Router with HTTPS

If you are running Dynamics CRM on HTTPS and one or more certificates are not signed by a certificate authority, do the following on the computer on which the E-mail Router is installed:

For the Dynamics CRM certificate

  1. If the E-mail Router service is configured to use the "LocalSystem" account, import the Dynamics CRM certificate into the trusted store of the local machine account of the computer on which the E-mail Router is installed.
  2. If the E-mail Router service is configured to use any other specific user account, import the Dynamics CRM certificate into the trusted store of that user's account on the computer on which the E-mail Router is installed.

For any Exchange Server certificates

  1. If the E-mail Router service is configured to use the "LocalSystem" account, import the Exchange Server certificate into the trusted store of the local machine account of the computer on which the E-mail Router is installed.
  2. If the E-mail Router service is configured to use any other specific user account, import the Exchange Server certificate into the trusted store of that user's account on the computer on which the E-mail Router is installed.