Announced late last week on docs.microsoft.com was the deprecation of the WS-Trust authentication type as well as
OrganizationServiceProxy. Both are connected to the same thing of the WS-Trust authentication being moved away from for a long time now in other Microsoft SDKs and the CDS/CRM SDK is catching up as they modernize the authentication for the SDK. How does this effect you? Does it even effect you?
It really depends on how you have been using the SDK previously in writing your client applications. If you are using a username and password type connection string to connect to your CDS/CRM instance then you will be effected. If you strictly implement
OrganizationServiceProxy and not the more generic interface
IOrganizationService then you will also be effected.
If you have been using Server-to-Server (S2S) authentication which has been available now for quiet a while with a client Id and either a client secret or certificate then you are good, you won’t be effected.
If you use
OrganizationWebProxyClient instead of
OrganizationServiceProxy or are using
CrmServiceClient or using either (service client or web proxy client) as
IOrganizationService then you are good, you won’t be effected.
Now you might be thinking, well I just won’t update my SDK and can still keep using WS-Trust authentication as well as
OrganizationServiceProxy. Sorry but this change is not just the SDK bits that you include in your client applications but also on the server end as well. There is some key text at the end of the announcement.
Effective April 2021, we intend to retire this authentication protocol for all new environments.
Effective April 2022, the authentication protocol will be retired for all new and existing environments.docs.microsoft.com – Deprecation of Office365 authentication type and OrganizationServiceProxy class for connecting to Common Data Service
April 2021 new environments that don’t use new the proper
IOrganizationService or a non WS-Trust based authentication are going to be broken. April 2022 ALL environments using deprecated WS-Trust based authentication will be broken.
That is a lot of time and honestly the proper implementation methods of S2S (Server-to-Server) with client Id and secret/certification as well as properly using
IOrganizationService instead of directly
OrganizationServiceProxy have been long available so this shouldn’t be a large impact…however…there are known to be A LOT of WS-Trust calls occurring still today so the impact actually does have the potential to be huge if those applications aren’t corrected.
If you have any custom applications using the SDK, if you have a partner application you purchased or something a partner has implemented for you, or you are using an open source technology then start reviewing those applications right away and find ways to get them using the proper authentication methods.
On docs.microsoft.com there is a good article giving you the how do you know your effected and what to do if you are effected. Be sure to carefully review it.
Use of Office365 authentication with the WS-Trust security protocol
While the article does provide an out to allow the continued use of username and password authentication, as well if you update your SDK to 9.2.x when it is available they will auto re-route your Office365 auth type to OAuth but I still wouldn’t recommend it. Switch to Server-to-Server authentication. Your applications very likely are service based applications and shouldn’t be running in the context of a user account. Take this opportunity to switch to proper authentication for the application type you have.
References for Server-to-Server Authentication:
One thought on “CDS/CRM SDK – WS-Trust auth and OrganizationServiceProxy Deprecated, what does it mean?”