The End of xRM Portals Community Edition with WS-Trust / OrganizationServiceProxy Deprecation?

Deprecation of WS-Trust authentication and OrganizationServiceProxy spells the end of Adxstudio Portals with online instances if you were somehow still using it. xRM Portals Community Edition using username/password authentication with online instances of Dynamics 365 will also be dead in the water but xRM Portals does support Server-to-Server (S2S) auth. But I doubt anyone is actually using S2S in xRM Portals.

Ever since xRM Portals Community Edition was announced, the lifespan was always limited as the reliance of portals on a key library Microsoft.Xrm.Client was no longer being maintained and something in the online architecture would eventually change that caused that library to no longer function. There was a major bump in the road when Access Control Service (ACS) was deprecated and removed, another authentication mechanism. Now we face WS-Trust authentication being deprecated and being removed, and this time Microsoft is not going to come to the rescue with a patch of some sort.

If you trace down how the portals makes its connection to an environment within Microsoft.Xrm.Client you will find this core reliance on a method called ToOrganizationServiceProxy which returns an OrganizationServiceProxy. Adxstudio Portals used it, as does xRM Portals. So that effectively kills Adxstudio Portals if you still somehow were using it with an online instance. xRM Portals also uses this when you are using username and password authentication as the connection.

Somewhat hidden or and undocumented, but visible if you go through the portals code is Server-to-Server authentication which constructs an OrganizationWebProxyClient. You are saved…maybe. Looking at CrmOnlineOrganizationService class within the Adxstudio.Xrm library you can find this comment // check if S2S connection is enabled. If you dig into it further it expects a bunch of settings from an adxstudio.xrm section in the web.config that will give it a client id and certificate thumbprint allowing it to get an authorization token and then construct an OrganizationWebProxyClient as the IOrganizationService that is then used.

Problem is 99.9% (perhaps even 100%) of implementations of xRM Portals probably are using username and password (if you are using S2S with xRM Portals please post in the comments) as the documentation and the setup wizard very much take you through a username and password flow.

xRM Portals Community Edition Setup

So is this the end of xRM Portals Community Edition come April 2022 when existing and new instances have WS-Trust removed? It probably is.

The xRM Portals Community Edition has served a good purpose and if it makes it to April 2022 then that would be quiet a bit longer than I had expected.

Note this is online only type of issue, on premise with xRM Portals Community Edition should continue to function, but keep in mind online changes will likely trickle down to on premise at some point as well.

@amervitz who manages the xRM Portals git repo has posted this deprecation as well as other online issues for those that are interested in participating in any fixes. I will caution though that replacement of the library Microsoft.Xrm.Client is likely required for long term viability of the project. That is not a small undertaking and my advice would be to put effort in elsewhere. Not to say it would not be possible, just a large amount of effort and investment on technology that is not being moved forward.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s