Microsoft Dynamics CRM Online organization integration with the Microsoft Azure Service Bus

More information
Recent security enhancements require the Microsoft Dynamics CRM Online service to use a new certificate to authenticate against the Microsoft Azure service. Use the steps in this article to change the configuration in your Microsoft Azure namespace. These changes are necessary. They allow messages sent from the Microsoft Dynamics CRM Online service to the Microsoft Azure service endpoint to be authenticated with both the current certificate and the newer certificate that will be available soon.

Note: This information also applies to the Dynamics Marketing/Dynamics CRM connector integration.

This configuration change should be made before Tuesday, April 26th 2016 globally, to ensure minimal impact.

Note: Do not remove the old certificate until after Thursday, April 28th 2016, as the new one is not valid until this date. However, both the new and old certificates can exist simultaneously without issues.

Also note that if these changes are not made, any integrations to Microsoft Dynamics CRM Online that use the Microsoft Azure Service Bus will stop working. In addition, if the PluginRegistration tool is used to verify authentication, an error message similar to the following may appear:

“The token provider was unable to provide a security token. The remote server returned an error: (401) Unauthorized”.

When the procedures in this article have been completed, ACS access control will be configured to allow Microsoft Dynamics CRM Online to continue to send messages with the new certificates.

First, retrieve the list of service endpoints. The steps in this article will need to be performed for each of the service endpoints. To find the service endpoints, in Microsoft Dynamics CRM, navigate to Settings, click Customizations, click Customize the System, and select Service Endpoints.

Note: If the service endpoint connection mode is "Federated," the same steps will need to be repeated in the following instructions for https://<servicenamespace>


To configure access control for a service namespace:

1. In a web browser, go to https://<servicenamespace>

 Note: If you do not have access, contact the solution developer to perform the steps.

2. Under Service Settings, click Service Identities.

3. Click your Microsoft Dynamics CRM Online service identity to proceed to the Edit Service Identity page. Please note the following items:

· If your organization URL contains “”, click here to download the public certificate and save it to your disk. Also, select the check box next to “”. 

4. Click Add.

5. Under Type, choose X509, and then click Add. In the Add Credential screen (shown below), browse to the public certificate you previously saved to disk, and click Save.

6. You should now see the current (soon to expire) and new certificates in the Credentials list.
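
Before uploading the file in step 5, it can help to confirm what the downloaded certificate contains and whether it is inside its validity window yet, since the old credential must stay in place until the new one is valid. The following PowerShell script is an added example, not part of the original article; the file paths and the function name `Get-CertSummary` are hypothetical.

```powershell
# Added example (not from the original article).
# Both paths are assumptions; point them at the files you saved to disk.
param(
    [string]$NewCertPath = 'C:\Temp\crm-online-new.cer',  # assumed location of the downloaded public certificate
    [string]$OldCertPath = ''                             # optional: the current certificate, if you have a copy
)

function Get-CertSummary {
    param([string]$Path)
    # X509Certificate2 reads DER or Base64 encoded certificate files.
    $file = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore   # local time
        NotAfter      = $cert.NotAfter    # local time
        HasPrivateKey = $cert.HasPrivateKey
    }
}

$fmt = 'yyyy-MM-dd HH:mm'
$now = Get-Date
$new = Get-CertSummary -Path $NewCertPath
$new | Format-List

# An X509 credential needs only the public certificate; a file carrying a private key is the wrong file.
if ($new.HasPrivateKey) {
    Write-Warning 'This file contains a private key. Upload the public certificate only.'
}

# The old credential must remain until the new certificate is inside its validity window.
if ($now -lt $new.NotBefore) {
    Write-Output ("New certificate is not valid until {0} (local time). Keep the old credential." -f $new.NotBefore.ToString($fmt))
} elseif ($now -gt $new.NotAfter) {
    Write-Warning ("New certificate expired on {0} (local time)." -f $new.NotAfter.ToString($fmt))
} else {
    Write-Output 'New certificate is within its validity window.'
}

if ($OldCertPath) {
    $old = Get-CertSummary -Path $OldCertPath
    # A gap between the two validity windows would leave a period in which neither certificate authenticates.
    if ($old.NotAfter -lt $new.NotBefore) {
        Write-Warning ("Gap: old expires {0}, new starts {1}." -f $old.NotAfter.ToString($fmt), $new.NotBefore.ToString($fmt))
    } else {
        Write-Output ("Validity windows overlap from {0} to {1}." -f $new.NotBefore.ToString($fmt), $old.NotAfter.ToString($fmt))
    }
}
```

The thumbprint printed by the script can be compared with the entry that appears in the Credentials list after step 6.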

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2836034 - Last Review: 04/22/2016 18:48:00 - Revision: 15.0

Microsoft Dynamics CRM 2011
