ACS Deprecation - What does this mean to you as a 365/CRM developer

30 March 2017
Daniel Cai

There have been some disclosures from Microsoft about the retirement of the Windows Azure Access Control Service (ACS). This blog post tries to help you understand the background of the retirement and its impact on us as Dynamics 365/CRM developers.

Azure ACS was designed to be a cloud-based service that provides a unified authentication and authorization framework to help with application or service access management. As the overall Azure platform has evolved, the ACS framework has proved to have some limitations, including security and scalability, among probably some others. For this reason, Microsoft has determined that Azure Active Directory is the solution to replace ACS, as shared by David Howell in his TechNet blog post on June 22, 2013.

Starting sometime last year, the Azure team began to scale down their ACS infrastructure (although I have not come across an official announcement from the Azure team; if you happen to see one, please let me know so that I can share it here by updating the blog post) to prepare for the complete phase-out of ACS support.

As a result of the Azure paradigm change, the Microsoft Dynamics 365/CRM team has been removing the dependency on ACS authentication from the CRM SDK code, starting with the SDK's v8.0 release, which was made available in December 2015. The message has never been delivered to the community in a clear way until recently. As the moves become crystal clear today, there are two main impacts for us as Dynamics 365/CRM developers.

  • CRM SDK use should be updated to the latest version.
    • To work with Dynamics 365/CRM Online, you need to make sure you are using a v8.x version of the SDK. The latest version is v8.2.1, which was made available on March 22, 2017 (by the time you read this blog post, the version you see from the link may be even newer).
    • If your application depends on a 6.0 SDK library (which corresponds to Dynamics CRM 2013), you will need to use the latest v6.1.2 assemblies (NuGet package). This is particularly an issue if you are using an ISV solution that may no longer be actively maintained, in which case you can simply replace the assemblies.
  • If you have any ACS service endpoints created using CRM plugin registration tool, you need to make sure that you have updated the service endpoint to use SAS instead - which is the new authentication model to work with Azure Service Bus.

When you use an old SDK assembly to talk to your Dynamics 365/CRM instance, you will receive the following error message: "There was no endpoint listening at that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details". When you receive this error message, you need to make sure you have the SDK assemblies updated.

Note that this change only matters to you if you are working with Dynamics 365/CRM Online. If you are still using Dynamics 365/CRM on-premises, it is up to you whether to upgrade the SDK assemblies that you might depend on in your development projects.
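
A quick way to check a project against the SDK versions named above, as an added example that is not part of the original post: it reads a NuGet packages.config and flags SDK package entries that predate the ACS removal. It assumes the SDK is referenced through the Microsoft.CrmSdk.CoreAssemblies package and that the package version tracks the SDK version; the function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the SDK is referenced through this NuGet package and the
# package version tracks the SDK version discussed in the post.
SDK_PACKAGE = "Microsoft.CrmSdk.CoreAssemblies"

def parse_version(text):
    """Turn '6.1.0.533' into (6, 1, 0, 533); a pre-release suffix is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def classify(version):
    """Apply the thresholds stated in the post to one SDK version string."""
    try:
        v = parse_version(version)
    except ValueError:
        return "review"                  # missing or unparsable version
    if v[0] >= 8:
        return "ok"                      # v8.x and later: ACS dependency removed
    if v[0] == 6:
        return "ok" if v >= (6, 1, 2) else "update-to-6.1.2"
    return "review"                      # version line the post does not cover

def audit_packages_config(xml_text):
    """Return [(package id, version, verdict)] for SDK entries in a packages.config."""
    results = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if pkg.get("id", "").lower() == SDK_PACKAGE.lower():
            version = pkg.get("version", "")
            results.append((pkg.get("id"), version, classify(version)))
    return results

# Constructed sample input, not taken from a real project.
SAMPLE = """<packages>
  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net452" />
  <package id="Microsoft.CrmSdk.CoreAssemblies" version="6.1.0" targetFramework="net452" />
</packages>"""

if __name__ == "__main__":
    for pkg_id, version, verdict in audit_packages_config(SAMPLE):
        print(f"{pkg_id} {version}: {verdict}")
```

A "review" verdict means the post gives no guidance for that version line, so it needs to be checked by hand.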