Microsoft CRM Web Services Security

Microsoft CRM uses two different data access and "remote procedure call" technologies. The newer, web-based CRM API is based on OData 4.0 and is the data access target that Microsoft currently promotes. The older Organization service provides access to data and "methods/actions" through Web Services (WS) technologies. The security access mechanisms used by each are different. Most interestingly, the newer Web API requires the "client program" to be registered before it is allowed to connect to a CRM instance, while the older SOAP-based methods do not. Using SOAP-based access to MS CRM can be interesting for this reason alone.

The Organization service uses fairly old and somewhat inefficient technology: XML-based SOAP messages, secured using the various WS security standards now managed by OASIS. It is fairly widely accepted that the SOAP/XML approach is no longer preferred, being conceptually difficult to use and inefficient to process. SOAP messaging tried to re-implement many aspects of communication that were already covered by other standards. Today's HTTP-based methods shift many of the components found in SOAP to other layers of the communication stack, e.g. encryption is handled by HTTP encryption methods instead of by SOAP XML encryption methods.

Various OASIS specifications (specifically WS-Security, known as "WSS") define a set of extensions (and various updated versions of those extensions) used to secure web services. They are extensible and fairly comprehensive. However, this flexibility comes at a cost: comprehensibility suffers greatly. Some 15 different standards documents must be consulted to understand the security applied to MS CRM alone, which makes implementing that security difficult. Most programmers use vendor-supplied libraries to ease the burden. Understanding and applying security has always been hard, and this past state of affairs led to the newer HTTP-based standards and updated OAuth approaches that are preferred today. While the same conceptual functionality is still required to secure web service messages, shifting the burden of implementing security out of the core messaging area is seen by some as simplifying message composition and processing for the "client" programmer, moving that burden instead to, say, the deployment environment.

You should read the various WSS standards, or at least glance over them. They are full of concepts that you need to understand if you want to implement security at a lower level than a supplied library, or to understand why a library behaves the way it does.

This document contains notes on web service security specific to MS CRM using the older Organization service. It assumes that you have a basic understanding of some security concepts, have probably found most of the WSS concepts confusing and overlapping, and wish to understand a few of them better so you can better understand client software and how it runs.

Last updated