Will my app not work anymore based on WS-Trust removal?


Hi all! 

 

I found the following when trying to determine whether my app will stop working or not based on the WS-Trust deprecation:

https://docs.microsoft.com/en-us/powerapps/developer/data-platform/authenticate-office365-deprecation#how-do-i-know-if-my-code-or-application-is-using-ws-trust

----

How do I know if my code or application is using WS-Trust?

First and most importantly, this change only impacts client applications that connect to the Microsoft Dataverse. It does not impact custom plug-ins, workflow activities, or on-premises/IFD service connections.

-----


However, my app (that connects against the former Dynamics CRM Online) is using the SOAP API directly (instead with requests like the following one. It's being used by several customers and we need to determine how to proceed. Will it stop working? Thanks!

 

 

URL: https://myOrganization.api.crm.dynamics.com/XRMServices/2011/Organization.svc

 

<?xml version='1.0' encoding='UTF-8'?>
<s:Envelope
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.microsoft.com/xrm/2011/Contracts/Services/IOrganizationService/Execute</a:Action>
<a:MessageID>urn:uuid:messageId</a:MessageID>
<a:ReplyTo>
<a:Address>
http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://xxx.api.crm.dynamics.com/XRMServices/2011/Organization.svc</a:To>
<o:Security
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="_0">
<u:Created>2022-03-07T19:59:03.933Z</u:Created>
<u:Expires>2022-03-09T19:59:03.933Z</u:Expires>
</u:Timestamp>
<EncryptedData
xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
<ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
<ds:KeyInfo Id="keyinfo">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">G/YmqJgv2n7dYCBKQO7rXPszews=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<CipherData>
<CipherValue>myValue</CipherValue>
</CipherData>
</EncryptedKey>
</ds:KeyInfo>
<CipherData>
<CipherValue>myValue2</CipherValue>
</CipherData>
</EncryptedData>
</o:Security>
</s:Header>
<s:Body>
<Execute
xmlns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:ns10="http://schemas.microsoft.com/xrm/2011/Metadata/Query"
xmlns:ns11="http://schemas.microsoft.com/crm/2011/Contracts"
xmlns:ns12="http://schemas.microsoft.com/xrm/2012/Contracts"
xmlns:ns13="http://schemas.microsoft.com/2003/10/Serialization/"
xmlns:ns2="http://schemas.datacontract.org/2004/07/System.Collections.Generic"
xmlns:ns3="http://schemas.microsoft.com/xrm/2011/Contracts"
xmlns:ns4="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
xmlns:ns5="http://schemas.datacontract.org/2004/07/Microsoft.Crm.Sdk.Messages"
xmlns:ns6="http://schemas.datacontract.org/2004/07/Microsoft.Xrm.Sdk"
xmlns:ns7="http://schemas.microsoft.com/xrm/2011/Metadata"
xmlns:ns8="http://schemas.microsoft.com/xrm/2013/Metadata"
xmlns:ns9="http://schemas.microsoft.com/xrm/2014/Contracts">
<request>
<ns3:Parameters>
<ns3:KeyValuePairOfstringanyType>
<ns2:key>Target</ns2:key>
<ns2:value
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns3:EntityReference">
<ns3:Id>myId</ns3:Id>
<ns3:LogicalName>account</ns3:LogicalName>
</ns2:value>
</ns3:KeyValuePairOfstringanyType>
<ns3:KeyValuePairOfstringanyType>
<ns2:key>ColumnSet</ns2:key>
<ns2:value
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns3:ColumnSet">
<ns3:AllColumns>true</ns3:AllColumns>
</ns2:value>
</ns3:KeyValuePairOfstringanyType>
</ns3:Parameters>
<ns3:RequestId
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true" />
<ns3:RequestName>Retrieve</ns3:RequestName>
</request>
</Execute>
</s:Body>
</s:Envelope>

  • cchannon
    4,702 Moderator

    If your code is using a username and password to connect to dataverse, it is using WSTrust, and it will stop working.

     

    You need to have an app registration with either an App User registered in Dataverse or an App User with user impersonation privs to act as a delegate and retrieve a user token from Azure Active Directory.

  • prodriguez
    2

    Thanks for your response, @cchannon ! Then:
    1) Is "Dynamics CRM Online" part of the Dataverse?

    2) If that's the case and my app will stop working, is it possible to continue using the SOAP API and inject the token somehow? Any document that explains that is available?

     

  • floschna
    10

    I have the exact same issue. We are using a custom application where the authentication is built the same way and it does the authentication directly with XML WS Trust with SOAP and the following URL https://login.microsoftonline.com/extSTS.srf.

    I tried to use the Token from an Azure Application which has enough rights to read and write our Dynamics CRM but it did not work because it is not compatible with https://login.microsoftonline.com/extSTS.srf endpoint. 

    In the application it gets a securityToken0, securityToken1 and a keyIdentifier but from the OData Azure Application (https://login.microsoftonline.com/<mytenantid>/oauth2/token) we only get one access_token which seems not compatible with the format I stated above.

    Is it somehow possible to get a compatible token for the SOAP API from Azure?

  • cchannon
    4,702 Moderator

    1. Yes. "Dynamics" is the brand name for Microsoft's first-party line of applications built on Dataverse. And, it used to be the case that the whole stack (power automate, dataverse, canvas apps, all of it) was called Dynamics 365. So, often times you will see outdated documentation that refers to Dynamics 365, but really means the same thing as Dataverse.

    2. I haven't used the SOAP endpoint in probably 7 years. You really should modernize. But, if you can't update that code, then I think it should still work with modern authentication. You just need to instantiate your client correctly using oauth... I would think.

     

    Use OAuth authentication with Microsoft Dataverse (Dataverse) - Power Apps | Microsoft Docs

  • floschna
    10

    Thank you for your reply and your explanation regarding the Microsoft Dataverse.
    At the moment I cannot update the code, sadly, and need a short-term solution.
    I will give it a try with modern authentication for now.

  • PeterSchlagi
    2

    That is exactly my problem and I'm urgently looking for a workaround. Actually the WS-Trust service has been shut down by Microsoft by April 2022! Now my customer can't exchange any business data!!!

    We are using SOAP Endpoint OrganizationService Username/Password - Fetch/Upsert/MultipleRetrieve application=soap+xml header. We have requested Azure App registration and are able to get OAuth2.0 Security Token. But we did not figure out how to make SOAP Header/Body - OAuth2.0 enabled?  

    I would appreciate any hint or example how this could be fixed.

    Thanks for your support

    Best regards Peter

  • pavanmanideep
    576 Power Up Champ - 2025

    Hi @prodriguez 

     

    I have written a blog post on WS-Trust authentication and the changes required. Please see this link to get clarity on what will be deprecated:

    https://ecellorscrm.wordpress.com/2020/06/09/are-you-still-using-ws-trust-auth-and-organizationserviceproxy-then-it-is-time-to-change/

     

    For your question regarding using the SOAP API, you can refer to this: https://community.dynamics.com/crm/f/microsoft-dynamics-crm-forum/400297/how-to-use-oauth-bearer-token-in-soap-request-soap-body

    You can test your SOAP requests using SOAP UI: https://www.soapui.org/

     

    I hope this should give you a direction firstly and possibly the solution....

     

    Cheers,

    PMDY

  • Community Power Platform Member
    Microsoft Employee

    Hi Peter,

    We are facing the same issue. I was wondering if you had fixed the issue. If positive, how did you compose SOAP Header/Body for OAuth authorization? Please advise.

    Thank you in advance.

    Sincerely,

    James

  • floschna
    10

    Hey @Anonymous Hey @PeterSchlagi ,

    I was able to fix this issue with a few changes to the xml structure so the soap /web endpoint was able to process my requests. Please try the following:

    1) Delete the whole <s:Header> XML header if you have any.

    2) Change „xmlns:s=http://www.w3.org/2003/05/soap-envelope“ to -> „xmlns:s=http://schemas.xmlsoap.org/soap/envelope/“ in the <s:Envelope> XML Tag
    3) Send the SOAP Action as http header like in the attached picture
    4) Add the Azure Bearer Token to the Http Header like "Authorization Bearer {{authToken}}"

    floschna_0-1654583910416.png

    floschna_1-1654584008940.png

    floschna_2-1654584088322.png

     

    Cheers, 
    Floschna

     

  • Community Power Platform Member
    Microsoft Employee

    Hi Floschna,

    Thank you so much for your reply.

    I tried your approach and kept getting 415 Unsupported Media Type error. It seems XRMServices/2011/Organization.svc/web is not supported?

    Did you need to put any specific configurations in your Dynamics CRM please? Thank you.

    Sincerely,

    James
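
The four steps floschna lists above, as an added example that is not code from any poster or from Microsoft: it rewrites a SOAP 1.2 WS-Security envelope like the one in the first post into a header-less SOAP 1.1 envelope plus the HTTP headers for steps 3 and 4. The function name, the cut-down sample envelope and the `text/xml` Content-Type are assumptions; the thread does not say which Content-Type was sent (`text/xml` is the SOAP 1.1 media type, `application/soap+xml` the SOAP 1.2 one).

```python
from xml.dom import minidom

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://www.w3.org/2005/08/addressing"

# Constructed sample: a cut-down form of the envelope in the first post.
SAMPLE = """<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
 xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.microsoft.com/xrm/2011/Contracts/Services/IOrganizationService/Execute</a:Action>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
</s:Header>
<s:Body>
<Execute xmlns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
 xmlns:ns3="http://schemas.microsoft.com/xrm/2011/Contracts">
<request><ns3:RequestName>Retrieve</ns3:RequestName></request>
</Execute>
</s:Body>
</s:Envelope>"""


def to_bearer_request(envelope_xml, access_token):
    """Return (http_headers, soap11_body) for a WS-Security SOAP 1.2 envelope."""
    # Refuse tokens with whitespace/CRLF so the value cannot split the header.
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("token must be a single non-empty header-safe string")
    root = minidom.parseString(envelope_xml).documentElement
    if (root.namespaceURI, root.localName) != (SOAP12, "Envelope"):
        raise ValueError("expected a SOAP 1.2 envelope")
    header = next((n for n in root.childNodes if n.nodeType == n.ELEMENT_NODE
                   and (n.namespaceURI, n.localName) == (SOAP12, "Header")), None)
    actions = header.getElementsByTagNameNS(WSA, "Action") if header is not None else []
    if not actions or actions[0].firstChild is None:
        raise ValueError("no a:Action to reuse as the SOAPAction header")
    action = actions[0].firstChild.data.strip()
    # Step 1: drop the header, and with it the WS-Trust issued token.
    root.removeChild(header)
    # Step 2: rebind the envelope prefix to SOAP 1.1. minidom keeps every
    # other prefix as written, so QNames inside xsi:type values stay valid.
    root.setAttribute("xmlns:" + root.prefix if root.prefix else "xmlns", SOAP11)
    headers = {
        "Content-Type": "text/xml; charset=utf-8",  # assumption: SOAP 1.1 type
        "SOAPAction": action,                        # step 3
        "Authorization": "Bearer " + access_token,   # step 4
    }
    return headers, root.toxml()
```

The returned headers and body can be handed to any HTTP client; keep the `Authorization` value out of request logs, since it is the only credential left on the request once the WS-Security header is gone.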
