Develop Reference

Dynamics CRM online, throwing System.Security.Permissions.KeyContainerPermission

I am trying to call a Web API endpoint(https) using client certificate in Dynamics CRM plugin on Sandbox environment and I am getting the following error message.
Unhandled Exception:
System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=9.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Unexpected exception from plug-in (Execute): MyTestPlugin.PatchOnRevise: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.KeyContainerPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.Detail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
<ActivityId>9eb9f246-31da-42d4-a8ad-a93b16c783d7</ActivityId>
<ErrorCode>-2147220956</ErrorCode>
<ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
<Message>Unexpected exception from plug-in (Execute): MyTestPlugin.PatchOnRevise: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.KeyContainerPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.</Message>
<Timestamp>2018-07-08T22:01:17.969528Z</Timestamp>
<ExceptionRetriable>false</ExceptionRetriable>
<ExceptionSource i:nil="true" />
<InnerFault i:nil="true" />
<OriginalException i:nil="true" />
<TraceText>
This is the code wherein I am attaching the certificate to WebClient.
protected override WebRequest GetWebRequest(Uri _address)
{
X509Certificate2 x509Certificate2 = new X509Certificate2(_bytes);
HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(_address);
request.ClientCertificates.Add(x509Certificate2);
return request;
}
I have tried to disable Sandbox, but no luck. Is there anything else I need to do to fix this issue.

You can't disable sandbox in an online environment.
I suspect the issue is related to this, I'm not sure if certificate based security is supported.
Plug-in isolation, trusts, and statistics
Web access
Sandboxed plug-ins and custom workflow activities can access the
network through the HTTP and HTTPS protocols. This capability provides
support for accessing popular web resources like social sites, news
feeds, web services, and more. The following web access restrictions
apply to this sandbox capability.
Only the HTTP and HTTPS protocols are allowed.
Access to localhost (loopback) is not permitted.
IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or
saving those credentials.

SQL Generic Error When Notes are Clicked Dynamic CRM

I am using dynamic CRM 2015 version 7.0.1.129 On-Premise. When user click on notes in social pane. An error shows up which is "Generic SQL Error".
Here is the log
Unhandled Exception:
System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Generic SQL error.Detail:
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
<ErrorCode>-2147204784</ErrorCode>
<ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
<Message>Generic SQL error.</Message>
<Timestamp>2016-04-12T17:00:52.6982705Z</Timestamp>
<InnerFault i:nil="true" />
<TraceText i:nil="true" />
</OrganizationServiceFault>
Actually the main issue is that the error is only showing for a single user not all of them and this happens every time when he click on Notes within a Pipeline Opportunity.
Any kind of Help/Suggestion will be appreciated.
Thanks

IDP initiated SAML login error - Authentication statement is too old to be used with value

We are using ADFS as an IDP and our application acts as SP. Below is a sample Auth response
<?xml version="1.0" encoding="UTF-8"?>
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_82062d3d-897f-473e-90ad-0bb351d63b22" IssueInstant="2015-04-29T20:39:17.240Z" Version="2.0">
<Issuer>http://adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_82062d3d-897f-473e-90ad-0bb351d63b22">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue />
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>certificate..... </ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID>username</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="923ki0eg8h7g7y2243fi9jbdd1977j9" NotOnOrAfter="2015-04-29T20:44:17.240Z" Recipient="https://localhost/saml/SSO" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-04-29T20:39:17.240Z" NotOnOrAfter="2015-04-29T21:39:17.240Z">
<AudienceRestriction>
<Audience>https://localhost/saml/metadata</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2015-04-29T20:39:17.162Z" SessionIndex="_92062g3d-897f-473e-90ad-0aa351d63b22">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
The problem I face can be categorized into two scenarios:
After 1 hour of Idle time, I logout the user locally. The server session expiry is a default value of 30min. I have my code to send heartbeat pings every 10min, if the user is actively working on something. Now, the problem is that when the user tries to login after the session expiry of 1 hour, I get the below exception
Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2015-05-28T17:41:52.648Z
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAuthenticationStatement(WebSSOProfileConsumerImpl.java:538)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:306)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
... 77 more
The question here is.. Why would our application try to validate the instance of when the token was issued? It could be granted anytime..
I keep getting SAMLException with message "Local entity is not the intended audience of the assertion in at least one AudienceRestriction". The trace is as below
Caused by: org.opensaml.common.SAMLException: Local entity is not the intended audience of the assertion in at least one AudienceRestriction
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAudience(WebSSOProfileConsumerImpl.java:506)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:458)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:303)
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:214)
... 77 more
I dont understand why this exception occurs.
Please help me to understand the concept.
Thanks!

Your IDP is re-using information that user has authenticated earlier (at time identified by Authentication Instant) and Spring SAML is by default configured to not let user login if she's been authenticated more than 7200 seconds ago.
It's a security measure - if it's a long time ago since the computer has authenticated the user, it's hard to guarantee that it's still the same person operating the computer. Spring SAML provides you some means to configure what level of security will be acceptable - for example by making this configurable.
You can increase this value by setting property maxAuthenticationAge on the WebSSOProfileConsumerImpl bean.
The audience error should happen only when the assertion contains Audience elements and none of them matches the entity ID of your application. I don't think the Response in your question is the one triggering this error?

Just an FYI on this topic, Google has confirmed that currently do not honour the forceAuthN flag for SAML redirects. Seeing issues with authentication timeout on SAML token as a result. Documented here: Google Apps SSO as IdP into Spring SAML2 - Authentication token timeout

HTTP 401.2 Unauthorized error with Windows authentication from remote machine

My website has Windows Authentication enabled with Negotiate provider listed first as I want to use Kerberos for delegating. It works fine when I run the website from a browser on the web server itself. When I use IE from another machine in the domain, I get the login box. After 3 tries I get a HTTP 401.2 error: Unauthorized.
I've made sure the domain account used by the Application Pool has Read and Execute rights to the website folder, and so does the domain account I'm logging in under when hitting the website (and I've also thrown in 'Authenticated Users' for good measure).
Interestingly if I try to access the site using the web server's IP instead of the name, it loads fine.
Anyone have thoughts?

One year after my first encountering this problem I've solved it.
Got the tip from http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx
Need to set useAppPoolCredentials="true" on the windowsAuthentication element in applicationHost.config (can set via IIS Manager)
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
<providers>
<clear />
<add value="Negotiate" />
</providers>
<extendedProtection tokenChecking="None" />
</windowsAuthentication>
</authentication>
</security>
</system.webServer>

The reason you're getting a 401.2 when using a DNS name is most likely due to the fact register the name you're using as a service principle name (SPN) in AD.
Here's a couple of links that should help you out:
Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
Register a Service Principal Name for Kerberos Connections:
http://technet.microsoft.com/en-us/library/ms191153.aspx

a sql server error occurred. try this action again

I've CRM 2011 on-premise installation. When a workflow (both custom and crm workflow) try to a create note in Account entity, an error occurred. When I check the workflow status it shows ‘Waiting’ and showing below error message.
“A SQL Server error occurred. Try this action again. If the problem continues check the Microsoft Dynamics CRM Community for solutions or contact your organization's Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support”
Workflow paused due to error: Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Generic SQL error.Detail:
-2147204784
Generic SQL error.
2012-10-25T11:11:01.2064949Z
<ErrorCode>-2147204784</ErrorCode>
<ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
<Message>Generic SQL error.</Message>
<Timestamp>2012-10-25T11:11:01.2064949Z</Timestamp>
<InnerFault>
<ErrorCode>-2147220970</ErrorCode>
<ErrorDetails xmlns:d4p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
<Message>System.Data.SqlClient.SqlException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #6F1D18EA</Message>
<Timestamp>2012-10-25T11:11:01.207495Z</Timestamp>
<InnerFault i:nil="true" />
<TraceText i:nil="true" />
</InnerFault>
<TraceText i:nil="true" />
at Microsoft.Crm.Extensibility.OrganizationSdkServiceInternal.RetrieveMultiple(QueryBase query, CorrelationToken correlationToken, CallerOriginToken callerOriginToken, WebServiceType serviceType)
at Microsoft.Crm.Extensibility.InprocessServiceProxy.RetrieveMultipleCore(QueryBase query)
at Microsoft.Crm.Workflow.RegardingObjectUtility.CreateLookup(String entityName, Guid entityId)
at Microsoft.Crm.Workflow.WorkflowContextBase.SetStepRegardingRecord(String entityName, Guid entityId)
at Microsoft.Crm.Workflow.Services.UpdateActivityService.<>c_DisplayClass1.b_0(IOrganizationService sdkService)
at Microsoft.Crm.Workflow.Services.ActivityServiceBase.ExecuteInTransactedContext(ActivityDelegate activityDelegate)
at Microsoft.Crm.Workflow.Services.UpdateActivityService.UpdateInternal(Entity entity, String stepId)
at Microsoft.Crm.Workflow.Services.UpdateActivityService.ExecuteInternal(ActivityContext executionContext, UpdateEntity updateEntity)
at Microsoft.Crm.Workflow.Services.UpdateActivityService.Execute(ActivityContext executionContext, UpdateEntity updateEntity)
at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
I checked trace also.
Please suggest,
Thanks
Kiran

Enable tracing (using this tool easiest) and take a look at the resulting trace file for the Async service (can't remember the file name but it will have "async" in it somewhere). This should give you some additional detail.
Do you have any plugins registered on your system (especially against the Account or Annotation (Note) entity?