A couple of months back, we were upgrading a client’s CRM 2011 installation to the next major release, CRM 2013. Everything seemed to be going smoothly as we upgraded the test environment, until we realized we couldn’t edit user settings or send e-mails.

The common factor seemed to be that anything that used user data failed. This is because CRM 2013 introduces data encryption for select fields in the database, among them those that store the CRM user data.

We proceeded to investigate, and after setting up HTTPS on the test server with a dummy certificate…

Note: I later learned we could have skipped this step quite easily with a little tweak to the configuration DB:

UPDATE [MSCRM_CONFIG].[dbo].[DeploymentProperties]
SET [BitColumn]=1
WHERE ColumnName='DisableSSLCheckForEncryption'
Source: http://www.crmphilly.com/crm-2013-data-encryption/

Not sure if this workaround is supported by MS. In any case, don’t change the setting on your production environment. The security is there for a reason.

… we found, in the encryption key configuration window, that no encryption key had been stored for this organization. But the data had still been encrypted, making it essentially useless.

After about a week of dead ends, and with the go-live date looming, we finally found a workaround. We tried re-importing our CRM 2011 organisation database with the Deployment Manager, and let it handle the organisation upgrade. To our relief, this time there was an encryption key.

As far as I’ve been able to gather, the problem was this: when we had performed the initial upgrade, we used the CRM 2013 RTM (not to be confused with a pre-release) media for the installation. We had allowed the installer to upgrade the organization for us. This was true for both our development and test environments. Both were missing their encryption keys. On our second attempt (the re-import) we had CRM 2013 SP1 installed, and while I can’t find any mention of a fix for this issue in the release notes, I’m pretty sure this is what made the difference.

So, the moral of the story? Install your CRM 2013 upgrade first, as well as the latest updates. Then import and upgrade your organization. Don’t let the installer upgrade your organization for you.

I hope this blog post can help someone avoid having the same problem that we had.


Error messages

When trying to manipulate CRM user data:
Data Encryption error – There are encrypted fields in the organization database, but the data encryption feature isn’t activated. Contact your Microsoft Dynamics CRM system administrator to activate data encryption. To activate, go to System Settings > Data Management > Data Encryption. For more information, see http://go.microsoft.com/fwlink/?linkid=316366.

When trying to enable data encryption:
In the error dialog:
SQL Encryption error – The encryption key you entered does not match the original one that was used to encrypt the data in the database.
In the log file:
Cannot perform ‘activate’ because the encryption key doesn’t match the original encryption key that was used to encrypt the data.

When running a trace when trying to enable data encryption:
Crm Exception: Message: Encryption Symmetric Key password does not exist in Config DB., ErrorCode: -2147187410
Which after a little decimal to hex conversion maps to (source):

| Error ID | Managed Error Name | Error Message |
|---|---|---|
| 8004852E | SqlEncryptionSymmetricKeyPasswordDoesNotExistInConfigDB | Encryption Symmetric Key password does not exist in Config DB. |
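
The decimal-to-hex step above, as an added example (not code from the original post): it pulls ErrorCode values out of trace lines in the format quoted above, reinterprets each as an unsigned 32-bit HRESULT and splits out the severity, facility and code fields. The sample trace lines and the function names are constructed for illustration, and the lookup table holds only the one mapping given in the post.

```python
import re

# Matches the trace line format quoted in the post.
TRACE_RE = re.compile(r"Crm Exception: Message: (?P<msg>.*?), ErrorCode: (?P<code>-?\d+)")

# Only the mapping given in the post; extend it from the vendor's error list.
KNOWN_ERRORS = {
    0x8004852E: "SqlEncryptionSymmetricKeyPasswordDoesNotExistInConfigDB",
}


def decode_error_code(signed_code):
    """Reinterpret a signed 32-bit ErrorCode as an HRESULT and split its fields."""
    if not -(2**31) <= signed_code < 2**31:
        raise ValueError(f"not a signed 32-bit value: {signed_code}")
    hresult = signed_code & 0xFFFFFFFF  # two's complement -> unsigned
    return {
        "hex": f"{hresult:08X}",
        "failure": bool(hresult >> 31),       # severity bit
        "facility": (hresult >> 16) & 0x7FF,  # 11-bit facility field
        "code": hresult & 0xFFFF,             # low 16 bits
        "name": KNOWN_ERRORS.get(hresult, "unknown"),
    }


def scan_trace(lines):
    """Return (message, decoded fields) for every trace line carrying an ErrorCode."""
    hits = []
    for line in lines:
        match = TRACE_RE.search(line)
        if match:
            hits.append((match["msg"], decode_error_code(int(match["code"]))))
    return hits


# Constructed sample: the second line is the one quoted in the post, the others are filler.
SAMPLE_TRACE = [
    "Info: organization settings page requested",
    "Crm Exception: Message: Encryption Symmetric Key password does not exist "
    "in Config DB., ErrorCode: -2147187410",
    "Info: request completed",
]

if __name__ == "__main__":
    for message, fields in scan_trace(SAMPLE_TRACE):
        print(f"0x{fields['hex']} {fields['name']}: {message}")
```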