Authentication Protocols Impacting Dynamics GP Users
Microsoft announced security changes to Office 365 servers and Exchange Online. Effective October 2022, Basic Authentication protocols will be replaced with a new modern protocol to secure Exchange Online and hosted Office 365 from possible cyber-attacks. A side effect of these security changes is that email and workflow functionality will be impacted in older versions of Dynamics GP.
Which Versions of Dynamics GP Are Impacted?
If you’re using Dynamics GP 18.2 or an older version such as GP 2010, GP 2013, GP 2015, GP 2016, GP 2018, then these security changes will disrupt email and workflow functionality.
- Please note that if you are on an older version of GP and do not use email or workflow functionality, then this will not impact you.
If you’re currently on Dynamics GP 18.3 or higher, you will not be impacted by this change because the Modern Authentication is already operational in GP 18.3 or later.
What Functionality is Affected?
Dynamics GP versions 18.2 and older will be unable to communicate with the Exchange server, which will prevent emails containing orders, invoices, statements, purchase orders, and remittances from being sent to customers or vendors.
Why is This Affecting GP Users?
When we email out of GP, we essentially connect to Exchange, and in order to connect, you need to authenticate as a user. Since Exchange will only support Modern Authentication, older versions of GP will be unable to communicate with the Exchange server and the emails will not be delivered. This will stop emails containing orders, invoices, statements, purchase orders, and remittances from sending. Workflows are also affected, as they send email to move the workflow through its steps. These functions will stop operating in October 2022 when Basic Authentication is deprecated. Going forward, systems will only use Modern Authentication for Office 365, which means that affected GP users need to be on a version (18.3 or later) where Modern Authentication can be used.
Why is Basic Authentication Going Away?
Basic Authentication, which is TLS 1.0, is an outdated industry standard and threats posed have only increased since Microsoft originally announced they were making this change. Utilizing Basic Authentication opens the client up to phishing emails, compromised files, ransomware attacks, and more.
Modern Authentication, which is TLS 1.2, helps increase your organization's security because it uses modern encryption of keys. It also supports features such as multi-factor authentication (MFA), which Encore highly recommends, and certificate-based authentication (CBA), as well as a few others.
The history of authentication protocols starts with Microsoft writing SSL back in the 1990s, which was then replaced with TLS 1.0, which in turn evolved to TLS 1.2. The change is happening now because Exchange and Office 365 are mandating TLS 1.2 across all programs. It's not only Dynamics GP that is affected; any program that is using TLS 1.0 is affected.
What Options are Available to Ensure I’m Not Impacted?
For customers using a version of Dynamics GP 18.2 or older and that use email and/or workflow in GP, there are three scenarios. Each scenario will require a solution for functionality to continue post October 2022, because both the document connection (Exchange login during the GP session) and the SMTP (Workflow) connection will need to use the Modern Authentication.
Scenario 1: If you use Email for documents and use Workflow
An upgrade to the current version of GP is needed.
Scenario 2: If you do not use Email for documents and use Workflow
An upgrade to the current version of GP is needed.
Overall, there are more restrictions with workflows and there are no workarounds that will work past October. In the meantime, we have two temporary fixes for workflows:
Option 1: Turn off Modern Authentication in Office 365 for SMTP.
This means updating the dynamics.exe.config file, which is located in the code folder, with one line of code. This ensures that the application is using TLS 1.2 wherever it’s available as part of the move towards modern protocol.
Code to add to the dynamics.exe.config file:
<runtime>
  <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>
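The config edit described above can be scripted so it is backed up and repeatable across workstations. The following PowerShell is an added example, not code from the original article or from Microsoft; the config path is a placeholder, and it assumes the file has a plain <configuration> root element with no XML namespace.

```powershell
# Added example. $ConfigPath is a placeholder: point it at the GP code folder.
# Run from an elevated prompt if the code folder is under Program Files.
param(
    [string]$ConfigPath = 'C:\PLACEHOLDER\GP-code-folder\Dynamics.exe.config'
)
$ErrorActionPreference = 'Stop'

$switchName  = 'Switch.System.Net.DontEnableSystemDefaultTlsVersions'
$switchValue = 'false'

# Fail early if the file is missing, and get an absolute path for XmlDocument.
$ConfigPath = (Resolve-Path -LiteralPath $ConfigPath).Path

# Keep a timestamped copy so the change can be rolled back.
$stamp = Get-Date -Format yyyyMMddHHmmss
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.$stamp.bak"

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($ConfigPath)

$config = $xml.SelectSingleNode('/configuration')
if (-not $config) { throw "No <configuration> root element in $ConfigPath" }

# <runtime> may already exist (binding redirects live there); reuse it.
$runtime = $config.SelectSingleNode('runtime')
if (-not $runtime) {
    $runtime = $config.AppendChild($xml.CreateElement('runtime'))
}

$override = $runtime.SelectSingleNode('AppContextSwitchOverrides')
if (-not $override) {
    $override = $runtime.AppendChild($xml.CreateElement('AppContextSwitchOverrides'))
}

# The value attribute is a semicolon-separated list of Name=value pairs.
# Drop any earlier entry for this switch, keep the others, then append ours.
$pairs = @($override.GetAttribute('value') -split ';' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($_ -notlike "$switchName=*") })
$pairs += "$switchName=$switchValue"
$override.SetAttribute('value', ($pairs -join ';'))

$xml.Save($ConfigPath)
Write-Output "AppContextSwitchOverrides is now: $($override.GetAttribute('value'))"
```

Running it a second time leaves a single entry for the switch, and any other switches already present in the value attribute are preserved.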
Option 2: Continue to use Workflow internal to GP only
- Every user will require a GP user license
- No notifications that items are pending – manually go into GP to check for notifications
- Approvals done inside GP
Scenario 3: If you use Email for documents and do not use Workflow
Four options are available here:
- Upgrade to the current version of GP.
- Change the system preference from Exchange to MAPI in GP. This requires that the user be using the 32-bit version of Outlook and that we implement ClickYes Pro (this software prevents you from having to say yes, yes, yes, yes to every email going out). ClickYes Pro is available for download at softonic.com. This authenticates using Outlook, which already uses Modern Authentication. When you go to email, it will open an Outlook email prefilled with any email templates you have, rather than connecting to Exchange. One disadvantage is that if you have multiple users on the same server/workstation, every user must have their individual profile set up in Outlook for this to work. This means that if you're running on an RDS server with 35 people, the IT department will have to put 35 separate profiles on there, each one with a full Outlook implementation, which takes up space, backup, and resources.
- Another option that uses MAPI is Binary Stream Email Manager.
- Switch to Liaison Messenger EDD, a product that allows you to send emails directly to Office 365. It supports TLS 1.2, so you can move to it and it will continue to run. It works on GP versions 2015 and above. Setup time is required, and it needs a workstation to run the print driver. Your standard print jobs are sent through this driver, and it then emails them out to the individuals. It works well but does have a cost associated with it through user count licensing and maintenance.
Please contact us or reach out to your Encore Account Executive if you have any questions about which scenario is best for your organization or if you’d like to review options of moving to a cloud-based ERP solution.
A reminder, no action is needed if:
- You're currently on GP 18.3 or above.
- You're on a version older than GP 18.3 (GP 2021, GP 2013, GP 2015, GP 2016, GP 2018, GP 18.2) but do not use email or workflow in GP. In that case, the issue will not impact the functionality of your solution.
What if You Use SalesPad to Email an Invoice?
Emails sent from SalesPad versions v188.8.131.52 and later will not be affected by the protocol changes. SalesPad does not rely on Dynamics GP for its email functionality. The addition of TLS 1.2 for SalesPad was completed 5/26/2017. TLS 1.1 and 1.2 are supported in SalesPad versions v184.108.40.206 and later. For more information, please see the SalesPad desktop release notes.
Recorded Presentation of Dynamics GP – Impact of Authentication Protocol Changes
See the video below for our webinar recording about the impact of authentication protocol changes.
Topics discussed during this session include:
- What are Authentication Protocols – 1:25
- The Effect of Protocol Changes on your Systems – 3:35
- Fixes and Workarounds – 6:25
- Q&A – 15:40
How to Check Your Dynamics GP Version
In Dynamics GP, users can verify their version as follows:
- Select the blue question mark in the upper right corner.
- In the menu, select 'About Microsoft Dynamics GP'.
- In the window that appears, find the version number in the first line of the right-hand column.
Microsoft Beginning to Roll Out Changes
Beginning now, Microsoft is running a ‘Proactive Protection Expansion’ which means that as changes begin to roll out, they will begin disabling Basic Authentication for some customers on a short-term and temporary basis. This means that some clients may see email and workflow in GP affected for a 12–48-hour period sometime before October. In this blog article, Microsoft explains how through the Microsoft 365 admin center your administrator can re-enable a protocol that was disabled. However, these workarounds will only work until Basic Authentication is turned off permanently in October 2022.
Announcements from Microsoft
The following links are from Microsoft and indicate the changes they are making:
- In February 2021, Microsoft announced that they are going to be turning off Basic Authentication in Exchange in this update to the Microsoft Tech Community.
- In September 2021, the message about Basic Authentication was further reinforced in this announcement.
If you have any questions, please contact us or reach out to your Encore Account Executive.