Dynamics CRM 2011 Plugin Sandbox Mode Security Restrictions

Header Photo Credit: Lorenzo Cafaro (Creative Commons Zero License)

Lately, I've been doing work with Microsoft's Dynamics CRM 2011. Specifically, I've been integrating InRule's flagship product into Dynamics, which includes utilizing the Plugin feature of Dynamics.  Dynamic provides the option of registering a plugin to run in "sandbox" mode, which is a Partial Trust process.  While the on-premise Dynamics software will allow you to run plugins in or out of sandbox mode, the Dynamics Online (Microsoft's hosted solution) will only run in sandbox mode.

Unfortunately, there's not really any good documentation saying what is or is not allowed in the sandbox mode.  Even when I spoke to a group of Microsoft Dynamics team members and MVPs at the Dynamics Acceleration Lab earlier this month on Microsoft's Redmond campus, there wasn't a known set.

So, I basically had to take the approach of just trying to run the software in isolated mode and see what fails.  As I uncovered a new security failure, I'd create a whitebox plugin that would test the specific scenario to ensure it was indeed a sandbox-induced issue and to test any potential workarounds.  The good news is that the sandbox mode for on-premise installations is the same as the Dynamics OnLine environment, so I could test things locally.

Below is a list of items I discovered during my testing.

This is not an exhaustive list by any means, as I focused only on functionality I needed for the InRule integration. I will continue to update it as I come across additional items.

Exception classes: With .Net 4, there was a change to how you must construct your Exception classes if you want to include any custom data when serializing your object.  Previously, you would override the GetObjectData() method, but with .Net 4, this has been slapped with the [SecurityCritical] attribute, which stops you from using it in partial trust environments.  Instead, you would need to change the implementation per this link: http://msdn.microsoft.com/en-us/library/system.runtime.serialization.isafeserializationdata.aspx

Using any of the following cause a security exception (not an exhaustive list):

  • Attempting to use the AppDomain.CurrentDomain.AssemblyResolve event
  • System.IO.Path.GetTempPath() [System.Security.Permissions.EnvironmentPermissionException]
  • Any filesystem access code [System.Security.Permissions.FileIOPermissionException]
  • Attempting to use the EventLog [System.Diagnostics.EventLogPermissionException]
  • Attempting to use IsolatedStorage [System.Security.Permissions.IsolatedStoragePermissionException]
  • Any references to Thread.CurrentThread caused a security failure. 

Usage of the XmlReader class using a StringReader to provide the XML, caused a security failure.  I haven't yet been able to narrow down the specifics as to where or why this was disallowed, but here is the code that fails:

using(XmlReader reader = XmlReader.Create( new StringReader (_xmlString ))
    reader.MoveToContent(); //Security exception occurs here.

As I determine more, I'll update this post.

Note: My testing was with Dynamics CRM 2011 Rollup 7 running on a Windows 2008 server virtual machine inside VMWare Player.

Update: I came across this MSDN article Plug-in Isolation, Trusts, and Statistics which provides some info on restrictions related to opening networking connections, including a registry edit you can make to ease the restrictions. Noteworthy excerpt from the article:

Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides 
support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions
apply to this sandbox capability.

* Only the HTTP and HTTPS protocols are allowed.
* Access to localhost (loopback) is not permitted.
* IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
* Anonymous authentication is supported and recommended. There is no provision for prompting the 
  on user for credentials or saving those credentials.