locked
Dynamics CRM 2013 - IgnoreTokenCheck for INVALID_WRPC_TOKEN warning RRS feed

  • Question

  • Hello All,

    Recently we have upgraded from CRM 4 version to CRM 2013 for one of our client (On premise version). I was just checking event viewer on application server and found one warning which saying "INVALID_WRPC_TOKEN". I googled on this and found following forum in which they are saying to set "IgnoreTokenCheck" in registry.

    https://social.microsoft.com/Forums/en-US/4b30b899-fbdb-4c9e-807e-f442858412b2/ignoretokencheck?forum=crm

    For us, this is happening only in "Activities/Attachment/download.aspx" page. This is CRM's in built page opening when we try to download email attachments. I don't see any issues in downloading attachments though warning is there in event viewer.

    Following are my questions:

    1) Why this warning logged in event viewer although I am able to download attachment without any issue?

    2) Why this is happening only on download.aspx page?

    3) If I will set IgnoreTokenCheck in registry, what will be security impact due to this?

    4) Is there any other way to fix this warning without setting IgnoreTokenCheck in registry?

    Thanks in advance.


    • Edited by Ravi MRC Tuesday, April 21, 2015 12:28 PM
    Friday, April 17, 2015 1:14 PM

All replies

  • Taking your questions in turn:

    1. Not sure. Are you certain the warning coincides with when a user downloads an attachment, or could it be from some other action ?
    2. You may have a cached page with an expired token, or maybe the token has been hard-coded into a separate web resource or report
    3. Setting IgnoreTokenCheck will also stop Crm using tokens elsewhere. Tokens are used as a defence against cross-site request forgery attacks. There are 2 schools of thought on this: Either 'cross-site request forgery is only possible if you have other exploits, e.g. cross-site scripting, in which case you've a bigger problem anyway', or 'you should always defend in depth'
    4. Not that I know of, apart from my answer to 2) above

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Friday, April 17, 2015 2:45 PM
    Moderator
  • Thanks for your reply.

    Regarding,

    1) Yes the warning coincided when user downloads an attachment only.

    2) When I do F12 on attachment page, I see token value in aspx page code. It's crm's internal page, so it should come dynamically, so not sure where to check next on this.

    Sunday, April 19, 2015 4:56 AM