Program testing can be used to show the presence of bugs, but never to show their absence!
I was tasked with load testing Microsoft Dynamics CRM 2013 and I quickly ran into some problems getting INVALID_WRPC_TOKEN error
We tried to use Telerik for performance testing but this ended in failure because we couldn’t get the encoded guids from the responses.
So I am now trying Visual Studio Web Performance and Load tests, which you need Visual studio 2013 Ultimate or Visual studio 2015 Enterprise editions.
Visual studio – Web Performance and Load Test Project
I won’t go into performance testing in this post but focus on the pesky token error. Please take into account when I do mention performance testing I might get things completely wrong, this is because I’m learning about it, using the tried and tested way of trying it and making lots of mistakes (feel free to correct me in the comments)
How did I get the error
When you do performance testing you go through this process
- you click start recording
- this brings up an Internet Explorer browser
- Run through the process you want to test
- Stop recording
This captures all the HTTP traffic (looks like a fiddler trace). If you haven’t used Fiddler I would recommend these two links to get started
- Getting Started with Fiddler and CRM
When I ran the test of my recording I got an INVALID_WRPC_TOKEN error
Which leads me to the question, what is an WRPC token?
What is a WRPC token
The first place to start the search should be the CRM SDK – Why CRM Developers should always start with the CRM SDK
It took quite a lot of searching but I finally got to this page
Microsoft Dynamics CRM uses two kinds of private encryption keys for deployments accessed over the Internet:
Web remote procedure call (WRPC) token key. This key is used to generate a security token, which helps make sure that the request originated from the user who made the request. This security token decreases the likelihood of certain attacks, such as a cross-site request forgery (one-click) attack.
The WRPC key’s purpose is to stop people using programs to send requests to CRM and trick it into return data.
The WRPC token is embedded into each request. You maybe thinking once you work out the token you can use it every time time.
Back to the Microsoft page Key management in Microsoft Dynamics CRM for another quote
Key Regeneration and renewal
CRM ticket keys are automatically generated and renewed and then distributed, or deployed, to all computers running Microsoft Dynamics CRM or running a specific Microsoft Dynamics CRM Server 2013 role. These keys are regenerated periodically and, in turn, replace the previous keys. By default, key regeneration occurs every 24 hours.
I have bolded the key part, key regeneration occurs every 24 hours. This is great for stopping bad people making naughty requests but it’s not so good for my load testing script which has the WRPC token embedded into it’s recording.
Other WRPC Token errors
Whilst I was searching for information about the WRPC token I found a few more errors I have listed below
- Can not mark CRM 2011 Appointments as Complete
- UR 7 breaks Attachment Download code, and how to fix it
An old CRM 4 error by the awesome David Jennaway, who sadly never writes about CRM on his blog any more, he used to be an awesome source of CRM developer information. The first link is a discussion about it.
It seems you can get a token error if you open CRM in two different browsers!
The blog was getting an error when they changed to HTTPS binding.
Work around for token errors
The only workaround I have found with regards to WRPC token is to disable the token being used.
I found the answer on this blog page
You can add a registry key which will disable the CRM token check.
On the CRM Server, open REGEDIT
Create a DWORD registry key with the name IgnoreTokenCheck
Set the value to 1
Restart IIS or Recycle App pool
As with a lot of workaround this does mean your CRM is more open to cross site scripting attacks.
I wouldn’t recommend this for a production environment, unless it’s only a short term fix.
Back to my Web performance testing
I disable the check and my recordings were working without error.
Talking about Performance testing, Microsoft have released the CRM Peformance Toolkit for CRM 2015 but which is compatible with CRM 2013 (for free)
The tests will test all default entities and will provide a good starting point for creating your own tests.
Hopefully these tests will provide a way to get the WRPC token and save it as a parameter because turning off the WRPC token will only work for on premise CRM organisation because you cannot turn off this setting for CRM Online (you don’t have access to the server).
Hopefully with a bit of digging around I can work out how Microsoft have got round this WRPC token problem I was experiencing.