
Plug-in Isolation, Trusts, and Statistics

Microsoft Dynamics CRM 2011 and Microsoft Dynamics CRM Online support the execution of plug-ins in an isolated environment. In this isolated environment, also known as a sandbox, a plug-in can make use of the full power of the Microsoft Dynamics CRM SDK to access the organization Web service. Access to the file system, system event log, certain network protocols, registry, and more is prevented in the sandbox. However, sandbox plug-ins do have access to external endpoints like the Windows Azure cloud.

The Microsoft Dynamics CRM platform collects run-time statistics and monitors plug-ins that execute in the sandbox. If the sandbox worker process that hosts a plug-in exceeds threshold CPU/memory/handle limits or is otherwise unresponsive, then that process will be killed by the platform. At that point any currently executing plug-ins in that worker process will fail with exceptions. However, the next time the plug-in is executed it will run normally. There is one worker process per organization so failures in one organization will not affect another organization.

In summary, the sandbox is the recommended execution environment for plug-ins as it is more secure, supports run-time monitoring and statistics reporting, and is supported on all Microsoft Dynamics CRM deployments.

Trusts

Plug-in developers have the option of registering their plug-ins in the sandbox, known as partial trust, or outside the sandbox, known as full trust. Full trust is supported for on-premises and Internet-facing Microsoft Dynamics CRM deployments. For a Microsoft Dynamics CRM Online deployment, plug-ins must be registered in the sandbox (partial trust) where they are isolated as previously described.

Run-time Statistics

The Microsoft Dynamics CRM platform collects run-time information on plug-ins that execute in the sandbox. This information is stored in the database using PluginTypeStatistic entity records. These records are populated within 30 minutes to one hour after a sandboxed plug-in executes. See the PluginTypeStatistic attributes to find out what information is collected. You can retrieve this information using the retrieve message or method.

Web Access

Sandboxed plug-ins can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular Web resources like social sites, news feeds, Web services, and more. The following Web access restrictions apply to this sandbox capability.

  • Only the HTTP and HTTPS protocols are allowed.

  • Access to localhost (loopback) is not permitted.

  • IP addresses cannot be used. You must use a named Web address that requires DNS name resolution.

  • Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.

These default Web access restrictions are defined in a registry key on the server running the Microsoft.Crm.Sandbox.HostService.exe process. The value of the registry key can be changed by the System Administrator according to business and security needs. The registry key path on the server is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\SandboxWorkerOutboundUriPattern

The key value is a regular expression string that defines the Web access restrictions. The default key value is:

"^http[s]?://(?!((localhost[:/])|(\[.*\])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|(((([0-9]+)|(0x[0-9A-F]+))\.){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+";

By changing this registry key value, you can alter the allowed Web access for sandboxed plug-ins.
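Before a changed pattern is written to the registry, it can be compared against the default on a fixed set of URLs to see which destinations it newly opens or closes. The following is an added example, not Microsoft code: the sample URLs and the two candidate patterns are constructed, and it assumes case-sensitive matching from the start of the URL as the pattern is written, since the page does not state which regular expression options the host service applies.

```python
import re

# Default SandboxWorkerOutboundUriPattern value as given on this page
# (surrounding quotes and trailing semicolon dropped).
DEFAULT_PATTERN = (
    r"^http[s]?://(?!((localhost[:/])|(\[.*\])|([0-9]+[:/])|(0x[0-9a-f]+[:/])"
    r"|(((([0-9]+)|(0x[0-9A-F]+))\.){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+"
)

# Constructed sample URLs, one per rule in the restriction list above.
SAMPLE_URLS = [
    "https://api.example.com/feed",   # named host over HTTPS
    "http://example.com:8080/",       # named host over HTTP
    "ftp://example.com/file",         # protocol other than HTTP/HTTPS
    "http://localhost/",              # loopback by name
    "http://localhost:5555/x",        # loopback by name with port
    "http://[::1]/",                  # bracketed IPv6 literal
    "http://2130706433/",             # address as a single decimal integer
    "http://0x7f000001/",             # address as a single hex integer
    "http://127.0.0.1/",              # dotted decimal address
    "http://0x7F.0x0.0x0.0x1:80/",    # dotted hex address
]

def allowed(pattern, url):
    """True if the pattern permits outbound access to url."""
    return re.match(pattern, url) is not None

def compare_to_default(candidate, urls=SAMPLE_URLS):
    """Return (loosened, tightened): URLs the candidate newly allows / newly blocks."""
    loosened, tightened = [], []
    for url in urls:
        before, after = allowed(DEFAULT_PATTERN, url), allowed(candidate, url)
        if after and not before:
            loosened.append(url)      # security-relevant: was blocked, now reachable
        elif before and not after:
            tightened.append(url)     # functional impact: was reachable, now blocked
    return loosened, tightened

# Hypothetical candidates an administrator might consider.
HTTPS_ONLY = DEFAULT_PATTERN.replace("^http[s]?://", "^https://", 1)
NO_LOOKAHEAD = r"^http[s]?://.+"      # drops the exclusion group entirely

if __name__ == "__main__":
    for name, cand in (("HTTPS_ONLY", HTTPS_ONLY), ("NO_LOOKAHEAD", NO_LOOKAHEAD)):
        loosened, tightened = compare_to_default(cand)
        print(name, "loosened:", loosened, "tightened:", tightened)
```

A candidate with a non-empty loosened list reopens loopback or IP-literal destinations that the default blocks and should be reviewed before deployment.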

See Also

Microsoft Dynamics CRM 2011 and Microsoft Dynamics CRM Online
© 2011 Microsoft Corporation. All rights reserved.