Sandbox (Isolation) Mode in MS CRM

1         What is a Sandbox?

Sandbox is Testing or Isolated Environment where untested code will be deployed to test. It is also used in the information security. As the sandbox is meaning of filtering, When we code an application in sandbox mode. The code will get executed in the browser by limiting the Operating System API Calls. This will be helpful in stopping the malicious code to execute in the local System of the Server. This enhances the system security levels

2         MS-CRM Sandbox Understanding

Sandbox mode is introduced from 2011 MSCRM. Microsoft Dynamics CRM Provides the execution of Plugins and workflows in Isolation mode (Sandbox Mode), Dynamics CRM Collects runtime statistics of plugins and Custom workflows. If the sandbox worker process exceeds the threshold level, It will be automatically get killed by the application platform. So the plugins which are running by this worker process failed by throwing an exception. Exceptions will be found in trace files for the plugins registered in Sandbox. The above statements conclude that the Sandbox mode is recommended in secured environments, i.e. Sandbox mode (Isolation/Partial Trust) can be executed both in Online and On-Premises. None mode (Full Trust) is executed only in On-Premises.

2.1       Where can we see this Sandbox Runtime Statistics?

Plugin and Custom Workflows runtime information is captured in MSCRM Database. Search for the PluginTypeStatisticBase, Write a Select Query

“Select * from PluginTypeStatisticBase”.

This will record the Plugin Performance and runtime execution Statistics like failure or crash percentages of the Plugin.

plugintypestatasticbase-query

Figure 1: PluginTypeStatasticBase Query

 

2.2       Find Sandbox Processing Service

Sandbox Processing Service is found in your Services .mscservices

Figure 2: MS CRM Sandbox Processing Service

host-and-worker-process-services

Figure 3: Host and Worker Process Services

3         How Does Sandbox Plugin/Workflow Execution

  • Once the Plugin execution Context is created, the entire Context will be serialized and send it to the sandbox host process to execute the Plugin in the current Context.
  • The sandbox host process de-serializes the information and then serialize to assigned sandbox worker processes to execute the plugin
  • The sandbox worker process then de-serializes the current execution context and runs the plugin code in partial trust.
  • The returned result again shared back to the Host process.
  • The captured result in host process then sent back to the original process which raised the request for sandbox mode (w3wp.exe or CrmAsyncService.exe)

Note: Consider the plugin fired at Pre-Operation

plugin-execution-by-w3wp

Figure 4: Plugin Execution by w3wp Process

workflow-execution-by-crm-async-process

Figure 5: CRM Async Process Executing Custom Workflow

Note: Consider CRM Async Processes is running a workflow

 

 

4         Limitation of Sandbox Plugin/Custom Workflow

  • Only the HTTP and HTTPS protocols are allowed.
  • Access to localhost (loopback) is not permitted.
  • IP addresses cannot be used. You must use a named web address.
  • Anonymous authentication is supported and recommended.
  • Access to your local file Systems
  • Cannot be able to access the external Dlls and Dlls registered in GAC
  • Web Services cannot be accessed in the sandbox plugins

These restrictions are can be modified in server environment by editing the registry settings of the MSCRM. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\SandboxWorkerOutboundUriPattern

The key is defined in the Regular expression format and added as a registry strings, editing the regular expression string you can take out the first three limitations (Web access). It will be in this format

“^http[s]?://(?!((localhost[:/])|(\[.*\])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|(((([0-9]+)|(0x[0-9A-F]+))\.){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+”;”

External Dlls cannot be added but we can achieve this limitation by using ILMERGE tool (DLL Merger) tool.

Note: The sandbox processing service role defaults to outbound calls being enabled. If you do not want to permit outbound calls from custom code, you can disable outbound calls by setting the following registry key to 1 (DWORD) on the server that hosts the sandbox processing service role. Next, restart the Microsoft Dynamics CRM Sandbox Processing Service.

5         General Errors that Occurs in Sandbox registered Plugin/Custom Workflow

  • Attempting to use the AppDomain.CurrentDomain.AssemblyResolve event
  • Security Exception (partially trust callers)
  • IO.Path.GetTempPath() [System.Security.Permissions.EnvironmentPermissionException]
  • Any filesystem access code [System.Security.Permissions.FileIOPermissionException]
  • Attempting to use the EventLog [System.Diagnostics.EventLogPermissionException]
  • Attempting to use Isolated Storage [System.Security.Permissions.IsolatedStoragePermissionException]
  • Any references to Thread.CurrentThread caused a security failure.

 

 

6         Advantages of Sandbox Plugin

  • .Net Code Access Security feature will be working and access to file Systems and event logs will be prevented. When you want to execute the code in secure way in your server.
  • The process which executes your plugin can be killed if your plugin exceeds certain thresholds or becomes unresponsive.
  • Each organization of CRM has sandbox processes. So it is independent from organization to organization.
  • When we debug the plugin using remote debugger which is in full trust (NONE mode) will use the full resources of the Server and other users cannot perform their action on it. Sandbox uses only the Sandbox process service.
  • Azure cloud services can be implemented in the Sandbox Plugins
  • Plugin runtime execution Statistics can be recorded in MSCRM Database. Performance measuring steps can be taken in consideration from the captured outputs in DB.

 

3 thoughts on “Sandbox (Isolation) Mode in MS CRM

  1. Great article , thanks for the info.
    i wonder is there anyway to limit resource usage of sanbox worker process for a organization? like limiting cpu or ram usage?

    thanks

    Like

    1. I Have done little bit research.. what i found from other blogs

      “Here are the results of another scenario where we have seen this issue and fixed it through registry and web.config modifications.

      First, the web.config file for CRM will need 2 values changed:

      MaxRequestLength = 100MB

      maxAllowedContentLength = 100MB

      Next, the following Registry settings will need to be changed in the MSCRM hive of the Sandbox Server(s)

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM]

      “SandboxWcfHostMaxReceivedMessageSize”=dword: 616690c

      “SandboxWcfWorkerClientMaxReceivedMessageSize”=dword: 616690c

      “SandboxWcfWorkerMaxReceivedMessageSize”=dword: 616690c

      “SandboxWcfClientMaxReceivedMessageSize”=dword: 616690c

      “SandboxWcfSdkClientMaxReceivedMessageSize”=dword: 616690c

      “SandboxWcfSdkListenerMaxReceivedMessageSize”=dword: 616690c

      These values are tested to allow for 32MB attachments as the application maximum would allow. The values to allow every possible 32MB file to be uploaded could be higher than this as the compression algorithms can have an impact here.”

      FYI: https://social.microsoft.com/Forums/en-US/1d4d97b0-05dc-4f85-a2f0-fb2f047a0699/what-is-the-memory-limit-for-a-plugin-in-sandbox-isolation?forum=crm

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.