Data Encryption Errors After Restoring Dynamics CRM Database

Posted: October 9, 2014 in Dynamics CRM 2013, Dynamics CRM 2015

If you’re seeing an error similar to the one above, you’ve probably done a database backup and restore from a CRM 2013 instance into a new CRM 2013 or 2015 instance. This error will pop up when you try and modify a user’s email address, or open personal options from outlook, as well as when performing some other tasks around CRM that include sensitive data.

The Data Encryption error states: “There are encrypted fields in the organization database, but the data encryption feature isn’t activated. Contact your Microsoft Dynamics CRM system administrator to activate data encryption. To activate, go to System Settings > Data Management > Data Encryption…”

The reason this error occurs is because when we restore/import a database, data encryption is disabled by default, even if it was enabled in the system we took a backup from. This is because the encryption settings are stored in the config database, so the .bak file does not contain these settings.

According to the error, to enable encryption we need to go into Data Encryption under Data Management. However, we can only enable Data Encryption if CRM is using the https protocol, and usually the reason we’ve done a backup/restore is because we’re setting up a Dev or UAT copy of Prod, which may not need to be https.

This error states that “The HTTPS protocol is required for this type of request. Enable the HTTPS protocol and try again.” However, enabling https may not be ideal, and we still need to be able use the system.

Fortunately, there is a SQL script we can run on the config database which will allow us to use data encryption without using the https protocol:

UPDATE [MSCRM_CONFIG].[dbo].[DeploymentProperties]
SET [BitColumn]=1
WHERE ColumnName=’DisableSSLCheckForEncryption’

You shouldn’t do this on a production instance, but for Dev or UAT instances this is necessary.

Once that’s updated you need to do an IISRESET on the CRM server for the changes to take effect.

If we try opening that Data Encryption window again, we should see that encryption is disabled, and we can create a new key and activate it.

You should be able to get the encryption key from the original CRM system you backed up from. If not, then you can simply create a new encryption key.

When you activate, you might be faced with another error which states “Please select an account that is a member of the PrivUserGroup security group and try again”.

This is because although we might be a system admin in CRM, we cannot update the encryption key unless we are a member of the PrivUserGroup in Active Directory. We can either log into CRM as the user who installed CRM, or we can get our user added to that security group.

Once that’s done we should now be able to activate the encryption key.

You should now be able to edit user email addresses, and perform any other operations that require data encryption without any errors.

NOTE: This encryption error only happens when we restore from a CRM 2013 or 2015 backup. If we create a new org through Deployment Manager, or if we upgrade a CRM 2011 database, encryption will still be enabled by default. We can see when creating a new org the wizard informs us that encryption will be enabled.

  1. Fantastic help! You anticipated every hurdle I encountered and gave the clearest instructions I’ve ever seen. Thanks. I’ll be back!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s