Wednesday, November 23, 2016

Google Chrome Penalizes Websites Using SHA-1 SSL Certificates

Just recently, I was working with the Microsoft Dynamics GP 2016 web client and, as is customary, I ran my tests on the Google Chrome, Microsoft Internet Explorer and Edge browsers. When I brought up the web client website on Internet Explorer and Edge, nothing out of the ordinary seemed to happen and, effectively, the address bar was squeaky clean, as shown below:

Microsoft Edge address bar

Internet Explorer address bar

However, when you bring up the same site in Google Chrome, you are greeted with a site configuration warning and a struck-out https prefix, as shown below:

Chrome address bar

If you further click on the warning sign, you get additional information stating:

"This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private."

The Details link is more descriptive still: it opens the Chrome Security pane, where you get additional information stating that the certificate expiration date is approaching soon and that the page is insecure.

So, I figured, an SSL certificate is an SSL certificate and SHA-1 is by far better than HTTP or no certificate at all (which is not supported by the web client). However, I started digging a bit more and, as it turned out, Google has been phasing out support for SHA-1 certificates since version 42 of Chrome. The phase-out has happened slowly. In version 42, users received a simple yellow warning triangle with a padlock to indicate the site used a weak SSL encryption, if the site's certificate expired in 2016. If the certificate expires past 2016 -- like in the case of my certificate -- the user would receive a "broken https" indication.

At this point, it seems Google is not planning on blocking connections to sites with SHA-1 certificates, but this is no assurance that it won't happen. So what do you need to do? If you have third-party certificates in place, you have probably already been contacted by your Certificate Authority company and they have probably issued you a SHA-256 certificate. If you are using Active Directory Certificate Store certificates, you can read up on the TechNet article on Implementing SHA-2 in Active Directory Certificate Services.

If you are using Self-Signed certificates, you may want to use these only in a development environment and forego their use in production.

If you are unsure of what type of encryption you are running, you can check your SSL certificates at:


Note that the Qualys test can only be run on port 443.
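For a site that listens on a port other than 443, or that is only reachable internally, the signature algorithm can be read directly from the certificate. The following is an added example, not part of the original post, written for Windows PowerShell 5.1; the function name `Get-TlsCertificateSignature`, the host `gpweb.example.com` and port 8443 are placeholders.

```powershell
# Added example: report the signature algorithm of the certificate that a
# TLS endpoint presents, on any port. Host and port below are placeholders.

# OIDs of SHA-1 based signature algorithms (sha1RSA, sha1DSA, sha1ECDSA).
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',
    '1.2.840.10040.4.3',
    '1.2.840.10045.4.1'
)

function Get-TlsCertificateSignature {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept any certificate: the goal is to inspect it, and a weak or
        # self-signed certificate would otherwise abort the handshake.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{
                Endpoint           = "${ComputerName}:$Port"
                Subject            = $cert.Subject
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                UsesSha1           = $Sha1SignatureOids -contains $cert.SignatureAlgorithm.Value
                SelfSigned         = $cert.Subject -eq $cert.Issuer   # heuristic
                NotAfter           = $cert.NotAfter
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Dispose() }
}

# Usage against a placeholder endpoint (needs network access to the host):
#   Get-TlsCertificateSignature -ComputerName 'gpweb.example.com' -Port 8443

# The same check for certificates installed in the local machine store.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter,
        @{ n = 'SignatureAlgorithm'; e = { $_.SignatureAlgorithm.FriendlyName } },
        @{ n = 'UsesSha1'; e = { $Sha1SignatureOids -contains $_.SignatureAlgorithm.Value } }
```

A certificate that reports `UsesSha1 = True` is one Chrome will flag as described above; one that also reports `SelfSigned = True` belongs in a development environment only.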

Until next post!

Mariano Gomez, MVP

Thursday, November 10, 2016

Five Microsoft Dynamics GP Accounts Payable windows in need of renaming

As many of you know, I am now a member of Mekorma's Software Engineering team. A big part of what I do revolves around designing and engineering new features for our existing products and building entirely new products. In a cursory review of our flagship product, Mekorma MICR, I realized that Microsoft Dynamics GP has five (5) windows in need of a serious facelift. You see, the facelift is not because there's anything wrong with the windows' layout, but rather, everything wrong with their titles.

In the days when all the Accounts Payable module could do was check printing, the titles of these windows made perfect sense. However, times have changed and product functionality has expanded to support multiple vendor payment methods: everything from traditional checks, to electronic funds transfers (EFTs), to -- with the introduction of Dynamics GP 2016 -- credit card payments.

NOTE: The credit card payment feature supports building the payment batch and generating the remittances, but does not perform the actual charge and settlement of the credit card itself.

The windows are as follows:

1) Select Payables Checks

The proposed name change for this window is Build Payments Batch.

Select Payables Checks window

2) Edit Payables Check Batch

The proposed name change for this window is Edit Payment Batch.

Edit Payables Check Batch

3) Edit Payables Checks

The proposed name change for this window is Edit Vendor Payments.

Edit Payables Checks

4) Print Payables Checks

The proposed name change for this window is Print Payables Documents.

Print Payables Checks window

5) Post Payables Checks

The proposed name change for this window is Post Payables Documents.

Post Payables Checks

Some of these windows will need to undergo changes to prompts, values within drop-down lists, changes in button captions and even changes in reports to reflect the new realities. However, it is for the greater good of the product.

So, here's what I need... I need you to click on the following link and vote to push Microsoft to make these changes.

Here are a few immediate benefits of this change:

1. Increase relevancy of and provide clarity to the Accounts Payable functionality. Frankly, GP doesn't only print checks as a means to pay vendors.

2. Increase product acceptance in international markets. Most countries outside of the USA and Canada do not generate checks as a payment instrument, and the simple fact that all these windows make reference to checks (cheques elsewhere) can turn off a prospective client from buying the product or may force a reseller to explain it away.

3. Ease of understanding of product capabilities by customers and partners. You are the one who benefits directly as a result. Clear windows, with clear descriptions can only facilitate and reduce the amount of training required to understand the product.

4. Ability to expand into future payment methods without impacting customers' and partners' understanding of the product.

So please get out there and vote!

Until next post!

Mariano Gomez, MVP

Thursday, November 3, 2016

Microsoft Dynamics GP 2016 web client UI not displaying icons

Just today, I ran into a community forum post requesting an answer on why the Microsoft Dynamics GP 2016 web client UI does not display icons. Since I had run into this same issue before, I thought I would create this article to address the topic.

The Problem

Most users reporting this issue experience things like the images shown below, where the Microsoft Dynamics GP logo and the upper left corner application splash image are missing.

Microsoft Dynamics GP Sign In page (Sessions)

Furthermore, if you are able to access the application (mind you, sometimes this is not possible due to static content restrictions), you may find that your navigation bar and other areas of the application are missing their respective icons.

It is worth noting that in most cases, the missing icons do not negate the events of the buttons or objects they are associated with.

The theory

In web development, static content consists of files that don't change based on user input, such as JavaScript, Cascading Style Sheets, images, and HTML files. As you would expect, the Microsoft Dynamics GP web client icons and images fall within the category of static content. However, it is necessary to instruct the web server, in this case Internet Information Services (IIS), that it must serve any such content when it is requested.

Static Content is a feature that is turned on by default when IIS is deployed bare bones, that is, accepting all the default features. This is also known as deploying a static content IIS web server, which is the most basic of web servers.

The solution

Below, you will find instructions for Windows 10 and Windows Server 2012 and above.

Installing IIS Features on Windows 8 and Windows 10: Static Content

1. Right-click on Start and choose Programs and Features.

2. In the Windows Features window, locate and expand Internet Information Services.

3. Expand World Wide Web Services and Common HTTP Features.

4. Click on Static Content to enable this feature.

5. Click the OK button. Windows 8 and Windows 10 will proceed to apply the selected changes. When finished, click the Close button to exit.

At this stage, a reboot may or may not be required. Follow any instructions provided after closing the window.

Installing IIS Features on Windows Server 2012 R2: Static Content

1. Open Server Manager by clicking the Server Manager icon on the task bar.

2. In the Server Manager window, with the Dashboard and Quick Start selected, click Add roles and features, or click the Manage menu, and then click Add Roles and Features. The Add Roles and Features Wizard will start with a Before You Begin page. The wizard asks for verification of the following:

  • The administrator account has a strong password.
  • The network settings, such as IP addresses, are configured.
  • The most current security updates from Windows® Update are installed.

3. On the Before You Begin page, click Next.

4. On the Installation Type page, select Role-based or feature-based installation to configure a single server. Click Next.

5. On the Server Selection page, select Select a server from the server pool, and then select a server.

6. On the Server Roles page, expand Web Server (IIS).

7. Click Next twice to bypass the Features page and the Web Server Role (IIS) page.

8. On the Role Services page, expand Web Server and Common HTTP Features. Click to enable Static Content.

9. After you have added the role services that you need on the Role Services page, click Next.

10. On the Confirmation page, verify the role services and features that are selected. Select Restart the destination server automatically if required to restart the destination server if the settings need to take immediate effect. To save the configuration information to an XML-based file that you can use for unattended installations with Windows PowerShell, select Export configuration settings, move to the appropriate path in the Save As dialog box, enter a file name, and then click Save.

When you are ready to start the installation process on the Confirmation page, click Install.
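Both procedures above can also be scripted. The following is an added example, not part of the original post, that enables only the Static Content role service on either a client or a server edition of Windows and reports whether a restart is needed; the function name `Enable-IisStaticContent` is hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example: enable only the IIS Static Content role service and report
# whether a restart is needed. Run from an elevated PowerShell session.

function Enable-IisStaticContent {
    # ProductType 1 = client OS (Windows 8/10); 2 and 3 = server OS.
    $isClient = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1

    if ($isClient) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName 'IIS-StaticContent'
        if ($feature.State -eq 'Enabled') {
            # Already enabled: nothing to change in this run.
            return [pscustomobject]@{ Changed = $false; RestartNeeded = $false }
        }
        # -All also enables the parent IIS features this one depends on.
        $result = Enable-WindowsOptionalFeature -Online -FeatureName 'IIS-StaticContent' -All -NoRestart
        return [pscustomobject]@{ Changed = $true; RestartNeeded = [bool]$result.RestartNeeded }
    }

    # Server editions expose role services through the ServerManager module.
    Import-Module ServerManager
    $feature = Get-WindowsFeature -Name 'Web-Static-Content'
    if ($feature.Installed) {
        return [pscustomobject]@{ Changed = $false; RestartNeeded = $false }
    }
    $result = Install-WindowsFeature -Name 'Web-Static-Content'
    # RestartNeeded is reported as No, Yes or Maybe; treat anything but No as pending.
    return [pscustomobject]@{ Changed = $true; RestartNeeded = ($result.RestartNeeded -ne 'No') }
}

Enable-IisStaticContent
```

Naming the single role service keeps the web server's installed feature set as small as the fix requires.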

Until next post!

Mariano Gomez, MVP