Security and Upgrade Resources
Stay up to date with all of the latest changes and updates to make sure your organization is on track.
Latest Microsoft Update - September 9th 2022
As of Friday, Sept. 9, 2022, Sage received updated guidance from Microsoft specific to the use of SMTP Authorization for email integration between Sage 100 and 300 and Exchange Online.
While Microsoft will block basic authentication for many online services, active accounts using SMTP Auth will not be impacted by their actions as originally announced to begin October 1, 2022. This means that Sage 100 and 300 customers utilizing in-product email services to send quotes, invoices, etc. do not face a shutdown of this functionality beginning on October 1, 2022
TLS Security Changes
Sage is retiring support of Sage 100 versions to support important security enhancements.
Due to security risks, Sage servers will stop accepting communication from products using TLS 1.0 or 1.1. This means subscription customers will be required to be on a version that utilizes TLS 1.2. For Sage 100 this means 2019.4, 2020.1 or more current versions. If your software isn’t upgraded or updated by September 2023, Sage 100 will only be accessed in read-only mode.
If you are not using Sage 100 versions 2019.4, 2020.1 or newer, you will be impacted.
Contact us to discuss product upgrade or update options.
TLS Frequently Asked Questions
TLS is a security protocol that creates encryption paths over computer networks to help ensure that online communications cannot be intercepted.
Security protocols are a set of operations or steps that occur when data is delivered or exchanged between parties (e.g., when sending an email, processing a credit card transaction, or when any data is shared between a web browser and website). Security protocols help protect the communication and shared data.
Basic Authentication is outdated and more vulnerable to breach. Also, the two largest email providers (Google and Microsoft) have stopped or are planning to stop supporting Basic Authentication.
TLS 1.0 and 1.1 were replaced by TLS 1.2 starting in 2008 to provide improved data security and better protection for customer and application information communicated over the internet. Many companies and standards (e.g., HIPAA, PCI) require the use of TLS 1.2, as do many Sage ISVs. This move to TLS 1.2 will provide increased data protection and decreased risk for our customers and partners.
Since its launch in 2008, companies and regulatory standards have increasingly required adoption of TLS 1.2. Sage 100 and 300 began supporting the latest standard in our products several years ago, including announcements in product release notes and updates. However, until recently, Sage had not announced a mandatory upgrade.
Many customers are on older product versions where TLS 1.2 is not used. Sage implemented support of TLS 1.2 in Sage 100 and Sage 300 starting with version 2019. Customers automatically adopt the new standard as part of their update to any recent Sage 100 and Sage 300 version. We are notifying customers now to help ensure they will have adequate time to upgrade before Sage stops supporting the old security protocol come September 2023.
Subscription customers will be required to be on a version that utilizes TLS 1.2. For Sage 100 this means 2019.4, 2020.1 and newer versions. For Sage 300 this is 2019.6, 2020.3 and newer versions. Customers not on one of these recent releases, must upgrade to a version that utilizes TLS 1.2.
Upgrade time varies by customer and depends on several factors. Some customers will be able to apply product updates (PU’s), while others will need to perform a full upgrade as they would when moving to any new product version.
For customers that may also require a hardware upgrade, use of the hosted Sage Partner Cloud program may reduce or eliminate the need for a hardware investment, contact your DSD Strategic Account Manager or info@dsdinc.com
For customers on subscription, the software will be unable to acquire an updated expiration date from servers and will initiate subscription warning messages. If not addressed, the software will revert to read-only mode and restrict access after a grace period of approximately 45 days.
TLS 1.3 has not been implemented in Sage 100 and Sage 300 products, and internal systems do not require its use. While there are not specific plans yet, partners and customers Last update: August 12, 2022 will be notified once we update our software to support TLS 1.3 and notified well in advance of any required upgrade.
TLS 1.2 is already included in current and supported versions of the software. If you are not on one of the versions using TLS 1.2, you will need to upgrade.
For Sage 100, you must be on 2019.4, 2020.1 or a more current version.
For Sage 300, you must be on at least 2019.6, 2020.3 or a more current version.
To identify what version of Sage 100 you are running, access Help from the menu bar and select About. The major release will be displayed. For Sage 300, select System Info.
For Sage 100, the product update will be listed as part of the version number. For example, version 7.00.4.0 would mean you are using product update (PU) 4.
Each ISV will use TLS differently and have their own support policies. It is best to check with each of the vendors you use to determine if their products are impacted and if any updates are required.
The necessity to upgrade to TLS 1.2 is a requirement that has impacted many industries. Security has been increased in TLS 1.2 to help prevent personal information from being breached. It is important to discuss the options provided by Sage with us.
Yes. Customers not on a subscription plan may not experience a direct impact to software services but are highly encouraged to upgrade to a current version of Sage 100 and Sage 300 that supports TLS 1.2 to help mitigate vulnerabilities presented in the continued use of TLS 1.0 and 1.1.
Subscription customers will be impacted as outlined in the Overview section. Please note that Sage 100 payroll and Sage 300 payroll are only available as a subscription and therefore are impacted even if your ERP is a perpetual/M&S plan.
Microsoft OAuth Changes
You may lose the ability to email invoices and reports directly from Sage 100 in versions 2020 and older.
While this guidance also applies to other applications (like Sage Intelligence) that utilize SMTP Auth for email communication, customers need to be aware that many online services will be impacted; so, while Sage 100 and 300 are safe in the near term, other client applications using POP, IMAP, etc. can be impacted starting October 1, 2022. The latest information from Microsoft, including which services are impacted and what to do in the event that a customer is inadvertently blocked, can be found here.
While this new guidance reduces the urgency of upgrading for Sage 100 and Sage 300 customers on older releases, Microsoft continues to push toward the elimination of basic authentication to protect their customers. DSD strongly recommends that all customers be on a version that supports OAuth to reduce the risk of data breach and leverage additional security updates built into newer versions of our software. Support for older versions of Sage 100 will be retired soon. To prevent interruptions to the full use of Sage 100, please update or upgrade your software according to the steps below or email us at info@dsdinc.com to get started.
Microsoft® has announced the retirement of Basic Authentication for Microsoft Exchange, and now requires Modern Authentication (OAuth) to send emails in Sage 100.
If you are using a Sage 100 version older than 2021.4 or 2022.1, you will be impacted.
Upgrade to at least the most current 2021 version by October 1, 2022.
Contact us to discuss product upgrade or update options.
Microsoft OAuth
Frequently Asked Questions
The original, simple way to verify your identity using a login ID and password. This basic approach has proven to be a security risk versus more modern methods because anyone that gets these credentials can access your accounts and information.
Modern Authentication or “OAuth” involves a combination login authentication and authorization to make it much harder to gain access to your information. An example is the use of multi-factor authentication (MFA) access codes sent via email or text, or authentication software tools like Microsoft Authenticator. It is far superior to Basic Authentication in protecting your accounts and information.
Basic Authentication is outdated and more vulnerable to breach.
Also, the two largest email providers (Google and Microsoft) have stopped or are planning to stop supporting Basic Authentication.
Various email providers have announced a move to modern authentication at different times. In September 2021, Microsoft announced that effective October 1, 2022, that they would stop supporting Basic Authentication for their online services (including Microsoft Exchange online email and other services). Google stopped supporting Basic Authentication for Gmail on May 30, 2022.
Both Sage 100 and Sage 300 use a customer’s email to perform certain functions in the product, like sending an invoice, quote, or statement to a client. In Sage 100 this is done in the Paperless Office module, and in Sage 300 there are various locations in the product where this occurs.
Customers on versions of Sage 100 and Sage 300 that do not support integration via Modern Authentication (OAuth) may see these functions stop working correctly if the customer uses an email service that no longer supports Basic Authentication.
No. Any product (Sage or otherwise) that a customer runs that integrates with Microsoft webbased email using Basic Authentication will be affected. For Sage 100, this is Paperless Office. For Sage 300 this interaction occurs throughout the product.
No. All versions of Paperless Office are impacted if a customer is using the integrated email functionality.
Sage 100 began supporting OAuth in versions 2021.4 and 2022.1. Customers will need to upgrade or apply a product update if they are using an impacted email service. Sage 300 customers must be 2020.8, 2021.8 or 2022.2 to support Modern Authentication.
Currently for Sage 100, versions 2022 thru 2020 are supported by the lifecycle policy. Reference the Sage Knowledgebase for further details.
Currently for Sage 300, versions 2022 thru 2020 are supported by the lifecycle policy. Reference the Sage Knowledgebase for further details.
Important Note: Product versions that support Modern Authentication and TLS 1.2 may differ from current and supported products of Sage 100 and 300. The most current and supported version of Sage 100 and Sage 300 may also change during the course of these notifications as new product versions are released. You are encouraged to elect and remain on a current and supported version of the product to help mitigate security risks.
No. This matter affects all customers the same, regardless of license or if they are on or off plan
Integrated functions in the software that utilize a customer’s email service may stop working correctly.
This only applies to customers using an email service that requires Modern Authentication (OAuth).
Customers may receive an email login or connection error.
Upgrade time varies by customer and depends on several factors. Some will be able to apply product updates (PU’s) to get to supported versions, while others will need to perform a full upgrade as they would moving to any new version. For customers that may also require a hardware upgrade, use of our hosted Sage Partner Cloud program may reduce or eliminate the need for a hardware investment. Contact us for more information.
Yes, but it would require moving to an email service provider that will continue to support Basic Authentication or have an alternative means of supporting Modern Authentication outside of the ERP application. Some customers may also choose to run their own email server to bypass these requirements, but they would not realize the benefits of improved email security. Customers should check with us or IT providers for options and additional assistance.
This move by Microsoft, Google, and other email providers to discontinue support of Basic Authentication impacts any product or service that integrates with a customer’s email. This is not limited to Sage, or even the products that integrate with Sage. It is best that a customer and or their partner check with each of the vendors they use to determine if their products are impacted and if any upgrades are required.
Sage / Microsoft Articles
As of Friday, Sept. 9, 2022, Sage received updated guidance from Microsoft specific to our use of SMTP Auth for email integration between Sage 100 and 300 and Exchange Online.
10/14/2022 UPDATE:
How to configure Sage 100 OAuth E-mail settings for use with a Microsoft 365 App Registration
How to configure Sage 100 OAuth E-mail settings for use with a Microsoft 365 App Registration.
10/05/2022 UPDATE
Using OAuth 2.0 with
Sage 100
Using OAuth 2.0 with Sage 100 (available in Sage 100 2021 and later) for Paperless Office e-mail.
9/1/2022 UPDATE:
Microsoft Basic Authentication Deprecation in Exchange Online
Starting October 1st, Microsoft will start to randomly select tenants and disable basic authentication access for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. Microsoft will post a message to the Message Center 7 days prior, and we will post Service Health Dashboard notifications to each tenant on the day of the change.
08/18/2022 UPDATE:
Error: "The Authentication process failed." Resolution
Error: “The Authentication process failed.” {“error”:”invalid_request”, “error_description”: “AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD when testing email on a Sage 100 Advanced or Premium workstation from Company Maintenance using OAuth Authentication. Product updates have been released to address this issue.
09/09/2022 UPDATE:
Deprecation of Basic authentication in Exchange Online
Basic authentication makes it easier for attackers to capture user credentials (particularly if the credentials are not protected by TLS), which increases the risk of those stolen credentials being reused against other endpoints or services. Furthermore, the enforcement of multifactor authentication (MFA) is not simple or in some cases, possible when Basic authentication remains enabled.
DSD Resources
TLS Frequently Asked Questions
