Enable SSO with Business Central On-Prem in Web Client

Hi,

in this blog post, I will describe steps which you need to complete to have fully functional Office 365 Authentification into Business Central On-Prem.

Out of the box, O365 Authentification was enabled for years and it was expected that it will work in Dynamics 365 Business Central On-Prem, but when you created Azure VM with manual installation of Dynamics 365 Business Central, you usually get Error 404 from IIS.

I was sure that I did everything by the book in Dynamics 365 BC configuration, double check navsettings.json, firewall, ports, DNS, certificate, customsettings.config everything was how it needs to be – how it was configured in NAV 2018.

I have successful login with O365 to Dynamics 365 BC Windows Client, but what I am missing for Web Client was my biggest question. Then I started to read each letter in the navsettings.json file and found this.

“AccessControlService – Authentication for the Web Client is handled by Microsoft Azure Access Control Service (ACS).”,
” An ACS namespace needs to be set up before. Also, the Identity Providers need to be set up”,
” as well as the Relying Party representing the NAV Web Client.”,
” To support ACS, you must specify the WS-Federation Login Endpoint in the Dynamics NAV Server”,
” instance configuration file (key = WSFederationLoginEndpoint).”

First thing what is “Relying Party representing the NAV Web Client?” – this was my light bubble over the head. To configure that first, you need to have a server which is part of the domain – you need to have “Active Directory Domain Controller” – how to install that you can find on this link https://www.youtube.com/watch?v=VkcoX8_v4IQ.

Now I need Active Directory Federation Services (AD FS). To do that I will install server role called Active Directory Federation Services on my server. After the installation is completed I need to do the setup, and for that, I will click on Server Manager -> Tools -> AD FS Management and in a new window I will click on Relying Party Trusts

In new window, I will choose Claims aware and click on Start.

In Select data source, I will choose Enter data about relying part manually and click Next.

In Specify display name enter a Display name for your web client.

In Configure URL window select Enable support for the WS-Federation Passive protocol and after that enter Protocol URL in format https://computername:port/instancename. This is the address of your web client. If you use default 443 port for SSL then the port is not needed.

In Configure Identifiers window leave Relying party trust identifiers as it is configured already – only address of your web client and click Next to the Finish window.

When you come to Finish window select boolean on Configure claims issuance policy for this application and then click Close. 

New window Edit Claim Issuance Policy for Business Central Web Client will open. Click Add rule…

Now I will enable SAML and YWT tokens.

In new window Add Transform Claim Rule Wizard choose Transform an Incoming Claim template and click Next. 

In Configure Claim Rule window specify parameters like on the following picture and click Finish.

Now when in window Edit Claim Issuance Policy for Business Central Web Client click again Add rule … In new window Add Transform Claim Rule Wizard choose Transform an Incoming Claim template and click Next. In Configure Claim Rule window specify parameters like on the following picture and click Finish.

Now when in window Edit Claim Issuance Policy for Business Central Web Client click again Add rule … In new window Add Transform Claim Rule Wizard choose Send Claims Using a Custom Rule and then click Next. 

In Configure Claim Rule window specify parameters like on the following picture and click Finish.

Now when in window Edit Claim Issuance Policy for Business Central Web Client click again Add rule … In new window Add Transform Claim Rule Wizard choose Send Claims Using a Custom Rule and then click Next. In Configure Claim Rule window specify parameters like on the following picture and click Finish.

Now what we need to finish configuration of AD FS is execute PowerShell script: Set-ADFSRelyingPartyTrust –TargetIdentifier “https://computername.eastus.cloudapp.azure.com/bc130/” –EnableJWT $true

Now what you need is to create Azure app in Azure Management Portal in my Office 365 subs.

I will register an application with following Properties.

• Application ID – generated app ID, I need it later
• Name – the name of my azure app
• APP ID URI – generated app id URI, I need it later
• home page URL – address of my web client

In Reply URLs I must define the address of my web client/signin

Now I will go to Microsoft Dynamics 365 Business Central Administration and do the following setup

1. Application Client ID: Application ID from Azure
2. Azure AD App ID URI: App ID URI from Azure
3. WS-Federation Login Endpoint: https://login.windows.net/O365 TENANT/wsfed?wa=wsignin1.0%26wtrealm=AZURE AD APP ID URI%26wreply=REPLY URL FROM AZURE
4. WS-Federation Metadata Location: copy value from Federation Metadata Document under the Endpoints.

Now to enable Office 365 authentification in Web client you need to find the navsettings.json file on the server.

Open navsettings.json and modify following keys:

“ClientServicesCredentialType”: “AccessControlService”

“DnsIdentity”: “computername.eastus.cloudapp.azure.com” – or the name of the certificate.

That’s all for this blog post. Hope you will find it useful.

Br,

Renato.

The post Enable SSO with Business Central On-Prem in Web Client appeared first on fajdiga.info.