Entra application proxy to Business Central redirect to private URL

Entra application proxy to Business Central for single sign on Entra ID Users via External Public URL
Hi,

We have implemented Azure Entra Application Proxy in the environment together with Business Central to authenticate Entra ID users to log in via the External URL from the Internet.

Azure App Proxy settings:

Internal Url: https://PrivateUrl:8443/
External Url: https://PublicUrl/
Redirect URI: https://<PublicUrl/ApplicationPage>/SignIn

Business Central (BC) uses the KB article below to change the authentication point to Azure Entra ID and the application registered in Azure:
https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/authenticating-users-with-azure-active-directory?tabs=singletenant%2Cadmintool
The redirect URL in the Business Central (BC) application is also set to the Public URL to match the Redirect URI in the Azure App, based on Task 4 of the above KB:
/https://login.microsoftonline.com/<EntraTenant>/wsfed?wa=wsignin1.0%26wtrealm=https://<PublicUrl>%26wreply=https://<PublicUrl/ApplicationPage>/SignIn/

However, when accessing the External URL from the Internet, it's getting redirected to the Private URL of the Appl with error: AADSTS50011

When we add this Private URL 'https://PrivateURL:8443/ApplicaitonPage/SignIn' to the Azure Redirect URI page, it works fine when connecting from the internal network, as the private URL DNS resolves and the authentication to Business Central using an Entra ID user is successful. But it fails when connecting from a public network, as the Private URL is not resolvable on the Internet.

Based on the below AADSTS50011 KB from Microsoft, it's due to the Reply URL that is triggered from the Business Central application.

Please advise the BC configuration required so that the Reply URL from BC is the Public URL instead of the Private URL. Thanks
  • Suggested answer
    TJ-28111416-0
    Hi,
     
    Late reply, but I found your post when trying to find a solution for this exact problem, which we had while testing the updated BC24 in UAT. BC18 used WSFederation, where you could define a fixed reply URI in the WSFederation settings. Now that WSFederation is no more and OpenID is used, this reply URI cannot be set in the options and the behavior we both experienced is kicking in.
     
    Weirdly enough, we got it running by DISABLING the standard setting "Translate Urls in headers" in the advanced tab of the application proxy. No, I still can't explain why this would fix it, but it does. We updated the ticket with Microsoft with our finding and asked them to clarify why this actually fixes the problem, and I will update this here if and when I get the answer.
     
    Hope this will be reproducible in your environment as well. Good luck!
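
Added example, not part of the thread or of any Microsoft tooling: a Python check that extracts the reply URL from a sign-in request to Entra ID (redirect_uri for OpenID Connect, wreply for WS-Federation) and compares it with the registered redirect URIs, flagging the case discussed above where the internal host is sent and AADSTS50011 results. The host names, the BC path and the function names are constructed placeholders, and the comparison is a simplified exact match.

```python
from urllib.parse import urlsplit, parse_qs, unquote

def reply_url(signin_request):
    """Return the reply URL carried by a sign-in request, or None."""
    query = urlsplit(signin_request).query
    # Second pass handles '&' stored as %26, as in the BC WS-Federation setting.
    for candidate in (query, unquote(query)):
        params = parse_qs(candidate)
        for key in ("redirect_uri", "wreply"):
            if key in params:
                return params[key][0]
    return None

def _norm(url):
    # Scheme and host[:port] compare case-insensitively; the path is kept as sent.
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path)

def diagnose(signin_request, registered, internal_host):
    """Classify the reply URL against the registered redirect URIs."""
    sent = reply_url(signin_request)
    if sent is None:
        return "no-reply-url"
    if _norm(sent) in {_norm(r) for r in registered}:
        return "match"
    if urlsplit(sent).hostname == internal_host.lower():
        return "internal-url-leak"   # the situation in this thread
    return "mismatch"

# Constructed sample data (placeholders, not values from the thread).
REGISTERED = ["https://publicurl.example/BC/SignIn"]
INTERNAL_HOST = "privateurl.example"
OIDC_REQUEST = (
    "https://login.microsoftonline.com/EntraTenant/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fprivateurl.example%3A8443%2FBC%2FSignIn"
)
WSFED_SETTING = (
    "https://login.microsoftonline.com/EntraTenant/wsfed?wa=wsignin1.0"
    "%26wtrealm=https://publicurl.example"
    "%26wreply=https://publicurl.example/BC/SignIn"
)

if __name__ == "__main__":
    for name, req in (("OpenID Connect", OIDC_REQUEST), ("WS-Federation", WSFED_SETTING)):
        print(name, reply_url(req), diagnose(req, REGISTERED, INTERNAL_HOST))
```

Paste the login.microsoftonline.com URL from the browser address bar or a network trace as the first argument to see which reply URL the application actually sent.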
