NAV 2017 On-Prem ADFS SSO Issue mapping users

(0) Share

Report

Posted on by russtoleum

Hello all, I am posting about a NAV environment I have inherited. It is currently setup and working. It is in a 2 server config

NAV01 -

SQL 2016 with NAV Components

NAV02 -

NAV Application and Components and Web Server

I feel like I should note that when I first started working on this the web client wasn't evening functioning. This was not an issue since all users were using the Windows client and for some reason, the option was installed but most of the web files were deleted so the page didn't load at all. I got that 100% working with Windows authentication.

The problem is I am needing to publicly publish the NAV web client due to new needs from accounting. Before I can publish I need to get mfa working. I planned to do this following this doc:

Authenticating Users with Active Directory Federation Services 2017 - Dynamics NAV | Microsoft Learn

What I find confusing is even though this doc touches on Azure AD integration, it appears if you have ADFS on-prem and NAV 2017 on-prem then you don't need to consider an azure environment. I'm still not certain of that.

Anyway, I can get it working so that the web client shows the ADFS login, accepts my creds and my DUO push (which is integrated with ADFS), but then throws the error that even though I am authorized I don't have access to NAV data. Even though I'm using the same user account that works when the auth is set to Windows and not AccessControlService. I am no expert on either NAV or ADFS but it really feels like a simple user mapping issue.

I have tried both SAML tokens and JSON Web tokens. I have tried so many different configurations I am very confused what I have tried and what I haven't.

I am attaching a screenshot of the NAV error. Here are some event log errors:

Error 1:

Server instance: NavTestCon

Tenant ID: <ii><ii>default</ii></ii>

<ii>You do not have access to Microsoft Dynamics NAV. Verify that is set up as a valid Microsoft Dynamics NAV user.</ii>

Error 2:

The management service endpoint is not available. Make sure that the management service port is set correctly in the web server config file.

Error 3:

Unable to redirect to retrieve authorization code. TokenAuthority: '', ClientID: '00000000-0000-0000-0000-000000000000'

Screenshot:

Last thing I feel I should mention. Our pre-windows 2000 Domain CTOSO\USERNAME is different than our USERNAME@contoso.org Domain. I never got a straight answer but I believe they changed the domain but didn't see the need to change them both.

Thank you for your time, any assistance is appreciated.

I have the same question (0)

All responses (12)

Answers (1)

Suggested answer

Nitin Verma 21,698 Moderator on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Hi,

make sure you have setup the same user in RTC first you are trying to log in web.

Thankyou.

Was this reply helpful? Yes No
russtoleum 5 on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Thank you for such a prompt response but I need clarification please.

I forgot to mention that since everything was already setup there are several users already created. Those users are however tied into the local AD.

I have had to glean everything up to now about users and permissions but my user was added by the accounting department with SUPER user permissions.

So how do I make sure I have setup the same user if it already exists and is associated with my AD user of the same username and password. I'm really just trying more or less convert to AccessControlService from Windows authentication.

I'm happy to provide any info you require.

Was this reply helpful? Yes No
Suggested answer

Nitin Verma 21,698 Moderator on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Can you check this?

The management service endpoint is not available. Make sure that the management service port is set correctly in the web server config file.

Was this reply helpful? Yes No
russtoleum 5 on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

So I got that to go away but I still get these two warnings in the event viewer:

Event 1:

Unable to redirect to retrieve authorization code. TokenAuthority: 'login.windows.net/common', ClientID: '00000000-0000-0000-0000-000000000000'

I feel like this one shouldn't matter since I'm not involving Azure at all.

Event 2:

Server instance: DynamicsNAV100

Tenant ID:

<ii>Received security token, which could be validated, but which does not give access to Microsoft Dynamics NAV.

Issuer: sso.contoso.com/.../trust

Expiry (UTC): 12/15/2022 5:22:22 AM

Claims in token:

aud: https://dynamicsnavwebclient

iss: sso.contoso.com/.../trust

iat: 1671078142

nbf: 1671078142

exp: 1671081742

schemas.xmlsoap.org/.../name: russtoleum@contoso.com

schemas.microsoft.com/.../objectidentifier: S-1-5-21-1757981266-2052111302-1417001333-00000

schemas.microsoft.com/.../authenticationmethod: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

schemas.microsoft.com/.../authenticationinstant: 2022-12-15T04:22:22.415Z

ver: 1.0

</ii>

I of course had to remove the identifying stuff but these are now the only 2 errors when I attempt login, I still get this though:

But there is no more error about the management port and the user it says doesn't exist, does and is mapped to my AD user, the only difference is in NAV the syntax is the pre-2000 DOMAIN\USERNAME

Was this reply helpful? Yes No
Suggested answer

Nitin Verma 21,698 Moderator on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Refer the below link

community.dynamics.com/.../852357

Was this reply helpful? Yes No
Suggested answer

Nitin Verma 21,698 Moderator on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

learn.microsoft.com/.../problem-getting-access-token-in-ad-aadsts70000-the.html

Was this reply helpful? Yes No
russtoleum 5 on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Thank you so much for the help but this sends me down another rabbit hole that I can't venture down until I get some sleep.

In the meantime would you mind at very least confirming that in theory this should work.

On-Prem Dynamics NAV 2017 CU3

On-Prem ADFS 3.0

And that's it, no other requirements are necessary?

Was this reply helpful? Yes No
Verified answer

Marco Mels on at

Like (1)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Hello,

Yes, the scenario should work as I personally did setup ADFS a few times in a test environment for a few support requests I had to work on. The best advice I can give is to ensure you are running latest CU as this customer is running 58 CU's behind. Especially since you mentioned this needs to be published externally. In my opinion you should not do this if you are running such an old Dynamics NAV release. The documentation related to this setup can be find here:

learn.microsoft.com/.../authenticating-users-with-active-directory-federation-service

As you mentioned you are not familiar with ADFS and Dynamics NAV as you inherited the environment. Best probably is to find a Dynamics partner to help you with the setup. Apart from that, Dynamics NAV 2017 is no longer supported. Dynamics NAV 2018 will reach end of life cycle in January 2023.

The setup in Dynamics NAV is straight forward, there are two keys related in customsettings.config file:

1. wsfederationloginendpoint

2. ClientServicesFederationMetadataLocation

If the management endpoint (web.config file) is not reachable or is not yet supported in your Dynamics NAV release or CU release (support for this was added in a later CU release), then the scenario will fail. On the users page, the mail address should be populated with the correct mail address that is assigned to the users (UPN).

The setup is relatviely complicated when you are not that familiar with ADFS or AD in general. If you do want to use ADFS that ships with Office 365 (Azure AD authentication), then find a local partner that can help you with this.

Thank you.

Was this reply helpful? Yes No
russtoleum 5 on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Thank you both, I'm going to digest and try to apply this. I will report back with success or failure. Again, thanks.

Was this reply helpful? Yes No
russtoleum 5 on at

Like (0)

Report

RE: NAV 2017 On-Prem ADFS SSO Issue mapping users

Hey Marco, I hope you are still around, I was hoping to clear a few things up. First, on the link you provided, that goes to the setup to 2018. When I click the link to see the instructions for 2017: learn.microsoft.com/.../authenticating-users-with-active-directory-federation-service-2017 and that is the document I have been referencing the whole time, it says in the beginning that NAV 2017 with no CUs is compatible. Is that not the case? I got the ok to install the latest CU but I have to wait for a lot of red tape still. I'd like to get this working but if I can't on CU 3, it is what it is.

Also, it's sort of neither here nor there, but I'm very familiar with AD, it's just ADFS I'm not very learned in. I suppose that's 2 out of components at play but I still gotta try. That is my attempt at convincing you that replying to me isn't futile.

The 2 settings you mention are set. I even setup a separate non-prod instance in NAV so I could tinker more. I have the CredentialType set to AccessControlService and the 2 above settings set for the instance server config. I also have everything in the web.config set for the new instance I setup there as well. But I'm still being told by nav my user doesn't exist.

I have also triple checked that on my user config page in NAV under the Office 365 Authentication tab has my email address in the auth email. And I'm still getting these errors:

Server instance: NavTestCon

Tenant ID: <ii><ii>default</ii></ii>

<ii>You do not have access to Microsoft Dynamics NAV. Verify that russtoleum@contoso.com is set up as a valid Microsoft Dynamics NAV user.</ii>

Server instance: NavTestCon

Tenant ID:

<ii>Received security token, which could be validated, but which does not give access to Microsoft Dynamics NAV.

Issuer: nav.contoso.com/.../trust

Expiry (UTC): 12/19/2022 8:11:23 PM

Claims in token:

schemas.xmlsoap.org/.../name: russtoleum@contoso.com

schemas.microsoft.com/.../objectidentifier: S-1-5-21-1757981266-2052111302-0000000000-00000

schemas.microsoft.com/.../authenticationmethod: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

schemas.microsoft.com/.../authenticationinstant: 2022-12-19T19:11:23.819Z

</ii>

As soon as I turn the cred type to Windows, i can login fine. This feels like either ADFS is sending the wrong info to NAV, are I am missing a setting somewhere.

What is frustrating for me is of course my ignorance of NAV. The instructions clearly say I don't need Azure AD to make this work, but I have to use the same settings as if I was setting up with Azure.

Also, this error looks like it might have something to do with the problem.

Server instance: NavTestCon

Tenant ID:

<ii>User:

Type: System.ObjectDisposedException

Message:

<ii>Cannot access a disposed object.

Object name: 'internalDictionary'.</ii>

ObjectName: internalDictionary

StackTrace:

at Microsoft.Dynamics.Nav.Runtime.DisposedImmutableDictionary`2.ContainsKey(TKey key)

at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.CheckAddTenant(String tenantId, IEnumerable`1 alternateIds)

at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.AddTenant(NavTenantSettings tenantSettings, Boolean overwriteTenantIdInDatabase, Boolean verifyDatabaseConnection, Boolean verifyServerInstanceKey, Boolean setSingleUserWhileOverwritingTenantId)

at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.ConfigureTenants(ServerUserSettings settings)

at Microsoft.Dynamics.Nav.Runtime.NavTaskFactory.<>c__DisplayClass11_0.<StartNewTask>b__0()

at System.Threading.Tasks.Task.Execute()

Source: Microsoft.Dynamics.Nav.Ncl

HResult: -2146232798

</ii>

Thanks for the info so far and any new direction you can give me. Even if it's just to say 'give up'.

Was this reply helpful? Yes No