I decided I needed to provide my ultimate solution on the unbelievable chance someone else got hung up on this super dumb thing.
I can't say for certain, but it appears the problem was using an https address on the second token (schemas.microsoft.com/.../objectidentifier), the outgoing claim for the primary SID.
I had upgraded the application platform to CU61 and it still didn't work. Once I changed the above address to the same thing, only with http instead, it started accepting my creds for NAV.
Does that make any sense at all? I still have a lot to learn about ADFS.
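The http-versus-https mix-up above comes down to the fact that a claim type is a URI compared as a plain string, so `https://.../objectidentifier` is simply a different claim from `http://.../objectidentifier`. The script below is an added example, not code from this thread or from Microsoft: it parses the "Claims in token" section of the NAV event text and reports any required claim type that is missing or differs only in scheme. It assumes (this is not stated on the page) that the server matches claim types exactly and that the two it needs are the standard `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` and `http://schemas.microsoft.com/identity/claims/objectidentifier` URIs; the sample event text is constructed to resemble the ones posted in this thread.

```powershell
# Added example, not code from the original thread. Reads the "Claims in token"
# section of a NAV "Received security token ... does not give access" event
# and checks the claim TYPES character for character against what the
# AccessControlService credential type needs.
# Assumptions not stated on the page: NAV compares claim types as exact
# strings, and the two it needs are the standard URIs listed here.
$RequiredClaimTypes = @(
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',     # authentication e-mail on the NAV user card
    'http://schemas.microsoft.com/identity/claims/objectidentifier'  # Primary SID, transformed in the ADFS claim rule
)

function Get-TokenClaims {
    param([Parameter(Mandatory)][string]$EventText)
    # @{} hashtables compare keys case-insensitively; claim type URIs are
    # case-sensitive, so build a case-sensitive hashtable explicitly.
    $claims = [System.Collections.Hashtable]::new()
    $inClaims = $false
    foreach ($line in ($EventText -split "`r?`n")) {
        if ($line -match '^\s*Claims in token:\s*$') { $inClaims = $true; continue }
        if (-not $inClaims) { continue }
        # "<claim type>: <value>"; the type has no whitespace, the value may contain colons.
        if ($line -match '^\s*(\S+?):\s+(.*\S)\s*$') { $claims[$Matches[1]] = $Matches[2] }
    }
    return $claims
}

function Test-NavTokenClaims {
    param([Parameter(Mandatory)][System.Collections.Hashtable]$Claims)
    $problems = New-Object System.Collections.Generic.List[string]
    foreach ($required in $RequiredClaimTypes) {
        if ($Claims.ContainsKey($required)) { continue }
        # No exact match. Look for the near miss from this thread: same path,
        # different scheme. ADFS issues it without complaint and NAV then logs
        # the token as valid but not giving access.
        $nearMiss = @($Claims.Keys | Where-Object {
            ($_ -replace '^https?://', '') -ceq ($required -replace '^https?://', '')
        })
        if ($nearMiss.Count -gt 0) {
            $problems.Add("claim type '$($nearMiss[0])' was issued, but NAV looks for '$required' (the scheme must match exactly)")
        } else {
            $problems.Add("required claim type '$required' is missing from the token")
        }
    }
    $oid = 'http://schemas.microsoft.com/identity/claims/objectidentifier'
    if ($Claims.ContainsKey($oid) -and $Claims[$oid] -notmatch '^S-1-5-21(-\d+){4}$') {
        $problems.Add("objectidentifier value '$($Claims[$oid])' is not a domain account SID; check that the ADFS rule transforms Primary SID")
    }
    return ,$problems   # leading comma keeps an empty list from unrolling to $null
}

# Constructed sample (not a real log): the ADFS rule used an https:// URI for
# the SID claim, as in the first post of this thread. Host and SID are made up.
$SampleEvent = @'
Received security token, which could be validated, but which does not give access to Microsoft Dynamics NAV.
Issuer: http://sso.contoso.com/adfs/services/trust
Expiry (UTC): 12/19/2022 8:11:23 PM
Claims in token:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: russtoleum@contoso.com
https://schemas.microsoft.com/identity/claims/objectidentifier: S-1-5-21-1757981266-2052111302-1417001333-1105
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant: 2022-12-19T19:11:23.819Z
'@

$claims   = Get-TokenClaims -EventText $SampleEvent
$problems = Test-NavTokenClaims -Claims $claims
if ($problems.Count -eq 0) {
    'claim types OK: look at the NAV user card and its authentication e-mail instead'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

To use it on a real failure, paste the event text from Event Viewer into `$SampleEvent` (or read it from a file with `Get-Content -Raw`). The point of doing the comparison case-sensitively and with the scheme included is that this is how the server sees the claim; a check that normalises the URI first would hide exactly the mistake described above.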
Hi, just adding some info, hope the following helps as well.
Authenticating Business Central Users with Azure Active Directory (Sign in to Business Central On-Premises with Office 365 account)
Thanks.
ZHU
Hey Marco, I hope you are still around, I was hoping to clear a few things up. First, the link you provided goes to the setup for 2018. When I click the link to see the instructions for 2017 (learn.microsoft.com/.../authenticating-users-with-active-directory-federation-service-2017), which is the document I have been referencing the whole time, it says at the beginning that NAV 2017 with no CUs is compatible. Is that not the case? I got the OK to install the latest CU but I still have to wait for a lot of red tape. I'd like to get this working, but if I can't on CU 3, it is what it is.
Also, it's sort of neither here nor there, but I'm very familiar with AD, it's just ADFS I'm not very learned in. I suppose that's 2 of the components at play, but I still gotta try. That is my attempt at convincing you that replying to me isn't futile.
The 2 settings you mention are set. I even set up a separate non-prod instance in NAV so I could tinker more. I have the CredentialType set to AccessControlService and the 2 above settings set in the instance server config. I also have everything in the web.config set for the new instance I set up there as well. But I'm still being told by NAV that my user doesn't exist.
I have also triple-checked that the Office 365 Authentication tab on my user config page in NAV has my email address in the auth email. And I'm still getting these errors:
Server instance: NavTestCon
Tenant ID: default
You do not have access to Microsoft Dynamics NAV. Verify that russtoleum@contoso.com is set up as a valid Microsoft Dynamics NAV user.
Server instance: NavTestCon
Tenant ID:
Received security token, which could be validated, but which does not give access to Microsoft Dynamics NAV.
Issuer: nav.contoso.com/.../trust
Expiry (UTC): 12/19/2022 8:11:23 PM
Claims in token:
schemas.xmlsoap.org/.../name: russtoleum@contoso.com
schemas.microsoft.com/.../objectidentifier: S-1-5-21-1757981266-2052111302-0000000000-00000
schemas.microsoft.com/.../authenticationmethod: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
schemas.microsoft.com/.../authenticationinstant: 2022-12-19T19:11:23.819Z
As soon as I turn the cred type to Windows, I can log in fine. This feels like either ADFS is sending the wrong info to NAV, or I am missing a setting somewhere.
What is frustrating for me is of course my ignorance of NAV. The instructions clearly say I don't need Azure AD to make this work, but I have to use the same settings as if I was setting up with Azure.
Also, this error looks like it might have something to do with the problem.
Server instance: NavTestCon
Tenant ID:
User:
Type: System.ObjectDisposedException
Message:
Cannot access a disposed object.
Object name: 'internalDictionary'.
ObjectName: internalDictionary
StackTrace:
at Microsoft.Dynamics.Nav.Runtime.DisposedImmutableDictionary`2.ContainsKey(TKey key)
at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.CheckAddTenant(String tenantId, IEnumerable`1 alternateIds)
at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.AddTenant(NavTenantSettings tenantSettings, Boolean overwriteTenantIdInDatabase, Boolean verifyDatabaseConnection, Boolean verifyServerInstanceKey, Boolean setSingleUserWhileOverwritingTenantId)
at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.ConfigureTenants(ServerUserSettings settings)
at Microsoft.Dynamics.Nav.Runtime.NavTaskFactory.<>c__DisplayClass11_0.<StartNewTask>b__0()
at System.Threading.Tasks.Task.Execute()
Source: Microsoft.Dynamics.Nav.Ncl
HResult: -2146232798
Thanks for the info so far and any new direction you can give me. Even if it's just to say 'give up'.
Thank you both, I'm going to digest and try to apply this. I will report back with success or failure. Again, thanks.
Hello,
Yes, the scenario should work, as I personally set up ADFS a few times in a test environment for a few support requests I had to work on. The best advice I can give is to ensure you are running the latest CU, as this customer is running 58 CUs behind. Especially since you mentioned this needs to be published externally: in my opinion you should not do this if you are running such an old Dynamics NAV release. The documentation related to this setup can be found here:
learn.microsoft.com/.../authenticating-users-with-active-directory-federation-service
As you mentioned, you are not familiar with ADFS and Dynamics NAV, since you inherited the environment. It is probably best to find a Dynamics partner to help you with the setup. Apart from that, Dynamics NAV 2017 is no longer supported. Dynamics NAV 2018 will reach the end of its life cycle in January 2023.
The setup in Dynamics NAV is straightforward; there are two related keys in the CustomSettings.config file:
1. wsfederationloginendpoint
2. ClientServicesFederationMetadataLocation
If the management endpoint (web.config file) is not reachable or is not yet supported in your Dynamics NAV release or CU release (support for this was added in a later CU release), then the scenario will fail. On the Users page, the mail address should be populated with the correct mail address that is assigned to the user (UPN).
The setup is relatively complicated when you are not that familiar with ADFS or AD in general. If you do want to use the ADFS that ships with Office 365 (Azure AD authentication), then find a local partner that can help you with this.
Thank you.
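The two keys named in the answer above are the whole server-side configuration, but the metadata location is also where the server gets its trust anchors (the AD FS issuer and token-signing certificates), so it is worth looking at what that document says before pointing a production instance at it. The script below is an added example, not code from this thread or from Microsoft: it fetches the federation metadata, prints the issuer and signing certificates the server will end up trusting, and only then writes the keys with the NAV 2017 administration cmdlets and reads them back. It assumes (none of this is on the page) that AD FS answers at sso.contoso.com, that the web client lives at https://nav.contoso.com/DynamicsNAV100, and that the relying party identifier is https://dynamicsnavwebclient, the `aud` value that appears in the token dump further down this thread.

```powershell
# Added example, not from the original thread or from Microsoft. Applies the two
# CustomSettings.config keys named in the answer above (plus the credential type
# they belong to) to a NAV 2017 (version 100) server instance, after first
# fetching the AD FS federation metadata and showing which issuer and signing
# certificates the server will trust. Run in an elevated PowerShell on the NAV server.
# Assumptions (mine, not on the page): host names, web client URL and realm below.
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\100\Service\NavAdminTool.ps1'

$ServerInstance = 'DynamicsNAV100'
$AdfsHost       = 'sso.contoso.com'                         # assumption
$WebClientUrl   = 'https://nav.contoso.com/DynamicsNAV100'  # assumption
$Realm          = 'https://dynamicsnavwebclient'            # the "aud" in the token

$MetadataUrl   = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
# The login endpoint is itself embedded in a redirect URL, so the "&" between its
# query parameters is written as %26 and the realm is URL-encoded.
$LoginEndpoint = "https://$AdfsHost/adfs/ls/?wa=wsignin1.0%26wtrealm=$([uri]::EscapeDataString($Realm))%26wreply=$WebClientUrl/SignIn.aspx"

function Get-FederationMetadataSummary {
    param([Parameter(Mandatory)][string]$Url)
    # Fail closed: the issuer name and signing certificates come from this document,
    # so it must never be fetched over plain http.
    if (-not $Url.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing plain-http metadata location '$Url'"
    }
    $xml = [xml](Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $certs = foreach ($node in $xml.SelectNodes('//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)) {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($node.InnerText.Trim()))
        [pscustomobject]@{ Thumbprint = $c.Thumbprint; Subject = $c.Subject; NotAfter = $c.NotAfter }
    }
    [pscustomobject]@{
        # entityID is the value NAV prints as "Issuer:" when it rejects a token
        Issuer       = $xml.DocumentElement.GetAttribute('entityID')
        SigningCerts = @($certs | Sort-Object Thumbprint -Unique)
    }
}

$meta = Get-FederationMetadataSummary -Url $MetadataUrl
"AD FS issuer the server will trust: $($meta.Issuer)"
$meta.SigningCerts | Format-Table -AutoSize | Out-String | Write-Host
if ($meta.SigningCerts.Count -eq 0) { throw 'metadata lists no signing certificate; do not continue' }
if ($meta.SigningCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }) {
    Write-Warning 'an AD FS token-signing certificate expires within 30 days; logins stop when it rolls over unless the metadata is re-read'
}

Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName ClientServicesCredentialType -KeyValue AccessControlService
Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName ClientServicesFederationMetadataLocation -KeyValue $MetadataUrl
Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName WSFederationLoginEndpoint -KeyValue $LoginEndpoint
Set-NAVServerInstance -ServerInstance $ServerInstance -Restart

# Read back what was written; a typo in either URL is easy to miss in the config file.
Get-NAVServerConfiguration -ServerInstance $ServerInstance -AsXml |
    Select-Xml -XPath "//add[starts-with(@key,'ClientServices') or @key='WSFederationLoginEndpoint']" |
    ForEach-Object { '{0} = {1}' -f $_.Node.key, $_.Node.value }
```

The web client's web.config still needs its own matching credential type and login endpoint, and a credential type other than Windows requires the service certificate (ServicesCertificateThumbprint) to be in place, so this script covers the server instance only. Compare the printed issuer with the "Issuer:" line of any "does not give access" event: if they differ, the server and AD FS are not talking about the same trust.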
Thank you so much for the help but this sends me down another rabbit hole that I can't venture down until I get some sleep.
In the meantime, would you mind at the very least confirming that in theory this should work?
On-Prem Dynamics NAV 2017 CU3
On-Prem ADFS 3.0
And that's it, no other requirements are necessary?
Refer to the link below.
So I got that to go away, but I still get these two warnings in the event viewer:
Event 1:
Unable to redirect to retrieve authorization code. TokenAuthority: 'login.windows.net/common', ClientID: '00000000-0000-0000-0000-000000000000'
I feel like this one shouldn't matter since I'm not involving Azure at all.
Event 2:
Server instance: DynamicsNAV100
Tenant ID:
Received security token, which could be validated, but which does not give access to Microsoft Dynamics NAV.
Issuer: sso.contoso.com/.../trust
Expiry (UTC): 12/15/2022 5:22:22 AM
Claims in token:
aud: https://dynamicsnavwebclient
iss: sso.contoso.com/.../trust
iat: 1671078142
nbf: 1671078142
exp: 1671081742
schemas.xmlsoap.org/.../name: russtoleum@contoso.com
schemas.microsoft.com/.../objectidentifier: S-1-5-21-1757981266-2052111302-1417001333-00000
schemas.microsoft.com/.../authenticationmethod: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
schemas.microsoft.com/.../authenticationinstant: 2022-12-15T04:22:22.415Z
ver: 1.0
I of course had to remove the identifying stuff, but these are now the only 2 errors when I attempt login. I still get this, though:
But there is no more error about the management port, and the user it says doesn't exist does exist and is mapped to my AD user; the only difference is that in NAV the syntax is the pre-2000 DOMAIN\USERNAME.
Can you check this?
The management service endpoint is not available. Make sure that the management service port is set correctly in the web server config file.