ADFS configuration for premises deployment: Invalid scope names

Posted by Sohaib Cheema (User Group Leader)

I am near the finishing line of the On-Prem deployment, where step number 18, the ADFS configuration, is holding me up.

The line of the script where it fails is as follows (line 204 of the script named D365FO-OP-ADFSApplicationGroup.psm1):

Grant-AdfsApplicationPermission -ClientRoleIdentifier $workflowClientId -ServerRoleIdentifier $axApiIdentity -ScopeNames $script:openIdScope, $script:userImpersonationScope, $script:emailScope, $script:allAtClaimsScope, $script:azaScope

As per the documentation I am supposed to run the following command with my own HostURL.

# Host URL is your DNS record\host name for accessing the AOS
.\Publish-ADFSApplicationGroup.ps1 -HostUrl 'ax.d365ffo.onprem.contoso.com'

Every time I run the command, it gives me an error.

The error message shown in PowerShell is as follows.

PS C:\smcondc\adfschkns\fi> .\Publish-ADFSApplicationGroup.ps1 -HostUrl 'https://MyHostURL'
Grant-AdfsApplicationPermission : MSIS7628: Scope names should be a valid Scope Description name in AD FS configuration.
At C:\smcondc\adfschkns\fi\D365FO-OP\D365FO-OP-ADFSApplicationGroup.psm1:204 char:5
+     Grant-AdfsApplicationPermission -ClientRoleIdentifier $workflowCl ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Grant-AdfsApplicationPermission], StorageConstraintException
    + FullyQualifiedErrorId : MSIS7628,Microsoft.IdentityServer.Management.Commands.AddAdfsApplicationPermissionCommand
PS C:\smcondc\adfschkns\fi>

The error log in the traces folder is as follows:

Using redirect URL for AD FS: myhosturl/.../AXSF
Creating AD FS Application group: Microsoft Dynamics 365 for Operations On-premises
Client ID: 9af9f044-2164-43c5-96b8-3425fb018136
Creating AXSF Native application for browser usage with Client ID: 9af9f044-2164-43c5-96b8-3425fb018136
Creating AXSF Web application for browser usage
Creating AXSF Web API for services
Granting permission for browser application usage
Creating Workflow Native application
Granting permissions for Workflow application


PSMessageDetails      : 
Exception             : Microsoft.IdentityServer.PolicyModel.Client.StorageConstraintException: MSIS7628: Scope names should be a valid Scope 
                        Description name in AD FS configuration.
                           at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.AddObjectWorker(ClientObject clientObject, 
                        Boolean firstTry)
                           at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.AddObject(ClientObject clientObject)
                           at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Save(ClientObject clientObject)
                           at Microsoft.IdentityServer.Management.Commands.AddAdfsApplicationPermissionCommand.AddApplicationPermission()
                           at Microsoft.IdentityServer.Management.Commands.AddAdfsApplicationPermissionCommand.ProcessRecordOverride()
TargetObject          : 
CategoryInfo          : InvalidData: (:) [Grant-AdfsApplicationPermission], StorageConstraintException
FullyQualifiedErrorId : MSIS7628,Microsoft.IdentityServer.Management.Commands.AddAdfsApplicationPermissionCommand
ErrorDetails          : MSIS7628: Scope names should be a valid Scope Description name in AD FS configuration.
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at New-AdfsApplicationForWorkflow, C:\smcondc\adfschkns\fi\D365FO-OP\D365FO-OP-ADFSApplicationGroup.psm1: line 204
                        at New-AdfsConfiguration, C:\smcondc\adfschkns\fi\D365FO-OP\D365FO-OP-ADFSApplicationGroup.psm1: line 82
                        at <ScriptBlock>, C:\smcondc\adfschkns\fi\Publish-ADFSApplicationGroup.ps1: line 59
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}

As can be seen from the error log, the last successful step is "Granting permissions for Workflow application".

And the exact point of failure is when it goes to grant permission for ADFS.

Looking forward to any input.

Thank you!

Sohaib
  • Verified answer
    Sohaib Cheema Profile Picture
    49,438 User Group Leader on at

    To fix this, make sure you have all the scope descriptions that are used in the PowerShell script. It was a shame to find that all the scope descriptions were there except one, named allatclaims. Adding it manually in ADFS worked perfectly.

  • Suggested answer
    Hichem.Chekebkeb Profile Picture
    3,371 on at

    Good point Sohaib,

    To overcome the error, I deleted $script:allAtClaimsScope upfront from line 204 in Infrastructure\D365FO-OP\D365FO-OP-ADFSApplicationGroup.psm1, ran the Publish-ADFSApplicationGroup.ps1 command, then added that allAtClaims manually in ADFS as you said, under ADFS > Services > Scope descriptions.

    This will allow the script to be fully executed.

    Hope this helps people facing the same issue.

  • Sohaib Cheema Profile Picture
    49,438 User Group Leader on at

    I would prefer not to delete the line with $script:allAtClaimsScope to bypass adding the needed token, just because it can create my application.

    I would prefer to add the missing tokens first and then run the PS script as provided. About the other scripts, there are many which need improvement. I hope Microsoft can update those which have bugs. A week ago, during an installation, I found an interesting fact about one of the scripts. I will write a blog post about that.

  • Hichem.Chekebkeb Profile Picture
    3,371 on at

    Sohaib,

    I deleted precisely that value only, not the whole line.

    Could you please elaborate on how you added the token?

    I am not much into ADFS setup. I am afraid this is the only issue keeping me from running AX. When I open the AX link it goes to "An error occurred. Contact your administrator for more information.", prompted by ADFS.

  • Sohaib Cheema Profile Picture
    49,438 User Group Leader on at

    When you open ADFS, expand the Services node/tree on the left side; you will find a sub-node named Service Descriptions. You can add new scope descriptions there. You can also use the PowerShell Add-AdfsScopeDescription command to do this.

  • Hichem.Chekebkeb Profile Picture
    3,371 on at

    I did the same, yet the issue persists. It must be something else...

  • Sohaib Cheema Profile Picture
    49,438 User Group Leader on at

    Yes, you may read the error message and the exact line where it is failing in the PowerShell script.

    If your application has been created, make sure that you have the certificates in your local cert folder. Also make sure that port 19080, on which you can browse the orchestrator, is open.

  • shubhi gupta Profile Picture
    405 on at

    Hi sohaib,

    When I run the .\Publish-ADFSApplicationGroup.ps1 -HostUrl 'ax.d365ffo.onprem.contoso.com' script I get this error: "MSIS9908: The application group identifier must be unique in AD FS configuration". Can you suggest a solution for this?

  • Suggested answer
    Hichem.Chekebkeb Profile Picture
    3,371 on at

    Hi Shubhi, you may be running it more than once; you have to delete the whole AX application group in ADFS and retry.
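
The check and fix from the verified answer above, as an added example (not code from the thread or from Microsoft's D365FO on-prem scripts): it lists the Scope Descriptions AD FS currently has, compares them with the scope names granted at line 204, and creates any that are missing with Add-AdfsScopeDescription. Only "allatclaims" is confirmed by the thread; the other four names are assumed from the $script:* variable names and should be checked against the script version in use.

```powershell
# Added example, not part of the thread or of Microsoft's D365FO on-prem scripts.
# Compares the scope names that D365FO-OP-ADFSApplicationGroup.psm1 grants at line 204
# with the Scope Descriptions present in AD FS and creates the missing ones.
# Assumption: the names below correspond to $script:openIdScope, userImpersonationScope,
# emailScope, allAtClaimsScope and azaScope; only "allatclaims" is confirmed by the
# thread, so verify the others against the script version you are running.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$RequiredScopes = @('openid', 'user_impersonation', 'email', 'allatclaims', 'aza')
)

Import-Module ADFS -ErrorAction Stop   # must run on the AD FS server as an administrator

# Names of the scope descriptions AD FS already knows about.
$existing = @(Get-AdfsScopeDescription | Select-Object -ExpandProperty Name)

# PowerShell's -notin compares case-insensitively, which is what we want here.
$missing = @($RequiredScopes | Where-Object { $_ -notin $existing })

if ($missing.Count -eq 0) {
    Write-Host "All required scope descriptions already exist: $($RequiredScopes -join ', ')"
    return
}

Write-Host "Missing scope descriptions: $($missing -join ', ')"

foreach ($scope in $missing) {
    # -WhatIf / -Confirm are honoured here, so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess("AD FS", "Add scope description '$scope'")) {
        Add-AdfsScopeDescription -Name $scope -Description "Required by D365FO on-premises ($scope)"
        Write-Host "Added scope description: $scope"
    }
}

# Re-check so the script ends with the state Grant-AdfsApplicationPermission will see.
$stillMissing = @($RequiredScopes | Where-Object { $_ -notin @(Get-AdfsScopeDescription).Name })
if ($stillMissing.Count -gt 0) {
    Write-Warning "Still missing (re-run without -WhatIf?): $($stillMissing -join ', ')"
}
```

Run it in an elevated PowerShell on the AD FS server before Publish-ADFSApplicationGroup.ps1; pass -WhatIf to see which scope descriptions would be added without changing anything.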
