I recently downloaded and installed a D365 Finance & Operations OneBox development environment from Microsoft LCS (version 10.0.24 VHD which includes retail components and demo data). Everything seems to be running well (including most retail components) except that I'm unable to activate the retail cloud POS.
Before proceeding further, I'd like to mention that I'm aware that this is a very common error, and many posts on this forum have discussed this specific issue. I've probably read them all and have already tried the solutions given in the posts I've read. Having said that, I'm just now learning the commerce/retail module for the first time, so it's possible that I missed something (but probably not something obvious).
Retrieving stores failed.
DA1023 - Could not resolve identity. The Azure AD account is not mapped to an employee in Retail headquarters.
After running RetailTenantUpdateTool (i.e. link to PowerShell script on OneBox desktop), I confirmed that my external identity from Azure AD is mapped to the employee used in demo data for retail module. I also did a full data sync with Job '9999'.
I noticed there were several warnings in Windows Event Viewer immediately after I attempted to activate Retail Cloud POS.
Administrative Tools > Event Viewer > Applications and Services Logs > Microsoft > Dynamics > Commerce-RetailServer > Operational
The error says it couldn't find an identity mapped to the worker, but I've confirmed that's not the case, so I tried to determine if there was some authentication failure with Azure AD. I read through these warnings, but I'm not sure what I'm looking for. I could tell that the system had my correct Azure tenant Id and also the correct Object Id for the AAD external identity mapped to Worker '000160' (Alexander Eggerer) in the demo data, so I don't know why the authentication is failing.
Here are the most interesting warnings:
In the screenshot for Error 5034, I confirmed that AAD Tenant Id, AAD Object Id, and Identity Issuer are mapped with values that I recognize from my Azure tenant and user. But I don't recognize the ID for the "External Identity Id" field, and I also noticed that "Identity Provider" was blank, which seemed odd. I'm not sure if these are the source of the problem or not.
Any help to resolve this mystery would be appreciated.
Glad you are unblocked Ashok.
By the way, there is a feature (Dynamics.AX.Application.RetailEmployeeExternalIdentityLocalAuthFeature) which controls the data source used to resolve an Employee based on AAD credentials. In a few relatively recent HQs, including 10.0.24, the above feature is available and by default is Enabled and that means the lookup is performed by using data present in the Channel DB so no RTS calls are made.
In contrast, when the feature is turned off, that is what was in older versions for years, the lookup is performed by employing an RTS call.
The benefit of looking up through the channel DB is performance and resilience to possible RTS-related issues when the network/HQ is not available for any reason, but this approach does require the jobs to be executed to deliver the data from AX to the Channel DB.
When the lookup is performed by using an RTS call (when the feature is disabled), the lookup is slower and relies on HQ's availability, but this approach doesn't require executing the job to sync the employee data from Ax to HQ.
I confirmed that the issue with the data encryption certificate was in fact the problem. More importantly, I found the solution to this problem in another post:
Issues with VM renaming (10.0.24)
After implementing the solution described in that post, I was able to run the Default channel database batch job, and the records in the Download Sessions (produced by the full data sync with Job '9999') were changed from status Available to status Applied. This updated the ax.* tables in the AxDB database so that my Azure AD credentials were properly applied to the AAD external identity mapped to Worker '000160' (Alexander Eggerer). Then the Retail Cloud POS activation finally worked.
Thank you, Sergey, for helping me find the path to the solution!
I did some further troubleshooting, and I might have found the issue, but I don't know how to fix it. Per #2 in my post immediately above, I think it might be an invalid certificate that's causing the problem.
There's a recurring batch job ("Default channel database batch job") set up in D365FO. I'm not sure, but I believe this is the job that processes the Download Sessions mentioned earlier. All instances of this Default channel database batch job have been set to "Canceled".
I checked the logs on some of these batch job records, and there are errors.
Here's an excerpt of one of the detailed infolog error messages:
CDX download job 1060 encountered an error while applying download session 68719477487 on the target data store Default
The required data encryption certificate was not found when trying to edit the Database connection profile table and the ConnectionString field. Please add a valid certificate. Microsoft.Dynamics.Ax.Xpp.Security.CryptoEncryptionException: Encryption error occured with exception: Microsoft.Dynamics.Ax.Xpp.Security.CryptoEncryptionException: Encryption error occured with exception: Microsoft.Dynamics.AX.Configuration.CertificateHandler.NoCertificateFoundException: No certificate found for id ...
Sergey,
Your latest response definitely helped a lot. I'm getting closer to identifying the problem now. Per your guidance, I checked the view [crt].[RETAILSTAFFEXTERNALIIDENTITYVIEW]. I also checked the tables [ax].RETAILSTAFFTABLE and [dbo].RETAILSTAFFTABLE, and I found part of the problem. The [EXTERNALIDENTITYID] and [EXTERNALIDENTITYSUBID] fields in the ax table do not match the same fields in the dbo table. The fields in the dbo table have the correct values as confirmed in my screenshots above (i.e. those values match the values that I observed from Azure AD via the Azure Portal). So it appears that my previous sync attempts did not work.
Continuing on with your guidance, I checked the Download Sessions form, and that also indicates a problem. I see the results of what I believe are several failed sync attempts. To clarify, I did NOT see any records with Error status. However, multiple Download Session records are present for each job, and 100% of them have status Available. Here's an example of the Job 1060 results:
These records are several days old, so it appears that the Download Sessions status is stuck in the Available state instead of progressing on to the Applied state.
Questions:
>... Could you please tell me the specific table in the channel DB that I could look at to see if it is populated correctly? ...
Please have a look into the view [crt].[RETAILSTAFFEXTERNALIIDENTITYVIEW], it leverages the table [ax].RETAILSTAFFTABLE.
That table should have the mapping you outlined in HQ while mapping an employee to an AAD user. If you don't see your record there in the table with the "AX" schema, but you are seeing the record in the same table in the "DBO" schema, then you need to execute the job 9999 and wait for its completion. The job "9999" is a logical job which includes all other jobs, so by executing that job you are making a Full Sync to send the data from the HQ DB to the CRT DB (there are performance penalties associated with this, so run it outside of business hours in PROD scenarios).
To figure out the status of running jobs you can leverage the Download Sessions UI in HQ - type that in HQ's search box and a corresponding menu item will appear in the list - then hit [ENTER] to navigate to it.
On that screen, once you run the job 9999, you will initially see a number of records with the status Available; once the data is sent to the channel DB the status will change to Applied. In case of status Failed - investigate the corresponding failures - there is a dedicated link in the grid to download the logs/failed records.
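A diagnostic query for the check described in this reply and in the earlier post that found the ax/dbo mismatch. It is an added example, not code from any post in this thread, meant to be run against the AxDB on the OneBox; the STAFFID and DATAAREAID column names and the worker id '000160' are assumptions taken from the thread, and the view and table names are the ones the posts cite.

```sql
-- Added example (not from the thread). Compares the HQ copy (dbo schema) of
-- RETAILSTAFFTABLE with the channel copy (ax schema) that CDX job 1060 fills.
-- A row marked 'stale' or 'missing' means the Download Session for that job
-- was never applied, which is exactly what produces DA1023 at POS activation.
-- Assumed: STAFFID and DATAAREAID are the join columns; '000160' is the worker.
SELECT d.STAFFID,
       d.EXTERNALIDENTITYID    AS dbo_ExternalIdentityId,
       a.EXTERNALIDENTITYID    AS ax_ExternalIdentityId,
       d.EXTERNALIDENTITYSUBID AS dbo_ExternalIdentitySubId,
       a.EXTERNALIDENTITYSUBID AS ax_ExternalIdentitySubId,
       CASE
           WHEN a.STAFFID IS NULL
               THEN 'missing in ax (download session never applied)'
           WHEN ISNULL(a.EXTERNALIDENTITYID, '')    <> ISNULL(d.EXTERNALIDENTITYID, '')
             OR ISNULL(a.EXTERNALIDENTITYSUBID, '') <> ISNULL(d.EXTERNALIDENTITYSUBID, '')
               THEN 'stale in ax (HQ changed, channel not updated)'
           ELSE 'in sync'
       END AS SyncState
FROM dbo.RETAILSTAFFTABLE AS d
LEFT JOIN ax.RETAILSTAFFTABLE AS a
       ON a.STAFFID = d.STAFFID
      AND a.DATAAREAID = d.DATAAREAID
WHERE d.STAFFID = '000160';

-- The view the CRT actually reads when the LocalAuth feature is enabled.
-- If the row above shows 'in sync' but nothing comes back here, the problem
-- is in the view/mapping layer rather than in the CDX sync itself.
SELECT *
FROM [crt].[RETAILSTAFFEXTERNALIIDENTITYVIEW]
WHERE STAFFID = '000160';
```

If the first query reports 'missing' or 'stale', check the Download Sessions form for Available rows that never reached Applied and read the Default channel database batch job log, as the later posts in this thread do.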
Sergey,
Thanks for responding to my post.
Response to question #1:
To answer your first question, I believe that the 2 events in the screenshots above (5102, 5034) simply might not be consistent in how they label the identifiers. In Event 5102, "External Identity ID" references my Azure Tenant Id and "External Identity SubId" references my O365 user's Object ID in Azure AAD. In Event 5034, "AAD Tenant Id" references my Azure Tenant Id and "AAD Object Id" references my O365 user's Object ID in Azure AAD. Also, the "Identity Issuer" URL in Event 5034 references my AAD tenant id. I believe these values are correct although the 2 error events aren't consistent in their labeling of these fields. So far, so good.
But I simply don't recognize the value of "External identity Id" in Event 5034. My guess is that it is NOT actually the same thing as "External identity Id" from Event 5102. In Event 5102, "External identity id" appears to mean Azure Tenant Id. But I have no idea what "External identity Id" in Event 5034 is referring to. I suspect that the coders who wrote the text portion of the Event errors simply weren't consistent in their labeling. The "External identity Id" in Event 5034 might be the correct value, but I have no idea what it is. That's the only value that I couldn't recognize. I also wasn't sure if the "Identity provider" field from Event 5034 should be blank (as highlighted in the screenshot).
Response to question #2:
Sorry, being completely new to Commerce/Retail, I did not understand what you meant by "Did you check, via Download Sessions, that all the jobs successfully completed?". When running the "9999" job in D365FO, I did monitor the Batch job being run, and all the tasks appeared to complete without error. As I understand it, in D365FO OneBox development VHD, the data for commerce/retail is stored in the AxDB database within database tables having ax.* and crt.* database schemas. I noticed that the ax.* tables appear to be fully populated with data, but I didn't see data in the crt.* tables. Also, using Azure Storage Explorer, I looked at data in Azure Storage Emulator and found data that appears to be related to commerce/retail:
Question:
"you also have to successfully sync that data to the Channel DB"
Could you please tell me the specific table in the channel DB that I could look at to see if it is populated correctly?
>... But I don't recognize the ID for "External Identity Id" ...
Can you double check the above statement, as it contradicts your screenshot where you say "Matches my Azure tenant Id" for the "External Identity ID"?
So, do you recognize all the values in the error log or not?
In relatively recent versions, including yours, the employee's identity is resolved by using data present in the Channel DB, so it is not enough to just set the correct mapping inside HQ; you also have to successfully sync that data to the Channel DB.
>...I also did a full data sync with Job '9999'. ...
Did you check, via Download Sessions, that all the jobs successfully completed?