web
You’re offline. This is a read only version of the page.
close
Skip to main content
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Customer experience | Sales, Customer Insights,... / Document agent routing...
Customer experience | Sales, Customer Insights,...
Suggested answer

Document agent routing - Problemas as a service

(2) ShareShare
ReportReport
Posted on by Fnavarro 4
Hi,
 
I have a big issue here, when I try to run document routing as a service it return me an login error.
>Document Routing MSAL authenticate start. 
  • I'm actually executing the service with the same user that I use to do the log in into the aplication
  • The user have system administrator rights
  • The service is running
  • The credentials are OK
  • If I run the document routing NOT as a service it works well.
Document Routing MSAL authenticate stop. 26,0036 ms
 
Regards
I have the same question (0)
  • Suggested answer
    Daivat Vartak (v-9davar) Profile Picture
    Daivat Vartak (v-9d... 7,827 Super User 2025 Season 2 on at
    Document agent routing - Problemas as a service
    Hello Fnavarro,
     

    This is a classic and often frustrating issue with service accounts and interactive logins versus service-based authentication. Even though the user you're using has System Administrator rights and the credentials work for interactive logins, running Document Routing as a service introduces a different authentication context.

    Here's a breakdown of why you're likely encountering this and how to troubleshoot it:

    Likely Causes:

    1. Interactive vs. Non-Interactive Authentication:

      • Interactive Login: When you log into the application directly, you're providing credentials through a user interface, and your session is managed interactively.
      • Service Authentication: Services often run under a different context and require non-interactive authentication. This usually involves service principals, dedicated service accounts with specific permissions, or other mechanisms that don't rely on a user actively entering credentials. 

    2. MSAL Configuration for Service: The Microsoft Authentication Library (MSAL) needs to be configured correctly for a service-to-service or non-interactive scenario. This might involve:

      • Client ID and Secret: If you're using an Azure AD application registration (Service Principal), you need to ensure the correct Client ID and Secret are being used.
      • Certificate-Based Authentication: The service might be configured to use a certificate for authentication instead of a password.
      • Permissions: The Azure AD application or service account needs the correct permissions granted to access Dynamics 365. 

    3. Service Account Permissions: While your user account has System Administrator rights, the context under which the service is running might not be inheriting those rights correctly. The service might be using a different process or identity internally.

    4. Configuration Files: The Document Routing Service likely has configuration files where the authentication details are stored. Ensure these files are correctly configured with the appropriate credentials and authentication method for a service context.

    5. Firewall or Network Issues: Although less likely given that it works when run non-service, there could be subtle network differences when the application runs as a service that are affecting authentication.


      6.  

    Troubleshooting Steps:

    1. Review Service Configuration:

      • Identify the Service Account: Determine the exact Windows service account under which the Document Routing Service is running. You can find this in the Windows Services Manager.
      • Check Service Permissions: Ensure this service account has the necessary local permissions on the server where it's running. 

    2. Examine Document Routing Service Configuration Files:

      • Look for configuration files (e.g., .config, .ini, .json) associated with the Document Routing Service. These files likely contain settings related to authentication.
      • Verify Authentication Method: Identify if the configuration specifies a specific authentication method for service mode (e.g., Service Principal, Windows Authentication, specific user credentials).
      • Check Credentials: If specific credentials are used in the configuration, double-check that they are correct and haven't expired. 

    3. Consider Using a Dedicated Service Principal (Recommended for Service Authentication):

      • Register an Application in Azure AD: If you haven't already, register an application in your Azure Active Directory. This application will act as the identity for your service.
      • Generate a Client Secret or Upload a Certificate: For the registered application, create a client secret or upload a certificate for authentication.
      • Grant Dynamics 365 Permissions to the Application: In the Power Platform Admin Center, grant the necessary Dynamics 365 permissions to the registered application (Service Principal). This might involve assigning a security role to the application user created in Dynamics 365 that represents the Service Principal. System Administrator is often used, but follow the principle of least privilege.
      • Update Service Configuration: Configure the Document Routing Service to use the Client ID and Secret (or certificate details) of the registered application for authentication. 

    4. Check Event Logs:

      • Review the Windows Event Logs (Application and System) on the server where the Document Routing Service is running. Look for any error messages related to the service or authentication failures. 

    5. Verify MSAL Configuration in Service Code (If Accessible):

      • If you have access to the code of the Document Routing Service, examine how MSAL is being initialized and used for authentication in the service context. Ensure it's configured for non-interactive authentication using the appropriate Client ID, Secret/Certificate, and Tenant ID. 

    6. Test Network Connectivity: While less likely, ensure there are no firewall rules or network restrictions preventing the service from reaching the necessary authentication endpoints (e.g., Azure AD).

       


      7.  

    Steps to Implement Service Principal Authentication (General Guidance):

    1. Azure AD App Registration:

      • Go to the Azure portal.
      • Navigate to "Azure Active Directory" > "App registrations".
      • Click "New registration".
      • Give your application a name (e.g., "DocumentRoutingServiceApp").
      • Select the supported account types (usually "Accounts in this organizational directory only").
      • For "Redirect URI (optional)," you don't need to configure anything for a service application.
      • Click "Register". 

    2. Get Client ID: Note down the "Application (client) ID" from the app registration overview.

    3. Generate Client Secret:

      • Go to "Certificates & secrets" under your app registration.
      • Click "New client secret".
      • Add a description and choose an expiration period.
      • Click "Add".
      • Copy the secret value immediately and store it securely. You won't be able to retrieve it again. 

    4. Grant API Permissions:

      • Go to "API permissions" under your app registration.
      • Click "Add a permission".
      • Select "Dynamics 365" (or "Microsoft CRM").
      • Choose "Delegated permissions" or "Application permissions" depending on how the service needs to interact. Application permissions are generally preferred for service applications.
      • Grant the necessary permissions (e.g., user_impersonation under Dynamics CRM).
      • Click "Grant admin consent for [Your Tenant]". 

    5. Create Application User in Dynamics 365:

      • Go to your Dynamics 365 instance.
      • Navigate to Settings > Security > Users.
      • Change the view to "Application Users".
      • Click + New.

      • Fill in the required details:

        • User Name: A descriptive name (e.g., "DocumentRoutingService").
        • Application ID: Enter the Application (client) ID you copied from Azure AD. 

      • Assign Security Role(s): Assign the necessary security roles to this application user. Start with System Administrator for testing, but ideally, grant the least privilege required.
      • Save the application user. 

    6. Configure Document Routing Service:

      • Update the configuration files of your Document Routing Service to use:

        • Client ID: The Application (client) ID.
        • Client Secret: The secret you generated.
        • Tenant ID: Your Azure AD Directory (tenant) ID.
        • Dynamics 365 URL: The URL of your Dynamics 365 instance.
        • Authentication Method: Ensure it's set to use MSAL with Client Credentials flow. 
          

      7.  

    By properly configuring the service with a dedicated Service Principal, you should be able to resolve the login error and have Document Routing run successfully as a service without relying on the interactive user session. Remember to consult the specific documentation for your Document Routing Service for detailed configuration instructions.

     
    If my answer was helpful, please click Like, and if it solved your problem, please mark it as verified to help other community members find more. If you have further questions, please feel free to contact me.
     
    My response was crafted with AI assistance and tailored to provide detailed and actionable guidance for your Microsoft Dynamics 365 query.
     
    Regards,
    Daivat Vartak
  • KV-11040839-0 Profile Picture
    KV-11040839-0 2 on at
    Document agent routing - Problemas as a service
    Same issue here. Were you able to resolve it? how?

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Dynamics 365 Community Calls Return
Join experts in person to explore low code and AI agents at the Power Platform Community Conference sponsored by Microsoft
Responsible AI policies for the Community

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Andrés Arias – Community Spotlight

We are honored to recognize Andrés Arias as our Community Spotlight honoree for…

Congratulations to the August Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Customer experience | Sales, Customer Insights, CRM

#1
DAnny3211 Profile Picture

DAnny3211 126

#2
Daniyal Khaleel Profile Picture

Daniyal Khaleel 117

#3
Abhilash Warrier Profile Picture

Abhilash Warrier 70 Super User 2025 Season 2

Last 30 days Overall leaderboard

Featured topics

Hide selecting Contact for potential customer when creating quote

Product updates

Dynamics 365 release plans