Make sure you have first set up in RTC the same user you are trying to log in to web with.
Thank you for such a prompt response but I need clarification please.
I forgot to mention that since everything was already set up there are several users already created. Those users are however tied into the local AD.
I have had to glean everything up to now about users and permissions but my user was added by the accounting department with SUPER user permissions.
So how do I make sure I have set up the same user if it already exists and is associated with my AD user of the same username and password? I'm really just trying to more or less convert to AccessControlService from Windows authentication.
I'm happy to provide any info you require.
Can you check this?
The management service endpoint is not available. Make sure that the management service port is set correctly in the web server config file.
So I got that to go away but I still get these two warnings in the event viewer:
Unable to redirect to retrieve authorization code. TokenAuthority: 'login.windows.net/common', ClientID: '00000000-0000-0000-0000-000000000000'
I feel like this one shouldn't matter since I'm not involving Azure at all.
Server instance: DynamicsNAV100
Received security token, which could be validated, but which does not give access to Microsoft Dynamics NAV.
Expiry (UTC): 12/15/2022 5:22:22 AM
Claims in token:
I of course had to remove the identifying stuff but these are now the only 2 errors when I attempt login, I still get this though:
But there is no more error about the management port and the user it says doesn't exist, does and is mapped to my AD user, the only difference is in NAV the syntax is the pre-2000 DOMAIN\USERNAME
Refer to the link below.
Thank you so much for the help but this sends me down another rabbit hole that I can't venture down until I get some sleep.
In the meantime would you mind at very least confirming that in theory this should work.
On-Prem Dynamics NAV 2017 CU3
On-Prem ADFS 3.0
And that's it, no other requirements are necessary?
Yes, the scenario should work, as I personally did set up ADFS a few times in a test environment for a few support requests I had to work on. The best advice I can give is to ensure you are running the latest CU, as this customer is running 58 CUs behind. Especially since you mentioned this needs to be published externally. In my opinion you should not do this if you are running such an old Dynamics NAV release. The documentation related to this setup can be found here:
As you mentioned you are not familiar with ADFS and Dynamics NAV as you inherited the environment. Best probably is to find a Dynamics partner to help you with the setup. Apart from that, Dynamics NAV 2017 is no longer supported. Dynamics NAV 2018 will reach end of life cycle in January 2023.
The setup in Dynamics NAV is straightforward, there are two keys related in customsettings.config file:
If the management endpoint (web.config file) is not reachable or is not yet supported in your Dynamics NAV release or CU release (support for this was added in a later CU release), then the scenario will fail. On the users page, the mail address should be populated with the correct mail address that is assigned to the users (UPN).
The setup is relatively complicated when you are not that familiar with ADFS or AD in general. If you do want to use ADFS that ships with Office 365 (Azure AD authentication), then find a local partner that can help you with this.
Thank you both, I'm going to digest and try to apply this. I will report back with success or failure. Again, thanks.
Hey Marco, I hope you are still around, I was hoping to clear a few things up. First, on the link you provided, that goes to the setup to 2018. When I click the link to see the instructions for 2017: learn.microsoft.com/.../authenticating-users-with-active-directory-federation-service-2017 and that is the document I have been referencing the whole time, it says in the beginning that NAV 2017 with no CUs is compatible. Is that not the case? I got the ok to install the latest CU but I have to wait for a lot of red tape still. I'd like to get this working but if I can't on CU 3, it is what it is.
Also, it's sort of neither here nor there, but I'm very familiar with AD, it's just ADFS I'm not very learned in. I suppose that's 2 out of components at play but I still gotta try. That is my attempt at convincing you that replying to me isn't futile.
The 2 settings you mention are set. I even set up a separate non-prod instance in NAV so I could tinker more. I have the CredentialType set to AccessControlService and the 2 above settings set for the instance server config. I also have everything in the web.config set for the new instance I set up there as well. But I'm still being told by NAV my user doesn't exist.
I have also triple checked that my user config page in NAV, under the Office 365 Authentication tab, has my email address in the auth email. And I'm still getting these errors:
Server instance: NavTestCon
Tenant ID: default
You do not have access to Microsoft Dynamics NAV. Verify that firstname.lastname@example.org is set up as a valid Microsoft Dynamics NAV user.
Expiry (UTC): 12/19/2022 8:11:23 PM
As soon as I turn the cred type to Windows, I can log in fine. This feels like either ADFS is sending the wrong info to NAV, or I am missing a setting somewhere.
What is frustrating for me is of course my ignorance of NAV. The instructions clearly say I don't need Azure AD to make this work, but I have to use the same settings as if I was setting up with Azure.
Also, this error looks like it might have something to do with the problem.
Cannot access a disposed object.
Object name: 'internalDictionary'.
at Microsoft.Dynamics.Nav.Runtime.DisposedImmutableDictionary`2.ContainsKey(TKey key)
at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.CheckAddTenant(String tenantId, IEnumerable`1 alternateIds)
at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.AddTenant(NavTenantSettings tenantSettings, Boolean overwriteTenantIdInDatabase, Boolean verifyDatabaseConnection, Boolean verifyServerInstanceKey, Boolean setSingleUserWhileOverwritingTenantId)
at Microsoft.Dynamics.Nav.Runtime.NavTenantCollection.ConfigureTenants(ServerUserSettings settings)
Thanks for the info so far and any new direction you can give me. Even if it's just to say 'give up'.
Hi, just adding some info, hope the following helps as well.
Authenticating Business Central Users with Azure Active Directory (Sign in to Business Central On-Premises with Office 365 account)
I decided I needed to provide my ultimate solution on the unbelievable chance someone else got hung up on this super dumb thing.
I can't say for certain but it appears using https address on the second token (schemas.microsoft.com/.../objectidentifier) the outgoing claim for the primary SID.
I had upgraded the application platform to CU61; it still didn't work. Once I changed the above address to the same thing only http instead, it started accepting my creds for NAV.
Does that make any sense at all? I still have a lot to learn about ADFS.
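A check for the mismatch described in the last post, added here as an example and not code from the thread or from Microsoft: it scans AD FS issuance transform rule text and reports every outgoing claim type whose URI starts with `https://`. It assumes, as the fix suggests, that NAV matches the claim type by exact string; the function name `Find-HttpsClaimType` and the sample rules (placeholder `schemas.example.test` namespace) are constructed for illustration.

```powershell
function Find-HttpsClaimType {
    param(
        [Parameter(Mandatory)]
        [string]$RuleText
    )

    # Split into rules on ';' but skip semicolons inside quoted strings
    # (attribute-store queries such as ";mail;{0}" contain them).
    $rules = [regex]::Matches($RuleText, '(?:"[^"]*"|[^;"])+;')

    foreach ($r in $rules) {
        $rule = $r.Value

        # Only the statement after '=>' defines outgoing claims;
        # the condition before it uses '==' and is ignored.
        $parts = $rule -split '=>', 2
        if ($parts.Count -lt 2) { continue }

        # Optional @RuleName header, used only for reporting.
        $name = if ($rule -match '@RuleName\s*=\s*"([^"]*)"') { $Matches[1] } else { '(unnamed)' }

        # Outgoing type assignments look like: Type = "uri"
        # (\b keeps ValueType = "..." from matching).
        foreach ($m in [regex]::Matches($parts[1], '\bType\s*=\s*"([^"]+)"')) {
            $uri = $m.Groups[1].Value
            if ($uri -like 'https://*') {
                [pscustomobject]@{
                    RuleName  = $name
                    ClaimType = $uri
                    Suggested = $uri -replace '^https://', 'http://'
                }
            }
        }
    }
}

# Constructed sample rule set (placeholder namespace, not the thread's real rules).
$sample = @'
@RuleName = "UPN as name"
c:[Type == "http://schemas.example.test/claims/upn"]
 => issue(Type = "http://schemas.example.test/claims/name", Value = c.Value);

@RuleName = "Primary SID as object identifier"
c:[Type == "http://schemas.example.test/claims/primarysid"]
 => issue(Type = "https://schemas.example.test/claims/objectidentifier", Value = c.Value);
'@

Find-HttpsClaimType -RuleText $sample | Format-List
```

On the AD FS server, the rule text for a trust can be passed in from the `IssuanceTransformRules` property of `Get-AdfsRelyingPartyTrust`.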