Microsoft Dynamics AX 2012 Configure Mobile Apps Using Self-Signed Certificate
Purpose: The purpose of this document is to illustrate how to configure Microsoft Dynamics AX 2012 Mobile Apps using a Self-Signed certificate.
Challenge: Microsoft Dynamics AX 2012 Mobile Apps built by Microsoft and partners enable a variety of scenarios on various devices. The recommended architecture uses Windows Azure Service Bus to relay messages between devices and Microsoft Dynamics AX 2012 for secure communication. Typically an appropriate SSL certificate is issued for the name of the machine where Microsoft Dynamics AX 2012 is installed, and this SSL certificate is obtained from one of the certification authorities. However, for the purposes of a POC, a demonstration or development/testing you may want to use a Self-Signed certificate, which you can issue yourself at no cost, as opposed to a real SSL certificate issued by a certification authority.
Solution: A Microsoft Dynamics AX 2012 instance can be quickly provisioned in the Cloud using Microsoft Dynamics AX Lifecycle Services. In order to issue a Self-Signed certificate for Mobile Apps we can use the Contoso Certification Authority installed directly on the Microsoft Dynamics AX 2012 Demo VM (strictly speaking, this is a certificate issued by the VM's own private CA, which is no more trusted outside the VM than a self-signed one). Then we can use this Self-Signed certificate to connect Mobile Apps to the Microsoft Dynamics AX 2012 instance on the Demo VM. Please find more info about how to easily set up an Azure Demo environment for Mobile Apps here: http://blogs.msdn.com/b/axcompapp/archive/2014/09/04/easily-set-up-and-azure-demo-environment-for-mobile-apps.aspx
Walkthrough
We’ll start by provisioning a Microsoft Dynamics AX 2012 instance in the Cloud using Microsoft Dynamics AX Lifecycle Services. Please learn more about Microsoft Dynamics AX Lifecycle Services here: http://technet.microsoft.com/en-us/library/dn268616.aspx
Please note that before you can provision a Microsoft Dynamics AX 2012 instance in the Cloud using Microsoft Dynamics AX Lifecycle Services you will have to link your Windows Azure Subscription to your LCS account in Microsoft Azure Settings (please refer to the link above for more details)
For those of you who have an MSDN subscription but are not yet using the Microsoft Cloud, I’d encourage you to use your MSDN Windows Azure credit to check out all the awesome things the Microsoft Cloud has to offer. In order to activate your MSDN Windows Azure account please visit: http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
Here is how one can activate MSDN Subscription for Azure at http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
Azure benefits for MSDN subscribers
Press the ACTIVATE button and follow the steps
Please note that no credit card info is required because the credit is included as part of your MSDN Subscription
As a result your MSDN Windows Azure subscription will be activated
After your MSDN Windows Azure subscription is activated you can use your credit
Please complete these steps to set up your MSDN Subscription for Azure using your Microsoft account (former Live ID)
You can also use the Windows Azure Free Trial (http://azure.microsoft.com/en-us/pricing/free-trial/). Unlike the free trial, which expires when the credit is used up or after a month, your MSDN Subscription for Azure credit is renewed automatically every month. More info on the MSDN Subscription for Azure can be found here: http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
All right! So now we have a Windows Azure subscription linked to our LCS account and we can provision an instance of Microsoft Dynamics AX 2012 in the Cloud
LCS > Project
LCS > Cloud hosted deployments
By clicking “+” we can select a Deployment topology. For the sake of this demo I’ll select the Demo topology
Deploy environment
Then we’ll give it a name
Deploy environment
Then give it some time, and we will have a brand new Microsoft Dynamics AX 2012 environment deployed in the Cloud
Cloud hosted environments
You can also log in to the Windows Azure portal and review the details there. For example, this is how my newly deployed Microsoft Dynamics AX 2012 VM looks in the Windows Azure portal
Virtual Machines (VMs)
Please note that the DNS name of my machine looks similar to this: ax2012r3-demo-alexanimobile-….cloudapp.net
At this point you can also access this VM through RDP
RDP
Now, in order to enable secure communication with this VM over HTTPS, I’ll also enable the HTTPS endpoint on the VM
Add endpoint – Add a stand-alone endpoint
Add endpoint – HTTPS
Endpoints
Next we’ll create a Windows Azure Service Bus namespace
SB – Create a namespace
Service Bus
At this point nothing will show up in the list of Relays
SB – Relays
Now you can also review the Service Bus connection information, which will be used when configuring the Microsoft Dynamics AX Connector for Mobile Applications
SB – Access connection information
We can make a note of the Default issuer and Default key at this point (treat them as secrets: anyone who has them can connect to the namespace)
As an example in this walkthrough I’ll configure the Expenses App; in fact, on the Demo VM you will have more apps installed, for example the Approvals App, Timesheets App, etc.
Store Apps
Please note that I’ll be using Contoso/Yoichiroo as the App user solely because user Yoichiro Okada has the appropriate security roles assigned to him in the USSI company and there is appropriate demo data, which lets me avoid any additional data setup for the Expenses App. Please also note that I’ll be doing all the configuration work on the Demo VM as Contoso/Administrator
Now we can start working on the most interesting part: the certificate
First I’ll double-check that Active Directory Certificate Services is installed on the Demo VM, which is the case
Active Directory Certificate Services
I will also double-check that Active Directory Federation Services is installed and running on the Demo VM
Active Directory Federation Services
Active Directory Federation Services – Services
Then I’ll add the Certification Authority snap-in for certificate management
Add a Snap-in – Certification Authority
Certification Authority - Contoso
Please note that Contoso Certification Authority is already installed on the Demo VM
Next I’ll double-check that the IIS Web Server role is installed and running on the Demo VM
IIS
IIS Manager
From IIS Manager we can start the creation of a new Self-Signed certificate by clicking “Create Certificate Request”
Request Certificate – Distinguished Name Properties
Request Certificate – Cryptographic Service Provider Properties
Request Certificate – File name
The resulting file will look like this
Certificate request file
Next we’ll navigate to the Certificate Server web enrollment pages installed on the Demo VM at https://localhost/certsrv to complete the certificate request. We’ll start by clicking Request a certificate
Certificate Server URL - Welcome
I’ll continue by clicking Advanced certificate request
Certificate Server URL – Request a certificate
Certificate Server URL – Advanced certificate request
And then “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”
Certificate Server URL – Submit a certificate request or renewal request
Please note that in Saved Request I pasted the contents of the certificate request file mentioned above
After we submit the request it will be assigned an ID and will be in the Pending state
Certificate Server URL – Certificate pending
At this point we will be able to see our pending certificate request in Certification Authority > Pending Requests. Here it is in the screenshot below; in order to approve it I’ll select All Tasks > Issue
Certification Authority - Pending Requests
Now we’ll go back to the Certificate Server URL and click View the status of a pending certificate request
Certificate Server URL - Welcome
in order to retrieve our newly issued Self-Signed certificate
Certificate Server URL - View the status of a pending certificate request
Here it is listed, so I’ll click on it
Web Access Confirmation
Confirm Yes on the Web Access Confirmation screen to see the issued certificate, as shown below
Certificate Server URL – Certificate issued
Now I can download it as a file to the file system
Certificate file
If I double-click this file I can review the details of the newly created Self-Signed certificate
Certificate - General
Please note that it is issued to the machine name (XYZ.cloudapp.net) by the Contoso Certification Authority
Certificate - Details
Certificate – Certification path
Once we have the certificate we can install it for both Local Machine and Current User, into both the Personal and the Trusted Root Certification Authorities certificate stores (to be clear: 4 certificate imports are required)
Important: Because I’m going to use Yoichiro Okada as the App user for the Expenses App, I’ll need to log in as Contoso/Yoichiroo to import the certificate as Current User
Let’s quickly go through this routine procedure
Certificate import – Current user | Personal store
Certificate import was successful
Certificate import – Current user | Trusted Root Certification Authorities store
Certificate import was successful
Now the same thing for the Local Machine account. To import the certificate for the Local Machine account I logged in as Contoso/Administrator
Certificate import – Local machine | Personal store
Certificate import was successful
Certificate import – Local machine | Trusted Root Certification Authorities store
Certificate import was successful
Now we can check the results of the certificate import in the Certificates snap-in
Let’s add 2 Certificates snap-ins: one for My user account and one for Computer account
My user account Certificate Snap-in
Computer account Certificate Snap-in
Computer account Certificate Snap-in – Select computer
Great! We have added the 2 Certificates snap-ins
Let’s see what is listed in the list of certificates
First, for user Contoso/Yoichiroo we’ll see our Self-Signed certificate listed in the Personal and Trusted Root Certification Authorities stores
Certificates – Current user (Personal)
Certificates – Current user (Trusted Root Certification Authorities)
Similarly for the Local machine account
Certificates – Local machine (Personal)
Certificates – Local machine (Trusted Root Certification Authorities)
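As an added example (not code from the original walkthrough), here is the request, issue, retrieve, import and verification procedure above scripted with certreq and certutil. It assumes it runs elevated as Contoso\Administrator on the Demo VM, that the Contoso CA is a standalone CA which holds requests as Pending (as in the walkthrough), that the PKI module providing Import-Certificate is available, and that $caConfig is a placeholder you replace with your CA's "host\name" configuration string.

```powershell
# Added example, not code from the original walkthrough: the request, issue,
# retrieve, import and verification steps scripted with certreq/certutil.
# ASSUMPTIONS: runs elevated as Contoso\Administrator on the Demo VM; the Contoso
# CA is a standalone CA that holds requests as Pending (as in the walkthrough);
# $caConfig is a placeholder; the PKI module (Import-Certificate) is available.
$dnsName  = 'ax2012r3-demo-alexanimobile-XYZ.cloudapp.net'   # replace XYZ with your VM's suffix
$caConfig = 'DEMO-VM\Contoso-CA'                              # placeholder: <CA host>\<CA common name>
$workDir  = Join-Path $env:TEMP 'mobileapps-cert'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath  = Join-Path $workDir 'request.inf'
$reqPath  = Join-Path $workDir 'request.req'
$cerPath  = Join-Path $workDir 'issued.cer'

# 1. Request: the same fields the IIS "Create Certificate Request" wizard collects.
#    MachineKeySet=TRUE creates the private key in the Local Machine key store,
#    which is where IIS and AD FS will look for it.
@"
[NewRequest]
Subject = "CN=$dnsName, O=Contoso, L=Redmond, S=WA, C=US"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@ | Set-Content -Path $infPath
# For an enterprise CA you would also need a template section, e.g.
# [RequestAttributes]
# CertificateTemplate = WebServer
certreq -new $infPath $reqPath | Out-Null

# 2. Submit to the Contoso CA. The request goes to Pending (like the web enrollment
#    page); certreq prints the RequestId, which we parse out for the next steps.
$submitOutput = certreq -submit -config $caConfig $reqPath $cerPath 2>&1 | Out-String
$requestId = [regex]::Match($submitOutput, 'RequestId:\s*(\d+)').Groups[1].Value
if (-not $requestId) { throw "Submit failed:`n$submitOutput" }

# 3. Issue it (the "All Tasks > Issue" step, needs CA manager rights) and retrieve it.
certutil -config $caConfig -resubmit $requestId | Out-Null
certreq -retrieve -config $caConfig $requestId $cerPath | Out-Null

# 4. Accept pairs the issued certificate with the private key from step 1 and puts
#    it in Cert:\LocalMachine\My. The three remaining imports follow the walkthrough
#    (trusting the leaf itself in the Root stores; trusting only the Contoso CA
#    certificate there would be the narrower choice). The CurrentUser imports land
#    in the store of whoever runs this, so repeat them as Contoso\Yoichiroo.
certreq -accept $cerPath | Out-Null
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation $store | Out-Null
}

# 5. Verify: present in all four stores, and the Local Machine copy has a private
#    key (without it the IIS binding and the AD FS certificates cannot be used).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root',
                   'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root') {
    $found = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0,-26} {1}' -f $store, $(if ($found) { 'present' } else { 'MISSING' })
}
$machineCopy = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
"Issued to: $($cert.Subject) by $($cert.Issuer)"
"Private key available in LocalMachine\My: $([bool]$machineCopy.HasPrivateKey)"
```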
The next step is to assign our newly created Self-Signed certificate as the SSL certificate in IIS for the Default Web Site
IIS certificate
After I specify the new certificate I’ll restart IIS for the change to take effect
Next we’ll assign our newly created Self-Signed certificate as the Service communications certificate, Token-decrypting certificate and Token-signing certificate in the ADFS Certificates settings
ADFS Certificates
Select a service communications certificate
ADFS Management - Select certificate
I’ll confirm Yes when prompted
ADFS Management - Select certificate
When assigning our Self-Signed certificate as the Token-decrypting certificate and Token-signing certificate I’ll also make it Primary by confirming Yes when prompted
Set as Primary
As a result I’ll have the following picture
ADFS Certificates
Now that we have assigned the needed certificates in ADFS Certificates, I’ll restart ADFS for the changes to take effect
My next step is the necessary ADFS setup. In this section I’ll start with the Relying Party Trust setup using the Add Relying Party Trust Wizard
Relying Party trust – Add Relying Party Trust Wizard
Add Relying Party Trust Wizard - Welcome
Add Relying Party Trust Wizard – Select Data Source
Here I’ll specify the FederationMetadata.xml file as the federation metadata address
Add Relying Party Trust Wizard – Specify Display Name
Add Relying Party Trust Wizard – Configure Multi-factor Authentication now?
Add Relying Party Trust Wizard – Choose Issuance Authorization Rules
Add Relying Party Trust Wizard – Ready to add trust
Add Relying Party Trust Wizard - Finish
Please note that I left the “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” checkbox marked, which leads me to the next step in the setup
Edit Claims Rules – Issuance Transform Rules
I’ll click Add Rule here, which opens another wizard
Add Transform Claim Rule Wizard – Choose Rule Type
Add Transform Claim Rule Wizard – Choose Claim Rule
Here’s my newly created Claim Rule
Edit Claim Rules – Issuance Transform Rules
Now I can also see the Relying Party Trust configured in ADFS > Trust Relationships > Relying Party Trusts
Relying Party Trusts
While I’m in the ADFS configuration I’ll also change the ADFS properties
ADFS Properties
In particular I want to change the Federation Service Properties
This is how it looked before
And this is how it looks after
Please note that I used the machine name (XYZ.cloudapp.net) in Service names and URLs
ADFS Management
As usual, after making changes to the ADFS setup I’ll restart ADFS
Now let’s set up the Access Control Service (ACS) appropriately by going to the ACS portal
ACS
Here I’ll start by adding a new Identity Provider (Add)
ACS – Identity Providers
ACS – Add Identity Provider
In the next step I’ll need to provide the Federation Metadata URL in this form: https://ax2012r3-demo-alexanimobile-XYZ.cloudapp.net/federationmetadata/2007-06/federationmetadata.xml
So let’s try to open this URL in the web browser
IE – Federation Metadata URL
Please note that if I try to open this URL from outside the Demo VM, for example from IE on my laptop, I’ll see an Untrusted Certificate warning, which is expected: the laptop does not trust the Contoso CA that issued the certificate
Untrusted Certificate
Untrusted Certificate – Certificate - General
Untrusted Certificate – Certificate - Details
Untrusted Certificate – Certificate – Certification Path
But if I try to open this URL from within the Azure Demo VM the website identification passes, which is also expected, since we imported the certificate into the VM’s trusted stores
Website identification
Website identification – Certificate - General
Website identification – Certificate - Details
Website identification – Certificate – Certification Path
The final piece of certificate-related setup is to grant the AD FS service account access to the certificate’s private key. For this purpose I’ll go to the Certificates snap-in, find my certificate and click All Tasks > Manage Private Keys
Certificate – All Tasks – Manage Private Keys
Next we find “nt service\adfssrv” in the list (From this location: AX2012R2A) and modify the permissions as shown below
Permissions
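The same private-key permission change scripted, as an added example that is not part of the original walkthrough. It assumes the certificate sits in Cert:\LocalMachine\My with a legacy CSP key (which is what the IIS request wizard creates), that the script runs elevated, and that only Read is needed because the service uses the key but never modifies it.

```powershell
# Added example: scripted equivalent of "All Tasks > Manage Private Keys" for the
# AD FS service account. ASSUMPTIONS: runs elevated; the certificate is in
# Cert:\LocalMachine\My with a CSP (legacy provider) private key, so $cert.PrivateKey
# is populated; the AD FS service is installed, so NT SERVICE\adfssrv resolves.
$dnsName = 'ax2012r3-demo-alexanimobile-XYZ.cloudapp.net'   # replace XYZ with your VM's suffix
$account = 'NT SERVICE\adfssrv'

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$dnsName*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $dnsName in LocalMachine\My" }

# Locate the key container file: CSP machine keys are stored under MachineKeys in a
# file named after the container's unique name.
$containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $containerName) { throw 'Not a CSP key; grant the permission via the snap-in instead' }
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $containerName
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Grant Read only: the service needs to use the key, not change or delete it.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify what the service account now has on the key file.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -like '*adfssrv*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

After this, restart AD FS as the walkthrough does elsewhere so the service picks up the key with its new permissions.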
Back to the ACS setup now. We left it at the point where we wanted to add the Federation Metadata URL in the definition of the new Identity Provider. When doing this you may see the “Unable to download a WS-Federation metadata document from the specified URL” message
ACS – Add WS-Federation Identity Provider
To upload the WS-Federation metadata I used the File option instead of URL: I downloaded/saved the FederationMetadata.xml file in the web browser from within the Azure Demo VM, where this URL can be resolved
Downloads
And then simply uploaded the file as the WS-Federation metadata
ACS – Add WS-Federation Identity Provider
Now that the Identity Provider has been created we’ll need to take care of Rule Groups
ACS – Identity Providers
ACS – Rule Groups
As prescribed in the documentation I’ll delete the last 2 rules
ACS – Edit Rule Group
ACS – Delete Claim Rules
And add 1 of my own
ACS – Add Claim Rule
Then I’ll also change the hosts file on the Demo VM to map the machine’s IP address to its name (XYZ.cloudapp.net)
Hosts file
After all this setup it is time to configure the Microsoft Dynamics AX Connector for Mobile Apps, which is already installed on the Demo VM
This is how the Connector for Mobile Apps looks before configuration (Stopped state)
And this is how the Connector for Mobile Apps looks after configuration (Started state)
Connector for Mobile Apps – Azure service namespace
When you start the Connector for Mobile Apps in the UI, the corresponding Windows service is started
Windows Service – Microsoft Dynamics AX Connector for Mobile Apps
You can also see the corresponding events logged in Event Viewer
Event Viewer – Relay is now online
Event Viewer – host is now open
Now it is time to look at the list of Relays for the Service Bus in the Windows Azure portal
SB Relays
As you can see, after we started the Microsoft Dynamics AX Connector for Mobile Apps a bunch of active relays immediately popped up. This all looks great! We are on air now!
Let’s get to the Expenses App now. Please note that when you launch the Expenses App for the first time you can choose between Demo mode and Connected mode of operation. In our case we are interested in Connected mode. Please also note that you can switch between Demo mode and Connected mode in the App settings
Expense App
Then we’ll provide the log-in information for user Yoichiro Okada (contoso\yoichiroo)
Log in
Signing in to Microsoft Dynamics AX
Once signed in you can verify the sign-in information in the App settings
Account
And, of course, what we were looking for: real data displayed in the App
Expense App
Expense App
Now that real data from the USSI company is displayed for user Yoichiro Okada, you can start interacting with the App by looking at existing data or adding new data as needed
Okay! This is all great! We have everything working properly!
But now let’s discuss what can go wrong during your configuration. First of all I’ll mention that you can use Fiddler to troubleshoot your authentication and connection problems. You can download Fiddler from here: http://www.telerik.com/fiddler
Now let’s discuss what you may run into when working with the Demo VM
Issue #1: “The token provider was unable to provide a security token while accessing ‘https://xyz-sb.accesscontrol.windows.net/WRAPv0.9/’. Token provider returned message: ‘Unable to connect to remote server’. Unable to connect to the remote server. No connection could be made because the target machine actively refused it 127.0.0.1:abc” message when you try to start the Microsoft Dynamics AX Connector for Mobile Apps,
which may also be accompanied by the following messages in Event Viewer
Fault bucket , type 0
Event Name: WWAJSE
Response: Not available
Cab Id: 0
Problem signature:
P1: Microsoft.DynamicsAX2012Expenses_1.3.0.115_x64__8wekyb3d8bbwe
P2: App
P3: b994
P4: 0
P5: ms-appx://microsoft.dynamicsax2012expenses/js/lib/jquery-1.9.0.js
P6: 492_3
P7:
P8:
P9:
P10:
Attached files:
ErrorInfo.15460.11896.txt
C:\Program Files\WindowsApps\Microsoft.DynamicsAX2012Expenses_1.3.0.115_x64__8wekyb3d8bbwe\AppXManifest.xml
These files may be available here:
Analysis symbol:
Rechecking for solution: 0
Report Id: ad9cf06e-fb8a-11e3-80f0-00155de0bb53
Report Status: 262144
Hashed bucket:
Solution #1: The reason may be as simple as an invalid proxy server setup, and the solution is to clear the “Use proxy server for your LAN” checkbox in the LAN settings in IE
LAN Settings - “Use proxy server for your LAN”
You can also easily confirm this problem by opening IE and trying to navigate to any web page
The proxy server isn’t responding
Issue #2: “There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.” message in the ADFS event log
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint 0.0.0.0:808. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations. ---> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at System.ServiceModel.Channels.SocketConnectionListener.Listen()
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SocketConnectionListener.Listen()
at System.ServiceModel.Channels.ConnectionAcceptor.StartAccepting()
at System.ServiceModel.Channels.ExclusiveTcpTransportManager.OnOpen()
at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
at System.ServiceModel.Channels.TcpChannelListener`2.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)
As a result the following URL will return Service Unavailable: https://ax2012r3-demo-alexanimobile-xyz.cloudapp.net/adfs/services/trust/13/usernamemixed
Service Unavailable
Solution #2: The reason the ADFS service won’t start is that its designated port is already occupied by another application/service. To resolve this problem you can use the Set-ADFSProperties cmdlet to reassign the port
…
Set-ADFSProperties -nettcpport 1160
…
PowerShell
Depending on your particular settings (for example, if you changed the port to one which is also already occupied) you may see the following error
Issue #2.1: “The Federation Service configuration could not be loaded correctly from the AD FS configuration database” error message
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.
Additional Data
Error:
There is already a listener on IP endpoint 0.0.0.0:809. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations.
Then you may end up with an AD FS service which won’t start again; what is even worse is that the AD FS service will be in a faulted state, not allowing you to do anything with it. In this case reinstalling AD FS may seem to be the only option, but in fact you can resolve this problem without reinstalling ADFS.
Solution #2.1: For this you will need to figure out which application/service occupies the port by using the netstat command
…
netstat -a -n -o | findstr :abc
…
Command prompt
And then, knowing that the process with ID 123 (in my case 2192) occupies this port, I can kill this process to release the port by using the taskkill command
…
taskkill /pid 123 /f
…
Command prompt
Issue #2.2: This is another variation of the same problem which you may run into when configuring AD FS on the Demo VM: “There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service”
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: HTTP could not register URL https://+:49443/adfs/services/trust/2005/certificatetransport/ because TCP port 49443 is being used by another application. ---> System.Net.HttpListenerException: The process cannot access the file because it is being used by another process
at System.Net.HttpListener.AddAllPrefixes()
at System.Net.HttpListener.Start()
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)
Solution #2.2: In this particular case Visual Studio had occupied the port, so I had to stop Visual Studio, then start AD FS, and then I could launch Visual Studio again (on a different port)
As a result you will be able to successfully resolve the following URL: https://ax2012r3-demo-alexanimobile-xyz.cloudapp.net/adfs/services/trust/13/usernamemixed
Now instead of Service Unavailable you will see the following (which is the expected result)
The webpage cannot be found
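As an added example covering Solutions #2, #2.1 and #2.2 together (not code from the original post): before reassigning a port with Set-ADFSProperties or killing a process, check which process owns each port AD FS needs, by parsing the same netstat -a -n -o output the post uses. It assumes the AD FS PowerShell cmdlets are available on the Demo VM for reading the configured ports; otherwise it falls back to the default values seen in the errors above (808, 443, 49443), and the property names NetTcpPort, HttpsPort and TlsClientPort are assumed to match your AD FS version.

```powershell
# Added example: which process is listening on the ports AD FS needs?
# ASSUMPTIONS: Get-AdfsProperties exposes NetTcpPort/HttpsPort/TlsClientPort on
# this AD FS version; if the cmdlet is missing, the fallback defaults are used.

function Get-ListenerOnPort {
    # Parses "netstat -a -n -o" (the command the post uses) and returns the owning
    # process of a TCP port in LISTENING state, or $null if the port is free.
    param([Parameter(Mandatory)][int]$Port)
    $lines = netstat -a -n -o | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($line in $lines) {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -lt 5 -or $cols[3] -ne 'LISTENING') { continue }
        if ($cols[1] -match ":$Port$") {
            $ownerPid = [int]$cols[4]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            return [pscustomobject]@{
                Port         = $Port
                LocalAddress = $cols[1]
                PID          = $ownerPid
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        }
    }
    return $null
}

# Ports AD FS binds, keyed by the Set-AdfsProperties parameter that changes them.
$adfsPorts = @{ NetTcpPort = 808; HttpsPort = 443; TlsClientPort = 49443 }
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    $props = Get-AdfsProperties
    foreach ($name in @($adfsPorts.Keys)) {
        if ($props.PSObject.Properties[$name]) { $adfsPorts[$name] = [int]$props.$name }
    }
}

# PID of the AD FS service itself (0 when it is not running), so its own
# listeners are not reported as conflicts.
$adfsPid = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").ProcessId

foreach ($entry in $adfsPorts.GetEnumerator()) {
    $owner = Get-ListenerOnPort -Port $entry.Value
    if (-not $owner) {
        '{0,-14} {1,6}: free' -f $entry.Key, $entry.Value
    } elseif ($adfsPid -and $owner.PID -eq $adfsPid) {
        '{0,-14} {1,6}: held by AD FS itself (PID {2})' -f $entry.Key, $entry.Value, $owner.PID
    } else {
        # Conflict: either stop that process (after confirming what it is) or move
        # AD FS to a port this script reports as free, e.g. Set-AdfsProperties -NetTcpPort 1160
        '{0,-14} {1,6}: IN USE by {2} (PID {3}); stop it or run Set-AdfsProperties -{0} <free port>' -f `
            $entry.Key, $entry.Value, $owner.ProcessName, $owner.PID
    }
}
```

Running this before Set-ADFSProperties avoids the Issue #2.1 trap of moving AD FS onto a port (809 above) that is itself already taken.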
Fiddler can be used to effectively and efficiently troubleshoot authentication and connection problems with Mobile Apps, and it also lets you see what is happening under the hood (the contents of protocol messages) if you enable capture of HTTPS traffic (note that this installs Fiddler’s own root certificate into the trusted root store, so remove it when you are done troubleshooting)
My final comment is about the Win8 Config settings in Fiddler
Issue #3: If you installed Fiddler for troubleshooting and then try to log in to a Mobile App, and after an unsuccessful login (and an invitation to log in again) nothing else really happens, then you may want to review the Win8 Config settings
Solution #3: The thing is that, for security and reliability reasons, Windows 8 blocks apps from sending network traffic to the local computer, so a Store app cannot reach Fiddler’s proxy on localhost. The AppContainer Loopback Exemption Utility removes this restriction for debugging purposes
AppContainer Loopback Exemption Utility
In the list you will need to find your app and add an exemption rule by marking its checkbox, or you can exempt all Mobile Apps by pressing the “Exempt All” button
AppContainer Loopback Exemption Utility
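The same loopback exemption from the command line, as an added example that is not part of the original post, using the CheckNetIsolation tool that Fiddler's dialog drives. It takes the package name from the fault-bucket entry quoted under Issue #1 and assumes the other AX Mobile Apps share the Microsoft.DynamicsAX2012 name prefix; it runs as the user who has the apps installed.

```powershell
# Added example: AppContainer loopback exemption via CheckNetIsolation instead of
# Fiddler's Win8 Config dialog. ASSUMPTION: all AX apps are named
# Microsoft.DynamicsAX2012* (the Expenses package name appears under Issue #1).
function Get-MobileAppFamilyName {
    param([string]$NamePattern = 'Microsoft.DynamicsAX2012*')
    # PackageFamilyName is the identifier CheckNetIsolation expects (-n=...)
    Get-AppxPackage -Name $NamePattern | Select-Object -ExpandProperty PackageFamilyName
}

function Set-LoopbackExemption {
    param([Parameter(Mandatory)][string]$FamilyName, [switch]$Remove)
    $action = if ($Remove) { '-d' } else { '-a' }   # -a add, -d delete
    CheckNetIsolation.exe LoopbackExempt $action "-n=$FamilyName"
}

# Show the current exemptions, exempt only the AX apps (narrower than "Exempt All"),
# then show the list again to confirm.
CheckNetIsolation.exe LoopbackExempt -s
foreach ($fam in Get-MobileAppFamilyName) { Set-LoopbackExemption -FamilyName $fam }
CheckNetIsolation.exe LoopbackExempt -s

# When debugging is finished, remove the exemptions so the apps can no longer talk
# to local listeners (including Fiddler's proxy):
# foreach ($fam in Get-MobileAppFamilyName) { Set-LoopbackExemption -FamilyName $fam -Remove }
```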
Summary: This document describes how to configure Microsoft Dynamics AX 2012 Mobile Apps using a Self-Signed certificate for POC, demonstration or development/testing purposes without obtaining a real SSL certificate from a certification authority.
Tags: Microsoft Dynamics AX 2012, Microsoft Cloud, Windows Azure, Service Bus, Relay, Expenses, Approvals, Timesheets, Mobile Apps, Fiddler, Self-Signed Certificate, SSL.
Note: This document is intended for information purposes only, presented as it is with no warranties from the author. This document may be updated with more content to better outline the issues and describe the solutions.
Author: Alex Anikiev, PhD, MCP