Monday, November 24, 2014

Microsoft Dynamics AX 2012 Configure Mobile Apps Using Self-Signed Certificate

Microsoft Dynamics AX 2012 Configure Mobile Apps Using Self-Signed Certificate
 
Purpose: The purpose of this document is to illustrate how to configure Microsoft Dynamics AX 2012 Mobile Apps using Self-Signed certificate.
 
Challenge: Microsoft Dynamics AX 2012 Mobile Apps built by Microsoft and partners enable a variety of scenarios on various devices. The recommended architecture includes using Windows Azure Service Bus to relay messages between devices and Microsoft Dynamics AX 2012 for secure communication. Typically an appropriate SSL certificate is issued for the name of the machine where Microsoft Dynamics AX 2012 is installed and this SSL certificate can be obtained from one of certification authorities. However for the purposes of POC, demonstration or development/testing you may want to use a Self-Signed certificate which you can issued by yourself at no cost as opposed to a real SSL certificate issued by certification authority.               
 
Solution: Microsoft Dynamics AX 2012 instance can be quickly provisioned in the Cloud using Microsoft Dynamics AX Lifecycle Services. In order to issue Self-Signed certificate for Mobile Apps we can use Contoso Certification authority installed directly on Microsoft Dynamics AX 2012 Demo VM. Then we can use this Self-Signed certificate to connect Mobile Apps to Microsoft Dynamics AX 2012 instance on Demo VM. Please find more info about how to easily set up Azure Demo environment for Mobile Apps here: http://blogs.msdn.com/b/axcompapp/archive/2014/09/04/easily-set-up-and-azure-demo-environment-for-mobile-apps.aspx
 
Walkthrough
 
We’ll start with provisioning Microsoft Dynamics AX 2012 instance in the Cloud using Microsoft Dynamics AX Lifecycle Services. Please learn more about Microsoft Dynamics AX Lifecycle Services here: http://technet.microsoft.com/en-us/library/dn268616.aspx
 
Please note that before you can provision Microsoft Dynamics AX 2012 instance in the Cloud using Microsoft Dynamics AX Lifecycle Services you will have to link your Windows Azure Subscription to LCS account in Microsoft Azure Settings (please refer to the link above for more details)
 
For those of you who has MSDN subscription but not yet using Microsoft Cloud I’d encourage you to leverage MSDN Windows Azure credit to check out all awesome things Microsoft Cloud has to offer. In order to activate your MSDN Windows Azure account please visit: http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
 
Here is how one can activate MSDN Subscription for Azure at http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
 
Azure benefits for MSDN subscribers
 
 
Please press ACTIVATE button and follow the steps
 
 
Please note that no Credit card info is required because the credit is included as a part of your MSDN Subscription
 
 
As the result you MSDN Windows Azure subscription will be activated
 
 
After you MSDN Windows Azure subscription is activated you can leverage your credit
 
 
Please complete these steps to set up your MSDN Subscription for Azure using your Microsoft account (former Live ID)
 
You can also leverage Windows Azure Free Trial (http://azure.microsoft.com/en-us/pricing/free-trial/), in fact as opposed to free trial which expires when credit is used or in a month your MSDN Subscription for Azure credit will be renewed every month automatically. More info on MSDN Subscription for Azure can be found here: http://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
 
All right! So now we should have Windows Azure subscription which is linked to our LCS account and we can provision an instance of Microsoft Dynamics AX 2012 in the Cloud

LCS > Project
 
 
LCS > Cloud hosted deployments
 
 
By clicking “+” we can select Deployment topology. For the sake of this demo I’ll select Demo topology
 
Deploy environment
 
 
Then we’ll give it a name
 
Deploy environment
 
 
And give it some time before we will have a brand new Microsoft Dynamics AX 2012 environment deployed in the Cloud
 
Cloud hosted environments
 
 
You can also log in into Windows Azure portal and review the details there. For example, this is how my newly deployed Microsoft Dynamics AX 2012 VM looks like in Windows Azure portal
 
Virtual Machines (VMs)
 
 
Please note that DNS name of my machine will look similar to this: ax2012r3-demo-alexanimobile-….cloudapp.net
 
At this point you can also access this VM through RDP
 
RDP
 
 
Now in order to enable a secure communication with this VM over HTTPS protocol I’ll also enable HTTPS port on the VM
 
Add endpoint – Add a stand-alone endpoint
 
 
Add endpoint – HTTPS
 
 
Endpoints
 
 
Next we’ll create Windows Azure Service Bus
 
SB – Create a namespace
 
 
Service Bus
 
 
At this point nothing will show up in the list of Relays
 
SB – Relays
 
 
Now you can also review Service Bus Connection Information which will be used when configuring Microsoft Dynamics AX Connector for Mobile Applications
 
SB – Access connection information
 
 
We can make a note of Default issuer and Default key at this point
 
As an example in this walkthrough I’ll configure Expenses App, in fact on the Demo VM you will have more apps installed. For example, Approvals App, Timesheets App, etc.
 
Store Apps
 
 
Please note that I’ll be using Contoso/Yoichiroo as App user solely because User Yoichiro Okada has appropriate security roles assigned to him in USSI company and there’s appropriate demo data for me to avoid any additional data setup in relation to Expenses App. Please also note that all the configuration work on the Demo VM I’ll be doing as Contoso/Administrator
 
Now we can start working on the most interesting part - Certificate
 
First I’ll double check that Active Directory Certificate Services are installed on the Demo VM which is the case
 
Active Directory Certificate Services
 
 
Also I will double check that Active Directory Federation Services are installed and running on the Demo VM
 
Active Directory Federation Services
 
 
Active Directory Federation Services – Services
 
 
Then I’ll Add Snap-in for Certification Authority for certificates management
 
Add a Snap-in – Certification Authority
 
 
Certification Authority - Contoso
 
 
Please note that Contoso Certification Authority is already installed on the Demo VM
Next I’ll double check that IIS Web Server Role is installed and running on the Demo VM
 
IIS
 
 
IIS Manager
 
 
From IIS Manager we can start the process of a new Self-Signed Certificate creation by clicking on “Create Certificate Request”
 
Request Certificate – Distinguished Name Properties 
 
 
Request Certificate – Cryptographic Service Provider Properties
 
 
Request Certificate – File name
 
 
The resulting file will look like this
 
Certificate request file
 
 
Next we’ll navigate to Certificate Server installed on the Demo VM at https://localhost/certsrv to complete Certificate request. We’ll start with clicking at Request a certificate
 
Certificate Server URL - Welcome
 
 
I’ll continue by clicking at Advanced certificate request
 
Certificate Server URL – Request a certificate
 
 
Certificate Server URL – Advanced certificate request
 
 
And then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
 
Certificate Server URL – Submit a certificate request or renewal request
 
 
Please note that in Saved Request I provided the contents of Certificate Request file mentioned above
 
After we Submit the request it will be assigned ID and will be in Pending state
 
Certificate Server URL – Certificate pending 
 
 
At this point we will be able to see our Pending Certificate Request in Certification Authority > Pending Requests. Here it is on the screenshot below and in order to approve it I’ll select All Tasks > Issue
 
Certification Authority - Pending Requests   
 
 
Now we will come back to Certificate Server URL and click View the status of a pending certificate request
 
Certificate Server URL - Welcome
 
 
in order to retrieve our newly created Self-Signed Certificate
 
Certificate Server URL - View the status of a pending certificate request
 
 
Here it is listed above so I will click on it
 
Web Access Confirmation
 
 
Confirm Yes on the Web Access Confirmation screen to see issued certificate as shown below
 
Certificate Server URL – Certificate issued
 
 
Now I can download it as a file in the file system
 
Certificate file
 
 
If I double click on this file now I can review the details on a newly created Self-Signed certificate
 
Certificate - General
 
 
Please note that it is issued to the machine name (XYZ.cloudapp.net) by Contoso Certification Authority
 
Certificate - Details
 
 
Certificate – Certification path
 
 
After we got the certificate we can install it for both Local Machine and Current User into both Personal and Trusted Root Certification Authorities certificate stores (just be clear: 4 certificate imports will be required)
 
Important: Because I’m gonna use Yoichiro Okada as App user for Expenses App thus I’ll need to login as Contoso/Yoichiroo to import certificate as Current User
 
Let’s quickly go through this routine procedure
 
Certificate import – Current user | Personal store
 
 
Certificate import – Current user | Personal store
 
 
Certificate import – Current user | Personal store
 
 
Certificate import was successful
 
 
Certificate import – Current user | Trusted Root Certification Authorities store
 
 
Certificate import – Current user | Trusted Root Certification Authorities store
 
 
Certificate import – Current user | Trusted Root Certification Authorities store
 
 
Certificate import was successful
 
 
Now the same thing but for Local Machine account. In order to do certificate import for Local Machine account I logged in as Contoso/Administrator
 
Certificate import – Local machine | Personal store
 
 
Certificate import – Local machine | Personal store
 
 
Certificate import – Local machine | Personal store
 
 
Certificate import was successful
 
 
Certificate import – Local machine | Trusted Root Certification Authorities store
 
 
Certificate import – Local machine | Trusted Root Certification Authorities store
 
 
Certificate import – Local machine | Trusted Root Certification Authorities store
 
 
Certificate import was successful
 
 
Now we can check the results of certificate import in Certificate Snap-in
 
Let’s add 2 Certificate Snap-ins for My user account and Computer account
 
My user account Certificate Snap-in
 
 
Computer account Certificate Snap-in
 
 
Computer account Certificate Snap-in – Select computer
 
 
Great! We added 2 Certificate Snap-ins now
 
 
Let’s see what is listed in the list of certificates
 
First for User Contoso/Yoichiroo we’ll see our Self-Signed certificate listed in Personal and Trusted Root Certification Authorities stores
 
Certificates – Current user (Personal)
 
 
Certificates – Current user (Trusted Root Certification Authorities)
 
 
Similarly for Local machine account
 
Certificates – Local machine (Personal)
 
 
Certificates – Local machine (Trusted Root Certification Authorities)
 
 
Next step will be to assign our newly created Self-Signed certificate as SSL certificate in IIS for Default Web site
 
IIS certificate
 
 
After I specified a new certificate I’ll restart IIS for changes to come into effect
Next we’ll assign our newly created Self-Signed certificate as Service communications certificate, Token-decrypting certificate and Token-signing certificate in ADFS Certificates settings 
 
ADFS Certificates
 
 
Select a service communications certificate
 
 
ADFS Management - Select certificate
 
 
I’ll confirm Yes when prompted
 
ADFS Management - Select certificate
 
 
When assigning our Self-Signed certificate as Token-decrypting certificate and Toke-signing certificate I’ll also make it Primary by confirming Yes when prompted
 
Set as Primary
 
 
As the result I’ll have the following picture
 
ADFS Certificates
 
 
Now after we assigned needed certificate in ADFS Certificates I’ll restart ADFS for changes to come into effect
 
My next step will be to do a necessary ADFS setup. In this section I’ll start with Relying Party trust setup using Add Relying Party Trust Wizard
 
Relying Party trust – Add Relying Party Trust Wizard
 
 
Add Relying Party Trust Wizard - Welcome
 
 
Add Relying Party Trust Wizard – Select Data Source
 
 
Here I’ll specify FederationMetadata.xml file in federation metadata address
 
Add Relying Party Trust Wizard – Specify Display Name
 
 
Add Relying Party Trust Wizard – Configure Multi-factor Authentication now?
 
 
Add Relying Party Trust Wizard – Choose Issuance Authorization Rules
 
 
Add Relying Party Trust Wizard – Ready to add trust
 
 
Add Relying Party Trust Wizard - Finish
 
 
Please note that I left Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox marked which leads me to the next step in the setup
 
Edit Claims Rules – Issuance Transform Rules
 
 
I’ll go ahead and click Add Rule here which will open another wizard
 
Add Transform Claim Rule Wizard – Choose Rule Type
 
 
Add Transform Claim Rule Wizard – Choose Claim Rule
 
 
Here’s my new Claim Rule created
 
Edit Claim Rules – Issuance Transform Rules
 
 
Now I can also see Relying Party Trust configured in ADFS > Trust Relationships > Relaying Party Trusts
 
Relying Party Trusts
 
 
While I’m in ADFS Configuration I’ll also change ADFS properties
 
ADFS Properties
 
 
In particular I wanna change Federation Service Properties
 
This is how it looked like Before
 
 
And this is how it looked like After
 
 
Please note that I used machine name (XYZ.cloudapp.net) in Service names and URLs
 
ADFS Management
 
 
As usually after I’ve done some changes to ADFS setup I’ll restart ADFS
 
Now let’s setup Access Control Service (ACS) appropriately by going to ACS Portal
 
ACS
 
 
Here I’ll start with adding a new Identity Provider (Add)
 
ACS – Identity Providers
 
 
ACS – Add Identity Provider
 
 
On the next step I’ll need to provide Federation Metadata URL in the form like this: https://ax2012r3-demo-alexanimobile-XYZ.cloudapp.net/federationmetadata/2007-06/federationmetadata.xml
 
So let’s try to open this URL in the Web Browser
 
IE – Federation Metadata URL
 
 
Please note that if I try to open this URL from outside of Demo VM, for example, from my IE on the laptop I’ll see Untrusted Certificate warning which is logical
 
Untrusted Certificate
 
 
Untrusted Certificate – Certificate - General
 
 
Untrusted Certificate – Certificate - Details
 
 
Untrusted Certificate – Certificate – Certification Path
 
 
But if I try to open this URL from within Azure Demo VM Website identification will pass okay which is also logical
 
Website identification
 
 
Website identification – Certificate - General
 
 
Website identification – Certificate - Details
 
 
Website identification – Certificate – Certification Path
 
 
The final piece of setup related to the certificate needed will be to grant access to users to manage private keys. For this purpose I’ll go to Certificates Snap-in, find my certificate and click All Tasks > Manage Private Keys
 
Certificate – All Tasks – Manage Private Keys 
 
 
Next we find “nt service\adfssrv” in the list from location: AX2012R2A and modify permissions as shown below
 
Permissions
 
 
Back to ACS setup now. We left it at the point when we wanted to add Federation Metadata URL link in the definition of a new Identity Provider. When doing this you may see “Unable to download a WS-Federation metadata document from the specified URL” message
 
ACS – Add WS-Federation Identity Provider
 
 
In order to upload WS-Federation metadata I used File option instead of URL. I downloaded/saved FederationMetadata.xml file from within Azure Demo VM in the Web Browser where this URL can be resolved
 
Downloads
 
 
And then simply uploaded a file as WS-Federation metadata
 
ACS – Add WS-Federation Identity Provider
 
 
Now as Identity Provider has been created we’ll need to take care of Rule Groups
 
ACS – Identity Providers
 
 
ACS – Rule Groups
 
 
As prescribed in the documentation I’ll delete last 2 rules
 
ACS – Edit Rule Group
 
 
ACS – Delete Claim Rules
 
 
And add 1 on my own
 
ACS – Add Claim Rule
 
 
ACS – Add Claim Rule
 
 
ACS – Add Claim Rule
 
 
Then I’ll also change hosts file on the Demo VM in order to translate machines IP Address into a name (XYZ.cloudapp.net)
 
Hosts file
 
 
After all this setup it is time to configure Microsoft Dynamics AX Connector for Mobile Apps which is already installed on the Demo VM
 
This is how Connector for Mobile Apps looks before configuration (Stopped state)
 
 
And this is how Connector for Mobile Apps looks after configuration (Started state)
 
Connector for Mobile Apps – Azure service namespace
 
 
When you start Connector for Mobile Apps in the UI appropriate Windows Service is started
 
Windows Service – Microsoft Dynamics AX Connector for Mobile Apps
 
 
You can also see appropriate events logged in Event Viewer
 
Event Viewer – Relay is now online
 
 
Event Viewer – host is now open
 
 
Event Viewer – Relay is now online
 
 
Event Viewer – host is now open
 
 
Now it is time to look at the list of Relays for the Service Bus in Windows Azure portal
 
SB Relays
 
 
As you can see after we started Microsoft Dynamics AX Connector for Mobile Apps bunch of active relays immediately popped up. This all looks great! We are on air now!
 
Let’s get to the Expense App now. Please note that when you first time launch Expenses App you can choose from Demo mode and Connected mode of operation. In our case we are interested in Connected mode. Please also note that you can switch between Demo mode and Connected mode using Apps settings
 
Expense App
 
 
Then we’ll provide a log in information using User Yoichiro Okada (contoso\yoichiroo)
 
Log in
 
 
Signing in to Microsoft Dynamics AX
 
 
Once signed in you can verify sign in information in Apps settings
 
Account
 
 
And, of course, what we were looking for was a real data displayed in the App
 
Expense App
 
 
Expense App
 
 
Now as real data from USSI company is displayed for User Yoichiro Okada you can start interacting with the App by looking at existing data or adding new data as needed
 
Okay! This is all great! We got everything working properly!
 
But now let’s discuss what can go wrong during your configuration. First of all I’ll mention that you can use fiddler for troubleshooting your authentication and connection problems. You can download Fiddler from here: http://www.telerik.com/fiddler
 
Now let’s discuss what you may face with when working with Demo VM
 
Issue #1: “The token provider was unable to provide a security token while accessing ‘https://xyz-sb.accesscontrol.windows.net/WRAPv0.9/’. Token provider returned message: ‘Unable to connect to remote server’. Unable to connect to the remote server No connection could be made because the target machine actively refused it 127.0.0.1:abc” message when you try to start Microsoft Dynamics AX Connector for Mobile Apps
 
 
which may also be accompanied with the messages in Event Viewer
 
 
Fault bucket , type 0
Event Name: WWAJSE
Response: Not available
Cab Id: 0
 
Problem signature:
P1: Microsoft.DynamicsAX2012Expenses_1.3.0.115_x64__8wekyb3d8bbwe
P2: App
P3: b994
P4: 0
P5: ms-appx://microsoft.dynamicsax2012expenses/js/lib/jquery-1.9.0.js
P6: 492_3
P7:
P8:
P9:
P10:
 
Attached files:
ErrorInfo.15460.11896.txt
C:\Program Files\WindowsApps\Microsoft.DynamicsAX2012Expenses_1.3.0.115_x64__8wekyb3d8bbwe\AppXManifest.xml
 
These files may be available here:
 
 
Analysis symbol:
Rechecking for solution: 0
Report Id: ad9cf06e-fb8a-11e3-80f0-00155de0bb53
Report Status: 262144
Hashed bucket:
 
Solution #1: The reason may be as easy as that you just have an invalid proxy server setup and the solution will be to unmark “Use proxy server for your LAN” checkbox in your LAN settings in IE
 
LAN Settings - “Use proxy server for your LAN”
 
 
You can also easily validate this problem by opening IE and trying to navigate to any web page
 
The proxy server isn’t responding
 
 
Issue #2: “There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.” message in ADFS events log 
 
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
 
Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint 0.0.0.0:808. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations. ---> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at System.ServiceModel.Channels.SocketConnectionListener.Listen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SocketConnectionListener.Listen()
   at System.ServiceModel.Channels.ConnectionAcceptor.StartAccepting()
   at System.ServiceModel.Channels.ExclusiveTcpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.TcpChannelListener`2.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)
 
As the result the following URL will return Service Unavailable: https://ax2012r3-demo-alexanimobile-xyz.cloudapp.net/adfs/services/trust/13/usernamemixed
 
Service Unavailable
 
 
 
Solution #2: The reason ADFS Service won’t start is because a designated port may already be occupied by another application/service. In order to resolve this problem you can use Ser-ADFSProperties command to reassign a port
Set-ADFSProperties –nettcpport 1160
 
PowerShell
 
 
Depending on particular settings (for example, you changed the port to one which is also already occupied) you may see the following error
 
Issue #2.1: “The Federation Service configuration could not be loaded correctly from the AD FS configuration database” error message
 
 
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.
 
Additional Data
Error: 
There is already a listener on IP endpoint 0.0.0.0:809. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations.
 
Then you may end up AD FS Service which won’t start again, what is even worse is that AD FS Service will be in faulted state not allowing you to do anything with it. In this case reinstalling AD FS may be seen as the only option, in fact you can resolve this problem even without reinstalling ADFS.
 
Solution #2.1: For this you will need to figure out who (which application/services) occupies this port by using netstat command
netstat –a –n –o | findstr :abc
 
Command prompt
 
 
And then knowing that Process with ID 123 (in my case 2192) occupies this port I can kill this process to release the port by using taskkill command
taskkill /pid 123 /f
..
 
Command prompt
 
 
Issue #2.2: For example, this is another variation of the same problem which you may face with when configuring AD FS on the Demo VM: “There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service”
 
 
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
 
Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: HTTP could not register URL https://+:49443/adfs/services/trust/2005/certificatetransport/ because TCP port 49443 is being used by another application. ---> System.Net.HttpListenerException: The process cannot access the file because it is being used by another process
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)
 
Solution #2.2: In this particular case Visual Studio occupied the port, so I had to stop Visual Studio, then start AD FS and then I could launch Visual Studio (on the different port)
As the result you will be able to successfully resolve the following URL: https://ax2012r3-demo-alexanimobile-xyz.cloudapp.net/adfs/services/trust/13/usernamemixed
 
Now instead of showing Service Unavailable you will see the following (which is the expected result)
 
The webpage cannot be found
 
 
Fiddler can be used to effectively and efficiently troubleshoot authentication and connection problems with Mobile Apps and also allows you to see what is happening under the hood (contents of protocol messages) if you enable Capture of HTTPS traffic
My final comment will be about Win 8 Config settings in Fiddler
 
Issue #3: In case you installed Fiddle for troubleshooting and then you are trying to Log in into a Mobile App and upon not successful login (and invitation to log in again) nothing else really happens then you may want to review Win 8 Config settings
 
Solution #3: The thing is that for security and reliability reasons, Windows 8 blocks apps from sending network traffic to the local computer. AppContainer Loopback Exemption Utility enables removal of this restriction for debugging purposes
 
AppContainer Loopback Exemption Utility
 
 
In the list you will need to find your app and add an exemption rule by marking a checkbox, or you can exempt all Mobile Apps by pressing “Exempt All” button
 
AppContainer Loopback Exemption Utility
 
 
Summary: This document describes how to configure Microsoft Dynamics AX 2012 Mobile Apps using Self-Signed certificate for POC, demonstration or development/testing purposes without obtaining a real SSL certificate from certification authority.
 
Tags: Microsoft Dynamics AX 2012, Microsoft Cloud, Windows Azure, Service Bus, Relay, Expenses, Approvals, Timesheets, Mobile Apps, Fiddler, Self-Signed Certificate, SSL.
 
Note: This document is intended for information purposes only, presented as it is with no warranties from the author. This document may be updated with more content to better outline the issues and describe the solutions.
 
Author: Alex Anikiev, PhD, MCP