I'm running into an issue where the Dynamics Ax Expense app was working fine until one day it stopped working and is displaying the error Unauthorized.
I started by restarting the mobile connector service as we already had issues where it was not responding. It did not solve the issue. I started looking into the configuration on ADFS. At first I saw the Decryption and Signing certificates were coming to expiration soon. I asked our sysadmins to renew them. This did not solve the issue.
I started looking at the mobile connector configuration pdf and I thought to verify the ADFS certificate was in sync with Azure. We ended up running
Update-ADFSCertificate -CertificateType token-signing
to sync the certificate with Azure. I could then run
Get-MsolFederationProperty -DomainName <domain.name> | FL Source, TokenSigningCertificate
to validate both certificates were in sync and showing the same thumbprint.
I then updated this thumbprint in the "Dynamics AX Connector for Mobile Applications" tool.
From there I tested the expense app and I was getting unauthorized still.
I started Fiddler, logged in again and I'm getting 401:SubCode:T0:Detail:ACS50008: Invalid SAML token.
I started looking into the ADFS configuration by comparing with what's in the mobile connector configuration pdf. Since it has already worked I'm wondering where it could go wrong.
I'm able to authenticate using the https://mydomain/adfs/ls/idpinitiatedsignon.aspx
I'm also able to get XML from mydomain/.../federationserverservice.asmx. I also extracted the signing certificate found in this XML and was able to confirm the cert's validity.
I'm not sure if I'm onto something but when I'm looking at the information gathered from Fiddler, the authentication certificate that is valid for about 5 minutes is created in another timezone, GMT instead of EST. I cannot see where this timezone is configured.
The servers are Virtual Machines running on Windows Server 2012 R2. There are separate servers for Dynamics AX AOS and the one running the mobile connector. ADFS is running elsewhere in the same domain. We're using Dynamics AX 2012 R3, ADFS 2.0.
Is there something else I should be looking at? What else can I investigate?
I ended up opening a Support Ticket with Microsoft. The problem was that I was validating the synchronization between ADFS and Azure AD and not Azure Service Bus. The support agent provided the old Azure portal link --
Once in there we went to the identity providers and immediately noticed that the certs were expired. We executed Reimport data from WS-Federation metadata URL upon save by clicking on the checkbox and then save.
This did not fully fix the problem as we are now seeing these errors: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
I've made sure the proper certs were in the proper cert stores but it seems something is missing. I'm currently continuing my investigation.
Our federation ADFS certificate was signed by a third party and contained the DNS URLs required for the ADFS signing and decrypting so Microsoft suggested that I use the same cert for all of those. Once that was in place the same error occurred: "ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer."
I had to update the SAML thumbprint in the mobile connector configuration and I thought of a post I saw elsewhere which mentions that when you copy the thumbprint from the certificate it can include some "invisible" characters. I pasted the thumbprint in Notepad++ and changed the encoding to ANSI and found some weird characters showing up.
I deleted those characters and then the mobile App started working for everyone.
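
The check described in the post above can be scripted instead of done by eye in an editor; this is an added example, not part of the original post or of the connector tooling. The function name Get-CleanThumbprint and the sample thumbprint are assumptions made for illustration, with U+200E (left-to-right mark) standing in for the hidden character.

```powershell
# Added example; Get-CleanThumbprint is a hypothetical helper name.
function Get-CleanThumbprint {
    param([Parameter(Mandatory = $true)][string]$Pasted)

    # List every character that is neither a hex digit nor a plain space,
    # as a code point, so hidden characters become visible.
    $hidden = @(foreach ($ch in $Pasted.ToCharArray()) {
        if ([string]$ch -notmatch '^[0-9A-Fa-f ]$') { 'U+{0:X4}' -f [int]$ch }
    })

    # Keep hex digits only: drops spaces and any hidden characters.
    $clean = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A Windows certificate thumbprint is a SHA-1 hash: 40 hex digits.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits after cleaning, got $($clean.Length)."
    }

    [pscustomobject]@{
        Thumbprint  = $clean
        HiddenChars = $hidden
        # True only if a certificate with this thumbprint is in the
        # local machine's Personal store.
        InStore     = Test-Path -LiteralPath "Cert:\LocalMachine\My\$clean"
    }
}

# Constructed sample: a made-up thumbprint with an invisible U+200E in front,
# as can happen when copying from the certificate details dialog.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"

$result = Get-CleanThumbprint -Pasted $pasted
$result | Format-List
# HiddenChars lists U+200E; Thumbprint holds the 40-digit value to paste
# into the configuration field.
```

A non-empty HiddenChars list means the pasted value would not have matched the certificate even though it looked identical on screen.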