Dynamics AX 2012 R3 Mobile Apps Configuration Using Self-Signed Certificate

In the last post we deployed Dynamics AX 2012 R2 DEMO instance on Microsoft Azure. If you don’t have it yet, I will recommend going back to the post “Use Lifecycle Services to deploy Dynamics AX on Azure” and complete the deployment.

In this post we are going to setup Dynamics AX Azure instance for Dynamics Mobile Apps using a Self-Signed Certificate. This is only for development / demo environments. In production, we will be using certificate from the Public CA like godaddy etc. Also remember we only have one DEMO VM with all AX components installed on it.

As this is going to be a lengthy post, here is the breakdown of the steps we need to follow:

  1. Create Azure Service Bus
  2. Azure VM Setup
    1. Review public DNS name for AX VM
    2. Add an endpoint to the VM 
  3. Change VM Host file 
  4. Install and Configure Active Directory Federation Services AD FS (hardest part)
    1. Create/Install SSL certificate from Public CA or from your organization 
    2. Install/Config AD FS
    3. Grant access to the users manage private keys
    4. Update AD FS Certificates
    5. Create Relying Party Trust to the Azure Service Bus
      1. Add Claim Rule
    6. Configure the Azure Service Bus Access Control Services (ACS) 
      1. Add Identity Provider
      2. Modify Rule Groups
    7. Update AD FS Relying Party Trust
    8. Test AD FS
  5. Configure Dynamics AX Mobile Connector 
  6. Install, config and run Mobile Apps 
    1. Install Self-Signed certificate on client machine
  7. Issues and solutions
Let’s get started.

These steps will be performed on Microsoft Azure Portal

Azure Service Bus

Note: As of 5/15/2015, Azure no longer supports creation of Service Bus with ACS enabled. You need to use Windows PowerShell to create service bus with access control service. If Azure CLI is installed, use this command:
New-AzureSBNamespace -Name ‘MyNamespace’ -Location ‘West US’

For more information on this change, see this link:
Change to Azure Service Bus Portal: Default Authentication Mechanism for Service Bus Namespaces now SAS

Open Azure management portal to create Service Bus. Remember namespace name as this will used later in the configuration.

Click CREATE and complete the form

 Click on Connection Information and note down Default Issuer and Default Key, will be used later.

Connection Information

Azure VM Setup

Open Azure management portal and look for your AX VM.

Dynamics AX VM

Note VM DNS name. This will be used throughout the configuration process.
Example: <Azure DNS Name>.cloudapp.net

Azure VM DNS Name

Add an endpoint to the VM

Click on your VM name to modify settings.

The next thing you’ll need is an endpoint so that Azure/Mobile apps can authenticate through AD FS. You see by default, this VM can only be accessed via PowerShell or RDP which is why there are only two endpoints configured in the management portal.

ENDPOINTS tab and click ADD

Lets enable HTTPS on port 443 for secure communication.
Add a stand-alone endpoint

Click NEXT

Select HTTPS and click FINISH

 You will see endpoint created

These steps will be performed on AX DEMO VM

Change HOST file on VM

Change HOST file name on Azure VM in order to translate machines IP Address into a name (<Azure DNS Name>.cloudapp.net)

Create Self-Signed SSL Certificate

We will use Active Directory Certificate Services to issue a SSL certificate. Make sure this is enabled.

Active Directory Certificate Services

On DEMO VM, we will use Contoso Certification Authority that is already installed for us.

Open IIS Manager (inetmgr) to create self-signed certificate request.

IIS – Server Certificates

 Common name will be same as your Azure DNS Name.

Create Certificate Request

Save the file. File will look like this and the content of this file will be used for submitting the certificate request.

Now open Contoso Certificate Server, https://localhost/CertSrv to complete the certification request.

Certificate Server

Request a Certificate

Advance Certificate Request

 Copy paste the Certificate Request text file content, select Web Server.

Submit Request

Download the certificate file.

Verify certificate

Copy the thumbnail value of the certificate, will be used later while configuring the AX Mobile Connector.

Install Self-Signed SSL Certificate

We can now install this certificate for both Local Machine and Current User into both Personal and Trusted Root Certification Authorities certificate stores (4 certificate imports).

Note: We will be running our Mobile Apps for user contosoadministrator but you can use any user and just install the certificate for that user as well. In production, we will be using the certificate from Public CA.

Open the certificate and install.

Install Certificate

Current User

Personal Certificate Store

Finish and import again for Current User and Trusted Root Certification Authorities store.

Finish the wizard.

Now install the certificate for Local Machine and for both the stores.

Local Machine

Verify the import

Open the console mmc.exe and add two Certificates add-ins. One for current user and one for local computer.

You should see the certificate installed on these four locations.

Configure IIS – Default Web Site 

Next step will be to assign our newly created Self-Signed certificate as SSL certificate in IIS for Default Web site.

Select HTTPS binding and use the self-signed certificate.

Restart IIS (iisreset).

Install Active Directory Federation Services (AD FS)

There is nothing much here to say, just open Server Manager, click on Add Roles and Features wizard. Select Active Directory Federation Services and complete the wizard.

Configure Active Directory Federation Services (AD FS)

Once Ad FS is installed, go to the Server Manager, and click on configure federation services on this server.

Select the self-signed certificate we created earlier. Federation Service Name should populate your azure dsn name.

Note: If you see an error like “contosoadmin could not be dropped, already exist”, simply re-run the federation service configuration wizard and override the database.

Once done, you should see these two databases AdfsArtifactStore and AdfsConfiguration.

SQL Server Management Studio

Grant access to the users manage private keys

Add “NT Serviceadfssrv” from AX2012R2A.

Update Active Directory Federation Services Certificates

Open PowerShell and run the following commands
  • Set-ADFSProperties -AutoCertificateRollover $false
  • Set-ADFSProperties -nettcpport 1160
Open AD FS Manager
Go to the start menu and search for AD FS

Make sure Federation Service name and identifier matches with the public DNS name of the azure VM, <Azure DNS Name>.cloudapp.net

Right click AD FS and select Edit Federation Service Properties

Next we’ll assign our newly created Self-Signed certificate as Service communications certificate, Token-decrypting certificate and Token-signing certificate in ADFS –> Service –> Certificates settings.

Select certificates.

Set Server Communication Certificate

 Set Server Communication Certificate

Confirm Yes on the next screen.

Add Token-Signing Certificate 

Right click on the certificate and set as primary.

Select Yes.

Add Token-Decryption Certificate

Set as Primary.

Restart AD FS.

Create Relying Party Trust

Create a new Relying Party Trust to the Azure Service Bus

  • Launch AD FS manager 
  • Expand Trust Relationships 
  • Select Relying Party Trusts and Add Relying Party Trust…

  • Click Start 
  • Select Import data and enter https://<Servicebusname>-sb.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml
    Example: https://axcontosomobile-sb.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml

  • Click next until the wizard is complete 
  • The claims rule window will pop open

  • Click Add Rule 
  • Select Pass Through or Filter an Incoming Claim 

  • Click Next 
  • In Claim Rule Name enter Windows Account Name 
  • From Incoming claim type select Windows Account Name 

  • Click Finish
  • Click OK

These steps will be performed on Microsoft Azure Portal

Configure the Azure Service Bus Access Control Services

  • Login into Microsoft Azure and select Service Bus that we created earlier. 
Connection Information
  • From the bottom, select Connection Information.
  • Take note of the Default Key. We will use it later while configuring AX Mobile Connector.

Open ACS Management Portal

  • Select Identity Providers 
  • Select Add 
  • Select WS-Federation identity Provider, Click Next 

  • In Display Name field enter Contoso ADFS 
  • In URL Enter the URL to the ADFS server using the virtual machine DNS name from earlier configuration. Example: https://<azure dns name>.cloudapp.net/federationmetadata/2007-06/federationmetadata.xml  
  • In Login Link Text enter Contoso ADFS
  • Click Save 
  • Select Rule Groups 
  • Select Default Rule Group for ServiceBus 

  • Review each predefined rule and delete the rules that have Output claim values of Manage and Send 
  • Click Add to add a new Claim rule 
  • In Select Type select http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 
  • In Enter Type enter net.windows.servicebus.action 
  • In Enter Value enter Send 
  • Click Save 
These steps will be performed on AX DEMO VM

Update Relying Party Trust 

Open AD FS manager and update Relying Party Trust we created earlier to the Azure Service Bus.

Click Update.

These steps can be performed on your host laptop/pc

Test AD FS

You can test ADFS is it is installed correctly and authenticating users. Use this URL to check if users are being authenticated.

https://<azure dns name>.cloudapp.net/adfs/ls/idpinitiatedsignon.aspx

Example: https://ax2012r3-demo-ax2012r3cu8-xxx.cloudapp.net/adfs/ls/idpinitiatedsignon.aspx

If you noticed above, we are getting certificate error and that is correct as no one recognizes our VM/Server as trusted public CA. We will fix it in a minute.

These steps will be performed on AX DEMO VM

Configure Dynamics AX Mobile Connector

Open Microsoft Dynamics AX Connector for Mobile Applications.
Before configuring, is in Stopped state.

Update the following fields

  • Azure Service namespace: Name of the Service Bus 
  • Azure service identity password: Default Key of the Service Bus 
  • Thumbprint of X.509 certificate used to sign SAML token. This is your self-signed certificate’s thumbprint, no question mark and no spaces.

You can also check event viewer for detailed trace.

Azure Service Bus Relay will now show listeners.

Install, config and run Dynamics AX Mobile Apps

Finally, after all this hard work, it’s time to run Dynamics AX Apps 🙂 . For this, we will run Dynamics AX 2012 Expense app on Windows 8.1 machine.

Before you can run the app, remember we still need to fix the certification trust error? Lets fix that…

Install Self-Signed SSL certificate on your computer/laptop where the app will be running

  • Export the certificate from the VM
    • No, do not export the private key.
    • DER encoded binary X.509 (.CER)
    • Save the file
  • Import certificate on your computer / laptop in the following certificate stores (Certificates-LocalComputer / Trusted Root Certificate Authority and Certificates-LocalComputer / Trusted People)

    Windows 8.1 App Login

    Service connection name is your Azure Service Bus namespace.

    Successful login and data fetched from AX.

    Now after that hard work, your Dynamics AX Mobile Apps should work with Azure AX instance. 🙂

    Update 5/18/2015:
    I have added this following section to keep track of various issues you might encounter while working with AD FS or Dynamics Mobile Apps.

    Issue 1) Oops! Looks like the server is down. Try again later.
    While connecting to Mobile Apps you might see that you are not able to login and app just throws this error. There might be various reason behind this. To start with check if Microsoft Dynamics AX Connector for Mobile Applications and Active Directory Federation services are running.

    a) AD FS not running and if you browse these URLs…


    will result in…

    Service Unavailable

    HTTP Error 503. The service is unavailable.

    When you check the even log at Event Viewer –> Applications and Services Log –> AD FS

    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

    Additional Data
    Exception details:
    System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint [::]:1160. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations. —> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
       at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.Sockets.Socket.Bind(EndPoint localEP)
       at System.ServiceModel.Channels.SocketConnectionListener.Listen()
       — End of inner exception stack trace —
       at System.ServiceModel.Channels.SocketConnectionListener.Listen()
       at System.ServiceModel.Channels.ConnectionAcceptor.StartAccepting()
       at System.ServiceModel.Channels.ExclusiveTcpTransportManager.OnOpen()
       at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
       at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
       at System.ServiceModel.Channels.TcpChannelListener`2.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at Microsoft.IdentityServer.Service.SecurityTokenService.ServiceHostManager.Open(ServiceHostEntry entry)
       at Microsoft.IdentityServer.Service.SecurityTokenService.ServiceHostManager.Open()
       at Microsoft.IdentityServer.ServiceHost.STSService.StartAdministrationService()
       at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)

    Solution a): As the originally assigned port is being used by some other application, you can either change the port of AD FS itself or move the other applications which might be using the same port.

    When you change port, system might say AD FS service is not running, so you might have to use both options kill existing application and change port.

    To change AD FS port, use powershell command:
     Set-ADFSProperties -nettcpport <new port>

    To know and kill other application ports so that AD FS can continue on original port:
     netstats -a -n -o | findstr :1160
     taskkill /pid 1160 /f

    If you liked the story and want to see more of this kind of content, please follow our twitter handle @CursorRun or FB page @CursorRun
    If you liked the story and want to see more of this kind of content, please follow our twitter handle @CursorRun or FB page @CursorRun
    Default image
    Rahul Sharma
    Rahul is a technology enthusiast, solutions architect, trainer, and blogger, working on various Microsoft and open source solutions with more than 18 years of industry experience. He specially takes interest in designing enterprise applications, cloud integrations, IoT, and other architecture rich business solutions. Rahul is a guest author with us and shares his knowledge through technology blog posts.
    Articles: 59


    Enter your email address below to subscribe to our website. We will never flood your inbox with unwanted emails & you can always unsubscribe anytime.

    Leave a Reply