Microsoft Dynamics AX 2012 Configure Microsoft Dynamics AX Connector for Mobile Applications White Paper April 2013 www.microsoft.com/dynamics/ax Send suggestions and comments about this document to adocs@microsoft.com. Please include the title with your feedback.
Table of Contents Introduction... 3 Prerequisites... 4 Creating a new Windows Azure Service Bus namespace... 4 Configuring an Active Directory Federation Service for authentication... 7 AD FS management... 7 Enable the endpoint... 7 Add/Configure the token signing certificate... 8 Claim descriptions... 11 Add the trust relationship and claim rule... 12 Save the AD FS FederationMetadata.xml file... 19 Configuring the Access Control Service... 19 Add and configure the identity provider...20 Configure the relying party applications...21 Configure rule groups...23 Add a claim rule for the identity provider... 23 Update the relying party federation metadata... 25 Configuring the on-premises server with Microsoft Dynamics AX 2012 R2 and the Microsoft Dynamics AX Connector for Mobile Applications service25 Microsoft Dynamics AX 2012 R2...25 Unreconciled Expense...25 Deploy the TrvUnreconciledExpense service... 25 Set up inbound ports... 25 Timesheet...27 Deploy the TSTimesheetService service... 27 Set up inbound ports... 27 Setting up the Microsoft Dynamics AX Connector for Mobile Applications service...29 Prerequisites... 29 Installation... 30 Configuring the Microsoft Windows Phone Dynamics AX application... 35 2
Introduction This paper describes how to configure an environment that is running Microsoft Dynamics AX 2012, so that users can connect the Microsoft Dynamics AX mobile phone application. The initial version of the Microsoft Dynamics AX mobile phone application enables mobile expense capture and time reporting. In order for the mobile phone application to interact with Microsoft Dynamics AX 2012, the following components need to be configured: Active Directory Federation Services (AD FS) AD FS works with an organization s instance of Active Directory Domain Services to authenticate users of the mobile phone application. Users are authenticated based on credentials that are sent by the mobile phone application. Upon successful authentication, AD FS returns a token to the mobile phone application. Mobile phone application The mobile phone application enables a user to capture a transaction. It then authenticates the user and sends the message. Microsoft Windows Azure Service Bus and Access Control Service (ACS) The Service Bus enables the mobile phone application to send a message to Microsoft Dynamics AX (which resides on-premises). The Access Control Service provides the authentication that is necessary to send a message via the Service Bus. Microsoft Dynamics AX Connector for Mobile Applications The connector listens for messages sent via the Service Bus, authenticates the sender of the message, and then sends the message to the Microsoft Dynamics AX 2012 instance. Microsoft Dynamics AX 2012 The Microsoft Dynamics AX 2012 instance receives messages originally sent from the mobile phone application. It stores the messages as transactions that are available to the user (for example, the user will see expense transactions that are captured via the user s mobile phone in the Dynamics AX system). The following diagram shows these components and the flows among them. 3
Prerequisites Before you can configure the Microsoft Dynamics AX Connector for Mobile Applications, you must complete the following prerequisites: Set up and configure the Active Directory server: The Active Directory server and domain controller should have been set up during the installation and configuration of Microsoft Dynamics AX 2012. Install Active Directory Federation Services. You can download the Active Directory Federation Services 2.0 RTW from http://www.microsoft.com/en-us/download/details.aspx?id=10909. Configure Microsoft Dynamics AX 2012: Configure users for Microsoft Dynamics AX 2012. Configure Expense management. Configure Time management. Configure Human resources. Configure a Windows Azure account. For more information, see http://www.windowsazure.com. Creating a new Windows Azure Service Bus namespace After you have set up a Windows Azure account, open the Windows Azure Management Portal at https://windows.azure.com/default.aspx. For more information about the Windows Azure Service Bus, see http://msdn.microsoft.com/enus/library/windowsazure/ee732537.aspx. 1. Go to your Windows Azure dashboard. 2. In the left navigation pane, click Service Bus. 4
3. On the Action Pane, click Create to create a new Service Bus namespace. 4. In the Namespace name field, enter a name for your namespace, such as contosomobile, and select your region, as shown in the following screen shot. This namespace is used to reference the Service Bus and the Access Control Service that is tied to the Service Bus. 5. Click OK to create the namespace. 5
6. Select the Service Bus namespace. Then click Access key on the Action Pane to view the default issuer and default key. 7. When the Access key form opens, click the Copy button to copy the 256-bit default key. The default issuer and the 256-bit secret default key are used when you configure the Microsoft Dynamics AX Connector for Mobile Applications service that is deployed on the server. For more 6
details, see the Setting up the Microsoft Dynamics AX Connector for Mobile Applications service section. This Microsoft Dynamics AX Connector for Mobile Applications deploys a listening endpoint that services the message coming from the Microsoft Dynamics AX mobile phone application. This endpoint address is structured around the Windows Azure namespace that you created. The next step is to set up the Active Directory server as the identity provider that the Service Bus and its Access Control Service require for Federated Authentication. Configuring an Active Directory Federation Service for authentication AD FS management After the federation server and AD FS 2.0 are installed, as specified in the Prerequisites section, use the AD FS 2.0 Management tool to configure the service. For guidance about Active Directory federation servers, how to configure certificates, and how to install the AD FS 2.0 software by using the setup wizard and server management, see http://technet.microsoft.com/en-us/library/dd807089(v=ws.10).aspx. Next, run the AD FS 2.0 Federation Server Configuration Wizard to configure a new federation server and a new Federation Service. For more guidance, see http://technet.microsoft.com/enus/library/adfs2-help-how-to-configure-a-new-federation-server(v=ws.10).aspx. The configuration described here is for a Federation Service role for a stand-alone federation server. 1. Enable the endpoint for Windows Authentication. 2. Establish a trust relationship between the Federation Service and the relying party (the Access Control Service of the Windows Azure Service Bus for example, contosomobile-sb). 3. Create rules to pass claims through the Federation Service. 4. Obtain the X.509 token signing certificate s thumbprint that is required when you configure the Microsoft Dynamics AX Connector for Mobile Applications service. Enable the endpoint 1. Click Start > Administrative Tools > AD FS 2.0 Management to open the AD FS 2.0 Management tool. 2. In the left navigation pane, expand the Service node, and then select Endpoints. In the list of endpoints in the Token Issuance section, find the endpoint that has the URL /adfs/services/trust/13/usernamemixed. Select this endpoint, right-click, and enable the endpoint. After you enable the service endpoint, the authentication server URL of this Federation Service will be in the form https://<federationservicename>/adfs/services/trust/13/usernamemixed. Example: https://contosoadfs.com/adfs/services/trust/13/usernamemixed 3. Click Start > Administrative Tools > Service to open the Windows Services list. Restart the AD FS 2.0 Windows service. 7
4. In the Endpoints list, ensure that the three endpoints in the Metadata section are enabled, as shown in the following screen shot. Add/Configure the token signing certificate The Microsoft Dynamics AX Connector for Mobile Applications service requires the thumbprint of the X.509 token signing certificate used by the Federation Service. Both the service communications and token signing certificates are configured when you run the AD FS 2.0 setup wizard. For more about certificate requirements for federation servers, see http://technet.microsoft.com/en-us/library/dd807040(v=ws.10).aspx. You can view the certificates by clicking Certificates under the Services node in the left navigation pane. You can also add new token certificates from this management tool by rightclicking the Certificates node. 8
Before you can add any new certificates, you may have to disable the automatic certificate rollover feature by using Windows PowerShell commands. Ensure that the token signing certificate is linked to a trusted root in the Federation Service and is issued by an enterprise certification authority For more information about token signing certificates, see http://technet.microsoft.com/enus/library/dd807039(v=ws.10).aspx. Set the newly added token signing certificate as the primary certificate. Obtain the thumbprint of the X.509 token signing certificate (digital signature) 1. Select the token signing certificate in the Certificates list. Right-click, and then select View Certificate. 9
2. On the Details tab of the Certificate form, copy the Thumbprint value, as shown in the following screen shot, and save it without the spaces between pairs of characters. This thumbprint value is used when you configure the connector parameters in the Microsoft Dynamics AX Connector for Mobile Applications service. 3. Export this token signing certificate, and save it to a location. This certificate must be installed in the Trusted Root Certification Authorities store on the server machine that hosts the Microsoft Dynamics AX Connector for Mobile Applications service. Here are a few more points to keep in mind about these certificates: Ensure that the Subject Name (CN) or Issued to property of the service communications certificate (SSL certificate) matches the Federation Service name. To view or edit the Federation Service name, right-click Service in the left navigation pane, and then select Edit Federation Service Properties. In our example, the service communications certificate has its Subject Name(CN) property set to contosoadfs.com, which helps define the URL of the Federation Server endpoint for example, https:// contosoadfs.com/adfs/ls/. 10
You can validate that your service is set up correctly by opening the URL https://contosoadfs.com/adfs/fs/federationserverservice.asmx in a browser. For additional debugging and troubleshooting, go to the Events tab in the Federation Services Properties form, and turn on logging for error and other events. This can help you debug any issues by looking at the logged events in Windows Event Viewer. Claim descriptions Ensure that the claim named Windows account name exists, and that the Published property is set to Yes. This should be configured by default when AD FS 2.0 is installed. 11
Add the trust relationship and claim rule Active Directory Domain Services is the claim provider trust for issuing claims about an authenticated user. The relying party is the Windows Azure Access Control Service associated with the Service Bus that was set up in the Creating a new Windows Azure Service Bus namespace section. 1. In the left navigation pane, expand Trust Relationships, right-click Relying Party Trusts, and then select Add Relying Party Trust. This will open the Add Relying Party Trust Wizard that you need to follow to add your Windows Azure Service Bus namespace as a relying party to the AD FS configuration database. 2. Click Start. 3. On the Select Data Source page, select one of the options to add data about your relying party. 12 If you select the first option, Import data about the relying party published online or on a local network, enter the federation metadata address in the text box in the following format: https://<azurenamespace>-sb.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml.
In our example, this address is https://contosomobilesb.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml, as shown in the following screen shot. To use the second option, Import data about the relying party from a file, because your AD FS server does not have Internet access, you need to do the following: 1. In a browser, open the address https://contosomobilesb.accesscontrol.windows.net/federationmetadata/2007-06/federationmetadata.xml, for example, and save the FederationMetadata.xml file to a location. 2. Select the second option, Import data about the relying party from a file, click Browse, and load the saved FederationMetadata.xml file. 4. Click Next. 13
5. On the Specify Display Name page, enter a display name or leave the default value, and then click Next. 14
6. On the Choose Issuance Authorization Rules page, ensure that the Permit all users to access this relying party option is selected, and then click Next. 15
7. On the Ready to Add Trust page, click Next, and then finish the setup by clicking Close. The Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option is selected by default. When the wizard closes, the Edit Claim Rules form will open. 8. Click Add Rule. You will be guided through the Add Transform Claim Rule Wizard. 16
9. On the Select Rule Template page, in the Claim rule template field, select Pass Through or Filter an Incoming Claim, as shown in the following screen shot, and then click Next. 10. On the Configure Rule page, enter a name for the claim rule. 11. In the Incoming claim type field, select Windows account name. 17
12. Select the Pass through all claim values option, as shown in the following screen shot, and then click Next. 13. In the Edit Claim Rules form, you can see the newly created claim rule. Click Apply and then OK to save your changes. You can get back to the Edit Claim Rules form by right-clicking the relying party trust that you just added and then selecting Edit Claim Rules. 18
Save the AD FS FederationMetadata.xml file 1. On your federation server, open the following address in a browser: https://<federationservicename>/federationmetadata/2007-06/federationmetadata.xml In our example, this address is https://contosoadfs.com/federationmetadata/2007-06/federationmetadata.xml. 2. Save the FederationMetadata.xml file to a location. 3. You will need to upload this federation metadata file (if the Federation Service does not have an Internet-facing IP address), or you can use this address directly when you add the WS-Federation Identity Provider while configuring the Windows Azure ACS as described in the Add and configure the identity provider section. This completes the required Active Directory Federation Service configuration. Configuring the Access Control Service The Service Bus uses the Access Control Service to implement Federated Authentication. A buddy namespace, contosomobile-sb, is created for the ACS when the Service Bus is created. Use the following steps to configure the ACS and its relying party related parameters, the identity provider, and rule groups. Select the namespace that you want to configure, and then click Access key on the Action Pane. In the form that opens, click the Open ACS Management Portal link. 19
The Access Control Service page will open. Add and configure the identity provider Use the following procedure to add the WS-Federation identity provider. The identity provider is the Federation Service that was configured in the Configuring an Active Directory Federation Service for authentication section. 20
1. Verify that the WS-Federation identity provider (e.g. Microsoft AD FS 2.0) option is selected, and then click Next. 2. On the Edit WS-Federation Identity Provider page, enter a display name for the identity provider, such as Contoso ADFS. 3. Under WS-Federation metadata, enter the federation metadata URL or the file that is available from your configured AD FS server, as described in the Configuring an Active Directory Federation Service for authentication section. 4. In the Used By section, under Relying party applications, ensure that the Service Bus check box is selected. Configure the relying party applications Because the Service Bus uses this ACS for Federated Authentication, the Service Bus is added as a relying party application. 21
1. Click the ServiceBus link, and then, in the Relying Party Application Settings section, verify that the settings for the Realm and Token format fields are as shown as in the following screen shot. 2. In the Authentication Settings section, select the identity provider to use with the relying party. The identity provider was created in the previous section, Add and configure the identity provider. 3. Select the Default Rule Group for ServiceBus check box to use the default rule group, as described in the Configure rule groups section. 22
Configure rule groups 1. In the left navigation pane, click Rule Groups. 2. Select the Default Rule Group for ServiceBus check box to configure the default rule group. 3. You will be able to view the predefined rules that have Access Control Service as the claim issuer value. Click each rule to view the values. These rules have owner as the Input claim value, and Listen, Manage, or Send as the Output claim value. 4. Delete the rules that have Output claim values of Manage and Send. Add a claim rule for the identity provider 1. After deleting the Manage and Send rules, click Add to add a new claim rule for the identity provider. 2. Select the identity provider that was configured in the Add and configure the identity provider section. In our example, this identity provider is Contoso ADFS. 3. Under Input claim type, select the Select type option, and then select the following URI: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname 4. Under Input claim value, leave the fields as-is. 23
5. Under Output claim type, select the Enter type option, and then enter the value net.windows.servicebus.action. 6. Under Output claim value, select the Enter value option, and then enter Send. 7. Optionally, add a description. This completes the required Access Control Service configuration. 24
Update the relying party federation metadata 1. On the Federation Service server, open the AD FS 2.0 Management tool. 2. In the left navigation pane, expand Trust Relationships, and then select Relying Party Trusts. 3. Right-click the relying party that was added in the Add the trust relationship and claim rule section, and then select Update from Federation Metadata. 4. Click Update. Configuring the on-premises server with Microsoft Dynamics AX 2012 R2 and the Microsoft Dynamics AX Connector for Mobile Applications service Microsoft Dynamics AX 2012 R2 The hotfix can be found at this location. Unreconciled Expense Deploy the TrvUnreconciledExpense service In the Developer Workspace, click Services > TrvUnreconciledExpense. Right-click, and then select Add ins > Register service. Set up inbound ports 1. In Microsoft Dynamics AX, click System Administration > Services and Application integration framework > Inbound ports > Create a new port name, description. 25
2. Under Service contract customizations, click Service operations. The WSDL URI is populated. 3. In the list of operations on the right side of the Select service operations form, select the following service operations, and add them to the list on the left side of the form. TrvExpenseCategoryService.getCategories TrvUnreconciledExpenseService.addUnreconciledExpense TrvUnreconciledExpenseService.getLabelTranslations 26
4. Close the Select service operations form. 5. In the Troubleshooting field group, select the Include exceptions in fault: check box, and then click Activate. Timesheet Deploy the TSTimesheetService service In the Developer Workspace, click Services > TSTimesheetService. Right-click, and then select Add ins > Register service. Set up inbound ports 1. In Microsoft Dynamics AX, click System Administration > Services and Application integration framework > Inbound ports > Create a new port name, description. 27
2. Under Service contract customizations, click Service operations. The WSDL URI is populated. 3. In the list of operations on the right side of the Select service operations form, select all eight (8) service operations for the service TSTimesheetService, and add them to the list on the left side of the form. 4. Close the Select service operations form. 5. In the Troubleshooting field group, select the Include exceptions in fault: check box, and then click Activate. 28
Setting up the Microsoft Dynamics AX Connector for Mobile Applications service The installer can be found at https://mbs.microsoft.com/partnersource/newsevents/news/msdyn_mobileappsax.htm?printpage=fals e&sid=512hmactzru0t0fs0dcgyvgm&stext=mobile applications for Dynamics AX. Use the following procedure to install and configure the Microsoft Dynamics AX Connector for Mobile Applications. Prerequisites 1. The AX Connector for Mobile Applications service should be deployed or run as a user account that is that of the.net Business Connector proxy account. For more information about how to create and set up the BC proxy account refer Specify the.net Business Connector proxy account [AX 2012] * If EP is deployed on the Server, it will be using the BC proxy account. Also it is very important that the.net BC proxy user account is added as an Administrator on the machine running the AX Connector service Also note the following guidance for the.net BC proxy account Must be a Windows domain account Must be a dedicated account (used only by Business Connector) Must have a password that does not expire Must not have interactive logon rights Must not be a Microsoft Dynamics AX user You can check which BC Proxy user account has been configured by going to AX> System Administration> System Service Accounts 2. Only one instance of the Microsoft Dynamics AX Connector for Mobile Applications can be deployed to run on a machine. 29
Installation 1. Click Start > All Programs > Microsoft Dynamics AX Connector for Mobile Applications, and start the Microsoft Dynamics AX Connector for Mobile Applications Setup Wizard. 2. Select the I accept the terms in the License Agreement check box, and then click Next. 30
3. On the Destination Folder page, accept the default folder location for the connector, or click Change to select another location. Then click Next. 4. On the Service account page, in the Account name and Password fields, enter the name and password for the BC Proxy user account that was previously created, and then click Next. 31
5. Click Install. 6. Click Finish. 7. Click Start > Administrative Tools > Service to open the Windows Services list. 8. Click Start to start the Microsoft Dynamics AX Connector for Mobile Applications service. The service will run under the context of the service user account. 32
9. On the Start menu, click the Microsoft Dynamics AX Connector for Mobile Applications shortcut. The GUI for configuring the connector parameters will open. 10. Use the information in the following table to configure the connector parameters. Parameter Azure service namespace Azure service identity name Azure service identity password Thumbprint of X.509 certificate used to sign SAML token Endpoint URI of TrvUnreconciledExpenseService Endpoint URI of TSTimesheetService ADFS URL Support Email Configuration Enter the service namespace that you set up in the Creating a new Windows Azure Service Bus namespace section, and then click Save. Enter the service identity name that you set up in the Creating a new Windows Azure Service Bus namespace section. Enter the 256-bit symmetric key for the service identity that was generated in the Creating a new Windows Azure Service Bus namespace section. Information about the thumbprint value can be found in the Add/Configure the token signing certificate section. The following text is preconfigured in this field: net.tcp://<aos_machine_name>:8201/dynamicsax/service s/trvunreconciledexpense Replace <AOS_MACHINE_NAME> with the name of the machine that hosts Microsoft Dynamics AX Application Object Server (AOS). Replace the default AOS port number, 8201, if a different port is used. The following text is preconfigured in this field: net.tcp://<aos_machine_name>:8201/dynamicsax/service s/tstimesheet Replace <AOS_MACHINE_NAME> with the name of the machine that hosts Microsoft Dynamics AX Application Object Server (AOS). Replace the default AOS port number, 8201, if a different port is used. An authentication server URL. This is the endpoint URL of the AD FS server that was set up in the Enable the endpoint section. In our example, this URL is in the form https://contosoadfs.com/adfs/services/trust/13/usernamemixed An email address the mobile user will see to contact in case of any issues. For example, support@contoso.com 11. Note that the Endpoint URI parameters for the expense and time services are optional. If you choose not to configure one of those services, leave that field blank and press Save. When the Microsoft Dynamics AX Connector for Mobile Applications service is started, you will notice the URL for that service does not appear, and the Windows Phone Dynamics AX application will not display the corresponding feature. 33
12. Enter values for each parameter, and then click Save. 34
13. After the connector parameters are saved, click Start in the form. You can see that the status has changed to Started, and that the Mobile Application Connector service is now running and listening on the Service Bus. Configuring the Microsoft Windows Phone Dynamics AX application When you notify users that the solution is available, they will have to provide their domain credentials and the service connection name to use the Dynamics AX application for their Windows Phone. When users open the Microsoft Dynamics AX application for the first time, they are directed to a sign in page with the following fields: User name Password Service connection name. This is the name of the Service Bus namespace that was set up in the Creating a new Windows Azure Service Bus namespace section. When the information is entered, the user presses sign in, the data is synced from the server, and they can then begin using the application. 35
Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to make business decisions with greater confidence. Microsoft Dynamics works like and with familiar Microsoft software, automating and streamlining financial, customer relationship and supply chain processes in a way that helps you drive business success. U.S. and Canada Toll Free 1-888-477-7989 Worldwide +1-701-281-6500 www.microsoft.com/dynamics This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft Corporation. All rights reserved. 36