Closed warlof closed 6 hours ago
Have you tried this without traefik? I think I have heard other people having problems with traefik and AAD authentication. As a start - just to see whether this is the problem.
Hi @freddydk
I'll try and keep you informed. Also, I checked the access token obtained using client_credentials and it sounds valid to me (compared to other tokens which are working on OnPrem containers).
I also wonder if it's tied to the sandbox container or rather to the tenant capability. I will do another test using an OnPrem container with the tenant feature enabled.
Last but not least, why are tokens delivered using the authorization_code method working? So many questions.
So, updates:

Scenario | Traefik | Type | Multitenant | Authorization Code | Client Credentials
---|---|---|---|---|---
1 | yes | OnPrem | no | works | works
2 | yes | Sandbox | yes | works | fails
3 | yes | OnPrem | yes | works | fails
4 | no | Sandbox | yes | works | fails
It appears the issue is tied to tenant usage rather than to the binary being either sandbox or onprem, or even to whether it is used behind Traefik or not.
Below is the output of the Get-NavTenant command (when the container is deployed using the multitenant flag):
```
ServerInstance : MicrosoftDynamicsNavServer$bc
DatabaseName : default
DatabaseServer : localhost\SQLEXPRESS
DatabaseUserName :
State : Operational
DetailedState :
DeletionState : Not deleted
IsInExclusiveAccessMode : False
TenantDataVersion : 22.5.59966.64723
Compression : Page
Id : default
AlternateId : {oauth-notraefik-default}
ValidAudiences : {}
AllowAppDatabaseWrite : False
NasServicesEnabled : False
RunNasWithAdminRights : False
EncryptionProvider : LocalKeyFile
AzureKeyVaultSettings :
DefaultCompany :
DefaultTimeZone : (UTC) Coordinated Universal Time
ExchangeAuthenticationMetadataLocation :
AadTenantId : {{ REDACTED_TENANT_PRIMARYDOMAIN }}
ApplicationInsightsConnectionString :
DisplayName :
EnvironmentName :
EnvironmentType : Sandbox
EnvironmentSettings :
```
I made a quick attempt after seeing that the AadTenantId value was using the tenant primary domain rather than its GUID, as it appears in the documentation. I ran the following:
```powershell
# Dismount the tenant, then remount it with the AAD tenant GUID instead of the primary domain
Dismount-NavTenant -ServerInstance bc -Tenant default
Mount-NavTenant -ServerInstance bc -Tenant default -DatabaseName default -DatabaseServer "localhost\SQLEXPRESS" -AadTenantId "{{ REDACTED_TENANT_ID }}"
```
It works.
So the issue seems to be the way the tenant is mounted (https://github.com/microsoft/nav-docker/blob/f0fb8482f844061ce4d2b0d026112447cc189773/generic/Run/SetupTenant.ps1#L33), which appears to use the user email domain rather than the tenant GUID.
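As an added diagnostic that is not part of the thread: a stand-alone check that reads the mounted tenant's AadTenantId from Get-NavTenant output, decodes the tid and aud claims of the client_credentials token (without verifying it), and reports the mismatch described above. The Get-NavTenant excerpt and the token are constructed samples; it assumes the expected audience is the resource part of the scope from the report (https://api.businesscentral.dynamics.com/.default without /.default).

```python
import base64
import json
import re

SCOPE = "https://api.businesscentral.dynamics.com/.default"
EXPECTED_AUD = SCOPE.rsplit("/.default", 1)[0]  # assumed audience for this scope
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed Get-NavTenant excerpt: the tenant was mounted with the primary
# domain instead of the tenant GUID, as in the thread (placeholder values).
NAVTENANT_OUTPUT = """\
ServerInstance : MicrosoftDynamicsNavServer$bc
Id : default
AadTenantId : contoso.onmicrosoft.com
"""

def parse_aad_tenant_id(output: str) -> str:
    """Return the AadTenantId value from Get-NavTenant's 'Key : Value' lines."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "AadTenantId":
            return value.strip()
    return ""

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the demo (not a real Entra token)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it; for local diagnosis only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(navtenant_output: str, token: str) -> list:
    """List mismatches between the mounted tenant and a client_credentials token."""
    mounted = parse_aad_tenant_id(navtenant_output)
    claims = jwt_claims(token)
    tid, aud = claims.get("tid", ""), claims.get("aud", "")
    findings = []
    if not GUID_RE.match(mounted):
        findings.append(f"AadTenantId '{mounted}' is a domain, not the tenant GUID ({tid})")
    elif mounted.lower() != tid.lower():
        findings.append(f"token tid {tid} does not match mounted AadTenantId {mounted}")
    if aud.rstrip("/") != EXPECTED_AUD:
        findings.append(f"token aud '{aud}' is not {EXPECTED_AUD}; check the scope")
    return findings
```

An empty result means the mounted AadTenantId is the GUID matching the token's tid and the audience matches the scope; otherwise remount the tenant with -AadTenantId set to the GUID, as in the commands above.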
That should be the same.
The domain name from the authentication email or the guid should yield the same AAD tenant.
At least, I have never before heard that it doesn't work.
Try here: https://gettenantpartitionweb.azurewebsites.net/
One of my demo tenants is directionsemea2019demo.onmicrosoft.com, and the GUID for that is here:
Are you seeing a different tenant GUID from your authentication email?
I got the same id (f2bc...).
However, if I mount the tenant using the primary domain (or the one from the authentication email domain, but they're the same), it doesn't work. But when mounting the tenant using its GUID, it works.
OK, strange. I am actually not sure whether I have the AADTenantId handy at that time inside the generic image. I will have to investigate that.
Could you try to add this parameter to your New-BcContainer (just for a test)?
```powershell
-myScripts @('https://raw.githubusercontent.com/microsoft/nav-docker/refs/heads/freddydk/issue3709/generic/Run/SetupTenant.ps1')
```
This overrides the SetupTenant with a new version, which should be using the tenant Id instead of the domain name (if specified)
If this works, I will create a PR and get it in; then it will be part of the next generic image build (in a few days). The above link will work until the PR is merged; then you can reference the file from the main branch until images have been built.
Hello @freddydk
I confirm this is working with this version of the SetupTenant script. Thank you very much!
Describe the issue
When attempting to consume the API from a Sandbox container using S2S authentication, the server returns a 401 with the following payload.
The service principal is properly added on the page "Applications Azure Active Directory" or "Applications Microsoft Entra", activated and attached to the required permission sets.
Additional context
Using https://api.businesscentral.dynamics.com/.default as scope.