microsoft / nav-docker

Official Microsoft repository for Dynamics NAV in Docker resources. It has not been decided yet to what extent Microsoft will ship Docker images with NAV, so everything in this repo is work in progress and might be subject to deletion.
MIT License

Unable to authenticate using client_credentials on sandbox container #570

Closed warlof closed 6 hours ago

warlof commented 1 day ago

Describe the issue

When attempting to consume API from Sandbox container using S2S authentication, the server is returning a 401 with the following payload.

The service principal is properly added on page "Applications Azure Active Directory" or "Applications Microsoft Entra", activated and attached to required permission sets.

{
  "error": {
    "code": "Authentication_InvalidCredentials",
    "message": "The server has rejected the client credentials.  CorrelationId:  c32f628c-2b96-48c1-8b4b-7440366a21ef."
  }
}

Scripts used to create container and cause the issue

# Load BcContainerHelper functions
Import-Module BcContainerHelper

# init docker node FQDN (for SSL and routing)
$node_fqdn = $ENV:DOCKER_NODE

# init containers list
$containers = $ENV:CONTAINERS

$bcEnvType = $ENV:BC_ENVTYPE # Sandbox or OnPrem
$bcTargetVersion = $ENV:BC_TARGETVERSION # Ex. : 20.3
if ($bcTargetVersion.IndexOf(".") -lt 0) {
    $bcTargetVersion = "$($bcTargetVersion).0"
}
$bcLicenseVersion = "$(([version]$bcTargetVersion).Major)0" # Ex. : 190, 200, 210...
$bcCountry = $ENV:BC_COUNTRY # Ex. : FR
$bcRestart = "unless-stopped"
if ($ENV:BC_RESTART) {
    $bcRestart = $ENV:BC_RESTART
}

# Test Automation Packages
$useTests = $false
if ($null -ne $ENV:USE_TESTS) {
    $useTests = $true
}

# SSO Activation
$useSso = $true
$bcauth_application_id = ""
$bcauth_tenant_id = ""
if ($null -ne $ENV:USE_SSO) {
    $useSso = $true
}

# Excel Integration
$useExcel = $false
$excel_application_id = ""
if ($null -ne $ENV:USE_EXCEL) {
    if ($bcEnvType -eq "sandbox") {
        Throw "Excel Integration cannot be enabled with Sandbox container..."
    }

    $useSso = $true
    $useExcel = $true
}

# SSO User Account
$userEmail = $ENV:BUILD_REQUESTEDFOREMAIL
if ($null -eq $userEmail) {
    $userEmail = ""

    Write-Host "User e-mail is missing, use $($userEmail) instead."
}

# Business Central
$bcCredentials = (New-Object PSCredential $ENV:BC_USERNAME, (ConvertTo-SecureString -String $ENV:BC_PASSWORD -AsPlainText -Force))

Write-Host ""
Write-Host "-----------------------------------------"
Write-Host "Checking Docker Settings"
Write-Host "-----------------------------------------"
Write-Host ""

if (-Not ($node_fqdn)) {
    Throw "Required Docker public name (FQDN) is missing !"
}

if (-Not ($containers)) {
    Throw "Required container list is missing !"
}

Write-Host "Check pass" -ForegroundColor Green

# get Business Central package and license
$artifactUrl = Get-BCArtifactUrl -type $bcEnvType -Country $bcCountry -version $bcTargetVersion

if (-Not ($artifactUrl)) {
    Throw "Required artifactUrl is empty for ($($bcEnvType) / $($bcCountry) / $($bcTargetVersion)."
}

$licenseFile = ""

if (-Not (Test-Path $licenseFile)) {
    $licenseFile = ""
    if (-Not (Test-Path $licenseFile)) {
        Throw "Required license file for Business Central $($bcTargetVersion) is missing !"
    }
}

# Collect TTF fonts available on container host
Write-Host ""
Write-Host "-----------------------------------------"
Write-Host "Collecting available TTF fonts from host"
Write-Host "-----------------------------------------"

$fonts = Get-ChildItem -Path "C:\windows\Fonts\" -Filter "*.ttf" | Select-Object -ExpandProperty FullName

# Explode containers list
$containers = $containers.Split(',')

Write-Host ""
Write-Host "-----------------------------------------"
Write-Host "Bootstrap $($containers.Length) container(s)"
Write-Host "-----------------------------------------"

# bootstrap containers
# $containers | ForEach-Object -Parallel # when powershell 7.0 compliant
foreach ($container in $containers) {
    $container = $container.Trim()

    # drop existing container
    Write-Host ""
    Write-Host "Drop existing container $container"
    Remove-BcContainer -containerName $container

    # spawn container
    Write-Host ""
    Write-Host "Spawning Container $($container)..."

    $myScripts = @()
    $additionalParameters = @()
    $parameters = @{
        "accept_eula" = $true
        "containerName" = $container
        "artifactUrl" = ${artifactUrl}
        "licenseFile" = ${licenseFile}
        "useTraefik" = $true
        "PublicDnsName" = ${node_fqdn}
        "auth" = "NavUserPassword"
        "shortcuts" = "None"
        "AddFontsFromPath" = $fonts
        "Credential" = ${bcCredentials}
        "isolation" = "process"
        "restart" = $bcRestart
        "assignPremiumPlan" = $true
    }

    if ($useSso)
    {
        Write-Host "Enabling SSO Authentication..."

        $parameters += @{
            "authenticationEMail" = ${userEmail}
            "AadTenant" = ${bcauth_tenant_id}
            "AadAppId" = ${bcauth_application_id}
            "AadAppIdUri" = "api://$($bcauth_application_id)"
        }
        $parameters.auth = "AAD"        
    }

    if ($useTests)
    {
        Write-Host "Configuring container to run tests packages"

        $parameters += @{
            "includeTestToolkit" = $true
            "includeTestLibrariesOnly" = $true
        }
    } else {
        Write-Host "Configuring container to use jobs"

        $parameters += @{
            "enableTaskScheduler" = $true
        }
    }

    if ($useExcel)
    {
        Write-Host "Enabling Excel Integration..."

        # rename Business Central service tier and Web Instance from "BC" to "{containerName}"
        # this will allow us to get a valid pivot when getting the URI generated by the service tier (i.e. web services metadata)
        $serviceSettingsOverrideScriptPath = Join-Path -Path (Split-Path $MyInvocation.MyCommand.Path) -ChildPath "ServiceSettings.ps1"

        # here-string terminator must stay at the start of the line
        @"
`$NavServiceName = 'MicrosoftDynamicsNavServer`$$("$container".ToUpperInvariant())'
`$WebServerInstance = "$($container.ToUpperInvariant())"
`$ServerInstance = "$($container.ToUpperInvariant())"
"@ | Set-Content $serviceSettingsOverrideScriptPath

        $myScripts += @($serviceSettingsOverrideScriptPath)

        # setup AAD principal in order to use Excel integration
        $setupConfigurationOverrideScriptPath = Join-Path -Path (Split-Path $MyInvocation.MyCommand.Path) -ChildPath "SetupConfiguration.ps1"

        @"
# Run standard SetupConfiguration.ps1 script
. (Join-Path `$runPath `$MyInvocation.MyCommand.Name)

`$CustomConfigFile = Join-Path `$ServiceTierFolder "CustomSettings.config"
`$CustomConfig = [xml](Get-Content `$CustomConfigFile)

`$CustomConfig.SelectSingleNode("//appSettings/add[@key='ExcelAddInAzureActiveDirectoryClientId']").Value = "$($excel_application_id)"
`$CustomConfig.Save(`$CustomConfigFile)
"@ | Set-Content $setupConfigurationOverrideScriptPath

        $myScripts += @($setupConfigurationOverrideScriptPath)

        # add an extra rule which will mitigate the callback issue due to web services metadata being invalidly generated
        # (the URI set up in the NST is not properly used to generate the endpoint with web services metadata)
        #
        # the rule below will redirect all queries like /BC/ODataV4/{endpoint} to the BC instance on port 7048
        # in order to keep a pivot callback, we rename the instance from BC to containerName
        #
        # see: https://github.com/microsoft/navcontainerhelper/issues/2595
        $excelRule = "PathPrefix:/{path:(?i:$($container.ToUpperInvariant()))/(?i:odatav4)}"
        $additionalParameters += @(
            "-l `"traefik.excel.frontend.rule=$excelRule`"",
            "-l `"traefik.excel.port=7048`""
        )
    }

    $parameters += @{
        "additionalParameters" = ${additionalParameters}
        "myScripts" = $myScripts
    }

    New-BcContainer @parameters
}

Full output of scripts

2024-10-08T18:41:24.2220317Z ##[section]Starting: Create Container
2024-10-08T18:41:24.2226135Z ==============================================================================
2024-10-08T18:41:24.2226255Z Task         : PowerShell
2024-10-08T18:41:24.2226309Z Description  : Run a PowerShell script on Linux, macOS, or Windows
2024-10-08T18:41:24.2226397Z Version      : 2.245.1
2024-10-08T18:41:24.2226452Z Author       : Microsoft Corporation
2024-10-08T18:41:24.2226526Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/powershell
2024-10-08T18:41:24.2226615Z ==============================================================================
2024-10-08T18:41:25.2793528Z Generating script.
2024-10-08T18:41:25.3345888Z Formatted command: . ''
2024-10-08T18:41:25.3625745Z ========================== Starting Command Output ===========================
2024-10-08T18:41:31.6039976Z BcContainerHelper version 6.0.20
2024-10-08T18:41:32.3419784Z Setting hostHelperFolder = E:\bccontainerhelper\data
2024-10-08T18:41:32.3474826Z Setting bcartifactsCacheFolder = E:\bccontainerhelper\artifacts
2024-10-08T18:41:32.3664153Z BC.HelperFunctions emits usage statistics telemetry to Microsoft
2024-10-08T18:41:32.9276934Z Running on Windows, PowerShell 7.4.5
2024-10-08T18:41:43.8263051Z WARNING: The names of some imported commands from the module 'BcContainerHelper' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.
2024-10-08T18:41:44.2260788Z 
2024-10-08T18:41:44.2264674Z -----------------------------------------
2024-10-08T18:41:44.2269368Z Checking Docker Settings
2024-10-08T18:41:44.2273785Z -----------------------------------------
2024-10-08T18:41:44.2278440Z 
2024-10-08T18:41:44.2289364Z Check pass
2024-10-08T18:41:45.7842217Z 
2024-10-08T18:41:45.7846984Z -----------------------------------------
2024-10-08T18:41:45.7851117Z Collecting available TTF fonts from host
2024-10-08T18:41:45.7855145Z -----------------------------------------
2024-10-08T18:41:45.7918381Z 
2024-10-08T18:41:45.7923011Z -----------------------------------------
2024-10-08T18:41:45.7936342Z Bootstrap 1 container(s)
2024-10-08T18:41:45.7940355Z -----------------------------------------
2024-10-08T18:41:45.7952004Z 
2024-10-08T18:41:45.7956673Z Drop existing container {{REDACTED_CONTAINERNAME}}
2024-10-08T18:41:46.3067368Z Removing Desktop shortcuts
2024-10-08T18:41:46.5847302Z 
2024-10-08T18:41:46.5851113Z Spawning Container {{REDACTED_CONTAINERNAME}}...
2024-10-08T18:41:46.5855116Z Enabling SSO Authentication...
2024-10-08T18:41:46.5873053Z Configuring container to use jobs
2024-10-08T18:41:47.5614495Z BcContainerHelper is version 6.0.20
2024-10-08T18:41:47.5623474Z BcContainerHelper is running as {{REDACTED_SERVICE_ACCOUNT}}
2024-10-08T18:41:49.8538329Z HyperV is Disabled
2024-10-08T18:41:49.8553791Z Host is Microsoft Windows Server 2019 Datacenter - 10.0.17763.6293
2024-10-08T18:41:49.8567491Z UsePsSession is True
2024-10-08T18:41:49.8580273Z UsePwshForBc24 is True
2024-10-08T18:41:49.8586217Z UseWinRmSession is allow
2024-10-08T18:41:49.8591664Z UseSslForWinRmSession is True
2024-10-08T18:41:49.9843399Z Docker Client Version is 27.0.3
2024-10-08T18:41:49.9851507Z Docker Server Version is 27.0.3
2024-10-08T18:41:50.3171983Z Removing Desktop shortcuts
2024-10-08T18:41:50.3668455Z Downloading artifact /sandbox/22.0.54157.63994/fr
2024-10-08T18:41:50.3833580Z Downloading C:\Windows\TEMP\b328269c-f276-414e-89f4-f9d36298f8c0.zip
2024-10-08T18:42:17.0335738Z Unpacking artifact to tmp folder using Expand-Archive
2024-10-08T18:42:20.3147606Z Downloading platform artifact /sandbox/22.0.54157.63994/platform
2024-10-08T18:42:20.3376941Z Downloading C:\Windows\TEMP\c79960df-5d41-46f8-8d64-59def063b7b9.zip
2024-10-08T18:42:36.1715613Z Unpacking artifact to tmp folder using Expand-Archive
2024-10-08T18:42:57.2670910Z Downloading Prerequisite Components
2024-10-08T18:42:57.3216855Z Downloading E:\bccontainerhelper\artifacts\sandbox\22.0.54157.63994\platform\Prerequisite Components\IIS URL Rewrite Module\rewrite_2.0_rtw_x64.msi
2024-10-08T18:42:57.4305765Z Downloading E:\bccontainerhelper\artifacts\sandbox\22.0.54157.63994\platform\Prerequisite Components\DotNetCore\DotNetCore.1.0.4_1.1.1-WindowsHosting.exe
2024-10-08T18:42:58.8877317Z Fetching all docker images
2024-10-08T18:42:58.9862498Z Fetching all docker volumes
2024-10-08T18:42:59.1144513Z Enabling SSL as otherwise all clients will see mixed HTTP / HTTPS request, which will cause problems e.g. on the mobile and modern windows clients
2024-10-08T18:42:59.6540307Z Using image mcr.microsoft.com/businesscentral:ltsc2019
2024-10-08T18:42:59.7584986Z PublicDnsName is {{REDACTED_FQDN}}
2024-10-08T18:42:59.9981571Z Creating Container {{REDACTED_CONTAINERNAME}}
2024-10-08T18:42:59.9990125Z Style: sandbox
2024-10-08T18:42:59.9995889Z Multitenant: Yes
2024-10-08T18:43:00.0009463Z Version: 22.0.54157.63994
2024-10-08T18:43:00.0016017Z Platform: 22.0.63977.0
2024-10-08T18:43:00.0024255Z Generic Tag: 1.0.2.39
2024-10-08T18:43:00.0066292Z Container OS Version: 10.0.17763.6054 (ltsc2019)
2024-10-08T18:43:00.0072214Z Host OS Version: 10.0.17763.6293 (ltsc2019)
2024-10-08T18:43:00.0146483Z WARNING: Host OS and Base Image Container OS doesn't match and process isolation is specified. If you encounter issues, you could try to specify -isolation hyperv
2024-10-08T18:43:00.0152539Z Using process isolation
2024-10-08T18:43:00.0172409Z Using locale fr-FR
2024-10-08T18:43:00.0192096Z Adding special CheckHealth.ps1 to enable Traefik support
2024-10-08T18:43:00.0203406Z Disabling the standard eventlog dump to container log every 2 seconds (use -dumpEventLog to enable)
2024-10-08T18:43:00.0610286Z Using license file c:\TBS\Licences\TBS_DEV_BC220.bclicense
2024-10-08T18:43:00.2321218Z Additional Parameters:
2024-10-08T18:43:00.2459866Z --expose 5986
2024-10-08T18:43:00.2465962Z -e webserverinstance={{REDACTED_CONTAINERNAME}}
2024-10-08T18:43:00.2471352Z -e publicdnsname={{REDACTED_FQDN}}
2024-10-08T18:43:00.2476411Z -l "traefik.protocol=https"
2024-10-08T18:43:00.2481610Z -l "traefik.web.frontend.rule=PathPrefix:/{{REDACTED_CONTAINERNAME}}"
2024-10-08T18:43:00.2486474Z -l "traefik.web.port=443"
2024-10-08T18:43:00.2491425Z -l "traefik.soap.frontend.rule=PathPrefix:/{{REDACTED_CONTAINERNAME}}soap;ReplacePathRegex: ^/{{REDACTED_CONTAINERNAME}}soap(.*) /BC$1"
2024-10-08T18:43:00.2496267Z -l "traefik.soap.port=7047"
2024-10-08T18:43:00.2501294Z -l "traefik.rest.frontend.rule=PathPrefix:/{{REDACTED_CONTAINERNAME}}rest;ReplacePathRegex: ^/{{REDACTED_CONTAINERNAME}}rest(.*) /BC$1"
2024-10-08T18:43:00.2506161Z -l "traefik.rest.port=7048"
2024-10-08T18:43:00.2511033Z -l "traefik.dev.frontend.rule=PathPrefix:/{{REDACTED_CONTAINERNAME}}dev;ReplacePathRegex: ^/{{REDACTED_CONTAINERNAME}}dev(.*) /BC$1"
2024-10-08T18:43:00.2515810Z -l "traefik.dev.port=7049"
2024-10-08T18:43:00.2520617Z -l "traefik.snap.frontend.rule=PathPrefix:/{{REDACTED_CONTAINERNAME}}snap;ReplacePathRegex: ^/{{REDACTED_CONTAINERNAME}}snap(.*) /BC$1"
2024-10-08T18:43:00.2525388Z -l "traefik.snap.port=7083"
2024-10-08T18:43:00.2530252Z -l "traefik.dl.frontend.rule=PathPrefixStrip:/{{REDACTED_CONTAINERNAME}}dl"
2024-10-08T18:43:00.2535132Z -l "traefik.dl.port=8080"
2024-10-08T18:43:00.2544129Z -l "traefik.dl.protocol=http"
2024-10-08T18:43:00.2549556Z -l "traefik.enable=true"
2024-10-08T18:43:00.2554576Z -l "traefik.frontend.entryPoints=https"
2024-10-08T18:43:00.2560128Z --env customNavSettings=ValidAudiences={{REDACTED_APPID}};https://api.businesscentral.dynamics.com,DisableTokenSigningCertificateValidation=True,ExtendedSecurityTokenLifetime=24,ClientServicesCredentialType=NavUserPassword,EnableTaskScheduler=True,PublicODataBaseUrl=https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}rest/odata,PublicSOAPBaseUrl=https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}soap/ws,PublicWebBaseUrl=https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}
2024-10-08T18:43:00.2564898Z --env customWebSettings=AadApplicationId={{REDACTED_APPID}},AadAuthorityUri=https://login.microsoftonline.com/{{REDACTED_TENANTID}}
2024-10-08T18:43:00.2570798Z Files in E:\bccontainerhelper\data\Extensions\{{REDACTED_CONTAINERNAME}}\my:
2024-10-08T18:43:00.2716243Z - AdditionalOutput.ps1
2024-10-08T18:43:00.2722262Z - AdditionalSetup.ps1
2024-10-08T18:43:00.2727860Z - CheckHealth.ps1
2024-10-08T18:43:00.2733202Z - HelperFunctions.ps1
2024-10-08T18:43:00.2738559Z - license.bclicense
2024-10-08T18:43:00.2743841Z - MainLoop.ps1
2024-10-08T18:43:00.2748953Z - SetupNavUsers.ps1
2024-10-08T18:43:00.2754034Z - SetupVariables.ps1
2024-10-08T18:43:00.2759253Z - updatecontainerhosts.ps1
2024-10-08T18:43:00.2764349Z Creating container {{REDACTED_CONTAINERNAME}} from image mcr.microsoft.com/businesscentral:ltsc2019
2024-10-08T18:43:00.5951171Z 9cf287762994077e5576d621b2c35a57e2db6d1736054a43d0bfbd60bb1f2261
2024-10-08T18:43:03.7694516Z Waiting for container {{REDACTED_CONTAINERNAME}} to be ready
2024-10-08T18:43:22.9365599Z Using artifactUrl https://bcartifacts-exdbf9fwegejdqak.b02.azurefd.net/sandbox/22.0.54157.63994/fr
2024-10-08T18:43:22.9366590Z Using installer from C:\Run\210-new
2024-10-08T18:43:22.9367033Z Installing Business Central: multitenant=True, installOnly=False, filesOnly=False, includeTestToolkit=False, includeTestLibrariesOnly=False, includeTestFrameworkOnly=False, includePerformanceToolkit=False, appArtifactPath=c:\dl\sandbox\22.0.54157.63994\fr, platformArtifactPath=c:\dl\sandbox\22.0.54157.63994\platform, databasePath=c:\dl\sandbox\22.0.54157.63994\fr\BusinessCentral-FR.bak, licenseFilePath=c:\dl\sandbox\22.0.54157.63994\fr\Cronus.bclicense, rebootContainer=True
2024-10-08T18:43:22.9367460Z Installing from artifacts
2024-10-08T18:43:26.2730250Z Starting Local SQL Server
2024-10-08T18:43:27.3769548Z Starting Internet Information Server
2024-10-08T18:43:27.3769927Z Copying Service Tier Files
2024-10-08T18:43:27.3770224Z c:\dl\sandbox\22.0.54157.63994\platform\ServiceTier\Program Files
2024-10-08T18:43:27.3770592Z c:\dl\sandbox\22.0.54157.63994\platform\ServiceTier\System64Folder
2024-10-08T18:43:27.3770905Z Copying PowerShell Scripts
2024-10-08T18:43:28.4749192Z c:\dl\sandbox\22.0.54157.63994\platform\WindowsPowerShellScripts\Cloud\NAVAdministration
2024-10-08T18:43:28.4749636Z c:\dl\sandbox\22.0.54157.63994\platform\WindowsPowerShellScripts\WebSearch
2024-10-08T18:43:28.4749856Z Copying Web Client Files
2024-10-08T18:43:30.6883834Z c:\dl\sandbox\22.0.54157.63994\platform\WebClient\Microsoft Dynamics NAV
2024-10-08T18:43:30.6884241Z Copying ModernDev Files
2024-10-08T18:43:30.6884495Z c:\dl\sandbox\22.0.54157.63994\platform
2024-10-08T18:43:30.6884810Z c:\dl\sandbox\22.0.54157.63994\platform\ModernDev\program files\Microsoft Dynamics NAV
2024-10-08T18:43:30.6885091Z Copying additional files
2024-10-08T18:43:30.6885338Z Copying ConfigurationPackages
2024-10-08T18:43:30.6885619Z C:\dl\sandbox\22.0.54157.63994\fr\ConfigurationPackages
2024-10-08T18:43:30.6885912Z Copying Test Assemblies
2024-10-08T18:43:30.6886160Z C:\dl\sandbox\22.0.54157.63994\platform\Test Assemblies
2024-10-08T18:43:30.6886412Z Copying Extensions
2024-10-08T18:43:30.6886672Z C:\dl\sandbox\22.0.54157.63994\fr\Extensions
2024-10-08T18:43:30.6886936Z Copying Applications
2024-10-08T18:43:30.6887923Z C:\dl\sandbox\22.0.54157.63994\platform\Applications
2024-10-08T18:43:30.6888263Z Copying Applications.FR
2024-10-08T18:43:30.6888544Z C:\dl\sandbox\22.0.54157.63994\fr\Applications.FR
2024-10-08T18:43:31.7896578Z Copying dependencies
2024-10-08T18:43:47.6163365Z Copying ReportBuilder
2024-10-08T18:43:50.9059322Z Importing PowerShell Modules
2024-10-08T18:43:57.7482202Z Restoring CRONUS Demo Database
2024-10-08T18:43:58.8463651Z Setting CompatibilityLevel for tenant on localhost\SQLEXPRESS
2024-10-08T18:44:22.5200316Z Exporting Application to CRONUS
2024-10-08T18:44:27.0705684Z Removing Application from tenant
2024-10-08T18:44:27.0706110Z Modifying Business Central Service Tier Config File for Docker
2024-10-08T18:44:27.0706541Z Creating Business Central Service Tier
2024-10-08T18:44:27.0706762Z Installing SIP crypto provider: 'C:\Windows\System32\NavSip.dll'
2024-10-08T18:44:46.1694950Z Starting Business Central Service Tier
2024-10-08T18:44:49.4616508Z Importing license file
2024-10-08T18:44:49.4616743Z Copying Database on localhost\SQLEXPRESS from tenant to default
2024-10-08T18:44:49.4616921Z Taking database tenant offline
2024-10-08T18:44:49.4617114Z Copying database files
2024-10-08T18:44:52.8538456Z Attaching files as new Database default
2024-10-08T18:44:52.8538740Z Putting database tenant back online
2024-10-08T18:44:52.8538898Z Mounting tenant database
2024-10-08T18:47:11.4191547Z Mounting Database for default on server localhost\SQLEXPRESS with AllowAppDatabaseWrite = False
2024-10-08T18:47:13.6415363Z Sync'ing Tenant
2024-10-08T18:47:13.6415674Z Tenant is Operational
2024-10-08T18:47:13.6415868Z Stopping Business Central Service Tier
2024-10-08T18:47:13.6416071Z Installation took 230 seconds
2024-10-08T18:47:13.6416243Z Installation complete
2024-10-08T18:47:13.6416642Z Initializing...
2024-10-08T18:47:13.6418416Z Setting host.containerhelper.internal to 172.27.128.1 in container hosts file
2024-10-08T18:47:13.6418666Z Starting Container
2024-10-08T18:47:13.6418819Z Hostname is {{REDACTED_CONTAINERNAME}}
2024-10-08T18:47:14.7373512Z PublicDnsName is {{REDACTED_FQDN}}
2024-10-08T18:47:14.7373788Z Using AccessControlService Authentication
2024-10-08T18:47:14.7373953Z Creating Self Signed Certificate
2024-10-08T18:47:15.8383175Z Self Signed Certificate Thumbprint C85568ACC9B065EF1AB5F3DC9D98A06ABCE15B1D
2024-10-08T18:47:15.8383462Z DNS identity {{REDACTED_FQDN}}
2024-10-08T18:47:15.8383634Z Modifying Service Tier Config File with Instance Specific Settings
2024-10-08T18:47:15.8383827Z Modifying Service Tier Config File with settings from environment variable
2024-10-08T18:47:15.8384038Z Setting ValidAudiences to {{REDACTED_APPID}};https://api.businesscentral.dynamics.com
2024-10-08T18:47:15.8384256Z Setting DisableTokenSigningCertificateValidation to True
2024-10-08T18:47:15.8384437Z Setting ExtendedSecurityTokenLifetime to 24
2024-10-08T18:47:15.8384603Z Setting ClientServicesCredentialType to NavUserPassword
2024-10-08T18:47:15.8384764Z Setting EnableTaskScheduler to True
2024-10-08T18:47:15.8386393Z Setting PublicODataBaseUrl to https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}rest/odata
2024-10-08T18:47:15.8386605Z Setting PublicSOAPBaseUrl to https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}soap/ws
2024-10-08T18:47:15.8386796Z Setting PublicWebBaseUrl to https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}
2024-10-08T18:47:29.3629705Z Starting Service Tier
2024-10-08T18:47:29.3630210Z CertificateThumprint C85568ACC9B065EF1AB5F3DC9D98A06ABCE15B1D
2024-10-08T18:47:29.3630521Z Registering event sources
2024-10-08T18:47:29.3630793Z Creating DotNetCore Web Server Instance
2024-10-08T18:47:29.3631050Z Using application pool name: {{REDACTED_CONTAINERNAME}}
2024-10-08T18:47:29.3631337Z Using default container name: NavWebApplicationContainer
2024-10-08T18:47:32.6779690Z Copy files to WWW root C:\inetpub\wwwroot\{{REDACTED_CONTAINERNAME}}
2024-10-08T18:47:32.6780060Z Create the application pool {{REDACTED_CONTAINERNAME}}
2024-10-08T18:47:33.7817328Z Create website: NavWebApplicationContainer with SSL
2024-10-08T18:47:33.7817629Z Update configuration: navsettings.json
2024-10-08T18:47:33.7817805Z Done Configuring Web Client
2024-10-08T18:47:33.7817990Z Modifying Web Client config with settings from environment variable
2024-10-08T18:47:33.7818194Z Setting AadApplicationId to {{REDACTED_APPID}}
2024-10-08T18:47:34.9560130Z Setting AadAuthorityUri to https://login.microsoftonline.com/{{REDACTED_TENANTID}}
2024-10-08T18:47:34.9564941Z Enabling Financials User Experience
2024-10-08T18:47:34.9614589Z Using license file 'c:\run\my\license.bclicense'
2024-10-08T18:47:38.2577962Z Import License
2024-10-08T18:47:38.2578272Z Dismounting Tenant
2024-10-08T18:47:38.2578401Z Mounting Tenant
2024-10-08T18:47:38.2578551Z Setting AadTenantId to {{REDACTED_TENANTPRIMARYNAME}}
2024-10-08T18:48:06.4673235Z Mounting Database for default on server localhost\SQLEXPRESS with AllowAppDatabaseWrite = False
2024-10-08T18:48:06.4673550Z Sync'ing Tenant
2024-10-08T18:48:06.4673684Z Tenant is Operational
2024-10-08T18:48:07.6421194Z Creating http download site
2024-10-08T18:48:07.6421603Z Setting SA Password and enabling SA
2024-10-08T18:48:08.7480465Z Creating *** as SQL User and add to sys***
2024-10-08T18:48:15.4471363Z Creating SUPER user
2024-10-08T18:48:15.4471663Z Assign Premium plan for {{REDACTED_ACCOUNT}}
2024-10-08T18:48:32.3666997Z Enable PSRemoting and setup user for winrm
2024-10-08T18:48:32.3667337Z Creating self-signed certificate for winrm
2024-10-08T18:48:32.3667584Z Container IP Address: 172.27.129.241
2024-10-08T18:48:32.3667748Z Container Hostname  : {{REDACTED_CONTAINERNAME}}
2024-10-08T18:48:32.3667893Z Container Dns Name  : {{REDACTED_FQDN}}
2024-10-08T18:48:32.3668063Z Web Client          : https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}/?tenant=default
2024-10-08T18:48:32.3668242Z Dev. Server         : https://{{REDACTED_FQDN}}
2024-10-08T18:48:32.3668593Z Dev. ServerInstance : BC
2024-10-08T18:48:32.3668751Z Dev. Server Tenant  : default
2024-10-08T18:48:32.3668915Z Setting {{REDACTED_CONTAINERNAME}}-default to 127.0.0.1 in container hosts file
2024-10-08T18:48:32.3668995Z 
2024-10-08T18:48:32.3669101Z Files:
2024-10-08T18:48:32.3669951Z http://{{REDACTED_FQDN}}:8080/ALLanguage.vsix
2024-10-08T18:48:32.3670265Z http://{{REDACTED_FQDN}}:8080/certificate.cer
2024-10-08T18:48:32.3670344Z 
2024-10-08T18:48:32.3670489Z WARNING: You are running a container which is 78 days old.
2024-10-08T18:48:32.3670679Z Microsoft recommends that you always run the latest version of our containers.
2024-10-08T18:48:32.3670762Z 
2024-10-08T18:48:33.4702973Z Container Total Physical Memory is 128.0Gb
2024-10-08T18:48:33.4703293Z Container Free Physical Memory is 78.8Gb
2024-10-08T18:48:33.4703369Z 
2024-10-08T18:48:33.4703504Z Initialization took 79 seconds
2024-10-08T18:48:33.4708757Z Ready for connections!
2024-10-08T18:48:39.8271614Z Reading CustomSettings.config from {{REDACTED_CONTAINERNAME}}
2024-10-08T18:48:41.5640280Z Skipping font 'lucon.ttf' as it is already installed
2024-10-08T18:48:52.5744434Z Installing fonts - Completed
2024-10-08T18:48:52.6273912Z Cleanup old dotnet core assemblies
2024-10-08T18:48:52.6295364Z Container {{REDACTED_CONTAINERNAME}} successfully created
2024-10-08T18:48:52.6301016Z Because of Traefik, the following URLs need to be used when accessing the container from outside your Docker host:
2024-10-08T18:48:52.6305884Z Web Client:        https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}
2024-10-08T18:48:52.6311441Z SOAP WebServices:  https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}soap
2024-10-08T18:48:52.6316100Z OData WebServices: https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}rest
2024-10-08T18:48:52.6321623Z Dev Service:       https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}dev
2024-10-08T18:48:52.6326785Z Snapshot Service:  https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}snap
2024-10-08T18:48:52.6331895Z File downloads:    https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}dl
2024-10-08T18:48:53.9813173Z Health check returns False, restarting container
2024-10-08T18:48:54.9510668Z Removing Session {{REDACTED_CONTAINERNAME}}
2024-10-08T18:49:15.9253242Z {{REDACTED_CONTAINERNAME}}
2024-10-08T18:49:16.1544233Z Waiting for container {{REDACTED_CONTAINERNAME}} to be ready
2024-10-08T18:49:17.3569334Z 
2024-10-08T18:49:17.3569990Z Initializing...
2024-10-08T18:49:17.3570234Z Setting host.containerhelper.internal to 172.27.128.1 in container hosts file
2024-10-08T18:49:17.3570460Z Restarting Container
2024-10-08T18:49:17.3570643Z PublicDnsName unchanged
2024-10-08T18:49:17.3570833Z Hostname is {{REDACTED_CONTAINERNAME}}
2024-10-08T18:49:17.3571028Z PublicDnsName is {{REDACTED_FQDN}}
2024-10-08T18:49:17.3571230Z Using AccessControlService Authentication
2024-10-08T18:49:19.5635135Z Starting Local SQL Server
2024-10-08T18:49:19.5635427Z Starting Internet Information Server
2024-10-08T18:49:25.4676647Z Starting Service Tier
2024-10-08T18:49:25.4676939Z Container IP Address: 172.27.128.141
2024-10-08T18:49:25.4677093Z Container Hostname  : {{REDACTED_CONTAINERNAME}}
2024-10-08T18:49:25.4677952Z Container Dns Name  : {{REDACTED_FQDN}}
2024-10-08T18:49:25.4678125Z Web Client          : https://{{REDACTED_FQDN}}/{{REDACTED_CONTAINERNAME}}?tenant=default
2024-10-08T18:49:25.4678299Z Dev. Server         : https://{{REDACTED_FQDN}}
2024-10-08T18:49:25.4678444Z Dev. ServerInstance : BC
2024-10-08T18:49:25.4680229Z Dev. Server Tenant  : default
2024-10-08T18:49:25.4680608Z Setting {{REDACTED_CONTAINERNAME}}-default to 127.0.0.1 in container hosts file
2024-10-08T18:49:25.4680941Z 
2024-10-08T18:49:25.4681237Z Files:
2024-10-08T18:49:25.4681525Z http://{{REDACTED_FQDN}}:8080/ALLanguage.vsix
2024-10-08T18:49:25.4682247Z http://{{REDACTED_FQDN}}:8080/certificate.cer
2024-10-08T18:49:25.4682389Z 
2024-10-08T18:49:25.4682608Z Container Total Physical Memory is 128.0Gb
2024-10-08T18:49:25.4682867Z Container Free Physical Memory is 82.3Gb
2024-10-08T18:49:25.4682976Z 
2024-10-08T18:49:25.4683170Z Initialization took 9 seconds
2024-10-08T18:49:25.4683395Z Ready for connections!
2024-10-08T18:49:27.6393302Z Waiting for tenants to be mounted
2024-10-08T18:49:33.6804564Z 
2024-10-08T18:49:33.6809695Z Use:
2024-10-08T18:49:33.6818810Z Get-BcContainerEventLog -containerName {{REDACTED_CONTAINERNAME}} to retrieve a snapshot of the event log from the container
2024-10-08T18:49:33.6828360Z Get-BcContainerDebugInfo -containerName {{REDACTED_CONTAINERNAME}} to get debug information about the container
2024-10-08T18:49:33.6839769Z Enter-BcContainer -containerName {{REDACTED_CONTAINERNAME}} to open a PowerShell prompt inside the container
2024-10-08T18:49:33.6850223Z Remove-BcContainer -containerName {{REDACTED_CONTAINERNAME}} to remove the container again
2024-10-08T18:49:33.6859860Z docker logs {{REDACTED_CONTAINERNAME}} to retrieve information about URL's again
2024-10-08T18:49:34.4192998Z ##[section]Finishing: Create Container

Screenshots

(three screenshots attached to the original issue; not reproduced here)

Additional context

similar-issues-ai[bot] commented 1 day ago

We've found some similar issues:

If any of the above are duplicates, please consider closing this issue out and adding additional context in the original issue.

Note: You can give me feedback by 👍 or 👎 this comment.

freddydk commented 1 day ago

Have you tried this without traefik? I think I have heard other people having problems with traefik and AAD authentication. As a start - just to see whether this is the problem.

warlof commented 1 day ago

Hi @freddydk

I'll try and keep you informed. Also, I checked the access token obtained using client_credentials and it looks valid to me (compared to other tokens which are working on OnPrem containers).

I also wonder if it's tied to the sandbox container or rather to the tenant capability. I will do another test using an OnPrem container with the tenant feature enabled.

Last but not least, why are tokens delivered using the authorization_code method working? So many questions 😂

warlof commented 1 day ago

So, updates:

| Scenario | Traefik | Type    | Multitenant | Authorization Code | Client Credentials |
|----------|---------|---------|-------------|--------------------|--------------------|
| 1        | ✅      | OnPrem  | 🟥          | ✅                 | ✅                 |
| 2        | ✅      | Sandbox | ✅          | ✅                 | 🟥                 |
| 3        | ✅      | OnPrem  | ✅          | ✅                 | 🟥                 |
| 4        | 🟥      | Sandbox | ✅          | ✅                 | 🟥                 |

It appears the issue is tied to tenant usage rather than to the binary being either sandbox or onprem, or to whether it is used behind Traefik or not.

Below is the output of the Get-NavTenant command (when the container is deployed using the multitenant flag):

ServerInstance                         : MicrosoftDynamicsNavServer$bc
DatabaseName                           : default
DatabaseServer                         : localhost\SQLEXPRESS
DatabaseUserName                       :
State                                  : Operational
DetailedState                          :
DeletionState                          : Not deleted
IsInExclusiveAccessMode                : False
TenantDataVersion                      : 22.5.59966.64723
Compression                            : Page
Id                                     : default
AlternateId                            : {oauth-notraefik-default}
ValidAudiences                         : {}
AllowAppDatabaseWrite                  : False
NasServicesEnabled                     : False
RunNasWithAdminRights                  : False
EncryptionProvider                     : LocalKeyFile
AzureKeyVaultSettings                  :
DefaultCompany                         :
DefaultTimeZone                        : (UTC) Coordinated Universal Time
ExchangeAuthenticationMetadataLocation :
AadTenantId                            : {{ REDACTED_TENANT_PRIMARYDOMAIN }}
ApplicationInsightsConnectionString    :
DisplayName                            :
EnvironmentName                        :
EnvironmentType                        : Sandbox
EnvironmentSettings                    :

warlof commented 1 day ago

I made a quick attempt after seeing that the AadTenantId value was using the tenant primary domain rather than its GUID, as it appears in the documentation.

I ran the following:

Dismount-NavTenant -ServerInstance bc -Tenant default
Mount-NavTenant -ServerInstance bc -Tenant default -DatabaseName default -DatabaseServer "localhost\SQLEXPRESS" -AadTenantId "{{ REDACTED_TENANT_ID }}"

It works 👍

So the issue seems to be the way the tenant is mounted, https://github.com/microsoft/nav-docker/blob/f0fb8482f844061ce4d2b0d026112447cc189773/generic/Run/SetupTenant.ps1#L33, which appears to use the user email domain rather than the tenant GUID.
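As an added diagnostic that is not part of this issue or of nav-docker, the PowerShell below decodes the payload of a client_credentials access token and compares its tid, aud and iss claims with the AadTenantId the BC tenant is mounted with (the value Get-NavTenant prints) and with the ValidAudiences entries the container passes in customNavSettings. The function names, the GUIDs, the domain and the unsigned sample token are all constructed placeholders.

```powershell
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments are base64url without padding; restore standard base64 before decoding
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Value)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 dot-separated segments, got $($parts.Count)" }
    # Payload only; the signature is not checked here. The service tier verifies it
    # (unless DisableTokenSigningCertificateValidation=True, as the container log shows).
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-BcS2SToken {
    # Hypothetical helper: returns one finding per mismatch, nothing when the token fits the configuration.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$MountedAadTenantId,   # AadTenantId as shown by Get-NavTenant
        [Parameter(Mandatory)][string[]]$ValidAudiences      # ValidAudiences from CustomSettings.config
    )
    $claims = Get-JwtPayload $Token
    $findings = @()

    # The tid claim is always the tenant GUID, so a tenant mounted with its primary domain can never match it
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($MountedAadTenantId, [ref]$guid)) {
        $findings += "Tenant is mounted with AadTenantId '$MountedAadTenantId', which is not a GUID; remount with -AadTenantId <tenant GUID> so it can match the token's tid claim"
    }
    elseif ($claims.tid -ne $MountedAadTenantId) {
        $findings += "Token tid '$($claims.tid)' does not match mounted AadTenantId '$MountedAadTenantId'"
    }

    if ($ValidAudiences -notcontains $claims.aud) {
        $findings += "Token aud '$($claims.aud)' is not in ValidAudiences ($($ValidAudiences -join ', '))"
    }

    # v1 tokens use the sts.windows.net issuer, v2 tokens the login.microsoftonline.com one; both embed the tenant GUID
    $expectedIssuers = @("https://sts.windows.net/$($claims.tid)/", "https://login.microsoftonline.com/$($claims.tid)/v2.0")
    if ($expectedIssuers -notcontains $claims.iss) {
        $findings += "Token iss '$($claims.iss)' is not an Entra ID issuer for tenant '$($claims.tid)'"
    }

    # An app-only token has no user; a scp claim means it came from a delegated flow such as authorization_code
    if ($claims.PSObject.Properties['scp']) {
        $findings += "Token carries a scp claim, so it was issued with a delegated flow, not client_credentials"
    }
    $findings
}

# --- Constructed sample: placeholder GUIDs and an unsigned token, not real values ---
$tenantGuid = '11111111-2222-3333-4444-555555555555'
$appId      = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$header     = @{ alg = 'RS256'; typ = 'JWT' } | ConvertTo-Json -Compress
$payload    = @{ aud = $appId; iss = "https://sts.windows.net/$tenantGuid/"; tid = $tenantGuid; appid = $appId } | ConvertTo-Json -Compress
$sampleToken = "$(ConvertTo-Base64Url $header).$(ConvertTo-Base64Url $payload).signature-placeholder"

$validAudiences = @($appId, 'https://api.businesscentral.dynamics.com')

# Mounted with the primary domain, as the Get-NavTenant output above showed: one finding is reported
Test-BcS2SToken -Token $sampleToken -MountedAadTenantId 'contoso.onmicrosoft.com' -ValidAudiences $validAudiences

# Mounted with the tenant GUID, as in the remount command above: no findings
Test-BcS2SToken -Token $sampleToken -MountedAadTenantId $tenantGuid -ValidAudiences $validAudiences
```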

freddydk commented 1 day ago

> So the issue seems to be the way the tenant is mounted, https://github.com/microsoft/nav-docker/blob/f0fb8482f844061ce4d2b0d026112447cc189773/generic/Run/SetupTenant.ps1#L33, which appears to use the user email domain rather than the tenant GUID.

That should be the same.

The domain name from the authentication email or the guid should yield the same AAD tenant.

At least, I have never before heard that it doesn't work.

Try here: https://gettenantpartitionweb.azurewebsites.net/

One of my demo tenants is directionsemea2019demo.onmicrosoft.com - and the GUID for that is here:

(screenshot of the lookup result; not reproduced here)

Are you seeing a different tenant GUID from your authentication email?

warlof commented 1 day ago

I got the same id (f2bc...)

However, if I mount the tenant using the primary domain (or the one from the authentication email domain, but they're the same), it doesn't work. But when mounting the tenant using its GUID, it works.

freddydk commented 1 day ago

OK - strange. I am actually not sure whether I have the AADTenantId handy at that time inside the generic image - I will have to investigate that.

freddydk commented 9 hours ago

Could you try to add this parameter to your New-BcContainer (just for a test)?

-myScripts @('https://raw.githubusercontent.com/microsoft/nav-docker/refs/heads/freddydk/issue3709/generic/Run/SetupTenant.ps1')

This overrides SetupTenant with a new version, which should be using the tenant Id instead of the domain name (if specified).

If this works, I will create a PR and get it in, then it will be part of the next generic image build (in a few days). The above link will work until the PR is merged, then you can reference the file from the main branch until images have been built.

warlof commented 7 hours ago

Hello @freddydk

I confirm this is working with this version of the SetupTenant script. Thank you very much 👍