Closed nicolassaleron closed 2 years ago
Yeah, some things were changed in 20 that require the AAD app to be different. Setting the legacy field means that you can use the "old" AAD app registration, but you should instead create a new AAD app registration, which works with both.
This code works for me:
    # The four *Secret variables ($LicenseFileSecret, $PasswordSecret, $AadUserNameSecret, $AadPasswordSecret)
    # are assumed to have been retrieved before this snippet runs (e.g. from a key vault); they are not defined here.
    $containerName = "bcserver"
    $licenseFile = $LicenseFileSecret.SecretValue | Get-PlainText
    $credential = New-Object pscredential -ArgumentList 'admin', $PasswordSecret.SecretValue
    $artifactUrl = Get-BCArtifactUrl -country us
    # AAD admin account used to create the app registrations and as the first BC user
    $aadCredential = New-Object pscredential -ArgumentList ($AadUserNameSecret.SecretValue | Get-PlainText), $AadPasswordSecret.SecretValue

    $useSSL = $true
    $params = @{ "useSSL" = $useSSL }
    if ($useSSL) {
        $protocol = "https://"
        # hyperv isolation plus installing the self-signed cert on the host so the browser trusts the redirect back to BC
        $params += @{
            "isolation" = "hyperv"
            "installCertificateOnHost" = $true
        }
    }
    else {
        $protocol = "http://"
    }

    $aadTenant = "12ad5b0b-86c3-4df1-a022-a2083f9909a8"
    $aadDomain = $aadCredential.UserName.Split('@')[1]      # domain part of the AAD admin UPN
    $appIdUri = "$protocol$containerName.$aadDomain/BC"      # must be the same value passed to the container as -AadAppIdUri

    # ---- Create-AadAppsForBC ----
    Write-Host "AAD Tenant: $aadTenant"
    Write-Host "AAD Domain: $aadDomain"
    Write-Host "AppIdUri: $appIdUri"
    $AdProperties = Create-AadAppsForBC `
        -AadAdminCredential $aadCredential `
        -appIdUri $appIdUri `
        -publicWebBaseUrl "$protocol$containerName/BC" `
        -PreAuthorizePowerShell `
        -IncludeApiAccess `
        -IncludePowerBiAadApp `
        -IncludeExcelAadApp `
        -IncludeEmailAadApp

    # ---- New-BcContainer ----
    # The SSO app id returned above is what the container's NST and web server are configured with.
    New-BcContainer @params `
        -containerName $containerName `
        -accept_eula `
        -artifact $artifactUrl `
        -auth AAD `
        -Credential $credential `
        -licenseFile $licenseFile `
        -updatehosts `
        -AuthenticationEMail $aadCredential.UserName `
        -AadTenant $aadTenant `
        -AadAppId $AdProperties.SsoAdAppId `
        -AadAppIdUri $appIdUri `
        -runSandboxAsOnPrem -dns '8.8.8.8' `
        -additionalParameters @("--env customNavSettings=ExcelAddInAzureActiveDirectoryClientId=$($AdProperties.ExcelAdAppId)")
That was as easy as recreating the app in Azure, thank you!
Describe the issue
I am trying to create a new container with the AccessControlService credential type.
When logging in to BC in a private window, I am redirected to https://login.microsoftonline.com/48***-***-***-***-***aa/oauth2/authorize?client_id=90***-***-***-***-***718aea8c&redirect_uri=https%3A%2F%2F***.capvision-cloud.fr%3A7143%2FBC%2FSignIn&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=63***Ux&state=***DrQ&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.15.0.0
But once returned to BC, I get this page.
I have not found anything relevant in the logs.
Scripts used to create container and cause the issue
Full output of scripts
Screenshots
Additional context
I have noticed the following things that differ from the doc and might be the cause (but it does not solve the issue).
On the NST:
- WSFederationLoginEndpoint does not contain wreply in the query string (https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/authenticating-users-with-azure-active-directory?tabs=singletenant%2Cadmintool#task-4-configure-)
- ClientServicesCredentialType is set to NavUserPassword; I think it should be AccessControlService
On the web server:
- The doc specifies that on BC 20, UseLegacyAcsAuthentication must be set to true (https://docs.microsoft.com/en-us/dynamics365/business-central/dev-itpro/administration/authenticating-users-with-azure-active-directory?tabs=singletenant%2Cadmintool#task-5-configure-).
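The three observations above (ClientServicesCredentialType, a wreply in the WSFederationLoginEndpoint, and UseLegacyAcsAuthentication) are the settings worth checking before blaming the AAD app. The function below is an added example for that check; it is not code from the issue or from BcContainerHelper. It assumes the NST's CustomSettings.config is the usual appSettings XML and that UseLegacyAcsAuthentication sits under NAVWebSettings in the web server's navsettings.json; the two config texts at the bottom are constructed to reproduce the misconfiguration reported in the issue, so the check runs offline. The wreply detection decodes the query first, because the documented endpoint format chains wa, wtrealm and wreply with %26 rather than a literal &.

```powershell
# Added example (not from the original issue or BcContainerHelper): checks the three AAD-related
# settings discussed in this issue against the raw text of the two config files.
function Test-BcAadConfig {
    param(
        [Parameter(Mandatory)] [string] $CustomSettingsXml,   # content of the NST CustomSettings.config
        [Parameter(Mandatory)] [string] $NavSettingsJson,     # content of the web server navsettings.json
        [switch] $LegacyAcsExpected                           # set when an "old" app registration is used on BC 20
    )

    # NST settings: <appSettings><add key=".." value=".."/></appSettings>
    [xml] $xml = $CustomSettingsXml
    $nst = @{}
    foreach ($add in $xml.appSettings.add) { $nst[$add.key] = $add.value }

    # Web server settings: assumption that the keys live under NAVWebSettings
    $web = ($NavSettingsJson | ConvertFrom-Json).NAVWebSettings

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. AAD login requires the AccessControlService credential type on the NST
    $credType = $nst['ClientServicesCredentialType']
    if ($credType -ne 'AccessControlService') {
        $findings.Add("NST ClientServicesCredentialType is '$credType', expected 'AccessControlService'")
    }

    # 2. The WS-Federation endpoint must carry a wreply (where AAD posts the token back to).
    #    Decode first: the documented format uses %26 between wa, wtrealm and wreply.
    $endpoint = [string] $nst['WSFederationLoginEndpoint']
    $hasWreply = $false
    if ($endpoint) {
        $query = [Uri]::UnescapeDataString(([Uri] $endpoint).Query.TrimStart('?'))
        $hasWreply = $query -match '(^|&)wreply='
    }
    if (-not $hasWreply) {
        $findings.Add("NST WSFederationLoginEndpoint has no wreply parameter: '$endpoint'")
    }

    # 3. UseLegacyAcsAuthentication must match the kind of app registration in use
    $legacy = ([string] $web.UseLegacyAcsAuthentication).ToLower()
    $expected = if ($LegacyAcsExpected) { 'true' } else { 'false' }
    if ($legacy -ne $expected) {
        $findings.Add("Web server UseLegacyAcsAuthentication is '$legacy', expected '$expected'")
    }

    [pscustomobject]@{
        Ok       = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample input mirroring the issue: NavUserPassword, no wreply, legacy flag left at false
$sampleCustomSettings = @'
<?xml version="1.0"?>
<appSettings>
  <add key="ClientServicesCredentialType" value="NavUserPassword" />
  <add key="WSFederationLoginEndpoint" value="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/wsfed?wa=wsignin1.0%26wtrealm=https://bcserver.contoso.com/BC" />
</appSettings>
'@
$sampleNavSettings = @'
{ "NAVWebSettings": { "ClientServicesCredentialType": "AccessControlService", "UseLegacyAcsAuthentication": "false" } }
'@

$result = Test-BcAadConfig -CustomSettingsXml $sampleCustomSettings -NavSettingsJson $sampleNavSettings -LegacyAcsExpected
$result.Findings | ForEach-Object { Write-Host "FINDING: $_" }
if (-not $result.Ok) { Write-Host "AAD configuration does not match the documented setup" }
```

On a running container the same check can be fed with the real files, read through Invoke-ScriptInBcContainer; the default locations assumed here are C:\Program Files\Microsoft Dynamics NAV\<version>\Service\CustomSettings.config for the NST and C:\inetpub\wwwroot\<webserverinstance>\navsettings.json for the web server. Pass -LegacyAcsExpected only when deliberately staying on the old app registration; with a freshly created registration, as the maintainer recommends above, the flag should stay false.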