Open gntpet opened 1 year ago
I would assume that something is wrong in your AAD App Registration. I have this script, which I run to validate AAD Auth (and OAuth and S2S)
It does use some keyvault secrets, which have been read - but I just ran it with the version above, and it works fine. Maybe you can compare and find the difference.
```powershell
function Parse-JWTtoken([string]$token) {
    if ($token.Contains(".") -and $token.StartsWith("eyJ")) {
        # JWT parts are base64url encoded: swap the URL-safe characters back and re-add padding
        $tokenHeader = $token.Split(".")[0].Replace('-', '+').Replace('_', '/')
        while ($tokenHeader.Length % 4) { $tokenHeader += "=" }
        Write-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenHeader)) | ConvertFrom-Json)
        $tokenPayload = $token.Split(".")[1].Replace('-', '+').Replace('_', '/')
        while ($tokenPayload.Length % 4) { $tokenPayload += "=" }
        # Returns the claims (aud, tid, upn/appid, exp, ...) as an object; the signature is not checked here
        return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenPayload)) | ConvertFrom-Json
    }
    throw "Invalid token"
}

# ---------------------------------------------------------------------------
# Parameters
# ---------------------------------------------------------------------------
# The *Secret variables below are KeyVault secrets read before this part of the script runs
$containerName = "bcserver"
$licenseFile = $LicenseFileUrlSecret.SecretValue | Get-PlainText
$credential = New-Object pscredential -ArgumentList 'admin', $PasswordSecret.SecretValue
$artifactUrl = Get-BCArtifactUrl -country us -select NextMinor -sasToken ($InsiderSasTokenSecret.SecretValue | Get-PlainText)
$aadCredential = New-Object pscredential -ArgumentList ($AadUserNameSecret.SecretValue | Get-PlainText), $AadPasswordSecret.SecretValue
$version = '22.0.54157.55195'
# NOTE: this assignment overwrites the insider artifact URL above; the OnPrem w1 artifact is the one actually used
$artifactUrl = Get-BCArtifactUrl -type OnPrem -country w1 -version $version
$useSSL = $false
$params = @{ "useSSL" = $useSSL }
if ($useSSL) {
    $protocol = "https://"
    $params += @{
        "isolation" = "hyperv"
        "installCertificateOnHost" = $true
    }
}
else {
    $protocol = "http://"
}
$aadTenant = "12ad5b0b-86c3-4df1-a022-a2083f9909a8"
$aadDomain = $aadCredential.UserName.Split('@')[1]
# The App ID URI must match the identifier URI of the AAD app and the -AadAppIdUri given to New-BcContainer
$appIdUri = "$protocol$containerName.$aadDomain/BC"

# ---------------------------------------------------------------------------
# Create-AadAppsForBC
# ---------------------------------------------------------------------------
Write-Host "AAD Tenant: $aadTenant"
Write-Host "AAD Domain: $aadDomain"
Write-Host "AppIdUri: $appIdUri"
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
$AdProperties = New-AadAppsForBC `
    -appIdUri $appIdUri `
    -publicWebBaseUrl "$protocol$($containerName)/BC" `
    -PreAuthorizePowerShell `
    -IncludeApiAccess `
    -IncludeOtherServicesAadApp `
    -IncludeExcelAadApp `
    -useCurrentMicrosoftGraphConnection

# ---------------------------------------------------------------------------
# New-BcContainer
# ---------------------------------------------------------------------------
New-BcContainer @params `
    -containerName $containerName `
    -accept_eula `
    -artifact $artifactUrl `
    -auth AAD `
    -Credential $credential `
    -licenseFile $licenseFile `
    -updatehosts `
    -AuthenticationEMail $AadCredential.UserName `
    -AadTenant $aadTenant `
    -AadAppId $AdProperties.SsoAdAppId `
    -AadAppIdUri $appIdUri `
    -dns 'hostDNS' -multitenant:$false `
    -additionalParameters @("--env customNavSettings=ExcelAddInAzureActiveDirectoryClientId=$($AdProperties.ExcelAdAppId)")
#Import-TestToolkitToBcContainer -containerName $containerName -includeTestFrameworkOnly

# ---------------------------------------------------------------------------
# New-BcAuthContext
# ---------------------------------------------------------------------------
# Get AuthContext using Devicelogin flow (Delegation)
$authcontextDL = New-BcAuthContext -includeDeviceLogin -tenantID $aadTenant
$authcontextDL
Parse-JWTtoken $authcontextDL.AccessToken
# Get AuthContext using RefreshToken (Delegation)
$authcontextRT = New-BcAuthContext -refreshToken $authcontextDL.RefreshToken -tenantID $aadTenant
$authcontextRT
Parse-JWTtoken $authcontextRT.AccessToken

# ---------------------------------------------------------------------------
# API using Basic Auth
# ---------------------------------------------------------------------------
# API using basic auth
#$companyId = Get-NavContainerApiCompanyId -containerName $containerName -tenant "default" -credential $credential
#$CompanyId
#(Invoke-BcContainerApi -containerName $containerName -credential $credential -CompanyId $CompanyId -APIVersion "v2.0" -Query "customers").value

# ---------------------------------------------------------------------------
# API using delegation
# ---------------------------------------------------------------------------
# API using AAD auth (Delegation)
$CompanyId = Get-NavContainerApiCompanyId -containerName $containerName -bcAuthContext $authContextDL -APIVersion "v1.0"
$CompanyId
(Invoke-BcContainerApi -containerName $containerName -bcAuthContext $authContextDL -CompanyId $CompanyId -APIVersion "v2.0" -Query "customers").value

# ---------------------------------------------------------------------------
# API using S2S
# ---------------------------------------------------------------------------
Write-Host "Open $protocol$containerName/BC?tenant=default and add $($AdProperties.ApiAdAppId) as Aad registration"
Write-Host "Remember to grant access, Enable the app and add D365 AUTOMATION + D365 BUS FULL ACCESS to permissions"
Read-Host "Press ENTER when done"
# Get AuthContext using ClientCredentials flow (S2S)
$authcontextCC = New-BcAuthContext `
    -clientId $AdProperties.ApiAdAppId `
    -clientSecret $AdProperties.ApiAdAppKeyValue `
    -tenantID $aadTenant `
    -scopes "$appIdUri/.default"
$authcontextCC
Parse-JWTtoken $authcontextCC.AccessToken
# API using AAD auth (S2S)
$CompanyId = Get-NavContainerApiCompanyId -containerName $containerName -bcAuthContext $authContextCC -APIVersion "v1.0"
$CompanyId
(Invoke-BcContainerApi -containerName $containerName -bcAuthContext $authContextCC -CompanyId $CompanyId -APIVersion "v2.0" -Query "customers").value

# ---------------------------------------------------------------------------
# Add PowerBI App
# ---------------------------------------------------------------------------
Publish-BcContainerApp -containerName $containerName -appFile "https://businesscentralapps.azureedge.net/azureadappsetup/18.0.67361.0/apps.zip" -install -sync -skipVerification
$companyId = Get-NavContainerApiCompanyId -containerName $containerName -tenant "default" -credential $credential
$parameters = @{
    "name" = "SetupAzureAdApp"
    "value" = "$($AdProperties.OtherServicesAdAppId),$($AdProperties.OtherServicesAdAppKeyValue)"
}
Invoke-NavContainerApi -containerName $containerName -tenant "default" -credential $credential -APIPublisher "Microsoft" -APIGroup "Setup" -APIVersion "beta" -CompanyId $companyId -Method "POST" -Query "aadApps" -body $parameters | Out-Null
# Work in progress - programmatically add Aad App Registration to BC
$parameters = @{
    "name" = "SetupAadApplication"
    "value" = "$($AdProperties.ApiAdAppId),API,D365 ADMINISTRATOR:D365 FULL ACCESS"
}
Invoke-NavContainerApi -containerName $containerName -tenant "default" -credential $credential -APIPublisher "Microsoft" -APIGroup "Setup" -APIVersion "beta" -CompanyId $companyId -Method "POST" -Query "aadApps" -body $parameters | Out-Null
```
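The comment above points at the App Registration as the likely culprit. One way to narrow that down is to compare the claims in the token that `New-BcAuthContext` returns against the values the container was created with; the check below is an added example, not part of the script or of BcContainerHelper, and the sample token, tenant id and audience in it are constructed placeholders.

```powershell
# Added diagnostic, not part of the script above: decode an access token and check the
# claims BC's AAD authentication depends on. The signature is NOT verified here (the BC
# server does that); this only spots aud/tid mismatches, the usual symptom of a wrong
# App Registration or an -AadAppIdUri that differs from the app's identifier URI.
function ConvertFrom-JwtPart([string]$Part) {
    $b64 = $Part.Replace('-', '+').Replace('_', '/')
    while ($b64.Length % 4) { $b64 += '=' }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-BcTokenClaims {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,  # the $appIdUri the container was created with
        [Parameter(Mandatory)][string]$ExpectedTenant     # the $aadTenant GUID
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected header.payload.signature" }
    $c = ConvertFrom-JwtPart $parts[1]
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # Delegated tokens (device login / refresh token) carry upn+scp; S2S tokens carry appid+roles
    $flow = if ($c.scp) { "Delegated ($($c.upn))" } else { "S2S (appid $($c.appid))" }
    [pscustomobject]@{
        Flow       = $flow
        Audience   = $c.aud
        AudienceOk = ($c.aud -eq $ExpectedAudience)
        Tenant     = $c.tid
        TenantOk   = ($c.tid -eq $ExpectedTenant)
        Expired    = (-not $c.exp) -or ($c.exp -le $now)
    }
}

# CONSTRUCTED, unsigned sample token so the check runs offline; real tokens are issued by AAD
function New-UnsignedSampleJwt([hashtable]$Claims) {
    $enc = { param($o) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    "$(& $enc @{ alg = 'none'; typ = 'JWT' }).$(& $enc $Claims).x"
}
$sampleTenant = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id
$sample = New-UnsignedSampleJwt @{
    aud = 'http://bcserver.contoso.com/BC'; tid = $sampleTenant; upn = 'user@contoso.com'
    scp = 'user_impersonation'; exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}
# AudienceOk is $false here: the token was issued for ".../BC" but the container expects ".../BC/"
Test-BcTokenClaims -Token $sample -ExpectedAudience 'http://bcserver.contoso.com/BC/' -ExpectedTenant $sampleTenant
```

Against a real container, run `Test-BcTokenClaims -Token $authcontextDL.AccessToken -ExpectedAudience $appIdUri -ExpectedTenant $aadTenant` (and the same for `$authcontextCC`); a `$false` in AudienceOk or TenantOk is worth checking before looking at the server side.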
**Describe the issue**

When users authenticate to the BC container, a warning message with NavConfigurationException is generated in the event log. Is there some setup missing, or is this a platform bug?

**Scripts used to create container and cause the issue**

**Full output of scripts**

**Warning message**

Best Regards, Gintautas