April 2013
www.microsoft.com/dynamics/ax
Table of Contents
Introduction
Prerequisites
Creating a new Windows Azure Service Bus namespace
Configuring an Active Directory Federation Service for authentication
AD FS management
Enable the endpoint
Add/Configure the token signing certificate
Claim descriptions
Add the trust relationship and claim rule
Save the AD FS FederationMetadata.xml file
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Introduction
This paper describes how to configure an environment that is running Microsoft Dynamics AX 2012, so
that users can connect the Microsoft Dynamics AX mobile phone application. The initial version of the
Microsoft Dynamics AX mobile phone application enables mobile expense capture and time reporting.
In order for the mobile phone application to interact with Microsoft Dynamics AX 2012, the following
components need to be configured:
- Active Directory Federation Services (AD FS): AD FS works with an organization's instance
  of Active Directory Domain Services to authenticate users of the mobile phone application. Users
  are authenticated based on credentials that are sent by the mobile phone application. Upon
  successful authentication, AD FS returns a token to the mobile phone application.
- Mobile phone application: The mobile phone application enables a user to capture a
  transaction. It then authenticates the user and sends the message.
- Microsoft Windows Azure Service Bus and Access Control Service (ACS): The Service Bus
  enables the mobile phone application to send a message to Microsoft Dynamics AX (which resides
  on-premises). The Access Control Service provides the authentication that is necessary to send a
  message via the Service Bus.
- Microsoft Dynamics AX Connector for Mobile Applications: The connector listens for
  messages sent via the Service Bus, authenticates the sender of the message, and then sends the
  message to the Microsoft Dynamics AX 2012 instance.
- Microsoft Dynamics AX 2012: The Microsoft Dynamics AX 2012 instance receives messages
  originally sent from the mobile phone application. It stores the messages as transactions that are
  available to the user (for example, the user will see expense transactions that are captured via the
  user's mobile phone in the Dynamics AX system).
The following diagram shows these components and the flows among them.
Prerequisites
Before you can configure the Microsoft Dynamics AX Connector for Mobile Applications, you must
complete the following prerequisites:
- The Active Directory server and domain controller should have been set up during the
  installation and configuration of Microsoft Dynamics AX 2012.
- Install Active Directory Federation Services. You can download the Active Directory Federation
  Services 2.0 RTW from http://www.microsoft.com/en-us/download/details.aspx?id=10909.
3. On the Action Pane, click Create to create a new Service Bus namespace.
4. In the Namespace name field, enter a name for your namespace, such as contosomobile, and
select your region, as shown in the following screen shot.
This namespace is used to reference the Service Bus and the Access Control Service that is tied to
the Service Bus.
5. Click OK to create the namespace.
6. Select the Service Bus namespace. Then click Access key on the Action Pane to view the default
issuer and default key.
7. When the Access key form opens, click the Copy button to copy the 256-bit default key.
The default issuer and the 256-bit secret default key are used when you configure the Microsoft
Dynamics AX Connector for Mobile Applications service that is deployed on the server. For more
details, see the Setting up the Microsoft Dynamics AX Connector for Mobile Applications service
section.
The Microsoft Dynamics AX Connector for Mobile Applications deploys a listening endpoint that
services the messages coming from the Microsoft Dynamics AX mobile phone application. This endpoint
address is structured around the Windows Azure namespace that you created.
The next step is to set up the Active Directory server as the identity provider that the Service Bus and
its Access Control Service require for Federated Authentication.
4. In the Endpoints list, ensure that the three endpoints in the Metadata section are enabled, as
shown in the following screen shot.
You can view the certificates by clicking Certificates under the Services node in the left
navigation pane. You can also add new token certificates from this management tool by
right-clicking the Certificates node.
Before you can add any new certificates, you may have to disable the automatic certificate rollover
feature by using Windows PowerShell commands.
Ensure that the token signing certificate is linked to a trusted root in the
Federation Service and is issued by an enterprise certification authority.
For more information about token signing certificates, see
http://technet.microsoft.com/en-us/library/dd807039(v=WS.10).aspx.
Set the newly added token signing certificate as the primary certificate.
Obtain the thumbprint of the X.509 token signing certificate (digital signature)
1. Select the token signing certificate in the Certificates list. Right-click, and then select View
Certificate.
2. On the Details tab of the Certificate form, copy the Thumbprint value, as shown in the
following screen shot, and save it without the spaces between pairs of characters. This
thumbprint value is used when you configure the connector parameters in the Microsoft
Dynamics AX Connector for Mobile Applications service.
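A check of the saved thumbprint against the AD FS FederationMetadata.xml file, added here as an example and not part of the original paper. It assumes that the thumbprint is the SHA-1 hash of the DER-encoded certificate and that the metadata lists the token signing certificate under a KeyDescriptor with use="signing". The function names, the sample metadata and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def normalize_thumbprint(copied: str) -> str:
    """Keep only the hex digits of a thumbprint copied from the Certificate form.

    Drops the spaces between pairs and any invisible character (for example
    U+200E) that came along with the copy, then checks the SHA-1 length."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", copied).upper()
    if len(hex_only) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(hex_only)}")
    return hex_only

def signing_thumbprints(metadata_xml: str) -> list[str]:
    """SHA-1 thumbprints of each use="signing" certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for key in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(hashlib.sha1(der).hexdigest().upper())
    return sorted(found)

def thumbprint_matches(copied: str, metadata_xml: str) -> bool:
    """True when the saved thumbprint is one of the metadata signing certs."""
    return normalize_thumbprint(copied) in signing_thumbprints(metadata_xml)

# Constructed sample: these bytes stand in for a DER certificate, and the
# metadata is cut down to the elements the check reads.
FAKE_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://contosoadfs.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    real = hashlib.sha1(FAKE_DER).hexdigest()
    # The form shows lowercase pairs separated by spaces; prepend U+200E.
    copied = "\u200e" + " ".join(real[i:i + 2] for i in range(0, 40, 2))
    print(normalize_thumbprint(copied))
    print("matches metadata:", thumbprint_matches(copied, SAMPLE_METADATA))
```

A mismatch means the value saved for the connector does not belong to a signing certificate that AD FS currently publishes, for example after a new primary certificate was set.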
Ensure that the Subject Name (CN) or Issued to property of the service communications
certificate (SSL certificate) matches the Federation Service name.
To view or edit the Federation Service name, right-click Service in the left navigation pane,
and then select Edit Federation Service Properties.
In our example, the service communications certificate has its Subject Name (CN) property
set to contosoadfs.com, which helps define the URL of the Federation Server endpoint, for
example, https://contosoadfs.com/adfs/ls/.
You can validate that your service is set up correctly by opening the URL
https://contosoadfs.com/adfs/fs/federationserverservice.asmx in a browser.
For additional debugging and troubleshooting, go to the Events tab in the Federation
Services Properties form, and turn on logging for error and other events. This can help you
debug any issues by looking at the logged events in Windows Event Viewer.
Claim descriptions
Ensure that the claim named Windows account name exists, and that the Published property is
set to Yes. This should be configured by default when AD FS 2.0 is installed.
The relying party is the Windows Azure Access Control Service associated with the Service Bus that
was set up in the Creating a new Windows Azure Service Bus namespace section.
1. In the left navigation pane, expand Trust Relationships, right-click Relying Party Trusts, and
then select Add Relying Party Trust.
This will open the Add Relying Party Trust Wizard that you need to follow to add your Windows
Azure Service Bus namespace as a relying party to the AD FS configuration database.
2. Click Start.
3. On the Select Data Source page, select one of the options to add data about your relying party.
If you select the first option, Import data about the relying party published online or on a
local network, enter the federation metadata address in the text box in the following format:
https://<AzureNamespace>-sb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml.
To use the second option, Import data about the relying party from a file, because your AD
FS server does not have Internet access, you need to do the following:
1. In a browser, open the address, for example
https://contosomobile-sb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml,
and save the FederationMetadata.xml file to a location.
2. Select the second option, Import data about the relying party from a file, click Browse,
and load the saved FederationMetadata.xml file.
4. Click Next.
5. On the Specify Display Name page, enter a display name or leave the default value, and then
click Next.
6. On the Choose Issuance Authorization Rules page, ensure that the Permit all users to
access this relying party option is selected, and then click Next.
7. On the Ready to Add Trust page, click Next, and then finish the setup by clicking Close. The
Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
option is selected by default. When the wizard closes, the Edit Claim Rules form will open.
8. Click Add Rule. You will be guided through the Add Transform Claim Rule Wizard.
9. On the Select Rule Template page, in the Claim rule template field, select Pass Through or
Filter an Incoming Claim, as shown in the following screen shot, and then click Next.
10. On the Configure Rule page, enter a name for the claim rule.
11. In the Incoming claim type field, select Windows account name.
12. Select the Pass through all claim values option, as shown in the following screen shot, and
then click Next.
13. In the Edit Claim Rules form, you can see the newly created claim rule. Click Apply and then OK
to save your changes.
You can get back to the Edit Claim Rules form by right-clicking the relying party trust that you just
added and then selecting Edit Claim Rules.
Select the namespace that you want to configure, and then click Access key on the Action Pane.
In the form that opens, click the Open ACS Management Portal link.
1. Verify that the WS-Federation identity provider (e.g. Microsoft AD FS 2.0) option is
selected, and then click Next.
2. On the Edit WS-Federation Identity Provider page, enter a display name for the identity
provider, such as Contoso ADFS.
3. Under WS-Federation metadata, enter the federation metadata URL or the file that is available
from your configured AD FS server, as described in the Configuring an Active Directory Federation
Service for authentication section.
4. In the Used By section, under Relying party applications, ensure that the Service Bus check
box is selected.
1. Click the ServiceBus link, and then, in the Relying Party Application Settings section, verify
that the settings for the Realm and Token format fields are as shown in the following screen
shot.
2. In the Authentication Settings section, select the identity provider to use with the relying party.
The identity provider was created in the previous section, Add and configure the identity provider.
3. Select the Default Rule Group for ServiceBus check box to use the default rule group, as
described in the Configure rule groups section.
3. You will be able to view the predefined rules that have Access Control Service as the claim
issuer value. Click each rule to view the values. These rules have owner as the Input claim
value, and Listen, Manage, or Send as the Output claim value.
4. Delete the rules that have Output claim values of Manage and Send.
5. Under Output claim type, select the Enter type option, and then enter the value
net.windows.servicebus.action.
6. Under Output claim value, select the Enter value option, and then enter Send.
7. Optionally, add a description.
Unreconciled Expense
Deploy the TrvUnreconciledExpense service
In the Developer Workspace, click Services > TrvUnreconciledExpense. Right-click, and then
select Add-ins > Register service.
2. Under Service contract customizations, click Service operations. The WSDL URI is populated.
3. In the list of operations on the right side of the Select service operations form, select the
following service operations, and add them to the list on the left side of the form.
TrvExpenseCategoryService.getCategories
TrvUnreconciledExpenseService.addUnreconciledExpense
TrvUnreconciledExpenseService.getLabelTranslations
Timesheet
Deploy the TSTimesheetService service
In the Developer Workspace, click Services > TSTimesheetService. Right-click, and then select
Add-ins > Register service.
2. Under Service contract customizations, click Service operations. The WSDL URI is populated.
3. In the list of operations on the right side of the Select service operations form, select all eight
(8) service operations for the service TSTimesheetService, and add them to the list on the left side
of the form.
Prerequisites
1. The AX Connector for Mobile Applications service should be deployed or run under the user
account of the .NET Business Connector proxy account. For more information about how to
create and set up the BC proxy account, refer to Specify the .NET Business Connector proxy account
[AX 2012].
* If EP is deployed on the server, it will be using the BC proxy account.
Also, it is very important that the .NET BC proxy user account is added as an
Administrator on the machine running the AX Connector service.
Also note the following guidance for the .NET BC proxy account
You can check which BC proxy user account has been configured by going to AX > System
Administration > System Service Accounts.
2. Only one instance of the Microsoft Dynamics AX Connector for Mobile Applications can be deployed
to run on a machine.
Installation
1. Click Start > All Programs > Microsoft Dynamics AX Connector for Mobile Applications,
and start the Microsoft Dynamics AX Connector for Mobile Applications Setup Wizard.
2. Select the I accept the terms in the License Agreement check box, and then click Next.
3. On the Destination Folder page, accept the default folder location for the connector, or click
Change to select another location. Then click Next.
4. On the Service account page, in the Account name and Password fields, enter the name and
password for the BC Proxy user account that was previously created, and then click Next.
5. Click Install.
6. Click Finish.
7. Click Start > Administrative Tools > Services to open the Windows Services list.
8. Click Start to start the Microsoft Dynamics AX Connector for Mobile Applications service. The
service will run under the context of the service user account.
9. On the Start menu, click the Microsoft Dynamics AX Connector for Mobile Applications
shortcut. The GUI for configuring the connector parameters will open.
10. Use the information in the following table to configure the connector parameters.
Parameter
Configuration
Enter the service namespace that you set up in the Creating a new
Windows Azure Service Bus namespace section, and then click Save.
Enter the service identity name that you set up in the Creating a new
Windows Azure Service Bus namespace section.
Enter the 256-bit symmetric key for the service identity that was
generated in the Creating a new Windows Azure Service Bus
namespace section.
Endpoint URI of TrvUnreconciledExpenseService
ADFS URL
Support Email: An email address the mobile user will see to contact in case of any
issues. For example, support@contoso.com
11. Note that the Endpoint URI parameters for the expense and time services are optional. If you
choose not to configure one of those services, leave that field blank and press Save. When the
Microsoft Dynamics AX Connector for Mobile Applications service is started, you will notice the URL
for that service does not appear, and the Windows Phone Dynamics AX application will not display
the corresponding feature.
12. Enter values for each parameter, and then click Save.
13. After the connector parameters are saved, click Start in the form. You can see that the status has
changed to Started, and that the Mobile Application Connector service is now running and
listening on the Service Bus.
User name
Password
Service connection name. This is the name of the Service Bus namespace that was set up in the
Creating a new Windows Azure Service Bus namespace section.
When the information is entered, the user presses sign in, the data is synced from the server, and
they can then begin using the application.
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site
references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or
should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and
use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.
© 2013 Microsoft Corporation. All rights reserved.