Configure Microsoft Dynamics AX Connector for Mobile Applications
This document explains how to configure an
environment that runs Microsoft Dynamics
AX 2012, so that users can connect the
Microsoft Dynamics AX mobile phone
application.
White paper
October 2017
www.microsoft.com/dynamics/ax
Contents
Prerequisites
AD FS management
Enable the endpoint
Add and configure the token signing certificate
Claim descriptions
Add the trust relationship and claim rule
Save the AD FS FederationMetadata.xml file
Configuring the on-premises server with Microsoft Dynamics AX 2012 R2 and the Microsoft Dynamics AX Connector for Mobile Applications service
Unreconciled expense
Deploy the TrvUnreconciledExpense service
Set up inbound ports
Timesheet
Deploy the TSTimesheetService service
Set up inbound ports
In order for the mobile phone application to interact with Microsoft Dynamics AX 2012, the following components
must be configured:
● Active Directory Federation Services (AD FS) – AD FS works with an organization’s instance of Active Directory
Domain Services (AD DS) to authenticate users of the mobile phone application. Users are authenticated based
on credentials that the mobile phone application sends. Upon successful authentication, AD FS returns a token to
the mobile phone application.
● Mobile phone application – The mobile phone application lets a user capture a transaction. It then
authenticates the user and sends the message.
● Microsoft Azure Service Bus and Access Control Service (ACS) – The Service Bus enables the mobile phone
application to send a message to Microsoft Dynamics AX, which resides on-premises. The ACS provides the
authentication that is required in order to send a message via the Service Bus.
● Microsoft Dynamics AX Connector for Mobile Applications – The connector listens for messages that are sent
via the Service Bus, authenticates the sender of the message, and then sends the message to the AX 2012
instance.
● Microsoft Dynamics AX 2012 – The AX 2012 instance receives messages that were originally sent from the
mobile phone application. It stores the messages as transactions that are available to the user. For example, in the
Microsoft Dynamics AX system, the user will see expense transactions that are captured via his or her mobile
phone.
The following illustration shows these components and the flows among them.
Update: As of July 2017, you can no longer create a new ACS namespace through Azure Management Portal. To
create a new namespace for AX 2012 applications, open a technical support ticket to request that the Service Bus
team add a new ACS namespace to the approved list. Azure Customer Support will then engage you to review the
request. Make sure that you’re ready to provide the subscription IDs that you want to be on the approved list.
For more information about the Service Bus, see Microsoft Azure Documentation.
1 On the Azure Downloads page, click the link to install the Windows PowerShell cmdlets. Then, in the Web
Platform Installer that is started, click Install to install the cmdlets.
Example
For guidance about Active Directory federation servers, how to configure certificates, and how to install the AD FS 2.0
software by using the setup wizard and server management, see Deploying Federation Servers.
Next, run the AD FS 2.0 Federation Server Configuration Wizard to configure a new federation server and a new
Federation Service. For guidance, see Configure a New Federation Server.
The configuration that is described here is for a Federation Service role for a stand-alone federation server.
After you enable the service endpoint, the authentication server URL of this Federation Service will be in the form
https://<FederationServiceName>/adfs/services/trust/13/usernamemixed.
3 Click Start > Administrative Tools > Service to open the Windows Services list. Restart the AD FS 2.0 Windows
service.
4 In the Endpoints list, make sure that the three endpoints in the Metadata section are enabled, as shown in the
following illustration.
Both the service communications and token signing certificates are configured when you run the AD FS 2.0 setup
wizard. For more information about certificate requirements for federation servers, see Certificate Requirements for
Federation Servers.
● To view the certificates, in the left navigation pane, under the Services node, click Certificates. To add new token
certificates, right-click the Certificates node.
Before you can add any new certificates, you might have to disable the automatic certificate rollover feature by using
Windows PowerShell commands.
Make sure that the token signing certificate is linked to a trusted root in the
Federation Service and is issued by an enterprise certification authority
For more information about token signing certificates, see Add a Token-Signing Certificate.
Obtain the thumbprint of the X.509 token signing certificate (digital signature)
1 In the Certificates list, select the token signing certificate, right-click, and then select View Certificate.
This certificate must be installed in the Trusted Root Certification Authorities store on the server machine that
hosts the Microsoft Dynamics AX Connector for Mobile Applications service.
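The rollover check, the thumbprint lookup, and the trusted-root requirement described above can also be done from Windows PowerShell. The following is an added example, not part of the original white paper; it assumes the AD FS 2.0 snap-in Microsoft.Adfs.PowerShell is present on the federation server, and the function names are hypothetical.

```powershell
# Added example; function names are hypothetical. Run in elevated Windows PowerShell.

# --- On the AD FS 2.0 federation server ---
function Get-PrimarySigningCertificate {
    # AD FS 2.0 ships its cmdlets as a snap-in.
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

    # The page notes that automatic rollover might have to be disabled
    # before new token certificates can be added.
    if ((Get-ADFSProperties).AutoCertificateRollover) {
        Write-Warning 'AutoCertificateRollover is enabled. To add a certificate, run: Set-ADFSProperties -AutoCertificateRollover $false'
    }

    # The primary token-signing certificate is the one whose thumbprint
    # is entered in the connector configuration.
    Get-ADFSCertificate -CertificateType Token-Signing |
        Where-Object { $_.IsPrimary } |
        Select-Object Thumbprint,
            @{ Name = 'Subject';  Expression = { $_.Certificate.Subject } },
            @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } }
}

# --- On the server that hosts the connector service ---
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory = $true)][string]$Text)
    # A thumbprint copied from the certificate dialog can carry spaces and an
    # invisible leading Unicode character; keep the hex digits only.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function Test-SigningCertificateInstalled {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $clean = ConvertTo-CleanThumbprint -Text $Thumbprint
    # Cert:\LocalMachine\Root is the Trusted Root Certification Authorities store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
    if (-not $cert) { return $false }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $clean expired on $($cert.NotAfter)."
        return $false
    }
    $true
}
```

Run Get-PrimarySigningCertificate on the federation server, then pass the thumbprint it reports to Test-SigningCertificateInstalled on the connector server before you enter it in the connector parameters.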
Here are a few more points to keep in mind about these certificates:
● Make sure that the Subject Name (CN) or Issued to property of the service communications certificate (Secure
Sockets Layer [SSL] certificate) matches the name of the Federation Service.
● To view or edit the name of the Federation Service, in the left navigation pane, right-click Service, and then select
Edit Federation Service Properties.
In our example, the Subject Name (CN) property of the service communications certificate is set to
contosoadfs.com. This value helps define the URL of the federation server endpoint. For example, the URL might
be https://contosoadfs.com/adfs/ls/.
● For additional debugging and troubleshooting, in the Federation Services Properties dialog box, on the Events
tab, turn on logging for error and other events. You can then debug any issues by looking at the logged events in
Windows Event Viewer.
The relying party is the ACS that is associated with the Service Bus that you set up in the Create a new Service Bus
namespace section.
The Add Relying Party Trust Wizard is started. You must complete this wizard to add your Service Bus namespace
to the AD FS configuration database as a relying party.
2 Click Start.
3 On the Select Data Source page, select one of the options to add data about your relying party.
If you select the first option, Import data about the relying party published online or on a local network,
enter the federation metadata address in the following form:
https://<AzureNamespace>-sb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml
Because your AD FS server doesn’t have Internet access, you must follow these steps to use the second option,
Import data about the relying party from a file:
6 On the Choose Issuance Authorization Rules page, make sure that the Permit all users to access this relying
party option is selected, and then click Next.
8 Click Add Rule. The Add Transform Claim Rule Wizard is started.
10 On the Configure Rule page, enter a name for the claim rule.
11 In the Incoming claim type field, select Windows account name.
12 Select the Pass through all claim values option, and then click Next.
To return to the Edit Claim Rules dialog box, right-click the relying party trust that you just added, and then select
Edit Claim Rules.
https://<FederationServiceName>/FederationMetadata/2007-06/FederationMetadata.xml.
● Select the namespace to configure, and then, on the Action Pane, click Access key. In the dialog box that
appears, click the Open ACS Management Portal link.
1 On the Add Identity Provider page, verify that the WS-Federation identity provider (e.g. Microsoft
AD FS 2.0) option is selected, and then click Next.
2 On the Edit WS-Federation Identity Provider page, enter a display name for the identity provider, such as
Contoso ADFS.
3 Under WS-Federation metadata, enter the federation metadata URL or browse to the file that is available from
your configured AD FS server, as described in the Configuring an Active Directory Federation Service for
authentication section.
1 On the Relying Party Applications page, click the ServiceBus link, and then, in the Relying Party Application
Settings section, verify that the Realm and Token format fields are set as shown in the following illustration.
2 In the Authentication Settings section, select the identity provider to use with the relying party. You created the
identity provider in the previous section, Add and configure the identity provider.
3 You can view the predefined rules that have Access Control Service as the claim issuer value. Click each rule to
view the values. These rules have owner as the Input claim value, and Listen, Manage, or Send as the Output
claim value.
4 Delete the rules that have Manage and Send as the Output claim value.
4 Click Update.
Unreconciled expense
Deploy the TrvUnreconciledExpense service
● In the Developer Workspace, click Services > TrvUnreconciledExpense. Right-click, and then select Add ins >
Register service.
3 In the list of operations on the right side of the Select service operations form, select the following service
operations, and add them to the list on the left side of the form:
● TrvExpenseCategoryService.getCategories
● TrvUnreconciledExpenseService.addUnreconciledExpense
● TrvUnreconciledExpenseService.getLabelTranslations
Timesheet
Use the following procedure to install and configure the Microsoft Dynamics AX Connector for Mobile Applications.
Prerequisites
● The Microsoft Dynamics AX Connector for Mobile Applications service should be deployed or run as a user
account that is the user account of the .NET Business Connector proxy account. For more information about how
to create and set up the .NET Business Connector proxy account, see Specify the .NET Business Connector proxy
account [AX 2012].
Note: If Enterprise Portal for Microsoft Dynamics AX is deployed on the server, it will use the .NET Business
Connector proxy account.
Important: The .NET Business Connector proxy user account must be added as an Administrator on the machine
that runs the AX Connector service.
To see which .NET Business Connector proxy user account has been configured, in Microsoft Dynamics AX, click
System Administration > System Service Accounts.
● Only one instance of the Microsoft Dynamics AX Connector for Mobile Applications can be deployed to run on a
computer.
Installation
1 Click Start > All Programs > Microsoft Dynamics AX Connector for Mobile Applications, and start the
Microsoft Dynamics AX Connector for Mobile Applications Setup Wizard.
3 On the Destination Folder page, accept the default folder location for the connector, or click Change to select
another location. Then click Next.
5 Click Install.
7 Click Start > Administrative Tools > Service to open the Windows Services list.
8 Click Start to start the Microsoft Dynamics AX Connector for Mobile Applications service. The service will run
under the context of the service user account.
9 On the Start menu, click the Microsoft Dynamics AX Connector for Mobile Applications shortcut. The
graphical user interface (GUI) for configuring the connector parameters appears.
10 Use the information in the following table to configure the connector parameters.
| Parameter | Configuration |
| --- | --- |
| Azure service namespace | Enter the service namespace that you set up in the Create a new Service Bus namespace section, and then click Save. |
| Azure service identity name | Enter the name of the service identity that you set up in the Create a new Service Bus namespace section. |
| Azure service identity password | Enter the 256-bit symmetric key for the service identity that was generated in the Create a new Service Bus namespace section. |
| Thumbprint of X.509 certificate used to sign SAML token | For information about the thumbprint value, see the Add and configure the token signing certificate section. |
| ADFS URL | An authentication server URL. This URL is the endpoint URL of the AD FS server that you set up in the Enable the endpoint section. In our example, this URL is in the form https://contosoadfs.com/adfs/services/trust/13/usernamemixed. |
| Support Email | The contact email address that the mobile user will see if any issues occur. For example, the email address might be support@contoso.com. |
Note: The endpoint URI parameters for the expense and time services are optional. If you decide not to configure
one of those services, leave the field blank, and then click Save. When the Microsoft Dynamics AX Connector for
Mobile Applications service is started, you will notice the URL for that service doesn’t appear, and the Microsoft
Dynamics AX application for Microsoft Windows Phone won’t show the corresponding feature.
When users open the Microsoft Dynamics AX application for the first time, they are directed to a sign-in page that
has the following fields:
● User name
● Password
● Service connection name – The name of the Service Bus namespace that you set up in the Create a new Service
Bus namespace section.
After users enter the information and click sign in, the data is synced from the server, and the users can begin to use
the application.