Beruflich Dokumente
Kultur Dokumente
September 2013
www.microsoft.com/dynamics/ax
Table of Contents
Introduction ................................................................................................ 3
Prerequisites............................................................................................... 4
Creating a new Windows Azure Service Bus namespace ............................. 5
Configuring an Active Directory Federation Service for authentication ....... 8
AD FS management .............................................................................................................. 8
Enable the endpoint ........................................................................................................... 8
Add/Configure the token signing certificate ........................................................................... 9
Claim descriptions............................................................................................................. 12
Add the trust relationship and claim rule .............................................................................. 13
Save the AD FS FederationMetadata.xml file ........................................................................ 21
2
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Introduction
This paper describes how to configure an environment that is running Microsoft Dynamics AX 2012, so
that users can connect the Microsoft Dynamics AX mobile phone application. The initial version of the
Microsoft Dynamics AX mobile phone application enables mobile expense capture and time reporting.
In order for the mobile phone application to interact with Microsoft Dynamics AX 2012, the following
components need to be configured:
Active Directory Federation Services (AD FS) AD FS works with an organizations instance
of Active Directory Domain Services to authenticate users of the mobile phone application. Users
are authenticated based on credentials that are sent by the mobile phone application. Upon
successful authentication, AD FS returns a token to the mobile phone application.
Mobile phone application The mobile phone application enables a user to capture a
transaction. It then authenticates the user and sends the message.
Microsoft Windows Azure Service Bus and Access Control Service (ACS) The Service Bus
enables the mobile phone application to send a message to Microsoft Dynamics AX (which resides
on-premises). The Access Control Service provides the authentication that is necessary to send a
message via the Service Bus.
Microsoft Dynamics AX Connector for Mobile Applications The connector listens for
messages sent via the Service Bus, authenticates the sender of the message, and then sends the
message to the Microsoft Dynamics AX 2012 instance.
Microsoft Dynamics AX 2012 The Microsoft Dynamics AX 2012 instance receives messages
originally sent from the mobile phone application. It stores the messages as transactions that are
available to the user (for example, the user will see expense transactions that are captured via the
users mobile phone in the Dynamics AX system).
3
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
The following diagram shows these components and the flows among them.
Prerequisites
Before you can configure the Microsoft Dynamics AX Connector for Mobile Applications, you must
complete the following prerequisites:
The Active Directory server and domain controller should have been set up during the
installation and configuration of Microsoft Dynamics AX 2012.
Install Active Directory Federation Services. You can download the Active Directory Federation
Services 2.0 RTW from http://www.microsoft.com/en-us/download/details.aspx?id=10909.
4
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
4. In the Namespace name field, enter a name for your namespace, such as contosomobile, and
select your region, as shown in the following screen shot.
6
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
7. When the Access key form opens, click the Copy button to copy the 256-bit default key.
The default issuer and the 256-bit secret default key are used when you configure the Microsoft
Dynamics AX Connector for Mobile Applications service that is deployed on the server. For more
7
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
details, see the Setting up the Microsoft Dynamics AX Connector for Mobile Applications service
section.
This Microsoft Dynamics AX Connector for Mobile Applications deploys a listening endpoint that
services the message coming from the Microsoft Dynamics AX mobile phone application. This endpoint
address is structured around the Windows Azure namespace that you created.
The next step is to set up the Active Directory server as the identity provider that the Service Bus and
its Access Control Service require for Federated Authentication.
8
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
4. In the Endpoints list, ensure that the three endpoints in the Metadata section are enabled, as
shown in the following screen shot.
You can view the certificates by clicking Certificates under the Services node in the left
navigation pane. You can also add new token certificates from this management tool by rightclicking the Certificates node.
9
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Before you can add any new certificates, you may have to disable the automatic certificate rollover
feature by using Windows PowerShell commands.
Ensure that the token signing certificate is linked to a trusted root in the
Federation Service and is issued by an enterprise certification authority
For more information about token signing certificates, see http://technet.microsoft.com/enus/library/dd807039(v=WS.10).aspx.
Set the newly added token signing certificate as the primary certificate.
Obtain the thumbprint of the X.509 token signing certificate (digital signature)
1. Select the token signing certificate in the Certificates list. Right-click, and then select View
Certificate.
10
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
2. On the Details tab of the Certificate form, copy the Thumbprint value, as shown in the
following screen shot, and save it without the spaces between pairs of characters. This
thumbprint value is used when you configure the connector parameters in the Microsoft
Dynamics AX Connector for Mobile Applications service.
Ensure that the Subject Name (CN) or Issued to property of the service communications
certificate (SSL certificate) matches the Federation Service name.
To view or edit the Federation Service name, right-click Service in the left navigation pane,
and then select Edit Federation Service Properties.
In our example, the service communications certificate has its Subject Name(CN) property
set to contosoadfs.com, which helps define the URL of the Federation Server endpointfor
example, https:// contosoadfs.com/adfs/ls/.
11
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
You can validate that your service is set up correctly by opening the URL
https://contosoadfs.com/adfs/fs/federationserverservice.asmx in a browser.
For additional debugging and troubleshooting, go to the Events tab in the Federation
Services Properties form, and turn on logging for error and other events. This can help you
debug any issues by looking at the logged events in Windows Event Viewer.
Claim descriptions
Ensure that the claim named Windows account name exists, and that the Published property is
set to Yes. This should be configured by default when AD FS 2.0 is installed.
12
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
The relying party is the Windows Azure Access Control Service associated with the Service Bus that
was set up in the Creating a new Windows Azure Service Bus namespace section.
1. In the left navigation pane, expand Trust Relationships, right-click Relying Party Trusts, and
then select Add Relying Party Trust.
This will open the Add Relying Party Trust Wizard that you need to follow to add your Windows
Azure Service Bus namespace as a relying party to the AD FS configuration database.
13
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
2. Click Start.
3. On the Select Data Source page, select one of the options to add data about your relying party.
If you select the first option, Import data about the relying party published online or on a
local network, enter the federation metadata address in the text box in the following format:
https://<AzureNamespace>-sb.accesscontrol.windows.net/FederationMetadata/200706/FederationMetadata.xml.
14
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Figure 15: Add Relying Party Trust Wizard Select Data Source page
To use the second option, Import data about the relying party from a file, because your AD
FS server does not have Internet access, you need to do the following:
1. In a browser, open the address https://contosomobilesb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml, for
example, and save the FederationMetadata.xml file to a location.
2. Select the second option, Import data about the relying party from a file, click Browse,
and load the saved FederationMetadata.xml file.
4. Click Next.
15
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
5. On the Specify Display Name page, enter a display name or leave the default value, and then
click Next.
Figure 16: Add Relying Party Trust Wizard Specify Display Name page
16
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
6. On the Choose Issuance Authorization Rules page, ensure that the Permit all users to
access this relying party option is selected, and then click Next.
Figure 17: Add Relying Party Trust Wizard Choose Insurance Authorization Rules page
17
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
7. On the Ready to Add Trust page, click Next, and then finish the setup by clicking Close. The
Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
option is selected by default. When the wizard closes, the Edit Claim Rules form will open.
8. Click Add Rule. You will be guided through the Add Transform Claim Rule Wizard.
18
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
9. On the Select Rule Template page, in the Claim rule template field, select Pass Through or
Filter an Incoming Claim, as shown in the following screen shot, and then click Next.
10. On the Configure Rule page, enter a name for the claim rule.
11. In the Incoming claim type field, select Windows account name.
19
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
12. Select the Pass through all claim values option, as shown in the following screen shot, and
then click Next.
13. In the Edit Claim Rules form, you can see the newly created claim rule. Click Apply and then OK
to save your changes.
You can get back to the Edit Claim Rules form by right-clicking the relying party trust that you just
added and then selecting Edit Claim Rules.
20
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Select the namespace that you want to configure, and then click Access key on the Action Pane.
In the form that opens, click the Open ACS Management Portal link.
21
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
22
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
1. Verify that the WS-Federation identity provider (e.g. Microsoft AD FS 2.0) option is
selected, and then click Next.
2. On the Edit WS-Federation Identity Provider page, enter a display name for the identity
provider, such as Contoso ADFS.
3. Under WS-Federation metadata, enter the federation metadata URL or the file that is available
from your configured AD FS server, as described in the Configuring an Active Directory Federation
Service for authentication section.
4. In the Used By section, under Relying party applications, ensure that the Service Bus check
box is selected.
23
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
1. Click the ServiceBus link, and then, in the Relying Party Application Settings section, verify
that the settings for the Realm and Token format fields are as shown as in the following screen
shot.
2. In the Authentication Settings section, select the identity provider to use with the relying party.
The identity provider was created in the previous section, Add and configure the identity provider.
24
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
3. Select the Default Rule Group for ServiceBus check box to use the default rule group, as
described in the Configure rule groups section.
3. You will be able to view the predefined rules that have Access Control Service as the claim
issuer value. Click each rule to view the values. These rules have owner as the Input claim
value, and Listen, Manage, or Send as the Output claim value.
25
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
4. Delete the rules that have Output claim values of Manage and Send.
26
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
27
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
3. Right-click the relying party that was added in the Add the trust relationship and claim rule
section, and then select Update from Federation Metadata.
4. Click Update.
Prerequisites
1. The .Net Business Connector proxy account must be created. In a later the step, the Dynamics AX
Connector for Mobile Applications service should be deployed and run using this same account. For
more information about how to create and set up the .Net Business Connector (BC) proxy account,
see Specify the .NET Business Connector proxy account [AX 2012]
* If EP is deployed on the Server, it will be using the BC proxy account.
Also it is very important that the .Net BC proxy user account is added as an
Administrator on the machine running the AX Connector service
Also note the following guidance for the .Net BC proxy account
28
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
You can check which BC Proxy user account has been configured by going to AX> System
Administration> System Service Accounts
2. Only one instance of the Microsoft Dynamics AX Connector for Mobile Applications can be deployed
to run on a machine.
Installation
1. Click Start > All Programs > Microsoft Dynamics AX Connector for Mobile Applications,
and start the Microsoft Dynamics AX Connector for Mobile Applications Setup Wizard.
Figure 34: Microsoft Dynamics AX Connector for Mobile Applications Setup Wizard Welcome page
2. Select the I accept the terms in the License Agreement check box, and then click Next.
Figure 35: Microsoft Dynamics AX Connector for Mobile Applications Setup End-User License Agreement
29
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
3. On the Destination Folder page, accept the default folder location for the connector, or click
Change to select another location. Then click Next.
4. On the Service account page, in the Account name and Password fields, enter the name and
password for the BC Proxy user account that was previously created, and then click Next.
30
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
5. Click Install.
6. Click Finish.
7. Click Start > Administrative Tools > Service to open the Windows Services list.
31
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
8. Click Start to start the Microsoft Dynamics AX Connector for Mobile Applications service. The
service will run under the context of the service user account.
Figure 40: Microsoft Dynamics AX Connector for Mobile Applications service page
9. On the Start menu, click the Microsoft Dynamics AX Connector for Mobile Applications
shortcut. The GUI for configuring the connector parameters will open.
10. Use the information in the following table to configure the connector parameters.
Parameter
Configuration
Enter the service namespace that you set up in the Creating a new
Windows Azure Service Bus namespace section, and then click Save.
Enter the service identity name that you set up in the Creating a new
Windows Azure Service Bus namespace section.
Enter the 256-bit symmetric key for the service identity that was
generated in the Creating a new Windows Azure Service Bus
namespace section.
32
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Parameter
Configuration
Endpoint URI of
EmailApprovalsServices (if using
Email approvals)
ADFS URL
Support Email
An email address the mobile user will see to contact in case of any
issues. For example, support@contoso.com
11. Note that the Endpoint URI parameters for the following services are optional:
Expense
Timesheet
Approvals
Email Approvals
If you choose not to configure one of the services, leave that field blank, and then click Save.
When the Microsoft Dynamics AX Connector for Mobile Applications service is started, you will
notice that the URL for that service does not appear, and the phone applications will not display
the corresponding feature.
Note: Windows 8 applications will fail to connect to Microsoft Dynamics AX if the corresponding
URI entry does not exist. For example, the Windows 8 Expenses app will fail to connect to
Microsoft Dynamics AX if the Endpoint URI of ExpenseServices parameter is blank or not
correct.
33
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
12. Enter values for each parameter, and then click Save.
34
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
13. After the connector parameters are saved, click Start in the form. You can see that the status has
changed to Started, and that the Mobile Application Connector service is now running and
listening on the Service Bus.
User name
Password
Service connection name. This is the name of the Service Bus namespace that was set up in the
Creating a new Windows Azure Service Bus namespace section.
When the information is entered, the user presses sign in, the data is synced from the server, and
they can then begin using the application.
35
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
36
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Figure 44: Screen capture of the contextual information shown on the Overview tab
37
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Extended context for a timesheet (Time details, Time summary, and Project impact tabs)
38
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Although the extended context for timesheets and expenses is built into the app and cant be provided
for other approval types, all the other contextual information, such as context on a tile, context on the
Overview tab, and attachments, can be customized to meet the requirements of your organization by
making configurations on the server. All customizations are performed in the following form, which is
accessible in the Microsoft Dynamics AX client under System Administration > Setup > Windows
Store > Windows application store setup.
Figure 47: Screen capture Approvals page and Tile information tab
RecId
_recId)
{
SalesQuotationTable t;
if(_tableId == tableNum(SalesQuotationTable))
{
t = SalesQuotationTable::findRec(_recId);
return t.invoiceAmount();
}
return 0;
}
Adding reports
You can build reports to customize the information that an approver will receive in the Approval app,
and then associate the reports with the workflow template. For example, a new report might show all
the details of the quotation that is being approved. When an approval work item is generated, the
report that displays the quotation information is rendered and included as an attachment in the email
message to the approver. The approver can then open and view the report. The following steps must
be completed if you want to include a custom report:
1. Author a new report: The new report must use a query-based data source whose root is the
same table as the workflow templates document. Continuing the example with
PSASalesQuotation from the previous sections, the new report must be based on a query whose
root table is SalesQuotationTable. This enables the context of the quotation that is being approved
to be passed to the report when it is executed.
2. Create a menu item: Create a new display menu item that references your new report. In order
to associate the report with the workflow template, you must complete these steps:
1. Verify that the configuration key matches the configuration key of the workflow template.
2. Use the same prefix for the menu item and the report. The prefix refers to the first three
letters of the element name in the AOT.
3. Pick the menu item: On the Report association tab of the Windows Store App configuration
screen, select the newly created menu item.
After you have completed these steps, the report will be rendered when an approver clicks view on
the approval item in the attachments section of the application.
40
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
41
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS
Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to make
business decisions with greater confidence. Microsoft Dynamics works like and with familiar Microsoft software, automating and
streamlining financial, customer relationship and supply chain processes in a way that helps you drive business success.
U.S. and Canada Toll Free 1-888-477-7989
Worldwide +1-701-281-6500
www.microsoft.com/dynamics
This document is provided as-is. Information and views expressed in this document, including URL and other Internet
Web site references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is
intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may
copy and use this document for your internal, reference purposes. You may modify this document for your internal,
reference purposes.
2013 Microsoft Corporation. All rights reserved.
42
CONFIGURE MICROSOFT DYNAMICS AX CONNECTOR FOR MOBILE APPLICATIONS