
Microsoft Dynamics AX 2012

Configure Microsoft Dynamics AX Connector for Mobile Applications

This document explains how to configure an environment that runs Microsoft Dynamics AX 2012, so that users can connect the Microsoft Dynamics AX mobile phone application.

White paper

October 2017


www.microsoft.com/dynamics/ax
Contents
Prerequisites

Create a new Service Bus namespace

Configuring a Federation Service for authentication

AD FS management
Enable the endpoint
Add and configure the token signing certificate
Claim descriptions
Add the trust relationship and claim rule
Save the AD FS FederationMetadata.xml file

Configuring the ACS

Add and configure the identity provider

Configure the relying party applications

Configure rule groups

Add a claim rule for the identity provider

Update the relying party federation metadata

Configuring the on-premises server with Microsoft Dynamics AX 2012 R2 and the Microsoft Dynamics AX Connector for Mobile Applications service

Microsoft Dynamics AX 2012 R2

Unreconciled expense
Deploy the TrvUnreconciledExpense service
Set up inbound ports

Timesheet
Deploy the TSTimesheetService service
Set up inbound ports

Setting up the Microsoft Dynamics AX Connector for Mobile Applications service

Prerequisites
Installation

Configuring the Microsoft Dynamics AX application for Windows Phone

Configure Microsoft Dynamics AX Connector for Mobile Applications
This document explains how to configure an environment that runs Microsoft Dynamics AX 2012 so that users can
connect the Microsoft Dynamics AX mobile phone application. The initial version of the mobile phone application
enables mobile expense capture and time reporting.

In order for the mobile phone application to interact with Microsoft Dynamics AX 2012, the following components
must be configured:

● Active Directory Federation Services (AD FS) – AD FS works with an organization’s instance of Active Directory
Domain Services (AD DS) to authenticate users of the mobile phone application. Users are authenticated based
on credentials that the mobile phone application sends. Upon successful authentication, AD FS returns a token to
the mobile phone application.
● Mobile phone application – The mobile phone application lets a user capture a transaction. It then
authenticates the user and sends the message.
● Microsoft Azure Service Bus and Access Control Service (ACS) – The Service Bus enables the mobile phone
application to send a message to Microsoft Dynamics AX, which resides on-premises. The ACS provides the
authentication that is required in order to send a message via the Service Bus.
● Microsoft Dynamics AX Connector for Mobile Applications – The connector listens for messages that are sent
via the Service Bus, authenticates the sender of the message, and then sends the message to the AX 2012
instance.
● Microsoft Dynamics AX 2012 – The AX 2012 instance receives messages that were originally sent from the
mobile phone application. It stores the messages as transactions that are available to the user. For example, in the
Microsoft Dynamics AX system, the user will see expense transactions that are captured via his or her mobile
phone.

The following illustration shows these components and the flows among them.

Prerequisites
Before you can configure the Microsoft Dynamics AX Connector for Mobile Applications, you must complete the
following prerequisites:

● Set up and configure the Active Directory server:
  ● The Active Directory server and domain controller should have been set up during the installation and
  configuration of AX 2012.
  ● Install AD FS. You can download Active Directory Federation Services 2.0 RTW from
  http://www.microsoft.com/en-us/download/details.aspx?id=10909.
● Configure AX 2012:
  ● Configure users for AX 2012.
  ● Configure Expense management.
  ● Configure Time management.
  ● Configure Human resources.
● Configure an Azure account. For more information, visit http://www.windowsazure.com.

Update: As of July 2017, you can no longer create a new ACS namespace through Azure Management Portal. To
create a new namespace for AX 2012 applications, open a technical support ticket to request that the Service Bus
team add a new ACS namespace to the approved list. Azure Customer Support will then engage you to review the
request. Make sure that you’re ready to provide the subscription IDs that you want to be on the approved list.

For more information, see the Upcoming Changes To ACS Enabled Namespaces post on the Service Team blog:
https://blogs.msdn.microsoft.com/servicebus/2017/06/01/upcoming-changes-to-acs-enabled-namespaces/

Create a new Service Bus namespace


After you create your namespace, use Microsoft Windows PowerShell to create a Service Bus.

For more information about the Service Bus, see Microsoft Azure Documentation.

1 On the Azure Downloads page, click the link to install the Windows PowerShell cmdlets. Then, in the Web
Platform Installer that is started, click Install to install the cmdlets.

2 In Windows PowerShell, run the Add-AzureAccount command, and provide the user name and password for a
Microsoft account (formerly known as a Windows Live ID) to connect to a default Azure subscription.

3 Create a new Service Bus namespace by running the following command.

New-AzureSBNamespace -Name mynamespace -Location "Central US" -CreateACSNamespace $true -NamespaceType Messaging

Example

New-AzureSBNamespace -name axatozMobileConnector -location 'central us' -createACSNamespace $true -namespacetype Messaging

4 Sign in to Azure portal, and verify that ACS Management Portal has been enabled.

Configuring a Federation Service for authentication


AD FS management
After the federation server and AD FS 2.0 are installed, as specified in the Prerequisites section, use the AD FS 2.0
Management tool to configure the service.

For guidance about Active Directory federation servers, how to configure certificates, and how to install the AD FS 2.0
software by using the setup wizard and server management, see Deploying Federation Servers.

Next, run the AD FS 2.0 Federation Server Configuration Wizard to configure a new federation server and a new
Federation Service. For guidance, see Configure a New Federation Server.

The configuration that is described here is for a Federation Service role for a stand-alone federation server.

1 Enable the endpoint for Windows authentication.


2 Establish a trust relationship between the Federation Service and the relying party. (The relying party is the ACS of
the Service Bus, such as contosomobile-sb).

3 Create rules to pass claims through the Federation Service.
4 Obtain the thumbprint of the X.509 token signing certificate that is required when you configure the Microsoft
Dynamics AX Connector for Mobile Applications service.

Enable the endpoint


1 Click Start > Administrative Tools > AD FS 2.0 Management to open the AD FS 2.0 Management tool.
2 In the left navigation pane, expand the Service node, and then select Endpoints. In the list of endpoints in the
Token Issuance section, select the endpoint that has the URL /adfs/services/trust/13/usernamemixed.
Right-click and enable the endpoint.

After you enable the service endpoint, the authentication server URL of this Federation Service will be in the form
https://<FederationServiceName>/adfs/services/trust/13/usernamemixed.

In our example, this URL is https://contosoadfs.com/adfs/services/trust/13/usernamemixed.

3 Click Start > Administrative Tools > Service to open the Windows Services list. Restart the AD FS 2.0 Windows
service.
4 In the Endpoints list, make sure that the three endpoints in the Metadata section are enabled, as shown in the
following illustration.

Add and configure the token signing certificate
The Microsoft Dynamics AX Connector for Mobile Applications service requires the thumbprint of the X.509 token
signing certificate that the Federation Service uses.

Both the service communications and token signing certificates are configured when you run the AD FS 2.0 setup
wizard. For more information about certificate requirements for federation servers, see Certificate Requirements for
Federation Servers.

● To view the certificates, in the left navigation pane, under the Services node, click Certificates. To add new token
certificates, right-click the Certificates node.

Before you can add any new certificates, you might have to disable the automatic certificate rollover feature by using
Windows PowerShell commands.

Make sure that the token signing certificate is linked to a trusted root in the
Federation Service and is issued by an enterprise certification authority.
For more information about token signing certificates, see Add a Token-Signing Certificate.

● Set the new token signing certificate as the primary certificate.

Obtain the thumbprint of the X.509 token signing certificate (digital signature)
1 In the Certificates list, select the token signing certificate, right-click, and then select View Certificate.

2 In the Certificate dialog box, on the Details tab, copy the Thumbprint value, delete the spaces between pairs of
characters, and then save the value. This thumbprint value is used when you configure the connector parameters
in the Microsoft Dynamics AX Connector for Mobile Applications service.

3 Export the token signing certificate, and save it to a location.

This certificate must be installed in the Trusted Root Certification Authorities store on the server machine that
hosts the Microsoft Dynamics AX Connector for Mobile Applications service.
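
The thumbprint and export steps above can also be done from Windows PowerShell on the federation server, which avoids copy errors from the Certificate dialog box. This is an added example, not part of the original white paper; the helper names ConvertTo-NormalizedThumbprint and Test-TrustedRootContains, the export path, and the pasted sample value are assumptions made for illustration.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function ConvertTo-NormalizedThumbprint {
    # Hypothetical helper: reduces a thumbprint copied from the Certificate
    # dialog box to the bare 40-character hexadecimal form.
    param([Parameter(Mandatory = $true)][string]$Text)

    # Drop everything that is not a hex digit: the spaces between pairs of
    # characters and any non-printing character that came along with the copy.
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex characters for a SHA-1 thumbprint, got $($hex.Length)."
    }
    $hex
}

function Test-TrustedRootContains {
    # Hypothetical helper for the connector host: confirms that the exported
    # certificate was installed in Trusted Root Certification Authorities.
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $wanted = ConvertTo-NormalizedThumbprint $Thumbprint
    $found  = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $wanted }
    [bool]$found
}

# 1. Read the primary token signing certificate directly from AD FS.
$signing = Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
if (@($signing).Count -ne 1) {
    throw 'Expected exactly one primary token signing certificate.'
}
$thumbprint = ConvertTo-NormalizedThumbprint $signing.Certificate.Thumbprint
"Thumbprint for the connector parameters: $thumbprint"
"Certificate expires: $($signing.Certificate.NotAfter)"

# 2. Normalize a value pasted from the dialog box and compare it.
#    Constructed sample (not a real thumbprint): an invisible left-to-right
#    mark followed by spaced pairs. Replace it with the value you copied.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
$fromDialog = ConvertTo-NormalizedThumbprint $pasted
if ($fromDialog -ne $thumbprint) {
    Write-Warning "Pasted value $fromDialog does not match the primary certificate."
}

# 3. Export the certificate (public part only) for the connector host.
$cerPath  = 'C:\Temp\adfs-token-signing.cer'   # assumed location
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($cerPath, $signing.Certificate.Export($certType))

# 4. Report the automatic certificate rollover setting. When it is True,
#    AD FS replaces the token signing certificate on its own schedule, so
#    re-check the thumbprint stored in the connector parameters whenever
#    the primary certificate changes.
"AutoCertificateRollover: $((Get-ADFSProperties).AutoCertificateRollover)"

# 5. On the connector host, after installing the .cer file, run:
#    Test-TrustedRootContains -Thumbprint '<thumbprint printed in step 1>'
```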

Here are a few more points to keep in mind about these certificates:

● Make sure that the Subject Name (CN) or Issued to property of the service communications certificate (Secure
Sockets Layer [SSL] certificate) matches the name of the Federation Service.
● To view or edit the name of the Federation Service, in the left navigation pane, right-click Service, and then select
Edit Federation Service Properties.

In our example, the Subject Name (CN) property of the service communications certificate is set to
contosoadfs.com. This value helps define the URL of the federation server endpoint. For example, the URL might
be https://contosoadfs.com/adfs/ls/.

To validate that your service is set up correctly, open the following URL in a browser:
https://contosoadfs.com/adfs/fs/federationserverservice.asmx.

● For additional debugging and troubleshooting, in the Federation Services Properties dialog box, on the Events
tab, turn on logging for error and other events. You can then debug any issues by looking at the logged events in
Windows Event Viewer.

Claim descriptions
● Make sure that the claim that is named Windows account name exists, and that the Published property is set to
Yes. This claim should be configured by default when AD FS 2.0 is installed.

Add the trust relationship and claim rule


AD DS is the claim provider trust that is used to issue claims about an authenticated user.

The relying party is the ACS that is associated with the Service Bus that you set up in the Create a new Service Bus
namespace section.

1 In the left navigation pane, expand the Trust Relationships node, right-click Relying Party Trusts, and then
select Add Relying Party Trust.

The Add Relying Party Trust Wizard is started. You must complete this wizard to add your Service Bus namespace
to the AD FS configuration database as a relying party.

2 Click Start.

3 On the Select Data Source page, select one of the options to add data about your relying party.

If you select the first option, Import data about the relying party published online or on a local network,
enter the federation metadata address in the following form:

https://<AzureNamespace>-sb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml

In our example, this address is
https://contosomobile-sb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml,
as shown in the following illustration.

Because your AD FS server doesn’t have Internet access, you must follow these steps to use the second option,
Import data about the relying party from a file:

a In a browser, open the address (for example,
https://contosomobile-sb.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml),
and save the FederationMetadata.xml file to a location.
b Select the second option, Import data about the relying party from a file, click Browse, and select the
FederationMetadata.xml file that you saved.
4 Click Next.

5 On the Specify Display Name page, enter a display name or leave the default value, and then click Next.

6 On the Choose Issuance Authorization Rules page, make sure that the Permit all users to access this relying
party option is selected, and then click Next.

7 On the Ready to Add Trust page, click Next, and then click Close to complete the setup. By default, the Open
the Edit Claim Rules dialog for this relying party trust when the wizard closes option is selected. When you
exit the wizard, the Edit Claim Rules dialog box appears.

8 Click Add Rule. The Add Transform Claim Rule Wizard is started.

9 On the Select Rule Template page, in the Claim rule template field, select Pass Through or Filter an Incoming
Claim, as shown in the following illustration, and then click Next.

10 On the Configure Rule page, enter a name for the claim rule.
11 In the Incoming claim type field, select Windows account name.
12 Select the Pass through all claim values option, and then click Next.

13 The Edit Claim Rules dialog box shows the new claim rule. Click Apply and then OK to save your changes.

To return to the Edit Claim Rules dialog box, right-click the relying party trust that you just added, and then select
Edit Claim Rules.
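
The relying party trust, the Permit all users authorization rule, and the Windows account name pass-through rule from steps 1 through 13 can also be created with the AD FS 2.0 PowerShell snap-in, which leaves a reviewable record of exactly which claims are released to the ACS. This is an added example, not part of the original white paper; the trust display name, the metadata file path, and the rule name are assumptions.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the AD FS 2.0 server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName    = 'contosomobile-sb ACS'             # assumed display name
$metadataFile = 'C:\Temp\FederationMetadata.xml'   # assumed path of the file saved in step 3a
$usernameMixed = '/adfs/services/trust/13/usernamemixed'

# Issuance transform rule: passes through only the Windows account name claim,
# as the Pass Through or Filter an Incoming Claim template does in steps 9-12.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Issuance authorization rule: the scripted form of
# "Permit all users to access this relying party" (step 6).
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Test-Path $metadataFile)) {
    throw "Metadata file not found: $metadataFile"
}

# Sanity check before trusting the file: the entity it describes should be
# the ACS namespace of the Service Bus, not some other party.
[xml]$metadata = Get-Content $metadataFile
$entityId = $metadata.EntityDescriptor.entityID
"Relying party entity ID in metadata: $entityId"
if ($entityId -notlike 'https://*-sb.accesscontrol.windows.net*') {
    Write-Warning 'The entity ID does not look like an ACS namespace of a Service Bus.'
}

# Create the trust, or bring the rules of an existing trust back to the
# expected state.
if (Get-ADFSRelyingPartyTrust -Name $trustName) {
    Set-ADFSRelyingPartyTrust -TargetName $trustName `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authorizationRules
} else {
    Add-ADFSRelyingPartyTrust -Name $trustName `
        -MetadataFile $metadataFile `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authorizationRules
}

# Confirm that the token issuance endpoint from the Enable the endpoint
# section is enabled.
$endpoint = Get-ADFSEndpoint -AddressPath $usernameMixed
if (-not $endpoint.Enabled) {
    Write-Warning "$usernameMixed is not enabled."
}

# Show the resulting trust so the released claims can be reviewed.
Get-ADFSRelyingPartyTrust -Name $trustName |
    Format-List Name, Identifier, Enabled, IssuanceTransformRules, IssuanceAuthorizationRules
```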

Save the AD FS FederationMetadata.xml file


1 On your federation server, in a browser, open an address in the following form:

https://<FederationServiceName>/FederationMetadata/2007-06/FederationMetadata.xml.

In our example, this address is
https://contosoadfs.com/FederationMetadata/2007-06/FederationMetadata.xml.

2 Save the FederationMetadata.xml file to a location.


3 If the Federation Service doesn’t have an Internet-facing IP address, you must upload this file. Otherwise, you can
use this address directly when you add the WS-Federation identity provider during configuration of the ACS, as
described in the Add and configure the identity provider section.

You’ve now completed the required Federation Service configuration.

Configuring the ACS
The Service Bus uses the ACS to implement federated authentication. When the Service Bus is created, a buddy
namespace, contosomobile-sb, is created for the ACS. Use the following procedures to configure the ACS and its
relying party–related parameters, the identity provider, and rule groups.

● Select the namespace to configure, and then, on the Action Pane, click Access key. In the dialog box that
appears, click the Open ACS Management Portal link.

The Access Control Service page appears.

Add and configure the identity provider
Use the following procedure to add the WS-Federation identity provider. The identity provider is the Federation
Service that you configured in the Configuring an Active Directory Federation Service for authentication section.

1 On the Add Identity Provider page, verify that the WS-Federation identity provider (e.g. Microsoft
AD FS 2.0) option is selected, and then click Next.
2 On the Edit WS-Federation Identity Provider page, enter a display name for the identity provider, such as
Contoso ADFS.
3 Under WS-Federation metadata, enter the federation metadata URL or browse to the file that is available from
your configured AD FS server, as described in the Configuring an Active Directory Federation Service for
authentication section.

4 In the Used By section, under Relying party applications, make sure that the Service Bus check box is selected.

Configure the relying party applications


Because the Service Bus uses this ACS for federated authentication, the Service Bus is added as a relying party
application.

1 On the Relying Party Applications page, click the ServiceBus link, and then, in the Relying Party Application
Settings section, verify that the Realm and Token format fields are set as shown in the following illustration.

2 In the Authentication Settings section, select the identity provider to use with the relying party. You created the
identity provider in the previous section, Add and configure the identity provider.

3 Select the Default Rule Group for ServiceBus check box to use the default rule group, as described in the
Configure rule groups section.

Configure rule groups


1 In the left navigation pane, click Rule Groups.
2 Select the Default Rule Group for ServiceBus check box to configure the default rule group.

3 You can view the predefined rules that have Access Control Service as the claim issuer value. Click each rule to
view the values. These rules have owner as the Input claim value, and Listen, Manage, or Send as the Output
claim value.
4 Delete the rules that have Manage and Send as the Output claim value.

Add a claim rule for the identity provider
1 After you delete the Manage and Send rules, click Add to add a new claim rule for the identity provider.
2 Select the identity provider that you configured in the Add and configure the identity provider section. In our
example, this identity provider is Contoso ADFS.
3 Under Input claim type, select the Select type option, and then select the following URI:
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname.
4 Under Input claim value, leave the fields as they are.
5 Under Output claim type, select the Enter type option, and then enter the value
net.windows.servicebus.action.
6 Under Output claim value, select the Enter value option, and then enter the value Send.
7 Optionally enter a description.

You’ve now completed the required ACS configuration.

Update the relying party federation metadata
1 On the Federation Service server, open the AD FS 2.0 Management tool.
2 In the left navigation pane, expand the Trust Relationships node, and then select Relying Party Trusts.
3 Right-click the relying party that you added in the Add the trust relationship and claim rule section, and then
select Update from Federation Metadata.

4 Click Update.

Configuring the on-premises server with Microsoft Dynamics AX 2012 R2 and the Microsoft Dynamics AX Connector for Mobile Applications service

Microsoft Dynamics AX 2012 R2
You can find the hotfix at https://go.microsoft.com/fwlink/?linkid=286321.

Unreconciled expense
Deploy the TrvUnreconciledExpense service
● In the Developer Workspace, click Services > TrvUnreconciledExpense. Right-click, and then select Add ins >
Register service.

Set up inbound ports
1 In Microsoft Dynamics AX, click System Administration > Services and Application integration framework >
Inbound ports > Create a new port name, description.
2 On the Service contract customizations FastTab, click Service operations. The Web Services Description
Language (WSDL) URI is filled in.

3 In the list of operations on the right side of the Select service operations form, select the following service
operations, and add them to the list on the left side of the form:
● TrvExpenseCategoryService.getCategories
● TrvUnreconciledExpenseService.addUnreconciledExpense
● TrvUnreconciledExpenseService.getLabelTranslations

4 Close the Select service operations form.
5 On the Troubleshooting FastTab, select the Include exceptions in fault check box, and then click Activate.

Timesheet

Deploy the TSTimesheetService service


● In the Developer Workspace, click Services > TSTimesheetService. Right-click, and then select Add ins >
Register service.

Set up inbound ports


1 In Microsoft Dynamics AX, click System Administration > Services and Application integration framework >
Inbound ports > Create a new port name, description.
2 On the Service contract customizations FastTab, click Service operations. The WSDL URI is filled in.

3 In the list of operations on the right side of the Select service operations form, select all eight service operations
for the TSTimesheetService service, and add them to the list on the left side of the form.

4 Close the Select service operations form.


5 On the Troubleshooting FastTab, select the Include exceptions in fault check box, and then click Activate.

Setting up the Microsoft Dynamics AX Connector for Mobile Applications service
You can find the installer at
https://mbs.microsoft.com/partnersource/newsevents/news/msdyn_mobileappsax.htm?printpage=false&sid=512hmactzru0t0fs0dcgyvgm&stext=Mobile applications for Dynamics AX.

Use the following procedure to install and configure the Microsoft Dynamics AX Connector for Mobile Applications.

Prerequisites
● The Microsoft Dynamics AX Connector for Mobile Applications service should be deployed or run as a user
account that is the user account of the .NET Business Connector proxy account. For more information about how
to create and set up the .NET Business Connector proxy account, see Specify the .NET Business Connector proxy
account [AX 2012].

Note: If Enterprise Portal for Microsoft Dynamics AX is deployed on the server, it will use the .NET Business
Connector proxy account.

Important: The .NET Business Connector proxy user account must be added as an Administrator on the machine
that runs the AX Connector service.

Also note the following guidance for the .NET Business Connector proxy account:

● It must be a Windows domain account.


● It must be a dedicated account (that is, it must be used only by .NET Business Connector).
● It must have a password that doesn’t expire.
● It must not have interactive sign-on rights.
● It must not be a Microsoft Dynamics AX user.

To see which .NET Business Connector proxy user account has been configured, in Microsoft Dynamics AX, click
System Administration > System Service Accounts.

● Only one instance of the Microsoft Dynamics AX Connector for Mobile Applications can be deployed to run on a
computer.

Installation
1 Click Start > All Programs > Microsoft Dynamics AX Connector for Mobile Applications, and start the
Microsoft Dynamics AX Connector for Mobile Applications Setup Wizard.

2 Select the I accept the terms in the License Agreement check box, and then click Next.

3 On the Destination Folder page, accept the default folder location for the connector, or click Change to select
another location. Then click Next.

4 On the Service account page, enter the name and password for the .NET Business Connector proxy user account
that you previously created, and then click Next.

5 Click Install.

6 Click Finish.

7 Click Start > Administrative Tools > Service to open the Windows Services list.
8 Click Start to start the Microsoft Dynamics AX Connector for Mobile Applications service. The service will run
under the context of the service user account.

9 On the Start menu, click the Microsoft Dynamics AX Connector for Mobile Applications shortcut. The
graphical user interface (GUI) for configuring the connector parameters appears.
10 Use the information in the following table to configure the connector parameters.

Parameter – Configuration

● Azure service namespace – Enter the service namespace that you set up in the Create a new Service Bus
namespace section, and then click Save.
● Azure service identity name – Enter the name of the service identity that you set up in the Create a new
Service Bus namespace section.
● Azure service identity password – Enter the 256-bit symmetric key for the service identity that was generated
in the Create a new Service Bus namespace section.
● Thumbprint of X.509 certificate used to sign SAML token – For information about the thumbprint value, see the
Add and configure the token signing certificate section.
● Endpoint URI of TrvUnreconciledExpenseService – The following text is preconfigured in this field:
net.tcp://<AOS_MACHINE_NAME>:8201/DynamicsAx/Services/TrvUnreconciledExpense
Replace <AOS_MACHINE_NAME> with the name of the machine that hosts Microsoft Dynamics AX Application
Object Server (AOS). Replace the default AOS port number, 8201, if a different port is used.
● Endpoint URI of TSTimesheetService – The following text is preconfigured in this field:
net.tcp://<AOS_MACHINE_NAME>:8201/DynamicsAx/Services/TSTimesheet
Replace <AOS_MACHINE_NAME> with the name of the machine that hosts AOS. Replace the default AOS port
number, 8201, if a different port is used.
● ADFS URL – An authentication server URL. This URL is the endpoint URL of the AD FS server that you set up in
the Enable the endpoint section. In our example, this URL is in the form
https://contosoadfs.com/adfs/services/trust/13/usernamemixed.
● Support Email – The contact email address that the mobile user will see if any issues occur. For example, the
email address might be support@contoso.com.

Note: The endpoint URI parameters for the expense and time services are optional. If you decide not to configure
one of those services, leave the field blank, and then click Save. When the Microsoft Dynamics AX Connector for
Mobile Applications service is started, you will notice the URL for that service doesn’t appear, and the Microsoft
Dynamics AX application for Microsoft Windows Phone won’t show the corresponding feature.

11 Enter values for each parameter, and then click Save.
12 After the connector parameters are saved, click Start in the form. You can see that the status has changed to
Started, and the Microsoft Dynamics AX Connector for Mobile Applications service is now running and listening
on the Service Bus.

Configuring the Microsoft Dynamics AX application for Windows Phone
After you notify users that the solution is available, they must provide their domain credentials and the service
connection name to use the Microsoft Dynamics AX application for their Windows Phone.

When users open the Microsoft Dynamics AX application for the first time, they are directed to a sign-in page that
has the following fields:

● User name
● Password
● Service connection name – The name of the Service Bus namespace that you set up in the Create a new Service
Bus namespace section.

After users enter the information and click sign in, the data is synced from the server, and the users can begin to use
the application.

© 2017 Microsoft Corporation. All rights reserved.

Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your
people to make business decisions with greater confidence. Microsoft Dynamics works like and with familiar
Microsoft software, automating and streamlining financial, customer relationship, and supply chain processes in a
way that helps you drive business success.

United States and Canada toll-free: (888) 477-7989
Worldwide: (1) (701) 281-6500
www.microsoft.com/dynamics

This document is provided “as-is.” Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.

Some examples are for illustration only and are fictitious. No real association is intended or inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You
may copy and use this document for your internal, reference purposes.
