AccessControlService auth throws strange error in Web Client

Charleh

Hi all,

Desktop client works fine and logs in with SSO to O365. I've set this up before for other customers, the only difference here is that there's a load balancer in front of the web client app.

I get this stack:

Error accessing Website Microsoft Dynamics NAV 2017 Web Client
Raw Url: /company/WebClient/SignIn.aspx?ReturnUrl=blahblah
Url: https://www.someurl.com/company/WebClient/SignIn.aspx?ReturnUrl=blahblah
Type: System.InvalidOperationException
Message: This operation is not supported for a relative URI.
StackTrace:
   at System.Uri.get_Query()
   at Microsoft.Dynamics.Framework.UI.Web.FederatedAuthenticationUrlRewriter.CalculateReply(Uri originalRequestUri, Uri authUri, String replyQuery)
   at Microsoft.Dynamics.Framework.UI.Web.FederatedAuthenticationUrlRewriter.RewriteAcsUri(Uri originalRequestUri, Uri acsUri)
   at Microsoft.Dynamics.Nav.WebClient.Security.AcsAuthenticationProvider.Authenticate(HttpContextBase context, String userName, String password)
   at Microsoft.Dynamics.Nav.Client.WebClient.SignIn.Authenticate()
   at Microsoft.Dynamics.Nav.Client.WebClient.SignIn.SetAuthenticationProvider()
   at Microsoft.Dynamics.Nav.Client.WebClient.SignIn.OnInitCore(EventArgs e)
Source: System

I've decompiled the NAV dlls in order to figure out what code is running here and it boils down to this single line of code where the getter for Query is first accessed in the CalculateReply method on FederatedAuthenticationUrlRewriter

if (!HttpUtility.ParseQueryString(authUri.Query).AllKeys.Contains<string>(replyQuery, StringComparer.OrdinalIgnoreCase))

The getter for authUri.Query is throwing - so it seems the acsUri is relative...

In my config it is not relative:

https://login.windows.net/tenant-is-here.onmicrosoft.com/wsfed?etc-etc-etc

Does anyone have any clue why it might be reading this as a relative Url?

There are some acsUri transform methods before this, but I've run them through with various combinations of parameters and they seem ok.

Head sore from banging it against brick wall.

Charleh

Ok figured it out - this is not really documented so it took me a bit of pot-luck to figure out

The web client appears to draw its settings from the service tier configuration provider in NAV2017 and later.

The only reason I found this out was copying a config from a working customer over and forgetting to change the server name that pointed to the NST. The web.config kicked in and it started redirecting to the O365 sign in page.

When I put the correct server/NST name in it started throwing the error. It turns out the NST settings were not correct (but I had assumed it would ignore the NST settings and just use the web config)

I'm pretty sure it doesn't do this in 2016 so it's a little frustrating that it's not documented (as far as I can see).