URL is missing tenant parameter for sandbox containers after publishing when OAuth enabled
1. Describe the bug
When publishing an app into a sandbox container where OAuth is enabled, the publish works fine, but when the browser is opened afterwards and the sign-in with the AAD account is done, the redirect URL is missing the `?tenant=default` part, resulting in the well-known "Problem identified for tenant" error.
2. To Reproduce
- Create a container with AAD enabled as I described here: https://github.com/microsoft/navcontainerhelper/issues/2390#issue-1194696876
- Set up the `launch.json` to use AAD auth, example:

```json
{
    "type": "al",
    "request": "launch",
    "name": "launch: pdm-dev",
    "server": "https://mybcserver",
    "serverInstance": "mybcinstance",
    "port": 443,
    "authentication": "AAD",
    "tenant": "default",
    "breakOnError": true,
    "launchBrowser": true,
    "enableLongRunningSqlStatements": true,
    "enableSqlInformationDebugger": true,
    "environmentType": "OnPrem"
}
```
- Publish and debug with F5
3. Expected behavior
The browser should be opened with the correct URL, including the `?tenant=default` parameter, when it's a sandbox container.
4. Actual behavior
- Publish works:

```text
[2022-06-22 10:01:21.84] Publishing AL application using launch configuration 'launch: pdm-dev'.
[2022-06-22 10:01:22.09] Authenticating...
[2022-06-22 10:01:22.85] Authenticated.
[2022-06-22 10:01:22.85] Authenticated as user '[email protected]'. Please note that these credentials are cached. Clear the credentials cache to authenticate as another user.
[2022-06-22 10:01:22.85] Targeting Dynamics 365 Business Central environment tenant ID 'default' and primary Azure AD tenant domain name ''.
[2022-06-22 10:01:22.85] Sending request to https://mybcserver/mybcinstance/dev/metadata?tenant=default
[2022-06-22 10:01:23.54] Publishing package to tenant 'default'
[2022-06-22 10:01:23.55] Sending request to https://mybcserver/mybcinstance/dev/apps?tenant=default&SchemaUpdateMode=synchronize&DependencyPublishingOption=default
[2022-06-22 10:01:35.02] Success: The package 'Cosmo Consult_COSMO Product Data Management_3.4.0.0.app' has been published to the server.
```

- AAD sign-in is opened; the redirect URL is missing the tenant parameter:

```text
https://login.microsoftonline.com/xxx/oauth2/authorize?client_id=xxx&redirect_uri=https:%2f%2fmybcserver%2fmybcinstance%2fSignIn&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=...
```

- After signing in and redirecting to https://mybcserver/mybcinstance/SignIn, the error occurs because of the missing tenant parameter:
Other configurations we tried
My first guess was that the `environmentType` or `tenant` configuration in the launch.json needs to be different when using a sandbox container, but with other configurations we weren't even able to publish the extension:

- No `environmentType`, `tenant=default`: VSC error "Could not publish the package to the server"

```text
[2022-06-22 09:54:43.91] Publishing AL application using launch configuration 'launch: pdm-dev'.
[2022-06-22 09:54:44.61] Authenticating...
[2022-06-22 09:54:45.37] Error: Active Directory error invalid_request, AADSTS900023: Specified tenant identifier 'default' is neither a valid DNS name, nor a valid external domain. Trace ID: 137a05fe-c07e-4b77-ae10-664dee5d2700 Correlation ID: 08d62d94-ef8c-455c-96a8-939e9cbcfca9 Timestamp: 2022-06-22 07:54:34Z
[2022-06-22 09:54:45.37] Error: An internal error has occurred
```

- No `environmentType`, `tenant=cosmoconsult.com`: tries to publish against BC SaaS, "Could not publish the package to the server"

```text
[2022-06-22 09:57:31.58] Publishing AL application using launch configuration 'launch: pdm-dev'.
[2022-06-22 09:57:31.76] Authenticating...
[2022-06-22 09:57:32.48] Authenticated.
[2022-06-22 09:57:32.48] Authenticated as user '[email protected]'. Please note that these credentials are cached. Clear the credentials cache to authenticate as another user.
[2022-06-22 09:57:32.48] Targeting Dynamics 365 Business Central environment tenant ID 'cosmoconsult.com' and primary Azure AD tenant domain name ''.
[2022-06-22 09:57:32.48] Sending request to https://api.businesscentral.dynamics.com/v2.0/sandbox/dev/metadata?tenant=cosmoconsult.com
[2022-06-22 09:57:34.25] Publishing package to tenant 'cosmoconsult.com'
[2022-06-22 09:57:34.26] Sending request to https://api.businesscentral.dynamics.com/v2.0/sandbox/dev/apps?tenant=cosmoconsult.com&SchemaUpdateMode=synchronize&DependencyPublishingOption=default
[2022-06-22 09:57:36.48] The request for path /v2.0/sandbox/dev/apps?tenant=cosmoconsult.com&SchemaUpdateMode=synchronize&DependencyPublishingOption=default failed with code UnprocessableEntity. Reason: Your license does not grant you the following permissions for TableData Published Application: IndirectInsert. For information about your permissions, see the "Effective Permissions" page. To report a problem, refer to the following server session ID: "36418".
```

- `environmentType=Sandbox`, `tenant=default`: VSC error "Could not publish the package to the server"

```text
[2022-06-22 10:08:42.47] Publishing AL application using launch configuration 'launch: pdm-dev'.
[2022-06-22 10:08:43.27] Authenticating...
[2022-06-22 10:08:44.02] Error: Active Directory error invalid_request, AADSTS900023: Specified tenant identifier 'default' is neither a valid DNS name, nor a valid external domain. Trace ID: 2816782a-dca5-4fd6-9c81-3c43f98e2b00 Correlation ID: b58ed432-e39b-45b2-bf80-dbf0f8e697d4 Timestamp: 2022-06-22 08:08:33Z
[2022-06-22 10:08:44.02] Error: An internal error has occurred
```

- `environmentType=Sandbox`, `tenant=cosmoconsult.com`: VSC error "Could not publish the package to the server"

```text
[2022-06-23 08:19:14.78] Publishing AL application using launch configuration 'launch: pdm-dev'.
[2022-06-23 08:19:15.10] Authenticating...
[2022-06-23 08:19:16.04] Authenticated.
[2022-06-23 08:19:16.04] Authenticated as user '[email protected]'. Please note that these credentials are cached. Clear the credentials cache to authenticate as another user.
[2022-06-23 08:19:16.04] Targeting Dynamics 365 Business Central environment tenant ID 'cosmoconsult.com' and primary Azure AD tenant domain name ''.
[2022-06-23 08:19:16.04] Sending request to https://api.businesscentral.dynamics.com/v2.0/sandbox/dev/metadata?tenant=cosmoconsult.com
[2022-06-23 08:19:19.89] Publishing package to tenant 'cosmoconsult.com'
[2022-06-23 08:19:19.90] Sending request to https://api.businesscentral.dynamics.com/v2.0/sandbox/dev/apps?tenant=cosmoconsult.com&SchemaUpdateMode=synchronize&DependencyPublishingOption=default
[2022-06-23 08:19:24.20] The request for path /v2.0/sandbox/dev/apps?tenant=cosmoconsult.com&SchemaUpdateMode=synchronize&DependencyPublishingOption=default failed with code UnprocessableEntity. Reason: Your license does not grant you the following permissions for TableData Published Application: IndirectInsert. For information about your permissions, see the "Effective Permissions" page. To report a problem, refer to the following server session ID: "39625".
```

- `environmentType=OnPrem`, `tenant=cosmoconsult.com`: fails

```text
[2022-06-23 08:28:02.18] Publishing AL application using launch configuration 'launch: pdm-dev'.
[2022-06-23 08:28:02.43] Publishing package to tenant 'cosmoconsult.com'
[2022-06-23 08:28:02.43] Authenticating...
[2022-06-23 08:28:02.59] Authenticated.
[2022-06-23 08:28:02.59] Authenticated as user '[email protected]'. Please note that these credentials are cached. Clear the credentials cache to authenticate as another user.
[2022-06-23 08:28:02.59] Targeting Dynamics 365 Business Central environment tenant ID 'cosmoconsult.com' and primary Azure AD tenant domain name ''.
[2022-06-23 08:28:02.60] Sending request to https://mybcserver/mybcinstance/dev/apps?tenant=cosmoconsult.com&SchemaUpdateMode=synchronize&DependencyPublishingOption=default
[2022-06-23 08:28:03.41] Error: Error while copying content to a stream. Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host.. An existing connection was forcibly closed by the remote host.
[2022-06-23 08:28:03.41] Error: An error occured while processing the request. Request ID: 813d6e1f-26a0-4b83-8fc3-3f0264a0f457 Session ID: 529776f2-5f10-490c-bc27-a50124cd7ce0 If you are targeting a cloud instance, supply these IDs if contacting Microsoft support.
```
5. Versions:
- AL Language: v9.3.646020
- Visual Studio Code: 1.68.1
- Business Central: Container sandbox-20.2.41144.42415-de-mt
- List of Visual Studio Code extensions that you have installed: not relevant
Final Checklist
Please remember to do the following:
- [x] Search the issue repository to ensure you are reporting a new issue
- [x] Reproduce the issue after disabling all extensions except the AL Language extension
- [x] Simplify your code around the issue to better isolate the problem
@thloke is there any progress on this issue?
@thloke As long as this bug exists, client sessions between VS Code and the client cannot be synchronized: AAD environments cannot be debugged. Could you please assign a corresponding priority?
For me, this has gotten somewhat worse in AL Language extension v10.0.687650: for sandbox containers (multitenant true), the browser doesn't even start anymore. For on-prem containers, it works.
We temporarily disabled multitenant for our sandbox containers to deal with this issue (https://tobiasfenster.io/using-aad-authentication-for-development-against-a-business-central-container#the-details-things-to-be-aware-of), but we don't know which side effects this might have. And this problem isn't new; it has been a problem since January.
As I see it, there are two workarounds which can be applied until there is a "real" fix for this.
One would be to do as @pri-kise did and use single tenancy (`-multitenant:$false`).
The second would be to use URL Rewrite and always add `tenant=default` if multitenant. Unfortunately, it looks like the rewrite sections in web.config are commented out by default, but you can override SetupWebConfiguration and modify the web.config by adding this to your New-BcContainer:

```powershell
-myScripts @('https://raw.githubusercontent.com/microsoft/nav-docker/master/override/issue7100/setupWebConfiguration.ps1') `
```
The code in this override:
```powershell
# Locate the Web Client's web.config inside the container.
$wwwRootPath = Get-WWWRootPath
$webConfigFile = Join-Path $wwwRootPath "$webServerInstance\web.config"
$webconfig = Get-Content -Path $webConfigFile -Raw -Encoding UTF8

# Uncomment the <rewrite> section and hard-code tenant=default in the rewrite
# action instead of the captured value {C:1}. PowerShell variable names are
# case-insensitive, so $webConfig and $webconfig are the same variable.
$webConfig = $webconfig.Replace('<!-- <rewrite>','<rewrite>').Replace('</rewrite> -->','</rewrite>').Replace('{R:0}?tenant={C:1}','{R:0}?tenant=default')
Set-Content -Path $webConfigFile -Value $webconfig -Encoding UTF8

# Continue with the container's standard web configuration script.
. 'C:\run\SetupWebConfiguration.ps1'
```

By adding this it works, but it will always use the default tenant if no tenant is specified.
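The following is an added example and not code from the AL extension, Business Central Server or the navcontainerhelper override above. It re-parses the authorize URL captured in the report to show that the `redirect_uri` handed to AAD carries no tenant parameter, builds the SignIn URL that the launch.json values imply, and models the rewrite workaround with the semantics the comment describes: append `tenant=default` only when the request has no tenant parameter. The real web.config rule is not shown on this page, so the rewrite here is a model of that behaviour, not a copy of it; the hostnames and the `LAUNCH` values are placeholders taken from the report.

```python
"""Model of the missing-tenant redirect and of the tenant=default rewrite.

Added example; it does not reproduce the BC Web Client's web.config rule.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed from the authorize URL in the report (placeholders kept).
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/xxx/oauth2/authorize"
    "?client_id=xxx"
    "&redirect_uri=https:%2f%2fmybcserver%2fmybcinstance%2fSignIn"
    "&response_type=code%20id_token&scope=openid%20profile"
    "&response_mode=form_post&nonce=..."
)

# Hypothetical launch.json values, mirroring the report's configuration.
LAUNCH: Dict[str, str] = {
    "server": "https://mybcserver",
    "serverInstance": "mybcinstance",
    "tenant": "default",
}


def redirect_uri_of(authorize_url: str) -> str:
    """Return the (percent-decoded) redirect_uri parameter of an AAD authorize URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    if not values:
        raise ValueError("authorize URL has no redirect_uri parameter")
    return values[0]


def tenant_of(url: str) -> Optional[str]:
    """Return the tenant query parameter of url, or None when it is absent."""
    return parse_qs(urlsplit(url).query).get("tenant", [None])[0]


def expected_signin_url(launch: Dict[str, str]) -> str:
    """SignIn URL the browser should land on for a multitenant (sandbox) container."""
    base = f"{launch['server'].rstrip('/')}/{launch['serverInstance']}/SignIn"
    return f"{base}?tenant={launch['tenant']}"


def rewrite_add_default_tenant(url: str, multitenant: bool = True,
                               default: str = "default") -> str:
    """Model of the workaround's rewrite: on a multitenant server, append
    tenant=<default> when the request carries no tenant parameter.

    An explicit tenant is never overwritten, so applying the rule twice is a
    no-op, and on a single-tenant server the URL is returned unchanged.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not multitenant or any(key == "tenant" for key, _ in params):
        return url
    params.append(("tenant", default))
    return urlunsplit(parts._replace(query=urlencode(params)))


def diagnose(authorize_url: str, launch: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Compare the redirect_uri given to AAD with the SignIn URL launch.json implies."""
    actual = redirect_uri_of(authorize_url)
    return {
        "redirect_uri": actual,
        "tenant_in_redirect": tenant_of(actual),
        "expected": expected_signin_url(launch),
        "after_rewrite": rewrite_add_default_tenant(actual),
    }


if __name__ == "__main__":
    for key, value in diagnose(AUTHORIZE_URL, LAUNCH).items():
        print(f"{key:20} {value}")
```

Running it against the captured URL reports `tenant_in_redirect` as `None` and shows that the modelled rewrite turns the bare `/SignIn` redirect into the expected `?tenant=default` form; a request that already names a tenant passes through untouched, which is the behaviour the workaround relies on.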
Any updates on a "real" fix?