Troubleshoot service authentication issues

This article provides some tips for troubleshooting issues that involve service authentication.

When you troubleshoot service authentication issues, there are a few basic and common procedures that can help resolve the issues that are most often encountered. These procedures also provide a hands-on demonstration of how the authentication mechanism works. This article includes instructions and also lists a few common issues that users have encountered so far.

Inspect the JWT

Capture the JWT from an HTTP request

  1. Download Fiddler from https://www.telerik.com/fiddler.
  2. Set up HTTPS capture to watch the HTTPS traffic from the client.
  3. Find the Open Authorization (OAuth) JSON Web Token (JWT). It's the value of the HTTP "Authorization" header without the "bearer" segment.

Use a deserializer tool to look at the token contents

  1. Go to https://jwt.io, and paste the JWT into the input panel.

  2. View the contents in the form of name-value pairs. See the example that follows.

  3. Verify that the following information is correct:

    • "aud" – The value corresponds to the Microsoft Entra resource concept. Here are some typical issues that involve "aud":

      • The "aud" segment of the JWT contains a URI that has a trailing slash.
      • The "aud" segment of the JWT contains a URI that uses an incorrect capitalization style. The URI must be all lowercase.
    • "appid" – The value corresponds to the Microsoft Entra Native Client App ID (or Service App ID).

    • "upn" – The value corresponds to the user who is being authenticated through a Native Client App.

The following illustration shows an example of the contents of the JWT.

Example of a JWT.
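
The same checks can be run locally, so that the captured token doesn't have to be pasted into a web page. The following Python sketch is an added example, not code from the original article. The function names and sample claim values are constructed for illustration, and the token signature is not verified.

```python
import base64
import json


def decode_jwt_payload(token):
    """Decode the claims of a JWT locally. The signature is NOT verified."""
    token = token.strip()
    if token.lower().startswith("bearer "):  # accept the raw Authorization header value
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(claims, expected_appid=None, expected_upn=None):
    """Return findings for the aud, appid and upn checks listed above."""
    findings = []
    aud = claims.get("aud")
    if not isinstance(aud, str) or not aud:
        findings.append("aud: missing or not a string")
    else:
        if aud.endswith("/"):
            findings.append("aud: trailing slash")
        if aud != aud.lower():
            findings.append("aud: not all lowercase")
    # appid and upn are compared only when the caller supplies the expected value.
    for name, expected in (("appid", expected_appid), ("upn", expected_upn)):
        actual = claims.get(name)
        if expected is not None and str(actual).lower() != expected.lower():
            findings.append(f"{name}: expected {expected}, got {actual}")
    return findings


def make_sample_token(claims):
    """Build an unsigned token from constructed claims, for the demo only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + ".constructed-signature"


# Constructed sample values; none of them come from a real tenant.
SAMPLE_HEADER_VALUE = "Bearer " + make_sample_token({
    "aud": "https://Contoso.example.com/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "upn": "alice@contoso.example.com"})

if __name__ == "__main__":
    print(check_claims(decode_jwt_payload(SAMPLE_HEADER_VALUE)))
```
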

Review the event logs

You can also look at the event logs of the instance machine, if you have access to the virtual machine (VM).

  1. Start Event Viewer by running the eventvwr command from the Run window.

  2. Go to the following channels:

    • Application and Services Logs > Microsoft > Dynamics > AX-IntegrationServices > Channel:Operational (Microsoft-Dynamics-AX-IntegrationServices/Operational)
    • Application and Services Logs > Microsoft > Dynamics > AX-SystemRuntime > Channel:Operational (Microsoft-Dynamics-AX-SystemRuntime/Operational)

Other approaches

Known issues

AADSTS65001: The user or administrator hasn't consented to use the application

  • The "aud" segment of the JWT might contain a URI that has a trailing slash. The slash must be removed.
  • The "aud" segment of the JWT might contain a URI that uses an incorrect capitalization style. The URI must be all lowercase.