Troubleshoot service authentication issues
This topic provides some tips for troubleshooting issues that involve service authentication.
When you troubleshoot service authentication issues, there are a few basic and common procedures that can help resolve the issues that are most often encountered. These procedures also provide a hands-on demonstration of how the authentication mechanism works. This topic includes instructions and also lists a few common issues that users have encountered so far.
Inspect the JWT
Capture the JWT from an HTTP request
- Download Fiddler from https://www.telerik.com/fiddler.
- Set up HTTPS capture to watch the HTTPS traffic from the client.
- Find the Open Authorization (OAuth) JSON Web Token (JWT). It's the value of the HTTP "Authorization" header with the leading "Bearer" scheme name removed.
Use a deserializer tool to look at the token contents
Go to https://jwt.io, and paste the JWT into the input panel.
View the contents in the form of name-value pairs. See the example that follows.
Verify that the following information is correct:
"aud" – The value corresponds to the Microsoft Azure Active Directory (Azure AD) resource concept. Here are some typical issues that involve "aud":
- The "aud" segment of the JWT contains a URI that has a trailing slash.
- The "aud" segment of the JWT contains a URI that uses an incorrect capitalization style. The URI must be all lowercase.
"appid" – The value corresponds to the Azure AD Native Client App ID (or Service App ID).
"upn" – The value corresponds to the user who is being authenticated through a Native Client App.
The following illustration shows an example of the contents of the JWT.
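The checks listed above can also be run locally on a captured "Authorization" header value. The following Python sketch is an added example, not part of the original topic or of Microsoft's sample code. It decodes the payload without verifying the signature, and the sample token, the contoso.example names and the helper function names are constructed for illustration.

```python
import base64
import json

def decode_segment(segment: str) -> dict:
    """Base64url-decode one JWT segment (padding restored) and parse the JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])

def inspect_token(authorization_header: str) -> dict:
    """Return aud, appid and upn plus any 'aud' problems this topic lists.
    The signature is not verified: this is a troubleshooting aid only."""
    value = authorization_header.strip()
    scheme, _, rest = value.partition(" ")
    token = rest.strip() if scheme.lower() == "bearer" else value
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = decode_segment(parts[1])
    aud = claims.get("aud")
    problems = []
    if not isinstance(aud, str) or not aud:
        problems.append("aud is missing or not a string")
    else:
        if aud.endswith("/"):
            problems.append("aud has a trailing slash")
        if aud != aud.lower():
            problems.append("aud is not all lowercase")
    return {"aud": aud, "appid": claims.get("appid"),
            "upn": claims.get("upn"), "problems": problems}

# Constructed sample: an "aud" value with both issues described in this topic.
SAMPLE_HEADER = "Bearer " + make_token({
    "aud": "https://Contoso.example/",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app ID
    "upn": "user@contoso.example",
})

if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_HEADER), indent=2))
```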
Review the event logs
You can also look at the event logs of the instance machine, if you have access to the virtual machine (VM).
Start Event Viewer by running the eventvwr command from the Run window.
Go to the following channels:
- Application and Services Logs > Microsoft > Dynamics > AX-IntegrationServices > Channel:Operational (Microsoft-Dynamics-AX-IntegrationServices/Operational)
- Application and Services Logs > Microsoft > Dynamics > AX-SystemRuntime > Channel:Operational (Microsoft-Dynamics-AX-SystemRuntime/Operational)
- For more information about how OAuth is configured, see Service endpoints overview.
- You can also try to call the service in parallel by using your own client code. The sample code that we published is available at https://github.com/Microsoft/Dynamics-AX-Integration.
- If the second method works, you can compare the JWTs from each method.
AADSTS65001: The user or administrator hasn't consented to use the application
- The "aud" segment of the JWT might contain a URI that has a trailing slash. The slash must be removed.
- The "aud" segment of the JWT might contain a URI that uses an incorrect capitalization style. The URI must be all lowercase.