
MSDyn365FO OneBox disabled – fix

April 13, 2020

Maybe your (trial) subscription expired, or maybe your Dynamics app registration has been corrupted. Either way, one day you may try to log on to your OneBox environment, deployed on-prem or in Azure (own subscription), and get this error:

AADSTS7000112: Application ‘00000015-0000-0000-c000-000000000000’ (Microsoft Dynamics ERP) is disabled

How to fix this? If the problem is an expired subscription, you should renew it! But maybe you need to log on immediately for some reason, or maybe you registered Dynamics under your own domain and that registration is corrupted. Either way, the steps below show how to restore access to the environment.
Disclaimer: I do not suggest that anyone use this as a permanent fix if the problem is an expired subscription!

In the steps below we will create a new app registration, assign permissions to it and then update the IIS config files on the Dynamics OneBox. To make it easier, I scripted the Azure part in PowerShell. OK, let’s start.

Create New App registration.

You can proceed manually in the portal: create a new app registration with the Redirect URL set to the same value as your Dynamics URL. Then assign it the following API permissions:

Microsoft Graph:

  • Directory.AccessAsUser.All
  • User.Read
  • User.Read.All

If you don’t want to do it manually, you can download and use the script RegisterAzureApp.ps1 that I shared on GitHub. The script creates the app registration and grants the permissions listed above.

The script has 3 parameters:

  • $appName – Name of AppRegistration
  • $appURI – Unique Identifier of AppRegistration
  • $replyURL – URL to your Dynamics site

When the script runs, look for the green line that contains the AppID and note it; you will need it later.

In our case: 9ea4a5cc-5662-41c1-8323-1a4512372ca7

For both ways (manual and script) you must grant admin consent to the added API permissions.

Adjust IIS config files on OneBox

Log on to the Dynamics OneBox with an administrator account using RDP and locate the IIS files at C:\AOSService\webroot (or K:\AOSService\webroot). Make a backup of these files:

  • web.config
  • wif.config
  • wif.services.config

Once you have the backup, open Notepad “As Administrator” and start editing.

web.config

Find the key Aad.Realm in <appSettings> and replace the SPN with the AppID:

<add key="Aad.Realm" value="spn:9ea4a5cc-5662-41c1-8323-1a4512372ca7" />

wif.config

Find <audienceUris> and replace the value with the AppID:

<add value="spn:9ea4a5cc-5662-41c1-8323-1a4512372ca7" />

wif.services.config

Find <wsFederation>, locate the realm attribute and replace the SPN with the AppID:

<wsFederation passiveRedirectEnabled="true" issuer="https://login.windows.net/yourdomain.com/wsfed" realm="spn:9ea4a5cc-5662-41c1-8323-1a4512372ca7" reply="https://youroneboxaddress.cloudax.dynamics.com/" requireHttps="true" />

Now restart IIS (start cmd “as Administrator” and run iisreset). That’s it, you should be able to access your Dynamics. I tested this procedure on DEV/DEMO OneBox deployed to both Azure and on-prem.
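The three config edits above can also be applied in one pass. The following is an added example, not the author's RegisterAzureApp.ps1 and not part of the original post; the parameter names and the backup naming are assumptions, and it assumes each file contains exactly one matching node, stopping otherwise so that an unexpected layout is never half-edited.

```powershell
# Added example (not the blog author's script): back up the three OneBox
# config files and set the realm to spn:<AppID> in each of them.
param(
    # AppID noted after the app registration; [guid] rejects a mistyped value
    [Parameter(Mandatory)] [guid] $AppId,
    # Use K:\AOSService\webroot if that is where your webroot lives
    [string] $WebRoot = 'C:\AOSService\webroot'
)
$ErrorActionPreference = 'Stop'
$realm = "spn:$AppId"

# File name, XPath of the node to change, and the attribute holding the realm
$targets = @(
    @{ File = 'web.config';          XPath = "//appSettings/add[@key='Aad.Realm']"; Attr = 'value' }
    @{ File = 'wif.config';          XPath = '//audienceUris/add';                  Attr = 'value' }
    @{ File = 'wif.services.config'; XPath = '//wsFederation';                      Attr = 'realm' }
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($t in $targets) {
    $path = Join-Path $WebRoot $t.File

    # Timestamped backup next to the original, so a rollback is a plain copy
    Copy-Item -LiteralPath $path -Destination "$path.$stamp.bak"

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout
    $xml.Load($path)

    # Refuse to edit when the node is missing or ambiguous
    $nodes = @($xml.SelectNodes($t.XPath))
    if ($nodes.Count -ne 1) {
        throw "$($t.File): expected exactly one node for $($t.XPath), found $($nodes.Count)"
    }

    $old = $nodes[0].GetAttribute($t.Attr)
    $nodes[0].SetAttribute($t.Attr, $realm)
    $xml.Save($path)
    Write-Host "$($t.File): $old -> $realm"
}
```

Run it from an elevated PowerShell session on the OneBox, then restart IIS with iisreset as described above.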


  1. This was straightforward, understandable, and worked. I maintain Dyn365 FO for university students as part of Microsoft Business Applications Academic Community so it’s just me (i.e., no IT staff and good but not extensive Azure AD knowledge), an Azure VM, and fingers crossed. Not sure why my Dyn365 FO ‘gave out’ (I’ve been doing this for years) but this was the cure … much relief as we start to use it in class next week.

    1. I am glad it helped you. It’s similar in our country. Schools do not have IT staff and teachers have to help themselves. (I worked with some of them).

  2. Hi Rostislav, you are a genius. It’s worked perfectly. Great explanation and very straightforward. I am a functional consultant, so this is completely outside of my comfort zone. I am grateful I found your post.
