Automatic Vendor User Provisioning for Microsoft AX 2012, Using Forms-based Authentication within Enterprise Vendor Self-service Portal


A tech-savvy client of ours had a business requirement to give their approved vendors access to their own AX vendor information, so that vendors could review paid invoices and check invoice status. Their IT team did not want to provision vendor accounts in Active Directory, and rightfully so: external parties do not belong in the corporate directory, and every external account there carries licensing and lifecycle cost.

With thousands of vendors per location and a couple of hundred locations, it was clear we needed the vendor administrator/operator model of an AX vendor account, combined with the auto-provisioning capability of AX and SharePoint forms-based authentication (FBA).

Enterprise Portal for Dynamics AX comes with a Vendor Portal template. Once deployed, an approved AX vendor account consists of a vendor administrator and one or more operators.

Another requirement was that locations, which this client models as financial dimensions rather than as separate legal entities, should have access to one or more vendor accounts. Out of the box, AX supports administering a single vendor account across one or more legal entities, not multiple vendor accounts within the same legal entity.

Several modifications are therefore required within AX and Enterprise Portal to make the solution useful.

With a Vendor Portal facing the internet, a vendor can:

  • View and maintain vendor profile information. The profile includes the names of contacts in the vendor's organization who are authorized to interact with the buying organization.
  • Maintain catalogs of the products the vendor makes available.
  • Request to add workers from the vendor's organization as users in the Vendor Portal (the vendor portal operators).
  • Request to be added to additional procurement categories.
  • Respond to questionnaires.
  • View notifications.
  • Respond to new requests for quotations (RFQs).
  • View the status of purchase orders and product receipts.
  • Create and submit invoices, and view the status of invoices.
  • View reports about the vendor's performance.

Figure 1. Vendor self-service portal when a vendor is logged in.

What will the Environment Topology Look Like?

  • One intranet-facing Enterprise Portal using integrated Windows authentication, configured as the default Enterprise Portal in AX.
  • An SSL certificate for the friendly, internet-facing URL of the new external portal.
  • One internet-facing, claims-aware Enterprise Portal using forms-based authentication, set up using the instructions on http://technet.microsoft.com/en-us/library/hh575253.aspx.
  • Claims authentication configured with the FBA provider instead of the standard Windows AD authentication.
  • Alternate Access Mapping, which provides a friendly access point on the web to your portal.
  • The Dynamics AX user request workflow activated and configured to provision users automatically. Automation gives us these benefits:
    • A user is created in Microsoft Dynamics AX. The user alias in Microsoft Dynamics AX is the same alias that is used when the user logs on through the authentication provider.
    • A profile is created for the user. Also, an external relationship is added to associate the vendor company with the legal entities in which the vendor is allowed to do business.
    • A security role is assigned to the vendor.
      • For vendor users, the security role is either Vendor portal administrator (external) or Vendor (external).

Figure 2. Vendor roles in AX


What does Forms Based Authentication do for Us?

  1. No Windows client access licenses (CALs) are needed, because vendor users are not AD users.
  2. No vendor accounts to maintain in AD.
  3. FBA users are maintained in the ASP.NET membership database (aspnetdb) used by IIS/SharePoint, outside the corporate directory.
  4. Users can reset their own passwords using self-service principles.
  5. Password policies (complexity, lockout, retention, expiration and so on) can be set independently from the corporate security policy. This cuts both ways: the membership provider's defaults apply until you configure a policy explicitly, so define one deliberately for an internet-facing site.

Now that we understand the business reasons and the pros, let's dive into the setup steps!

Install Enterprise Portal

Go ahead and install Enterprise Portal using the standard options. I highly recommend Microsoft's "Install Enterprise Portal in a traditional perimeter network" article, which places the Enterprise Portal inside a restricted domain. I usually also modify the web.config file so that the Enterprise Portal connects only to a specific web-only AOS instance, so that portal requests are handled by a dedicated AOS (or AOSs) rather than the AOS that serves the rich client. Here is how:

  • Specify the Microsoft Dynamics AX client configuration file for your new portal by editing the web.config file of its web application. By default, the web.config file is located in C:\inetpub\wwwroot\wss\VirtualDirectories\<port number>
  • Add the following Microsoft.Dynamics element after the closing </system.web> tag. Replace <server_name>, <path>, and <configuration_file>.axc with the information specific to your environment:

<Microsoft.Dynamics>
  <Session Configuration="\\<server_name>\<path>\<configuration_file>.axc" />
</Microsoft.Dynamics>

For example, with the configuration file stored on the portal server itself:

<Microsoft.Dynamics>
  <Session Configuration="C:\inetpub\wwwroot\dynamicsax.axc" />
</Microsoft.Dynamics>

The account running the portal's application pool must be able to read the .axc file, and the file should be writable only by administrators: whoever can edit it decides which AOS the portal talks to.
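As an added example (not code from the original article), here is the web.config change above as a script that can be re-run safely: it creates or updates the Microsoft.Dynamics/Session element through the XML API rather than string-editing the file, keeps a backup, and reads the configured path back from disk before recycling IIS. The web.config path (a port 443 web application) and the .axc path are assumptions.

```powershell
# Added example, not from the original article. Points the Enterprise Portal web application
# at a dedicated web-only AOS by creating or updating <Microsoft.Dynamics><Session .../>
# in web.config. Both paths below are assumptions for illustration.
$WebConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\443\web.config'   # assumed: port 443 web app
$AxcPath   = 'C:\inetpub\wwwroot\dynamicsax.axc'                          # assumed: .axc on the EP server

if (-not (Test-Path -LiteralPath $AxcPath))   { throw "AX client configuration file not found: $AxcPath" }
if (-not (Test-Path -LiteralPath $WebConfig)) { throw "web.config not found: $WebConfig" }

# Keep a timestamped backup before touching web.config.
Copy-Item -LiteralPath $WebConfig -Destination ('{0}.{1:yyyyMMddHHmmss}.bak' -f $WebConfig, (Get-Date))

[xml]$cfg = Get-Content -LiteralPath $WebConfig -Raw
$root = $cfg.configuration

# Create <Microsoft.Dynamics> directly after </system.web> if it is not there yet.
$dyn = $root.SelectSingleNode('Microsoft.Dynamics')
if (-not $dyn) {
    $dyn    = $cfg.CreateElement('Microsoft.Dynamics')
    $sysWeb = $root.SelectSingleNode('system.web')
    if ($sysWeb) { [void]$root.InsertAfter($dyn, $sysWeb) } else { [void]$root.AppendChild($dyn) }
}

# Create or update the <Session Configuration="..."/> child; re-running just refreshes the path.
$session = $dyn.SelectSingleNode('Session')
if (-not $session) { $session = $dyn.AppendChild($cfg.CreateElement('Session')) }
$session.SetAttribute('Configuration', $AxcPath)

$cfg.Save($WebConfig)

# Read the value back from disk so the change is verified, then recycle IIS to pick it up.
$applied = ([xml](Get-Content -LiteralPath $WebConfig -Raw)).configuration.'Microsoft.Dynamics'.Session.Configuration
if ($applied -ne $AxcPath) { throw "web.config was not updated as expected (found '$applied')" }
"Enterprise Portal session configuration now points to $applied"
iisreset
```

Run it in an elevated PowerShell on the Enterprise Portal server. If the .axc file lives on a UNC share as in the first template above, point $AxcPath at that share and make sure the application pool account has read access to it.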

Install SSL Certificate

It goes without saying that you will want to secure traffic to and from your web portal with TLS. The topic has been covered well elsewhere, so only two points here: the certificate's subject (or subject alternative name) must match the public host name you will later publish through Alternate Access Mapping, and you will need the same certificate, with its private key, as a .pfx file for the AX cmdlets used later in this article.

Claims Authentication Using Form Based Authentication Provider 

You must enable the SharePoint Claims to Windows Token Service (C2WTS) for claims-based authentication; it is the service that converts a user's claims identity into a Windows token for back-end calls.

Use the following procedure to start this service.

  1. In SharePoint Central Administration, under System Settings, click Manage services on server.
  2. Locate the Claims to Windows Token Service.
  3. In the Action column, click Start.
  4. In Windows, click Start > Run, type services.msc and press Enter.
  5. In the Services console, verify that the Claims to Windows Token Service is running.

Optional requirements:

When you run the Claims to Windows Token Service under a specific service account, grant that account the additional rights below using the local security policy tool.

Set the following rights on both the application server and the web front-end server (WFE) for the farm admin and the Business Connector (BC) proxy account by running gpedit.msc and navigating to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment:

    • Act as part of the operating system
    • Impersonate a client after authentication
    • Log on as a service

Then:

  • Make sure that the farm admin and BC proxy accounts are local administrators on both servers (application server and WFE).
  • Run iisreset on both servers.
  • Restart the Claims to Windows Token Service on both machines from SharePoint Central Administration.

Keep in mind that these are high-privilege rights (Act as part of the operating system in particular), so grant them only to these two accounts and only on these two servers.
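As an added example (not code from the original article), the C2WTS steps and the user-rights checklist above as one script: it starts the service instance on each SharePoint server, confirms the Windows service is running, verifies through secedit that both accounts hold the three rights on both servers, and only then restarts IIS and C2WTS. Server names, account names, and the availability of WinRM and elevation are assumptions.

```powershell
# Added example, not from the original article. Starts the Claims to Windows Token Service on
# each SharePoint server and verifies that the farm admin and BC proxy accounts hold the three
# user rights listed above. Server and account names are assumptions; WinRM and elevation assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$servers  = 'AXAPP01', 'AXWFE01'                         # assumed: application server and WFE
$accounts = 'CONTOSO\svc-spfarm', 'CONTOSO\svc-bcproxy'  # assumed: farm admin and BC proxy account
$required = 'SeTcbPrivilege',          # Act as part of the operating system
            'SeImpersonatePrivilege',  # Impersonate a client after authentication
            'SeServiceLogonRight'      # Log on as a service

# 1. Start the C2WTS service instance on each server (what "Manage services on server" does).
foreach ($s in $servers) {
    Get-SPServiceInstance -Server $s |
        Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' -and $_.Status -ne 'Online' } |
        ForEach-Object { Start-SPServiceInstance -Identity $_ | Out-Null }
}

# 2. Confirm the Windows service itself (short name c2wts) is running, as services.msc would show.
foreach ($s in $servers) {
    '{0}: c2wts is {1}' -f $s, (Get-Service -ComputerName $s -Name c2wts).Status
}

# 3. secedit exports user rights as "SeTcbPrivilege = *S-1-5-...,*S-1-5-..." lines, so resolve each
#    account to its SID and look for it. Runs on the target server via Invoke-Command.
function Test-UserRight {
    param([string[]]$Accounts, [string[]]$Rights)
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf
    foreach ($a in $Accounts) {
        $sid = (New-Object System.Security.Principal.NTAccount($a)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        foreach ($r in $Rights) {
            $line = $lines | Where-Object { $_ -match "^$r\s*=" }
            $sids = if ($line) { ($line -split '[=,]') | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
            [pscustomobject]@{ Account = $a; Right = $r; Granted = ($sids -contains $sid) }
        }
    }
}

$results = foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -ScriptBlock ${function:Test-UserRight} -ArgumentList (,$accounts), (,$required) |
        Select-Object @{ n = 'Server'; e = { $s } }, Account, Right, Granted
}
$results | Format-Table -AutoSize

# 4. Only recycle IIS and restart C2WTS once every right is in place; otherwise fix the policy first.
$missing = $results | Where-Object { -not $_.Granted }
if ($missing) {
    Write-Warning ('Missing rights: ' + (($missing | ForEach-Object { "$($_.Server):$($_.Account):$($_.Right)" }) -join ', '))
} else {
    foreach ($s in $servers) { Invoke-Command -ComputerName $s -ScriptBlock { iisreset | Out-Null; Restart-Service c2wts } }
}
```

The check looks for a direct assignment of the account's SID; a right inherited through group membership (for example via the local Administrators group) will show as not granted, which is the safer reading when deciding whether the policy has actually been applied.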

Form Based Authentication

Let's create a forms-based website and a database to hold the external users' credentials and roles.

The ASP.NET membership database is a SQL Server database (SQL Server Express is sufficient) that stores the users, roles and password hashes behind the forms-based site.

You create it with the aspnet_regsql tool from the .NET Framework version current on your server:

%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

Complete the wizard. The wizard creates a new database in Microsoft SQL Server called aspnetdb if you accept <default> as the database name.
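As an added example (not code from the original article), the database creation above done unattended, followed by the provider registration the wizard does not do for you: a SqlMembershipProvider and SqlRoleProvider pair with an explicit password policy, merged into a SharePoint web.config without disturbing SharePoint's own claims providers. The SQL Server name, the web.config path, the provider names and the policy values are assumptions.

```powershell
# Added example, not from the original article. Creates the ASP.NET membership database
# unattended (equivalent to completing the aspnet_regsql wizard) and registers a
# SqlMembershipProvider/SqlRoleProvider pair with an explicit password policy in a SharePoint
# web.config. SQL Server name, file path, provider names and policy values are assumptions.
$SqlServer = 'SQLEXPRESS01\SQLEXPRESS'                                    # assumed
$Database  = 'aspnetdb'
$WebConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\443\web.config'  # assumed
$Provider  = 'FormsAuth'    # the name later given to Add-AXEnterprisePortalClaimsAuthenticationProvider
$RoleProv  = 'FormsRoles'   # assumed role provider name

# 1. -E: Windows authentication to SQL; -A mr: install the membership (m) and role (r) schema only.
$regsql = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe'
& $regsql -S $SqlServer -E -A mr -d $Database
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed with exit code $LASTEXITCODE" }

# 2. Provider registration. SqlMembershipProvider's defaults (7-character minimum, password
#    retrieval possible if the format allows it) are weak for an internet-facing site, so every
#    policy attribute is stated explicitly. passwordFormat="Hashed" is the only non-reversible
#    option this provider offers.
$fragment = @"
<configuration>
  <connectionStrings>
    <add name="FbaConnectionString"
         connectionString="Server=$SqlServer;Database=$Database;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="$Provider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaConnectionString" applicationName="/"
             passwordFormat="Hashed" enablePasswordRetrieval="false" enablePasswordReset="true"
             requiresQuestionAndAnswer="true" requiresUniqueEmail="true"
             minRequiredPasswordLength="12" minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5" passwordAttemptWindow="15" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="$RoleProv"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaConnectionString" applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"@

# 3. Merge the fragment into the real web.config: sections are created if absent, <add> entries
#    are replaced by name, and SharePoint's own providers ("i"/"c") and defaultProvider stay untouched.
Copy-Item -LiteralPath $WebConfig -Destination "$WebConfig.bak"
[xml]$cfg  = Get-Content -LiteralPath $WebConfig -Raw
[xml]$frag = $fragment

function Merge-Into([System.Xml.XmlElement]$Target, [System.Xml.XmlElement]$Source) {
    foreach ($attr in $Source.Attributes) { $Target.SetAttribute($attr.Name, $attr.Value) }
    foreach ($child in @($Source.ChildNodes)) {
        if ($child.NodeType -ne 'Element') { continue }
        if ($child.LocalName -eq 'add') {
            $new = $cfg.ImportNode($child, $true)
            $old = $Target.SelectSingleNode("add[@name='$($child.GetAttribute('name'))']")
            if ($old) { [void]$Target.ReplaceChild($new, $old) } else { [void]$Target.AppendChild($new) }
        } else {
            $t = $Target.SelectSingleNode($child.LocalName)
            if (-not $t) { $t = $Target.AppendChild($cfg.CreateElement($child.LocalName)) }
            Merge-Into $t $child
        }
    }
}
Merge-Into $cfg.configuration $frag.configuration
$cfg.Save($WebConfig)
```

SharePoint resolves FBA users in more than one process, so the same connection string and provider entries must also be merged into the Central Administration and SecurityTokenServiceApplication web.config files (re-run the script with $WebConfig pointing at each). With Integrated Security=True, the application pool and security token service accounts need access to the database, which aspnet_regsql provides through the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess database roles.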

Create forms-based provider and register it as a claims provider in SharePoint for Enterprise Portal:

Note: Have your SSL certificate ready as a .pfx file (including the private key), as we are going to bind this certificate to the new portal.

On the Enterprise Portal server, execute the following commands in the Microsoft Dynamics AX Management Shell:

$Cred = Get-Credential

When prompted, enter the credentials of the user that you want to set up as the site administrator of the Enterprise Portal site that will be created.

$SSLCert = Get-PfxCertificate "c:\temp\www.vendorportal.com.pfx"

Then create the claims-aware portal, either as a new web application on port 443 bound to the certificate:

New-AXClaimsAwareEnterprisePortalServer -Credential $Cred -Port 443 -SSLCertificate $SSLCert

or on an existing SharePoint web application:

New-AXClaimsAwareEnterprisePortalServer -Credential $Cred -WebApplication "ExistingWebApplicationName"

For example: New-AXClaimsAwareEnterprisePortalServer -Credential $Cred -WebApplication "DynamicsEP - 443"

Next, add a registered claims-based authentication provider to the Enterprise Portal server.

The Add-AXEnterprisePortalClaimsAuthenticationProvider cmdlet associates an existing Microsoft SharePoint Server claims authentication provider with an Enterprise Portal site. Be aware of what it does: all users of the authentication provider are added as users of the Enterprise Portal web application and are granted full control of the web application, so review the resulting SharePoint permissions afterwards. The -Name value is the name of the forms-based membership provider registered in SharePoint, and it is the same name you will pass as -UserDomain when creating users.

Add-AXEnterprisePortalClaimsAuthenticationProvider -Name FormsAuth -URL https://www.vendorportal.com:443

Create Claims Users

Let's set up an initial user in AX using the AX Management Shell. The -CreateInProvider switch creates the account in the FBA membership database as well as in AX. The password below is a sample value; use a strong one, and remember that a password typed on the command line ends up in the shell history.

New-AXUser -AccountType ClaimsUser -AXUserId IBIS -UserName IBIS -UserDomain FormsAuth -CreateInProvider -ClearTextPassword "pass@word1"
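As an added example (not code from the original article), the claims-aware portal, provider registration and first-user steps above combined into one AX Management Shell script with the checks a practitioner wants: the certificate must carry a private key, must not be about to expire and should match the portal host name; the initial password is never written into the script or the shell history; and the permissions the provider cmdlet grants on the web application are listed for review. The host name, provider name and user ID are the article's sample values; the .pfx path, the 30-day expiry margin and the 12-character minimum are assumptions.

```powershell
# Added example, not from the original article. Creates the claims-aware Enterprise Portal,
# registers the FBA provider and creates the first claims user, with the checks described in
# the lead-in. Run in the Microsoft Dynamics AX Management Shell on the Enterprise Portal server.
$PortalUrl    = 'https://www.vendorportal.com'     # article's sample host
$PfxPath      = 'c:\temp\www.vendorportal.com.pfx' # article's sample path (assumed to exist)
$ProviderName = 'FormsAuth'                        # must match the membership provider name in web.config
$AdminUserId  = 'IBIS'                             # article's sample user
$MinLength    = 12                                 # assumed: mirrors the provider's minRequiredPasswordLength

# 1. Certificate sanity checks before creating the web application on port 443.
$cert = Get-PfxCertificate $PfxPath                # prompts for the PFX password
if (-not $cert.HasPrivateKey) { throw 'The PFX does not contain a private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires on $($cert.NotAfter)" }
$hostName = ([uri]$PortalUrl).Host
if ($cert.Subject -notmatch [regex]::Escape("CN=$hostName")) {
    Write-Warning "Certificate subject '$($cert.Subject)' does not name $hostName; check its subject alternative names"
}

# 2. Site administrator credential and the claims-aware Enterprise Portal web application.
$Cred = Get-Credential -Message 'Site administrator for the new Enterprise Portal site'
New-AXClaimsAwareEnterprisePortalServer -Credential $Cred -Port 443 -SSLCertificate $cert

# 3. Associate the SharePoint forms-based provider with the portal.
Add-AXEnterprisePortalClaimsAuthenticationProvider -Name $ProviderName -URL "${PortalUrl}:443"

# 4. First claims user. New-AXUser needs the password in clear text, so read it as a
#    SecureString and only unwrap it for the duration of the call.
$secure = Read-Host "Initial password for $AdminUserId" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    if ($plain.Length -lt $MinLength) { throw "Password is shorter than the $MinLength characters the provider policy requires" }
    New-AXUser -AccountType ClaimsUser -AXUserId $AdminUserId -UserName $AdminUserId `
               -UserDomain $ProviderName -CreateInProvider -ClearTextPassword $plain
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# 5. Step 3 grants the provider's users rights on the web application; list the resulting
#    user policies so they can be reviewed rather than taken on trust.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
(Get-SPWebApplication $PortalUrl).Policies |
    Select-Object UserName, @{ n = 'Roles'; e = { ($_.PolicyRoleBindings | ForEach-Object Name) -join ',' } }
```

The password handling matters because the AX cmdlet only accepts -ClearTextPassword; reading it with -AsSecureString keeps it out of the script file and the command history, and unwrapping it inside try/finally keeps the clear-text copy alive for one call only.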

Alternate Access Mapping

Configure a friendly mapping for your portal using Alternate Access Mappings (AAM) in SharePoint Central Administration, so that the public https URL on the certificate is the one SharePoint uses when it generates links.


Dynamics AX Setup

How users are provisioned is set in System administration > Setup > Enterprise Portal > Enterprise Portal parameters.

Set the forms-based authentication provider for:

  1. Unsolicited vendor authentication (prospective vendors who register without an invitation).
  2. Vendor authentication method (users of approved vendor accounts).


Vendor Request Automatic Provisioning Workflow

This procedure explains some of the workflow tasks that are specific to the user request process.

  1. Click System administration > Setup > Workflow > User workflows.
  2. On the Action Pane, click New to create a new workflow configuration for user requests.
  3. In the Create workflow form, in the Name field, select User request workflow. Then click Create workflow.
  4. In the workflow editor, select and configure the workflow tasks.

Automated provision user – Use this task to start the user provisioning process automatically. To use this task, the Use e-mail address as user alias check box in the Enterprise Portal parameters form must be selected.

Notify user alias – Use this task to send an e-mail message to users to notify them of their user alias in Microsoft Dynamics AX. To use this task, a template must be selected in the User alias notification template field of the Enterprise Portal parameters form.

We now have an FBA site that prompts for a user name and password. The user is authenticated by the claims-aware SharePoint site against the membership database; AX trusts that site as the intermediary and, when the user request workflow completes, creates the user in AX as a claims user.


Article written by Christiaan Veerman

Christiaan Veerman is an ERP Solution Architect at I.B.I.S. and has a broad base of technical knowledge on the Microsoft technology stack. Christiaan joined I.B.I.S., Inc. in 2013, after several ERP implementations and 16 years in IT technical and management roles. He is highly focused on architectural ERP landscapes and specializes in Microsoft Dynamics AX projects.
