
Wrong redirect URI when using OAuth with AAD (http instead of https) #3612

Open
ChrisChristophers opened this issue Aug 16, 2024 · 38 comments

Comments

ChrisChristophers commented Aug 16, 2024

Describe the issue
The redirect URI uses http instead of https despite us using https in the script
(note: our frontend.endpoint in traefik is http because we use a load balancer for handling https)
[image]
but that shouldn't affect the redirection from the application, right?
When trying to connect to the container, the redirect URL contains:
......&redirect_uri=http%3A%2F%2Fbctest.sw.data.com%2Fbc-test-aad%2FSignIn......
and brings this error, since you can't use http in AAD:
[image]

If I manually change http to https it works perfectly fine. Why is the URL wrong, though? Is it overwritten in the script at some point?

Script for creating the container:

$tenantId = "xxxxxxx-ea12-1234-1234-xxxxxxxxxx" 
$applicationId = "xxxxxxx-ea90-4473-8287-xxxxxxxxxx" 
$applicationIdUri = "api://xxxxxxx-ea90-4473-8287-xxxxxxxxxx" 
$redirectUrl = "https://bctest.sw.data.com/bc-test-aad/SignIn"
 
$federationLoginEndpoint = "https://login.microsoftonline.com/$tenantId/wsfed?wa=wsignin1.0%26wtrealm=$applicationIdUri%26wreply=$redirectUrl"
$federationMetadataLocation = "https://login.microsoftonline.com/$tenantId/FederationMetadata/2007-06/FederationMetadata.xml"
 
$containerName = 'bc-test-aad'
$multitenant = $false
$BCDatabaseUser = "BcContainer"
$BCDatabasePassword = "PASSWORD"
$databaseName = "bc-test-aad"
$databaseCredential = New-Object System.Management.Automation.PSCredential -argumentList $BCDatabaseUser, (ConvertTo-SecureString -String $BCDatabasePassword -AsPlainText -Force)
$20ArtifactUrl = Get-BCArtifactUrl -country "de" -type OnPrem -select Latest ##-Version "21.4"
$partnerLicense = "C:\Install\240411.bclicense"
 
 
 
New-BCContainer `
    -accept_eula `
    -containerName $containerName `
    -multitenant:$multitenant `
    -updateHosts `
    -artifactUrl $20ArtifactUrl `
    -memoryLimit 10G `
    -EnableTaskScheduler:$false `
    -licenseFile $partnerLicense `
    -Credential $databaseCredential `
    -databaseServer 'host.containerhelper.internal' `
    -databaseInstance '' `
    -databaseName $databaseName `
    -databaseCredential $databaseCredential `
    -accept_outdated `
    -useTraefik `
    -PublicDnsName 'bctest.sw.data.com' `
    -shortcuts None `
    -alwaysPull `
    -useSSL `
    -auth AAD `
    -AadAppId $applicationId `
    -AadAppIdUri $applicationIdUri `
    -authenticationEMail "[email protected]" `
    -additionalParameters @(
        "-v C:\Install:C:\Install",
        "--env appIdUri=$applicationIdUri",
        "--env federationLoginEndpoint=$federationLoginEndpoint",
        "--env federationMetadata=$federationMetadataLocation",
        "--env [email protected]"
        )

        

BCContainerhelper version 6.0.19
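The mismatch described in this post can be checked offline. The Python below is an added example and is not part of the issue, of BcContainerHelper or of Business Central: it pulls the redirect_uri out of an authorization request (a constructed sample that carries the encoded value quoted in the post; the tenant id, client id and remaining parameters are placeholders), compares it component by component with the redirect URL registered in the script, and then shows the general rule an application behind a TLS-terminating load balancer needs in order to build the right scheme: honour X-Forwarded-Proto only when it arrives from a trusted proxy. Whether BC and traefik exchange that header is not established by this thread; the function names, the header handling and the trusted_proxies parameter are assumptions of this example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the authorization request the reporter was redirected to.
# Only the redirect_uri value is taken from the issue; tenant id, client id and
# the other parameters are placeholders for this example.
SAMPLE_AUTH_REQUEST = (
    "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/authorize"
    "?client_id=APP-ID-PLACEHOLDER"
    "&response_type=id_token"
    "&redirect_uri=http%3A%2F%2Fbctest.sw.data.com%2Fbc-test-aad%2FSignIn"
    "&response_mode=form_post"
)

# Redirect URL registered for the app, as set in the reporter's container script.
REGISTERED_REDIRECT_URL = "https://bctest.sw.data.com/bc-test-aad/SignIn"


def extract_redirect_uri(auth_request_url: str) -> str:
    """Return the percent-decoded redirect_uri parameter of an authorization request."""
    query = parse_qs(urlsplit(auth_request_url).query)
    values = query.get("redirect_uri")
    if not values:
        raise ValueError("authorization request carries no redirect_uri parameter")
    return values[0]  # parse_qs has already percent-decoded the value


def compare_redirect(sent: str, registered: str) -> dict:
    """List the components in which the sent redirect_uri differs from the registered one.

    Identity providers match redirect URIs as exact strings, so a scheme
    difference alone (http vs https) is enough for the request to be rejected.
    """
    s, r = urlsplit(sent), urlsplit(registered)
    return {
        "matches": sent == registered,
        "scheme": None if s.scheme == r.scheme else (s.scheme, r.scheme),
        "host": None if s.netloc == r.netloc else (s.netloc, r.netloc),
        "path": None if s.path == r.path else (s.path, r.path),
    }


def public_scheme(request_scheme: str, headers: dict, peer_ip: str, trusted_proxies: set) -> str:
    """Scheme an application should use in URLs it hands out when TLS may be offloaded.

    Behind a TLS-terminating load balancer the application receives plain http,
    so the scheme it observes is wrong for URLs that clients and identity providers
    will use. The usual remedy is the X-Forwarded-Proto header, but it must be
    honoured only when the immediate peer is a proxy we trust; any other client
    could otherwise set the header and steer which scheme ends up in those URLs.
    """
    if peer_ip not in trusted_proxies:
        return request_scheme
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return forwarded if forwarded in ("http", "https") else request_scheme


if __name__ == "__main__":
    sent = extract_redirect_uri(SAMPLE_AUTH_REQUEST)
    print("redirect_uri sent:      ", sent)
    print("redirect_uri registered:", REGISTERED_REDIRECT_URL)
    print("difference:", compare_redirect(sent, REGISTERED_REDIRECT_URL))
    # The same plain-http request as seen by the app, with the proxy header
    # honoured (trusted peer) and ignored (unknown peer).
    print("scheme via trusted proxy:", public_scheme("http", {"X-Forwarded-Proto": "https"}, "10.0.0.5", {"10.0.0.5"}))
    print("scheme via unknown peer: ", public_scheme("http", {"X-Forwarded-Proto": "https"}, "203.0.113.9", {"10.0.0.5"}))
```

Running it reports that the only differing component is the scheme, which is exactly the situation the reporter fixed by hand; the last two lines show why the trusted-proxy condition matters, since the same header from an untrusted peer is ignored.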

freddydk (Contributor) commented:

I think this is caused by the fact that BC offloads the handling of SSL to traefik when running traefik - and as such, BC doesn't know it is running SSL.

Could you paste CustomSettings.config from the container here?
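freddydk's working theory is that the server does not know TLS is terminated at traefik. One way to see that state in the CustomSettings.config he asks for is to line up the scheme of each Public*BaseUrl with the *ServicesSSLEnabled flag of the same service. The Python below is an added example, not code from the issue or from BcContainerHelper: it parses a constructed excerpt containing the keys and values of the config posted later in the thread (with the host from the first post), and the naming rule that pairs PublicODataBaseUrl with ODataServicesSSLEnabled, PublicSOAPBaseUrl with SOAPServicesSSLEnabled and so on is this example's assumption, not a documented relationship in BC.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt in the shape of the CustomSettings.config posted in the
# issue, reduced to the keys this check reads.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<appSettings>
  <add key="ClientServicesSSLEnabled" value="false" />
  <add key="SOAPServicesSSLEnabled" value="false" />
  <add key="ODataServicesSSLEnabled" value="false" />
  <add key="DeveloperServicesSSLEnabled" value="false" />
  <add key="PublicODataBaseUrl" value="https://bctest.sw.data.com/bc-test-aadrest/odata" />
  <add key="PublicSOAPBaseUrl" value="https://bctest.sw.data.com/bc-test-aadsoap/ws" />
  <add key="PublicWebBaseUrl" value="https://bctest.sw.data.com/bc-test-aad" />
  <add key="PublicWinBaseUrl" value="DynamicsNAV://bctest.sw.data.com:7046/BC/" />
</appSettings>
"""


def load_settings(xml_text: str) -> dict:
    """Read an appSettings document into a key -> value dictionary."""
    root = ET.fromstring(xml_text)
    return {el.get("key"): el.get("value", "") for el in root.iter("add") if el.get("key")}


def tls_offload_report(settings: dict) -> dict:
    """For every Public*BaseUrl, compare its scheme with the matching *ServicesSSLEnabled flag.

    Statuses (assumed names for this example):
      tls-offloaded        public URL is https but the service itself has SSL off,
                           i.e. something in front of the server terminates TLS
      public-url-not-https service has SSL on but advertises a plain http URL
      no-ssl-flag          this config has no SSL flag for that service
      consistent           scheme and flag agree
    """
    report = {}
    for key, value in settings.items():
        if not (key.startswith("Public") and key.endswith("BaseUrl")):
            continue
        service = key[len("Public"):-len("BaseUrl")]  # OData, SOAP, Web, Win
        scheme = urlsplit(value).scheme.lower()
        flag = settings.get(f"{service}ServicesSSLEnabled")
        if flag is None:
            status = "no-ssl-flag"
        elif scheme == "https" and flag.lower() == "false":
            status = "tls-offloaded"
        elif scheme == "http" and flag.lower() == "true":
            status = "public-url-not-https"
        else:
            status = "consistent"
        report[service] = {"scheme": scheme, "ssl_flag": flag, "status": status}
    return report


if __name__ == "__main__":
    for service, row in tls_offload_report(load_settings(SAMPLE_CONFIG)).items():
        print(f"{service:6} scheme={row['scheme']:11} ssl_flag={row['ssl_flag']!s:5} {row['status']}")
```

Run against the posted config, every service that has an SSL flag comes out as tls-offloaded: the public URLs promise https while the server-side endpoints speak plain http, which is the arrangement the useTraefik switch sets up and the starting point for freddydk's explanation.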

ChrisChristophers (Author) commented:

Sure thing. (I replaced the application ID.)

File: CustomSettings.txt

Content:

<?xml version="1.0" encoding="utf-8"?>
<appSettings>
  <!--
    The network protocol used to access the database.
    Valid options: Default, NamedPipes, Sockets
  -->
  <add key="NetworkProtocol" value="Default" />
  <!--
    Name of the database server to connect to.
  -->
  <add key="DatabaseServer" value="host.containerhelper.internal" />
  <!--
    Name of the database instance to connect to.
  -->
  <add key="DatabaseInstance" value="" />
  <!--
    Name of the database to connect to.
  -->
  <add key="DatabaseName" value="bc-test-aad" />
  <!--
    The degree of parallelism (DOP) value to use for rebuilding indexes during upgrade. The setting applies only if the setting is set higher than the database’s MAXDOP setting.
  -->
  <add key="DegreeOfParallelismForUpgrade" value="3" />
  <!--
    Database user name, specified when SQL authentication is used.
  -->
  <add key="DatabaseUserName" value="BcContainer" />
  <!--
    Protected database password, specified when SQL authentication is used.
  -->
  <add key="ProtectedDatabasePassword" value="Cf4PweAvvKOf0FBsH9/suoKjLBj7nFq3RDcQpPVSVjwPBVoB4GsBd6hEJkvnjOUqUo2fc3xFya7O9HP9Snf6MPRZh3wEWcJYdEKNYkQYRejGD1+UVXwgCg9PdW9vYpfXpYnp/K3aM58HCxefm/q57L+vPBEv1iCoY4SlTMw3vnOJrBfhIoLl0m410WgU0NMqE6pw0XVgobAWKcrGkYgQga/nlIuHsR5Aco+9J/r4PZ/ycJYonVaqQ+/5M6zAiK33hzG8Ad+aNZ32BMVQFhRCdrXeIAL9TTQnxQZlZzXWIQhNA0/+eXxBfygwGkf8ROoCMraZTXAu/vvI1GeMeByPAQ==" />
  <!--
    Configures the server to request encryption on the SQL Connections used against the database.
  -->
  <add key="EnableSqlConnectionEncryption" value="true" />
  <!--
    Configures the server to trust the SQL Server certificate.
  -->
  <add key="TrustSQLServerCertificate" value="true" />
  <!--
    Name of the Microsoft Dynamics NAV Server instance to connect
    to (for client) or listen on (for server).
  -->
  <add key="ServerInstance" value="BC" />
  <!-- 
    Specifies whether the debugger should collect the last used SQL statements and show them in the debugger.
  -->
  <add key="EnableSqlInformationDebugger" value="true" />
  <!-- 
    Specifies the amount of SQL statements used in the debugger; the higher number you choose, the more data will be sent to the debugger.
  -->
  <add key="AmountOfSqlStatementsInDebugger" value="10" />
  <!-- 
    Specifies whether long running SQL statements will be shown in the debugger.
  -->
  <add key="EnableLongRunningSqlStatementsInDebugger" value="true" />
  <!-- 
    Specifies the amount of time (in milliseconds) that an SQL query can run before it is logged in debugger telemetry.
  -->
  <add key="LongRunningSqlStatementsInDebuggerThreshold" value="500" />
  <!--
    The listening TCP port for the Microsoft Dynamics NAV Server.
    This is part of the server's URL.
    Valid range: 1-65535
  -->
  <add key="ClientServicesPort" value="7046" />
  <!--
    The listening HTTP port for the Microsoft Dynamics NAV
    Business Web Services.
    This is part of the web service's URL.
    Valid range: 1-65535
  -->
  <add key="SOAPServicesPort" value="7047" />
  <!--
    The listening HTTP port for the Microsoft Dynamics NAV
    OData services.
    This is part of the data service's URL.
    Valid range: 1-65535
  -->
  <add key="ODataServicesPort" value="7048" />
  <!--
    The listening TCP port for the Microsoft Dynamics NAV management Endpoint.
    Valid range: 1-65535
  -->
  <add key="ManagementServicesPort" value="7045" />
  <!--
    Configures the server to support management services.
  -->
  <add key="ManagementServicesEnabled" value="true" />
  <!--
    The listening HTTP port for the Business Central management API endpoint.
    Valid range: 1-65535
  -->
  <add key="ManagementApiServicesPort" value="7086" />
  <!--
    Turns on or off the https for management API services.
  -->
  <add key="ManagementApiServicesSSLEnabled" value="false" />
  <!--
    Configures the server to support management API services.
  -->
  <add key="ManagementApiServicesEnabled" value="true" />
  <!--
    Configures the server to support connections from the Microsoft Dynamics NAV clients.
  -->
  <add key="ClientServicesEnabled" value="true" />
  <!--
    Turns on or off the https for client services.
  -->
  <add key="ClientServicesSSLEnabled" value="false" />
  <!--
    Configures the server to support running automated tests.
  -->
  <add key="TestAutomationEnabled" value="true" />
  <!--
      Sets the list of allowed .Net methods which can be invoked from a page background task completion trigger.
      The syntax is in the form '(methodName ; fullyQualifiedAssemblyName), (methodName ; fullyQualifiedAssemblyName)'.
      Example syntax: (insert; System.Data.SQLite, PublicKeyToken=db937bc2d44ff139)
  -->
  <add key="PageBackgroundTaskAllowedAutomationMethods" value="(Update,BusinessChart;PublicKeyToken=a4af7ee0f073bc1a),(SerializeObject,Newtonsoft.Json.JsonConvert;PublicKeyToken=30ad4fe6b2a6aeed)" />
  <!--
    The listening TCP port for the Microsoft Dynamics NAV Development Services Endpoint.
    Valid range: 1-65535
  -->
  <add key="DeveloperServicesPort" value="7049" />
  <!--
    The listening TCP port for the Microsoft Dynamics NAV Reporting Service Endpoint.
    Valid range: 0 - 65535. If the setting is set to 0, a random port will be chosen every time the Reporting Service is started.
  -->
  <add key="ReportingServicePort" value="0" />
  <!--
    The listening TCP port for the Microsoft Dynamics NAV NetFxComponents.Service Endpoint.
    Valid range: 0 - 65535. If the setting is set to 0, a random port will be chosen every time the NetFxComponents.Service is started.
  -->
  <add key="NetFxComponentsServicePort" value="0" />
  <!--
    The URI that the NetFxComponentsService is hosted on.
  -->
  <add key="NetFxComponentsServiceUri" value="http://localhost/" />
  <!--
    Specifies the maximum permitted size of a Dynamics 365 Business Central Developer web services request, in bytes.
  -->
  <add key="DeveloperServicesMaxRequestLength" value="419430400" />
  <!--
    Configures the server to support development services.
  -->
  <add key="DeveloperServicesEnabled" value="true" />
  <!--
    Turns on or off the https for development services.
  -->
  <add key="DeveloperServicesSSLEnabled" value="false" />
  <!--
     Defines the port used by the snapshot debugger
    -->
  <add key="SnapshotDebuggerServicesPort" value="7083" />
  <!--
      Specifies if snapshot debugging is allowed.
    -->
  <add key="SnapshotDebuggerEnabled" value="true" />
  <!--
      Specifies if sampling profiling is allowed allowed.</value>
    -->
  <add key="SamplingProfilingEnabled" value="true" />
  <!--
      Specifies whether the application permissions are loaded from the application database or from the extensions. If true, the permission sets from extensions will be used. If false, the permissions sets from the application database will be used.
    -->
  <add key="UsePermissionSetsFromExtensions" value="true" />
  <!--
      Turns on or off the https for snapshot debugger services.
    -->
  <add key="SnapshotDebuggerServicesSSLEnabled" value="false" />
  <!--
    Specifies the allowed target level when publishing extensions. Note that this setting can be used to enable restricted APIs and .NET interoperability features.
  -->
  <add key="ExtensionAllowedTargetLevel" value="Internal" />
  <!--
    Specifies a list of required extensions that cannot be uninstalled from the Extension Management page in the client. The extensions can still be uninstalled by using the Uninstall-NAVApp cmdlet of the Administration Shell.
    You specify an extension by its AppID (which is a GUID). When you have more than one extension, separate each AppID with a semicolon. The AppID for the deafult BaseApp extension is 437dbf0e-84ff-417a-965d-ed2bb9650972 and default System Application extension is 63ca2fa4-4f03-4f2b-a480-172fef340d3f.
   -->
  <add key="RequiredExtensions" value="" />
  <!--
    Specifies the ID of the extension whose version number will show as the Application Version on the client's Help and Support page. Typically, you'd use the extension considered to be your solution's base application. If your solution uses the Microsoft Base Application, set the value to 437dbf0e-84ff-417a-965d-ed2bb9650972.
  -->
  <add key="SolutionVersionExtension" value="00000000-0000-0000-0000-000000000000" />
  <!--
    Configures whether fonts are embedded in PDF files that are generated for reports.
    The setting applies to reports that are run server-side and client-side.
  -->
  <add key="ReportPDFFontEmbedding" value="true" />
  <!--
    Specifies whether application domain isolation is used for rendering custom RDLC layouts. This setting pertains to on-premise installations only.
    Enabling application domain isolation (true) provides a more secure and reliable environment for processing custom RDLC layouts;
    however, it can considerably increase the time it takes to render reports. This is the default setting. Disabling application domain
    isolation (false) can improve the rendering time but might have a negative impact on security and reliability.
  -->
  <add key="ReportAppDomainIsolation" value="true" />
  <!--
    Specifies whether On-Premises Windows printers should be enbled for PDF document prints.
  -->
  <add key="EnableWindowsPdfPrint" value="true" />
  <!--
    Specifies the printer timeout for printing pdf documents for direct windows printing On-Premises.
  -->
  <add key="WindowsPdfPrintTimeout" value="00:10:00" />
  <!--
    Specifies a JSON array of probibited printer names. These printers cannot be used for server side printing.
  -->
  <add key="ProhibitedReportServerPrinters" value="[&quot;Microsoft Print to PDF&quot;,&quot;Microsoft XPS Document Writer&quot;]" />
  <!-- 
   Specifies the maximum number of rows that can be processed in a report. If exceeded, the report will be canceled by the server. 
   To turn off this limit set the value to MaxValue.
  -->
  <add key="ReportMaxRows" value="10000000" />
  <!--
   Specifies the default maximum number of rows that can be processed in a report if nothing is specified in metadata.
  -->
  <add key="ReportDefaultMaxRows" value="500000" />
  <!-- 
   Specifies the maximum execution time for a report to be generated. If exceeded, the report will be canceled by the server. 
   Time interval format: [dd.]hh:mm:ss[.ff]
   To turn off this timeout set the value to MaxValue.
  -->
  <add key="ReportTimeout" value="12:00:00" />
  <!--
   Specifies the default maximum execution time for a report if nothing is specified in metadata.
  -->
  <add key="ReportDefaultTimeout" value="06:00:00" />
  <!-- 
   Specifies the maximum number of documents that can be merged when using WordMergeDataItem. If exceeded, the report will be canceled by the server. 
   To turn off this limit set the value to MaxValue.
  -->
  <add key="ReportMaxDocuments" value="500" />
  <!-- 
   Specifies the default maximum number of documents that can be processed in a document report if nothing is specified in metadata.
  -->
  <add key="ReportDefaultMaxDocuments" value="200" />
  <!-- 
   Specifies the maximum number of rows that can be returned by a query. If exceeded, the query will be canceled by the server.
   To turn off this limit set the value to MaxValue.
  -->
  <add key="QueryMaxRows" value="MaxValue" />
  <!-- 
   Specifies the maximum execution time for a query to be computed. If exceeded, the query will be canceled by the server. 
   Time interval format: [dd.]hh:mm:ss[.ff]
   To turn off this timeout set the value to MaxValue.
  -->
  <add key="QueryTimeout" value="MaxValue" />
  <!--
    Specifies whether users can open or save a report that is based on an RDLC report layout as Microsoft Word document from the report request page.
    If you clear this check box, the Word option is removed from the Print menu on the request page.
  -->
  <add key="EnableSaveToWordForRdlcReports" value="true" />
  <!--
    Specifies whether users can open or save a report that is based on an RDLC layout as Microsoft Excel document from the report request page.
    If you clear this check box, the Excel option is removed from the Print menu on the request page.
  -->
  <add key="EnableSaveToExcelForRdlcReports" value="true" />
  <!--
    Specifies whether users can save a report as a PDF, Microsoft Word, or Microsoft Excel document from the report preview window.
    If you clear this check box, the Save As icon is removed from the report preview window.
  -->
  <add key="EnableSaveFromReportPreview" value="true" />
  <!--
    Configures the server to support SOAP web services.
  -->
  <add key="SOAPServicesEnabled" value="true" />
  <!--
    Configures the server to support OData web services.  This will be used by ODataV4.
  -->
  <add key="ODataServicesEnabled" value="true" />
  <!--
    Configures whether the ODataV4 service endpoint will be enabled.
  -->
  <add key="ODataServicesV4EndpointEnabled" value="true" />
  <!--
    Turns on or off the https for SOAP Services
  -->
  <add key="SOAPServicesSSLEnabled" value="false" />
  <!--
    Turns on or off the https for OData Services
  -->
  <add key="ODataServicesSSLEnabled" value="false" />
  <!--
    Specifies the maximum number of OData connections before returning a 503 error.
    To disable throttling set the value to 0.
  -->
  <add key="ODataMaxConnections" value="0" />
  <!--
    Specifies the maximum number of OData connections (per tenant) before returning a 429 error.
    To disable per-tenant throttling set the value to 0.
  -->
  <add key="ODataMaxConnectionsPerTenant" value="0" />
  <!--
    Specifies the maximum number of concurrent OData V4 connections per tenant which server can actively process. Set value to 0 to disable.
  -->
  <add key="ODataV4MaxConcurrentRequests" value="5" />
  <!--
    Specifies the rate (in miliseconds) between checks if a side service process is still alive.
  -->
  <add key="SideServiceProcessAliveCheckRate" value="00:00:10" />
  <!--
    Specifies if RDLC reports should be rendered in an external process or in the main server process.
  -->
  <add key="ReportingServiceIsSideService" value="true" />
  <!--
    Specifies the amount of time the Reporting Service waits to establish a connection.
  -->
  <add key="ReportingServiceEstablishConnectionTimeout" value="00:00:05" />
  <!--
    Specifies if NetFxComponents.Service should be started as a side service.
  -->
  <add key="NetFxComponentsServiceIsSideService" value="false" />
  <!--
    Specifies the amount of time the NetFxComponents.Service waits to establish a connection.
  -->
  <add key="NetFxComponentsServiceEstablishConnectionTimeout" value="00:00:05" />
  <!--
    Specifies the maximum number of outstanding OData V4 connections per tenant before returning a 429 error. Set value to 0 to disable.
  -->
  <add key="ODataV4MaxRequestQueueSize" value="95" />
  <!--
    Specifies the JSON-serialized list of application object ids exempt from OData read only GET requests.
  -->
  <add key="ODataReadonlyGetDisabledForObjects" value="[]" />
  <!--
    Specifies if the server should set read only intent on all OData GET requests.
  -->
  <add key="ODataReadonlyGetEnabled" value="true" />
  <!--
    Specifies the maximum number of concurrent SOAP connections per tenant which server can actively process. Set value to 0 or int.MaxValue to disable.
  -->
  <add key="SOAPMaxConcurrentRequests" value="5" />
  <!--
    Specifies the maximum number of outstanding SOAP connections per tenant before returning a 429 error. Set value to int.MaxValue to disable.
  -->
  <add key="SOAPMaxRequestQueueSize" value="95" />
  <!--
    Specifies the maximum number of SOAP connections before returning an error.
    To disable throttling set the value to 0.
  -->
  <add key="SOAPMaxConnections" value="0" />
  <!--
    Specifies the maximum number of SOAP connections (per tenant) before returning an error.
    To disable per-tenant throttling set the value to 0.
  -->
  <add key="SOAPMaxConnectionsPerTenant" value="0" />
  <!--
    Specifies the global limit of concurrent OData requests which the server can actively process.
    This is a global limit for all users across all tenants.
  -->
  <add key="ODataMaxConcurrentRequestsGlobalLimit" value="500" />
  <!--
    Specifies the global limit of outstanding OData requests before returning a 429 error.
    This is a global limit for all users across all tenants.
  -->
  <add key="ODataMaxRequestQueueSizeGlobalLimit" value="9500" />
  <!--
    Specifies the maximum number of concurrent OData requests per user which the server can actively process.
    This is a per user limit.
  -->
  <add key="ODataMaxConcurrentRequestsPerUser" value="5" />
  <!--
    Specifies the global limit of outstanding OData requests before returning a 429 error.
    This is a global limit for all users across all tenants.
  -->
  <add key="ODataMaxRequestQueueSizePerUser" value="95" />
  <!--
    Specifies the global limit of concurrent API requests which the server can actively process.
    This is a global limit for all users across all tenants.
  -->
  <add key="APIMaxConcurrentRequestsGlobalLimit" value="500" />
  <!--
    Specifies the global limit of outstanding API requests before returning a 429 error.
    This is a global limit for all users across all tenants.
  -->
  <add key="APIMaxRequestQueueSizeGlobalLimit" value="9500" />
  <!--
    Specifies the maximum number of concurrent API requests per user which the server can actively process.
    This is a per user limit.
  -->
  <add key="APIMaxConcurrentRequestsPerUser" value="5" />
  <!--
    Specifies the global limit of outstanding API requests before returning a 429 error.
    This is a global limit for all users across all tenants.
  -->
  <add key="APIMaxRequestQueueSizePerUser" value="95" />
  <!--
      Specifies the time allowed for a OData operation before returning a RequestTimeout error.
      To turn off this timeout set the value to MaxValue or 00:00:00.
    -->
  <add key="ODataServicesOperationTimeout" value="00:08:00" />
  <!--
      Specifies the time allowed for a SOAP operation before returning a timeout error.
      To turn off this timeout set the value to MaxValue or 00:00:00.
    -->
  <add key="SOAPServicesOperationTimeout" value="00:10:00" />
  <!--
    The public URL for accessing OData services.
    The URL must have the following format:
         http[s]://<hostname>:<port>/<nav-instance>/
    For example
         https://Cronus.Nav.net:7048/dynamicsnav/
  -->
  <add key="PublicODataBaseUrl" value="https://bctest.sw.$CompanyName.com/bc-test-aadrest/odata" />
  <!--
    The public URL for accessing SOAP web services.
    The URL must have the following format:
         http[s]://<hostname>:<port>/<nav-instance>/WS/
    For example
         https://Cronus.Nav.net:7047/dynamicsnav/WS/
  -->
  <add key="PublicSOAPBaseUrl" value="https://bctest.sw.$CompanyName.com/bc-test-aadsoap/ws" />
  <!--
    The public URL for Web Clients to access the Web Server.
    The url must have the following format:
         http[s]://<hostname>:<port>/<nav-instance>/Webclient/
    For example
         https://Cronus.Nav.net:443/dynamicsnav/Webclient/
  -->
  <add key="PublicWebBaseUrl" value="https://bctest.sw.$CompanyName.com/bc-test-aad" />
  <!--
    The public URL for accessing Windows (RTC) clients.
    The URL must have the following format:
         dynamicsnav://<hostname>:<port>/<nav-instance>/
    For example
         dynamicsnav://Cronus.Nav.net:7085/dynamicsnav/
  -->
  <add key="PublicWinBaseUrl" value="DynamicsNAV://bctest.sw.$CompanyName.com:7046/BC/" />
  <!--
    The default client type.

    This is used in order to define URLs when the GetUrl method is called with the client type set to Default.
    The value must be one of the following; Windows, Web, SOAP, or OData.
  -->
  <add key="DefaultClient" value="Web" />
  <!--
    The Option format to use with SOAP web services and OData services.

    The value must be one of the following; OptionCaption, OptionString.
    The service will deliver the option value in the specified format and will expect it in the same format back
  -->
  <add key="ServicesOptionFormat" value="OptionCaption" />
  <!--
    The Global Language to use to use with SOAP web services and OData services.

    The value must be a valid CultureInfo string like en-US or da-DK.
  -->
  <add key="ServicesLanguage" value="en-US" />
  <!--
    Sets the last year of a 100-year range that can be represented by a 2-digit year. If this value is specified as a negative number, the value will be read from the current server culture settings.
  -->
  <add key="CalendarTwoDigitYearMax" value="-1" />
  <!--
    Maximum permitted size of a SOAP and OData Services request, in kilobytes
  -->
  <add key="SOAPServicesMaxMsgSize" value="65536" />
  <!--
    Turns on or off NTLM authentication protocol for SOAPServices and ODataServices
        false: Use SPNEGO for SOAPServices or Windows for ODataServices (recommended)
        true: Use NTLM only
  -->
  <add key="ServicesUseNTLMAuthentication" value="false" />
  <!--
    The default time zone in which WebService, OData and NAS calls are run.
    Supported values "UTC" (the default), "Server Time Zone"
    (the time zone of the server), or the ID of a Windows
    time zone defined in the system registry under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones,
    for example "Romance Standard Time"
  -->
  <add key="ServicesDefaultTimeZone" value="UTC" />
  <!--
    The default company that is used for Client, OData, and NAS Services.
  -->
  <add key="ServicesDefaultCompany" value="" />
  <!--
    Maximum permitted page size of a Data Services response, in number of entities
  -->
  <add key="ODataServicesMaxPageSize" value="20000" />
  <!--
    Maximum time in seconds a call from the client to the server
    may take to return.
    Time span format: [dd.]hh:mm:ss[.ff]
        dd: days
        hh: hours
        mm: minutes
        ss: seconds
        ff: fractions of a second
    Or "MaxValue" to indicate there is no timeout.
  -->
  <add key="ClientServicesOperationTimeout" value="MaxValue" />
  <!--
    The security services used to protect the client/server data stream.
    Valid options: EncryptAndSign, Sign, None
  -->
  <add key="ClientServicesProtectionLevel" value="EncryptAndSign" />
  <!--
    Maximum number of concurrent client calls that can be active on the
    Microsoft Dynamics NAV Server. To disable this setting set the value
    to "MaxValue".
  -->
  <add key="MaxConcurrentCalls" value="1000" />
  <!--
    The maximum number of concurrent client connection that the service
    will accept. To disable this setting set the value to "MaxValue".
  -->
  <add key="ClientServicesMaxConcurrentConnections" value="4000" />
  <!--
    Threshold for when to start compressing data sets to avoid that they
    consume prohibitive amounts of memory.
  -->
  <add key="ClientServicesCompressionThreshold" value="64" />
  <!--
    Limits the size of files that can be uploaded in order to avoid out of memory errors. This value is in megabytes.
  -->
  <add key="ClientServicesMaxUploadSize" value="350" />
  <!--
    With the EnableDebugging flag set to true the Microsoft Dynamics NAV Server
      will start with debugging mode enabled.  This mode has three main functions:
    1)	Upon first connection by a RoleTailored Client all C# for that application
        will be generated.
    2)	C# files will be persisted between server restarts.
    3)  Application Objects will be compiled with debug information.
  -->
  <add key="EnableDebugging" value="false" />
  <!--
    Specifies whether C/AL debugging is allowed for this Microsoft Dynamics NAV Server instance.
  -->
  <add key="DebuggingAllowed" value="true" />
  <!--
    Specifies whether SQL tracing is allowed on the server instance. If set to false, SQL tracing cannot be enable on the client sessions.
  -->
  <add key="SqlTracingAllowed" value="true" />
  <!--
      Limits the size of the body of requests that can be received through Web Services.
  -->
  <add key="ODataMaxBodySize" value="350" />
  <!--
    Specifies the number of seconds that a blocked transaction waits for the blocking lock to be released.
    If the timeout value is exceeded, the transaction is terminated, and an error is returned.
    The value that you set will override the $ndo$dbproperty.locktimeoutperiod value in the application database.
    If you do not want to override the $ndo$dbproperty.locktimeoutperiod value, leave this value blank.
    If you do not want a timeout, meaning that transactions will wait indefinitely, set the value to -1.
  -->
  <add key="SqlLockTimeoutOverride" value="0" />
  <!--
    Sets the maximum number of items to serialize or deserialize.
  -->
  <add key="ClientServicesMaxItemsInObjectGraph" value="512" />
  <!--
    Sets the default size of a chunk, in KB. Should be a value between 4 and 80.
  -->
  <add key="ClientServicesChunkSize" value="28" />
  <!--
    Limit the file types that can't be uploaded to or downloaded from the server, by definig a list of prohibited file types.
    Possible ways of setting this:
    1) * - all file types prohibited.
    2) Empty string or not specified - default value will be used.
    3) Whitespace string ("" "") - all file types will be allowed.
    4) List of file types separated by a semicolon (;) - for example "txt;xml;pdf" will prohibit the file types txt, xml and pdf.
    Trailing semi-colons will be ignored.
  -->
  <add key="ClientServicesProhibitedFileTypes" value="ade;adp;asp;bas;bat;chm;cmd;com;cpl;csh;exe;fxp;gadget;hlp;hta;inf;ins;isp;its;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msi;msp;mst;ops;pcd;pif;prf;ps1;psm1;prg;pst;reg;scf;scr;sct;shb;shs;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh" />
  <!--
    Limit the file types that can be uploaded to or downloaded from the serverby specifying a semicolon-separated list of allowed file types.
    If the key is not specified or the value is empty, then the "ClientServicesProhibitedFileTypes" setting is used.
    Any non-empty list of "ClientServicesAllowedFileTypes" will disable "ClientServicesProhibitedFileTypes" setting.
    Possible ways of setting this:
    1)  * - all file types allowed.
    2) Empty string or not specified - ClientServicesProhibitedFileTypes setting will be taken into account.
    3) List of file types separated by a semicolon (;) - for example "txt;xml;pdf" will allow only the file types txt, xml and pdf.
    Trailing semi-colons will be ignored.
  -->
  <add key="ClientServicesAllowedFileTypes" value="" />
  <!--
    This is codeunit-id that contains the method that will be called by the NASServicesStartupMethod.
    Examples are value="", the NAS does not start (default) value="1", runs the trigger specified by NASServicesStartupMethod key in codeunit 1
  -->
  <add key="NASServicesStartupCodeunit" value="" />
  <!--
    Specifies whether the NAS service runs with administrator rights instead of the rights granted by the Microsoft Dynamics NAV Server service account.
  -->
  <add key="NASServicesRunWithAdminRights" value="false" />
  <!--
    Specifies whether the deadlock monitoring is enabled on the server.
  -->
  <add key="EnableDeadlockMonitoring" value="false" />
  <!--
        Specifies whether the lock timeout monitoring is enabled on the server.
    -->
  <add key="EnableLockTimeoutMonitoring" value="false" />
  <!--
    This is method name that will be called by the NAS at startup.
    Examples are value="", runs the OnRun trigger (default) value="StartNAS", runs the StartNAS method in the codeunit specified NASServicesStartupCodeunit
  -->
  <add key="NASServicesStartupMethod" value="" />
  <!--
    This is the argument that will be used by the NAS when it starts up.
  -->
  <add key="NASServicesStartupArgument" value="" />
  <!--
    When this value is set to true, then the NAS will startup with a 60 sec delay.
  -->
  <add key="NASServicesEnableDebugging" value="false" />
  <!--
    The type of client credential used for authentication.
    Possible values:
          Windows               - Windows authentication is used, and the client will connect as the "current user".
                                  This user is expected to be the same and known to both server and client.
                                  This is the default mode and is typically used on a LAN with Active Directory.
                                  In this mode X.509 certificates are not used and the certificate options set below are ignored.
          UserName              - Windows authentication on the server. The client is expected to present a username/password
                                  identifying a Windows user known (created) on the server.
                                  Typically the client will ask for these credentials and pass them to the server.
                                  Certificates are used to protect the passing of credentials.
                                  This is typically used when only the server is part of an Active Directory, or
                                  when the client is not trusted, e.g. connection over a WAN/Internet.
          AccessControlService  - Authentication is handled by Windows Azure Access Control Service or Microsoft Azure Active Directory.
                                  To support Windows Azure Access Control Service, you must specify the symmetric key for signing in ClientServicesTokenSigningKey.
                                  To support Microsoft Azure Active Directory, you must specify the federation metadata location in WSFederationLoginEndpoint.
                                  Web services (SOAP and OData) are configured for OAuth authentication. You must specify AppIdUri and WSFederationLoginEndpoint.
          NavUserPassword       - Authentication is managed by the server but not based on Windows users.
                                  The client is expected to present a username/password matching a user known to the server.
                                  Typically the client will ask for these credentials and pass them to the server.
                                  Certificates are used to protect the passing of credentials.
                                  This mode is used in hosted environments, such as Azure, where the list of allowed users
                                  is maintained by Microsoft Dynamics NAV and not based on Windows users.
                                  In this configuration, the Microsoft Dynamics NAV Server also allows Windows and Web clients to connect using ACS or Azure AD
                                  as well as Web Service clients to connect using OAuth (see above).
  -->
  <add key="ClientServicesCredentialType" value="NavUserPassword" />
  <!--
    The type of permissions used for removing UI elements:
    Possible values:

        None                           - No UI Elements will be removed
        LicenseFile                    - Only object permissions in the License File will be used.
        LicenseFileAndUserPermissions  - Both object permissions from the License File and User Permissions system will be used.
  -->
  <add key="UIElementRemovalOption" value="LicenseFileAndUserPermissions" />
  <!--
    ACS signs all SWT security tokens it issues using a 256-bit symmetric key.
    SWT tokens can be issued over multiple protocols, such as OAuth WRAP and WS-Federation, and are always signed using a symmetric key.
  -->
  <add key="ClientServicesTokenSigningKey" value="" />
  <!--
    Microsoft Azure Active Directory and other identity providers support OpenID metadata.
    It typically has the following format:
       https://login.microsoftonline.com/{AADTENANTID}/.well-known/openid-configuration
    - When NAV is configured for single-tenancy, just replace the placeholder with the value of the AAD tenant ID.
    - When NAV is configured for multi-tenancy, and the corresponding AAD application is also configured as a multi-tenant application, use "common" as the {AADTENANTID} value.
    - When NAV is configured for multi-tenancy, and each NAV tenant corresponds to an AAD tenant, which contains an AAD service principal, use "{AADTENANTID}" as the value.
      NAV will automatically replace that value with the value that was used when mounting the NAV tenant.
    Note: the value below uses "common" while Multitenant is False further down in this file; per the first bullet, a single-tenant
    server is expected to use its own AAD tenant ID here, which also pins the expected token issuer to that tenant.
  -->
  <add key="ADOpenIdMetadataLocation" value="https://login.microsoftonline.com/common/.well-known/openid-configuration" />
  <!--
    The CertificateThumbprint, for the x509 certificate that is going to be used for authentication
    The certificate is required to be stored in the "local computer", "personal" folder in the certificate store and
    the private key of the certificate needs to be present and exchangeable (a .cer file is not enough, you will need a .pfx file).
    Depending on the setting below (validation), the certificate can either be self-signed or issued by a trusted CA

    To issue a self-signed certificate for use on a server for testing purposes issue the following commands:

          makecert -n "CN=YourServiceNameOrURL" -r -sky exchange -sv YourFileName.pvk YourFileName.cer
          pvk2pfx -pvk YourFileName.pvk -spc YourFileName.cer -pfx YourFileName.pfx
          certutil -importpfx YourFileName.pfx

          You can optionally protect the private key with a password.
          This password is only used during certificate import/export operations.

    See online documentation if you want to use trusted certificates
  -->
  <add key="ServicesCertificateThumbprint" value="" />
  <!--
    Indicate if you want to enforce validation of the certificate.

    When validation is enabled, the certificate needs to be trusted, not revoked and the CN name should
    match the URL of your service.

    When validation is disabled you can use a self-signed certificate with no revocation list and there
    are no constraints on the CN name.
  -->
  <add key="ServicesCertificateValidationEnabled" value="true" />
  <!--
    Specifies whether to disable the validation of the token-signing certificate.
    This setting is only applicable if 'ServicesCertificateValidationEnabled' is set when authenticating using Active Directory Federation Services (AD FS).
   -->
  <add key="DisableTokenSigningCertificateValidation" value="True" />
  <!--
    Specifies which certificate validation mode to use for token signing validation. This setting is only applicable if 'ServicesCertificateValidationEnabled' is 'true'.
        'NameIssuerValidation'  validates tokens by verifying the issuer name (tenant) only.
        'PeerOrChainValidation' validates tokens by verifying that the certificate is either in the Trusted People store or is part of a chain trust to a certification authority in the Trusted Root store.
    Note: the value set below ('IssuerNameValidation') is spelled differently from the first option listed above; confirm which spelling the server accepts before changing either.
   -->
  <add key="TokenSigningCertificateValidationMode" value="IssuerNameValidation" />
  <!--
    Sets the data cache size. This is an abstract value with contextual meaning on the type of the item being cached.
  -->
  <add key="DataCacheSize" value="10" />
  <!--
    Specifies the time interval that sessions in the Session Events table remain before they are deleted.
    This value has format d.hh:mm:ss.
  -->
  <add key="SessionEventTableRetainInterval" value="90.00:00:00" />
  <!--
    Specifies the time interval that background and web service sessions remain in the Session Event table before they are deleted.
    This value has format d.hh:mm:ss.
  -->
  <add key="NonInteractiveSessionsLogRetainInterval" value="5.00:00:00" />
  <!--
    Timeout for SQL commands.
  -->
  <add key="SqlCommandTimeout" value="00:30:00" />
  <!--
    Specifies the timeout for SQL commands related to management operations, for example schema synchronization and company management operations. The value has the format HH:MM:SS or the value -1 to fall back to the SQL Command Timeout.
  -->
  <add key="SqlManagementCommandTimeout" value="-1" />
  <!--
    Specifies the time to wait while trying to connect to the database before terminating the attempt and generating an error. This setting also applies to begin, rollback, and commit of transactions. The value has the format hh:mm:ss.
  -->
  <add key="SqlConnectionTimeout" value="00:01:30" />
  <!--
    Specifies if the server is allowed to connect to a SQL Server secondary read-only replica of an Always On availability group.
  -->
  <add key="EnableSqlReadOnlyReplicaSupport" value="false" />
  <!--
    Specifies whether the server instance uses an exclusive lock when modifying a record if the record's in-memory instance is unchanged (not dirty) since the record was retrieved from the database.
  -->
  <add key="EnableExclusiveExistsCheckOnModify" value="false" />
  <!--
    Specifies whether to enable the SQL Buffered Insert functionality to buffer rows that are being inserted into a database table.
    When this parameter is enabled, up to 5 rows will be buffered in the table queue before they are inserted into the table.
    To optimize performance in a production environment, you should set this parameter to TRUE (enabled). In a test environment,
    you can set this parameter to FALSE (disabled) to debug SQL insert failures.
  -->
  <add key="BufferedInsertEnabled" value="true" />
  <!--
    Specifies whether to disable the SmartSql feature.
    The SmartSql feature converts find requests and calculation of flow-fields into a single SQL statement.
  -->
  <add key="DisableSmartSql" value="false" />
  <!--
    Specifies whether full AL function tracing is enabled when an ETW session is performed.
    When this setting is enabled, all AL functions and statements are logged in an ETL log file.
  -->
  <add key="EnableFullALFunctionTracing" value="false" />
  <!--
    Specifies whether this is a multitenant server.
    When this setting is enabled, multiple tenants can be mounted on the server.
  -->
  <add key="Multitenant" value="False" />
  <!--
    Specifies the time that a SQL connection can remain idle before being closed. The value has the format HH:MM:SS.
  -->
  <add key="SqlConnectionIdleTimeout" value="00:05:00" />
  <!--
    Specifies whether access to server files by AL file data type functions is allowed.
  -->
  <add key="EnableALServerFileAccess" value="true" />
  <!--
    Specifies whether to log events in the Windows Application log of the computer running Microsoft Dynamics NAV Server. You can view events by using Event Viewer.
    Regardless of this setting, events are always logged in the Microsoft Dynamics NAV Server event log channels of the Applications and Services Logs.
    The default setting is TRUE to support backwards compatibility.
  -->
  <add key="EnableApplicationChannelLog" value="true" />
  <!--
    Specifies the encryption provider. It can be one of LocalKeyFile or AzureKeyVault
    The default setting is LocalKeyFile to support backwards compatibility.
    This setting is valid only when running in legacy (single-tenant) mode.
  -->
  <add key="EncryptionProvider" value="LocalKeyFile" />
  <!--
    Specifies the AzureKeyVault configuration.

    These settings specify the Azure Active Directory application/client id that will be used for authentication to key vault.
    Specify these values only in these cases:
      - Running with AzureKeyVault as the encryption provider and running in single-tenant mode. In multi-tenant mode, the key vault
        settings are provided when mounting each tenant.
      - Using app secrets, i.e., specifying key vault URLs in the app.json file

    <add key="AzureKeyVaultClientId" value=" The guid value of the client id 00000000-0000-0000-0000-000000000000" />
    <add key="AzureKeyVaultClientCertificateStoreLocation" value="The certificate store location name: LocalMachine or CurrentUser" />
    <add key="AzureKeyVaultClientCertificateStoreName" value="The certificate store name: AddressBook, My, Root, TrustedPeople or TrustedPublisher" />
    <add key="AzureKeyVaultClientCertificateThumbprint" value="The certificate thumbprint" />

    Specify the Azure Key Vault key to use for encryption.
    Specify this value only in this case:
      - Running with AzureKeyVault as the encryption provider and running in single-tenant mode. In multi-tenant mode, the key vault
        settings are provided when mounting each tenant.
    <add key="AzureKeyVaultKeyUri" value="The key uri https://mykeyvault.vault.azure.net/keys/MySecretKey" />
  -->
  <!--
    Specifies whether publisher validation should be performed. When validation is enabled, the server will compare the app publisher's
    AAD tenant ID (as specified during app publishing) with the AAD tenant ID of the key vaults that are specified in the app.json file.
    If they don't match, the app will not be able to retrieve secrets from the key vaults.
    It is recommended to leave validation enabled to prevent unauthorized key vault access; however, it can be useful to disable it during development.
  -->
  <add key="AzureKeyVaultAppSecretsPublisherValidationEnabled" value="true" />
  <!--
    Specifies the URL for Microsoft Exchange authentication metadata document of the service or authority that is trusted to sign Exchange identity tokens.
    This URL is compared to the Exchange authentication metadata document URL in the Exchange identity token. The scheme and host part of the two URLs must match to pass authentication. Paths in the URLs require only partial match.
    The default value is "https://outlook.office365.com/".

    <add key="ExchangeAuthenticationMetadataLocation" value="https://mailhost.contoso.com:443/autodiscover/metadata/json/1" />
  -->
  <add key="ExchangeAuthenticationMetadataLocation" value="" />
  <!--
    Specifies the App ID URI that is registered for Microsoft Dynamics NAV in the Microsoft Azure Active Directory.
    The App ID URI is used when Microsoft Dynamics NAV web services are configured for OAuth authentication, i.e., when the ClientServicesCredentialType is AccessControlService.
    The App ID URI is a logical identifier and doesn't have to represent a valid location, although it is common practice to use the physical URL of the Microsoft Dynamics NAV service.
    Example of valid AppIdUri:
       https://localhost:7047/
  -->
  <add key="AppIdUri" value="api://dataapplicationId" />
  <!--
    Specifies the sign-in page that Microsoft Dynamics NAV redirects to when configured for Single Sign-On.
    For Azure AD (Office 365) authentication, the WSFederationLoginEndpoint setting has the following format:
         https://login.microsoftonline.com/<AAD TENANT ID>/wsfed?wa=wsignin1.0%26wtrealm=<APP ID URI>%26wreply=<APP RETURN URL>
        Where
        "<AAD TENANT ID>" is the ID of the Azure AD tenant, for example "CRONUSInternationalLtd.onmicrosoft.com".
        "<APP ID URI>" is the ID that was assigned to the Microsoft Dynamics NAV application when it was registered in Azure AD, for example "https://localhost/".
        "<APP RETURN URL>" is the reply URL that was assigned to the Microsoft Dynamics NAV application when it was registered in Azure AD, for example "https://localhost/".
    The following ensures that Microsoft Dynamics NAV redirects to the right sign-in page:
        - When NAV is configured for single-tenancy, just write the URL, which has the same format as specified above.
        - When NAV is configured for multi-tenancy, and the corresponding AAD application is also configured as a multi-tenant application, use "common" as the {AADTENANTID} value.
        - When NAV is configured for multi-tenancy, and each NAV tenant corresponds to an AAD tenant, which contains an AAD service principal, use "{AADTENANTID}" as the value.
          NAV will automatically replace that value with the value that was used when mounting the NAV tenant, for example https://login.microsoftonline.com/{AADTENANTID}/wsfed?wa=wsignin1.0%26wtrealm=...%26wreply=...

    The following ensures that the Azure AD sign-in page redirects back to Microsoft Dynamics NAV correctly:
        - When Microsoft Dynamics NAV redirects to the Azure AD sign-in page, it dynamically adds a wreply query parameter.
          This is how Azure AD knows how to redirect back to Microsoft Dynamics NAV.
        - In some cases, the dynamically added wreply query parameter is not what you want. This is the case when the public URL
          is different from the private URL on which Microsoft Dynamics NAV actually lives. An example is when Microsoft
          Dynamics NAV is deployed in a load-balanced environment, where the public URL is that of the load-balancer,
          and the private URLs are different for each Microsoft Dynamics NAV instance.
        - To enable scenarios where the public URL is different from the private URL, you must hard-code the public URL in the WSFederationLoginEndpoint.
          In the following example, the public URL is https://www.cronusinternational.com:
            https://login.microsoftonline.com/<AAD TENANT ID>/wsfed?wa=wsignin1.0%26wtrealm=<APP ID URI>%26wreply=https://www.cronusinternational.com/NAV/WebClient/SignIn.aspx

        - Furthermore, Microsoft Dynamics NAV may be configured to use host name-based tenant resolution, i.e., each tenant is assigned a unique
          domain such as customer1.cronusinternational.com. A customer then accesses their tenant using e.g. https://customer1.cronusinternational.com/NAV/WebClient.
          This implies that the public URL is different for each tenant. To support this scenario, you can specify that the host name should be dynamically
          calculated by Microsoft Dynamics NAV as follows:
            https://login.microsoftonline.com/<AAD TENANT ID>/wsfed?wa=wsignin1.0%26wtrealm=<APP ID URI>%26wreply=https://{HOSTNAME}/NAV/WebClient/SignIn.aspx
          Microsoft Dynamics NAV replaces the placeholder with the actual request domain at runtime, resulting in:
            https://login.microsoftonline.com/<AAD TENANT ID>/wsfed?wa=wsignin1.0%26wtrealm=<APP ID URI>%26wreply=https://customer1.cronusinternational.com/NAV/WebClient/SignIn.aspx

        -  The value for AppIdUri can also be used to substitute a placeholder {APPIDURI} value with the value specified in the AppIdUri configuration setting.
             https://login.microsoftonline.com/<AAD TENANT ID>/wsfed?wa=wsignin1.0%26wtrealm={APPIDURI}%26wreply=....

    For ACS authentication, the WSFederationLoginEndpoint setting is a top level partition of ACS that is used to create the ACS tokens, for example "https://CRONUSInternationalLtd.accesscontrol.windows.net/v2/wsfederation?wa=wsignin1.0%26wtrealm=https://localhost/"

    Remarks:
    - Notice the difference between ACS "wsfederation" and Azure AD "wsfed" resource
    - The wreply value hard-coded below is only substituted into WS-Federation sign-in requests. A sign-in request that carries an
      OAuth 2.0/OpenID Connect redirect_uri parameter instead of wreply belongs to a different flow (see ADOpenIdMetadataLocation),
      and its scheme is not taken from this setting. Behind a proxy that terminates TLS and forwards plain http (as in the traefik
      setup described in this issue), a return URL built from the incoming request will be http unless the proxy passes the original
      scheme through (e.g. via X-Forwarded-Proto) and the web client honors it; check both before editing wreply.
  -->
  <add key="WSFederationLoginEndpoint" value="https://login.microsoftonline.com/53d93613-0e8d-4be0-854b-9df85429e6b3/wsfed?wa=wsignin1.0%26wtrealm=api://dataapplicationId%26wreply=https://bctest.sw.$CompanyName.com/bc-test-aad/SignIn" />
  <!--
    Specifies the ID of this application tenant. Used when accessing data in Azure Active Directory.
    The authentication token for communicating with AAD is preferably obtained using the certificate specified by AzureActiveDirectoryClientCertificateThumbprint,
    with a fallback to AzureActiveDirectoryClientSecret.
  -->
  <add key="AzureActiveDirectoryClientId" value="" />
  <!--
    The client secret used together with AzureActiveDirectoryClientId for AAD authentication (the certificate option below is preferred; a secret stored here is exposed to anyone who can read this file).
  -->
  <add key="AzureActiveDirectoryClientSecret" value="" />
  <!--
    CertificateThumbprint is for the X.509 certificate that is going to be used with AzureActiveDirectoryClientId for AAD authentication.
    The public certificate file (.cer) must be registered on the AAD service principal.
    The private certificate file (.pfx) must be installed on the NST machine, under LocalMachine\My (the personal certificates for the local machine).
    Certificates can be self-signed, so it isn't necessary for the certificate to have a trusted root, but the service account must have access to the private key of that certificate.
    To verify that the certificate is installed in the correct location, run this command:
    PS C:\> dir Cert:\LocalMachine\My
  -->
  <add key="AzureActiveDirectoryClientCertificateThumbprint" value="" />
  <!--
    Configures the server instance to use membership entitlement.
  -->
  <add key="EnableMembershipEntitlement" value="" />
  <!--
    Configures if the server should use any level of partial loading on records.
  -->
  <add key="EnablePartialRecords" value="true" />
  <!--
    Configures if the server should write to the event log and ETW when a background session call Message or sends a notification.
  -->
  <add key="WriteALMessageToEventLog" value="false" />
  <!--
    Specifies the maximum number of rows that are allowed in an Excel document generated from a list in the client.
    To disable the setting, set the value to MaxValue.
  -->
  <add key="MaxRowsToExportToExcel" value="MaxValue" />
  <!--
    Configures the server instance to run the Task Scheduling Engine.
  -->
  <add key="EnableTaskScheduler" value="False" />
  <!--
    Maximum number of scheduled tasks concurrently running.
  -->
  <add key="TaskSchedulerMaximumConcurrentRunningTasks" value="5" />
  <!--
    The period to add to the current timestamp to calculate the latest NotBefore for filtering when listing the tasks.
  -->
  <add key="TaskSchedulerListTasksLookForwardPeriod" value="06:00:00" />
  <!--
    The default timeout for scheduled tasks created via CREATETASK.
  -->
  <add key="DefaultTaskSchedulerSessionTimeout" value="12:00:00" />
  <!--
    The max timeout for scheduled tasks created via CREATETASK.
  -->
  <add key="MaxTaskSchedulerSessionTimeout" value="2.00:00:00" />
  <!--
   Specifies a list of exceptions that will cause the task scheduler to retry the task if the given exception occurs during the execution of the task's main codeunit.
   The value is a semicolon-separated list in a format like: Exception1;Exception2;Exception3.
   To specify the error code of the exception, use the following format instead: Exception1:ErrorCode1;Exception2:ErrorCode2.
  -->
  <add key="TaskSchedulerExecutionRetryExceptions" value="NavAppObjectMetadataException;NavAdministratorMadeChangesException;NavCSideException:22924076" />
  <!--
    The default timeout for sessions created via STARTSESSION.
  -->
  <add key="BackgroundSessionsDefaultTimeout" value="08:00:00" />
  <!--
    Specifies the maximum number of background sessions that can run concurrently per tenant.
   -->
  <add key="BackgroundSessionsMaxConcurrent" value="10" />
  <!--
    Specifies the maximum number of background sessions that can be waiting in the queue per tenant.
   -->
  <add key="BackgroundSessionsMaxQueued" value="100" />
  <!--
    Specifies the maximum timeout for a background session that can be spent waiting in the queue per tenant.
   -->
  <add key="BackgroundSessionsDefaultWaitTimeout" value="08:00:00" />
  <!--
    Specifies whether the simplified quick filter and simplified lookup filter should be used.
    A simplified filter will do a case-sensitive prefix search on the chosen column. This should enable use of the SQL indexes, improving search performance.
  -->
  <add key="UseSimplifiedFilters" value="false" />
  <!--
    The Azure AD client ID for the Excel add-in and other OAuth clients that access the Dynamics NAV Server.
  -->
  <add key="ExcelAddInAzureActiveDirectoryClientId" value="" />
  <!--
    Specifies whether to raise an error when AL code that is executed in the scope of a TryFunction writes to the database.
    It is recommended to update the AL code to avoid writing to the database from a TryFunction. However, in cases where this is not possible, setting this value to false allows TryFunctions to write to the database, and behave as they did in Dynamics NAV 2016.
  -->
  <add key="DisableWriteInsideTryFunctions" value="true" />
  <!--
    The number of hours (0-24) that are added to the lifetime of Azure AD security tokens.
  -->
  <add key="ExtendedSecurityTokenLifetime" value="24" />
  <!--
    The interval of time that a client session can remain inactive before the session is dropped.
    Time interval format: [dd.]hh:mm:ss[.ff]
    You can also use MaxValue to indicate no timeout.
  -->
  <add key="ClientServicesIdleClientTimeout" value="MaxValue" />
  <!--
    Specifies whether Excel add-in annotations should be provided in OData metadata.
  -->
  <add key="ODataEnableExcelAddInAnnotations" value="true" />
  <!--
    Specifies the maximum size in megabytes of a response buffer used by the HttpClient AL function.
  -->
  <add key="NavHttpClientMaxResponseContentSize" value="150" />
  <!--
    Specifies the maximum allowed timeout value in minutes that can be set for the HttpClient Timeout AL function.
  -->
  <add key="NavHttpClientMaxTimeout" value="00:05:00" />
  <!--
    Specifies whether parameters in SQL statements are bound by their ordinal number.
  -->
  <add key="SqlParametersByOrdinal" value="true" />
  <!--
    Specifies if Microsoft Dynamics NAV Server must allow, warn or prevent a connection from a client that is built with a different build number. Allowed values are: AlwaysConnect, WarnClient and DoNotAllow.
  -->
  <add key="ClientBuildRestriction" value="WarnClient" />
  <!--
    Specifies the lowest severity level of telemetry events to be recorded in the event log for the server instance. Telemetry events have IDs from 700-706.
    You can set the value to Critical, Error, Warning, Normal, Verbose or Off. These values correspond to the event severity levels (listed from highest to lowest).
  -->
  <add key="TraceLevel" value="Normal" />
  <!--
    Specifies the lowest severity level of telemetry events to be recorded in the event log for external systems which are interfaced from the server instance.
    The external events are used by integration components like CRM (Xrm) and maps the external event to a standard event log using the Normal trace level.
    You can set the value to Critical, Error, Warning, Information, Verbose. These values correspond to the event severity levels (listed from highest to lowest).
  -->
  <add key="ExternalTraceLevel" value="Error" />
  <!--
    Enables the use of the EXPORTDATA and IMPORTDATA functions from the application code.
  -->
  <add key="EnableDataExportImport" value="true" />
  <!--
    The nesting depth at which nested session creation is considered to have reached the maximum recursion depth.
  -->
  <add key="MaximumSessionRecursionDepth" value="14" />
  <!--
   Specifies the maximum number of bytes that can be read from a stream (InStream object) in a single AL read operation. The default value is 1000000.
  -->
  <add key="MaxStreamReadSize" value="1000000" />
  <!--
   Specifies a semicolon-separated list of allowed audiences for AAD authentication.
  -->
  <add key="ValidAudiences" value="dataapplicationId;https://api.businesscentral.dynamics.com" />
  <!--
    Specifies which of the installed Dynamics NAV languages on the server instance will be used as the default language in the clients. Set the value to a valid language culture name, such as en-US or da-DK.
    In the Dynamics NAV Web and Tablet clients, the Default Language setting determines the language that is used if the web browser's language setting does not match any installed language or a language in the Supported Languages setting, if used. In the Dynamics NAV Windows client, this is the language that is used if the language setting of the computer does not have a match.
    If there are application-specific configuration settings, this setting will be overridden by the default language setting that is specified in application-specific configuration file.
  -->
  <add key="DefaultLanguage" value="" />
  <!--
    Specifies which of the installed Dynamics NAV languages on the server instance will be available for use in the clients. If you do not specify a language, then all installed languages will be available. In the client, users can switch among the supported languages. The value is a semicolon-separated list that contains the language culture names for each language. For example, if you want client users to be able to choose among da-DK, en-US, and en-CA, set the value to da-DK;en-US;en-CA.
    If you specify any languages in this setting, then you must include the language that you specified in the Default Language setting.
    If there are application-specific configuration settings, this setting will be overridden by the supported language setting that is specified in application-specific configuration file.
  -->
  <add key="SupportedLanguages" value="" />
  <!--
      Specifies which of the installed Dynamics NAV languages on the server instance should not be available for use in the clients. Used to prevent
      the inclusion of languages with the same name but different LCIDs.
  -->
  <add key="UnsupportedLanguageIds" value="1034" />
  <!--
    Specifies whether the API web services are enabled.
  -->
  <add key="ApiServicesEnabled" value="True" />
  <!--
    Specifies whether subscriptions are enabled for the API endpoint.
  -->
  <add key="ApiSubscriptionsEnabled" value="true" />
  <!--
    Specifies the number of days that an API entity subscription lasts before it expires.
  -->
  <add key="ApiSubscriptionExpiration" value="3" />
  <!--
    Specifies the amount of time (in milliseconds) that the notification server has to respond to a verification request.
  -->
  <add key="ApiSubscriptionNotificationUrlTimeout" value="5000" />
  <!--
      Specifies the amount of time (in milliseconds) that the notification server has to respond to a notification message.
  -->
  <add key="ApiSubscriptionSendingNotificationTimeout" value="30000" />
  <!--
      Specifies the amount of time (in milliseconds) to wait before notifications start being processed.
  -->
  <add key="ApiSubscriptionDelayTime" value="30000" />
  <!--
      Specifies the maximum number of notifications that can be delivered per NotificationUrl.
  -->
  <add key="ApiSubscriptionMaxNumberOfNotifications" value="1000" />
  <!--
      Specifies the maximum number of subscriptions that can be created per tenant.
  -->
  <add key="ApiSubscriptionMaxNumberOfSubscriptions" value="200" />
  <!-- 
    Specifies whether user defined web services are cached.
  -->
  <add key="CacheUserDefinedWebServices" value="true" />
  <!--
    Specifies whether application symbol references should be loaded at server startup.
  -->
  <add key="EnableSymbolLoadingAtServerStartup" value="False" />
  <!--
    Specifies the amount of time in milliseconds after which a SQL statement is logged as long running.
  -->
  <add key="SqlLongRunningThreshold" value="750" />
  <!--
    Specifies the amount of time (in milliseconds) that an SQL query can run before a warning event is recorded in the Application Insights resource for the server instance. If this threshold is exceeded, the following event is logged: The SQL query took longer to complete than the threshold that is set on the server instance.
  -->
  <add key="SqlLongRunningThresholdForApplicationInsights" value="750" />
  <!--
    Specifies whether the server uses tri-state locking when reading from SQL in AL, where the runtime determines the isolation levels.
  -->
  <add key="EnableTriStateLocking" value="true" />
  <!--
    Specifies how many SQL memory chunks a data import must be distributed across. A small number increases the number of network transfers and decreases performance, but also lowers the amount of memory that the server instance consumes. If the database is on SQL Server 2016 or later, a low value of Bulk batch size can lead to large data files. To not use batching, specify 0.
  -->
  <add key="SqlBulkImportBatchSize" value="448" />
  <!--
  Specifies whether a company should be deleted incrementally.
  -->
  <add key="UseIncrementalCompanyDelete" value="false" />
  <!--
    Specifies when system tasks are allowed to start running, specified in local time.
  -->
  <add key="TaskSchedulerSystemTaskStartTime" value="00:00:00" />
  <!--
    Specifies when system tasks have to stop running, specified in local time.
  -->
  <add key="TaskSchedulerSystemTaskEndTime" value="23:59:59" />
  <!--
    Specifies the maximum number of child sessions that can run concurrently per session. The default value is 5.
  -->
  <add key="ChildSessionsMaxConcurrency" value="5" />
  <!--
    Specifies the maximum number of child sessions that can be queued per session. The default value is 50.
  -->
  <add key="ChildSessionsMaxQueueLength" value="100" />
  <!--
    Specifies the default amount of time that page background tasks can run before being canceled. Page background tasks can be also given a timeout value when enqueued at runtime. The PageBackgroundTaskDefaultTimeout setting is used when no timeout is provided when a page background task is enqueued. The value has the format hh:mm:ss. The default value is 00:02:00.
  -->
  <add key="PageBackgroundTaskDefaultTimeout" value="00:02:00" />
  <!--
    Specifies the maximum amount of time page background tasks can run before being canceled. Page background tasks can be enqueued with a timeout as well. If a page background task is enqueued with a timeout that is greater than the PageBackgroundTaskMaxTimeout setting, the PageBackgroundTaskMaxTimeout setting is used instead. The value has the format hh:mm:ss. The default value is 00:10:00.
  -->
  <add key="PageBackgroundTaskMaxTimeout" value="00:10:00" />
  <!--
    Specifies the size of the XML metadata cache. This is a strict value on the number of objects that are stored in the cache. The larger the number the larger the cache size.
  -->
  <add key="XmlMetadataCacheSize" value="500" />
  <!--
    Specifies the size of the global symbol reference cache. This is a strict value on the number of objects that are stored in the cache. The larger the number the larger the cache size.
  -->
  <add key="GlobalSymbolReferenceCacheSize" value="200" />
  <!--
    The lifespan of entries in the global symbol reference cache in hours.
  -->
  <add key="GlobalSymbolReferenceCacheTTLInHours" value="24" />
  <!--
    Specifies the size of the PTE symbol reference cache. This is a strict value on the number of objects that are stored in the cache. The larger the number the larger the cache size.
  -->
  <add key="PTESymbolReferenceCacheSize" value="700" />
  <!--
    The lifespan of entries in the PTE symbol reference cache in hours.
  -->
  <add key="PTESymbolReferenceCacheTTLInHours" value="24" />
  <!--
    Sets the result set hash cache size. This is the number of items that are kept in the cache.
  -->
  <add key="ResultSetHashCacheSize" value="100000" />
  <!--
    Specifies whether new client sessions can be created while the tenant is pending synchronization or data upgrade. For example, if you set this to 'false', client users will not be able to connect to Business Central if the tenant is pending a data upgrade. 
  -->
  <add key="AllowSessionWhileSyncAndDataUpgrade" value="false" />
  <!--
    Specifies the amount of time that a search operation on lists in the client will continue until it is terminated.

    The value has the format HH:MM:SS.
  -->
  <add key="SearchTimeout" value="00:00:30" />
  <!--
      Specifies whether to overwrite existing translations in the base application with translations included in extensions.
    -->
  <add key="OverwriteExistingTranslations" value="true" />
  <!--
    Specifies the number of failed authentication attempts on a user account (within the time window set by the LockoutPolicyFailedAuthenticationWindow setting) at which the user account is disabled.
  -->
  <add key="LockoutPolicyFailedAuthenticationCount" value="0" />
  <!--
    Specifies time window, in seconds, during which consecutive failed authentication attempts are counted. This setting works in conjunction with the LockoutPolicyFailedAuthenticationCount setting. When the number of failed sign-in attempts by a user hits the value of the LockoutPolicyFailedAuthenticationCount setting property within this time window, the user account is disabled.
  -->
  <add key="LockoutPolicyFailedAuthenticationWindow" value="0" />
  <!--
    Specifies whether the report execution timestamp should be replaced with the client timestamp instead of the server timestamp.
  -->
  <add key="ReplaceReportExecutionTimeWithClientTime" value="true" />
  <!--
    Specifies whether pages are initially populated by using FIND('-') instead of FIND('=><'). This setting is relevant to pages that display lists in descending order. Enabling this setting ensures that the first record, instead of the last record, is in focus when the page opens. Pages that use the OnFindRecord trigger will ignore this setting and always use FIND('=><').
  -->
  <add key="UseFindMinusWhenPopulatingPage" value="true" />
  <!--
      Specifies whether the OPTIMIZE FOR UNKNOWN Query Hint is used in queries. OPTIMIZE FOR UNKNOWN instructs the query optimizer to use statistical data instead of the initial values for all local variables when the query is compiled and optimized, including parameters created with forced parameterization.
    -->
  <add key="DisableQueryHintOptimizeForUnknown" value="true" />
  <!--
      Specifies the default security protocol level for the server. Possible values are: Ssl3, Tls, Tls11, Tls12, Tls13, SystemDefault. To specify multiple values, provide a comma separated list of the values. For example: "Tls12, Tls13".
    -->
  <add key="SecurityProtocol" value="SystemDefault" />
  <!--
      Specifies the setting to enable an upgrade step to preserve integration IDs. The value specifies the ID of the table that stores integration records. The table must match the schema and have at least the following fields (with exact naming): Integration ID, Record ID, Table ID. To skip the upgrade step to preserve integration IDs, set the value to 0. This setting applies only when upgrading from Business Central version 14.0 to Business Central version 15.0.
    -->
  <add key="IntegrationRecordsTableId" value="5151" />
  <!--
      Specifies if the Legacy OptionCaption resolution logic should be used.
    -->
  <add key="LegacyOptionCaptionResolution" value="false" />
  <!--
   Specifies whether to use multiple threads for compiling AL extensions that are published to the server instance.
   Using multiple threads can make compilation faster, but might impact the responsiveness of other sessions that are running on the server instance.
  -->
  <add key="EnableMultithreadedCompilation" value="true" />
  <!--
  Specifies the instrumentation key of the Microsoft Azure Application Insights resource to use for gathering and analyzing telemetry data emitted by the server instance.

  This setting only applies to a server instance that is configured as a single-tenant instance (that is, the Multitenant is False). For a multitenant server instance, this setting is ignored, and the Application Insights instrumentation key is set on a per-tenant basis by using the -ApplicationInsightsKey parameter of the Mount-NAVTenant cmdlet.
  -->
  <add key="ApplicationInsightsInstrumentationKey" value="" />
  <!--
  Specifies the Connection String of the Microsoft Azure Application Insights resource to use for gathering and analyzing telemetry data emitted by the server instance.

  This setting only applies to a server instance that is configured as a single-tenant instance (that is, the Multitenant is False). For a multitenant server instance, this setting is ignored, and the Application Insights connection string is set on a per-tenant basis by using the -ApplicationInsightsConnectionString parameter of the Mount-NAVTenant cmdlet.
  -->
  <add key="ApplicationInsightsConnectionString" value="" />
  <!--
    Specifies whether consistency checks should be done on tasks.
    This guards against impersonation of users in tasks, allowing a user to edit only their own tasks.
  -->
  <add key="EnableUserConsistencyValidationOnTasks" value="true" />
  <!--
    Sets whether users should be able to view the contents of application database tables containing cross-tenant information when using the run table feature.
  -->
  <add key="AllowReadingCrossTenantApplicationDatabaseTables" value="false" />
  <!--
    Sets whether the Application name should be reserved. If this is enabled, only one app named Application can exist on the system.
  -->
  <add key="EnableExclusiveApplicationPackageRole" value="true" />
  <!--
    Sets whether malware scanning is enabled for the server.
  -->
  <add key="EnableMalwareScanning" value="false" />
  <!--
    Specifies whether the Designed Query web services are enabled.
  -->
  <add key="DesignedQueryServicesEnabled" value="false" />
  <!--
    The listening HTTP port for the Microsoft Dynamics NAV
    Designed Query services.
    This is part of the data service's URL.
    Valid range: 1-65535
  -->
  <add key="DesignedQueryServicesPort" value="7048" />
  <!--
    Turns HTTPS on or off for the Designed Query Services.
  -->
  <add key="DesignedQueryServicesSSLEnabled" value="false" />
  <!--
  Gets or sets a value for the cache size of navigation data.
  -->
  <add key="CacheSizeForSearchGroups" value="500" />
  <!--
    Gets or sets the list of report IDs which must maintain the old preview behavior in which a report "preview"
    would close the report request page.

    Format for this setting is a comma-separated list of IDs, e.g. "13,27,28"; use "*" if the new report
    preview behavior is to be ignored entirely.
  -->
  <add key="ReportsCloseOnPreviewList" value="" />
  <!--
    Gets or sets the threshold in ms for when an AL function call is considered "long running".
    AL functions taking longer will be recorded and used to establish performance impact.
    Set value to -1 to disable the long running AL function tracing logging.
    -->
  <add key="ALLongRunningFunctionTracingThreshold" value="1000" />
  <!--
    Gets or sets the idle administration tool timeout.
    Long-running PowerShell operations using Invoke-NAVCodeunit will be closed after this interval has elapsed.
  -->
  <add key="ManagementServicesIdleClientTimeout" value="10:00:00" />
  <!--
    Gets or sets the threshold in ms for when an AL function call is considered "long running".
    AL functions taking longer will be recorded and used to establish performance impact.
    Set value to -1 to disable the long running AL function tracing logging.
    This setting is specific to application insights telemetry.
  -->
  <add key="ALLongRunningFunctionTracingThresholdForApplicationInsights" value="10000" />
  <!--
    Gets or sets the boolean indicating whether or not AL function timing should be enabled.
    This includes all the functionality of ALFunctionTimingExecutionListener which includes:
    - Long running AL functions being logged in internal telemetry
    - Long running AL functions being logged in partner telemetry
    - Extension metrics being captured
    - Extension metrics being presented to users on the Page Inspector
  -->
  <add key="ALFunctionTimingEnabled" value="true" />
  <!--
    Gets or sets the list of language cultures which must maintain legacy AL date formatting behavior for dates for
    standard formats 4 and 7.
    Format for this setting is a comma-separated list of language culture names, such as "sv-SE,da-DK,en-AU".
    Use "*" to specify legacy AL date formatting for all language cultures.
  -->
  <add key="ALCompatibleDateFormatCultureList" value="" />
  <!--
    Specifies whether to keep the cloud replication status in the database up to date. When enabled, synchronization operations on tenants and extensions will update records in the Intelligent Cloud Status table, and also set change tracking on tables that are configured to replicate data.
  -->
  <add key="EnableCloudReplicationMaintenance" value="false" />
  <!--
    Gets whether the profile cache synchronization across server instances is enabled.
  -->
  <add key="EnableProfileCacheSynchronization" value="true" />
  <!--
    Gets whether the profiles from extension should be inserted in the tenant profile table.
  -->
  <add key="EnableExtensionProfileInsertionInTenantProfileTable" value="false" />
  <!--
    Specifies whether callbacks from the server instance to clients are allowed during write transactions.
  -->
  <add key="AllowSessionCallSuspendWhenWriteTransactionStarted" value="true" />
  <!--
    Specifies whether the Business Events functionality is enabled at the server level. When disabled, this functionality cannot be enabled at the environment level. However, when enabled, it can be overridden (disabled) at the environment level.
  -->
  <add key="ExternalEventsEnabledServiceLevel" value="true" />
  <!--
    Specifies whether the Business Events functionality is enabled by default at the environment level. This setting can be used in conjunction with the 'EnableExternalEvents' environment setting to override behavior for specific environments. If the server setting 'ExternalEventsEnabledServiceLevel' is disabled, however, this setting is ignored.
  -->
  <add key="ExternalEventsEnabledEnvironmentLevel" value="true" />
  <!--
    Specifies the number of days that records in the External Event Activity Log table are retained.
  -->
  <add key="ExternalEventsActivityLogRetentionDays" value="7" />
  <!--
    Specifies the maximum number of records to remove from External Event Activity Log table during cleanup as a part of a single transaction.
  -->
  <add key="ExternalEventsActivityLogCleanupBatchSize" value="50000" />
</appSettings>

@freddydk
Contributor

Yeah, so even though the publicwebbaseUrl is https:// - then ClientServicesSSLEnabled is false.
Apparently BC changes the protocol from your setting based on the setting from ClientServicesSSLEnabled - that seems like a bug in BC.
You could try to add the http:// as reply-to addresses in your AAD app and see whether this makes a difference?

@ChrisChristophers
Author

ChrisChristophers commented Aug 16, 2024

Thanks for the reply, we already tried that; unfortunately, as per https://learn.microsoft.com/en-us/entra/identity-platform/reply-url, reply-to addresses have to begin with https://

Can I by any chance manually change the settings after the container is created?

@freddydk
Contributor

Is this a new bug - or did this bug exist in older versions of BC as well?

@ChrisChristophers
Author

We noticed the bug around Dec 23 - Jan 24 in BC23, when we first started trying to implement OAuth. So at least since then.

@freddydk
Contributor

freddydk commented Aug 16, 2024

Could you try to modify the WSFederationLoginEndpoint setting to

```xml
<add key="WSFederationLoginEndpoint" value="https://login.microsoftonline.com/53d93613-0e8d-4be0-854b-9df85429e6b3/wsfed?wa=wsignin1.0%26wtrealm=api://dataapplicationId%26wreply=https://www.google.com/xxx/SignIn" />
```

Just to see whether the parameter is ignored totally or reconstructed.

Remember to restart the container after making the change.

@ChrisChristophers
Author

ChrisChristophers commented Aug 16, 2024

OK. I changed the setting

[screenshot]

restarted the container

[screenshot]

but the redirection URI is the same as before

[screenshot]

so apparently the URI is ignored completely

@freddydk
Contributor

I have emailed the product team that is working on this area to ask whether this is a bug in the platform.

@ChrisChristophers
Author

OK thanks, I hope to get an update on whether this will be fixed or there is a workaround.

@lukasz-zoglowek

Hi,
How do you access BC, is it with an http endpoint? Could you share the HAR file with the sign-in flow from the browser?

@lukasz-zoglowek

lukasz-zoglowek commented Aug 19, 2024

I think the problem could be that your proxy server needs to send the right header to the BC web server, as described here:
https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-8.0

The most important is to set X-Forwarded-Proto header. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto)
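
Added example (Python; not code from this thread, Business Central or BcContainerHelper) of what the forwarded-header rule means for the redirect in this issue: an app behind a TLS-terminating load balancer only sees the plain-HTTP hop from the proxy, so unless a trusted X-Forwarded-Proto header tells it the client-facing scheme it rebuilds its sign-in URL as http://, which the identity provider rejects. The trusted proxy network, the peer addresses and the request headers are constructed for the example; the host and path are the ones from the first post.

```python
"""Decide the scheme for self-referencing URLs behind a reverse proxy (added example)."""
from ipaddress import ip_address, ip_network
from urllib.parse import quote

# Constructed: the only hops allowed to set forwarded headers (the LB / traefik side).
# Same idea as ASP.NET Core's KnownProxies/KnownNetworks: headers from any other
# peer are ignored, so a client cannot spoof its own scheme.
TRUSTED_PROXY_NETWORKS = [ip_network("10.11.42.0/24")]

# Values from the first post of this issue.
PUBLIC_HOST = "bctest.sw.data.com"
SIGN_IN_PATH = "/bc-test-aad/SignIn"


def is_trusted_proxy(remote_addr: str) -> bool:
    """True if the immediate peer belongs to one of the configured proxy networks."""
    addr = ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXY_NETWORKS)


def effective_scheme(headers: dict, remote_addr: str, hop_is_tls: bool) -> str:
    """Scheme the app should use when building absolute URLs to itself.

    headers:     request headers as received from the immediate peer
    remote_addr: IP of that peer (the proxy, when one sits in front of the app)
    hop_is_tls:  whether the last hop itself used TLS (useSSL=Y in the container)
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("x-forwarded-proto")
    if forwarded and is_trusted_proxy(remote_addr):
        # A proxy chain may send "https, http"; the left-most value is the
        # scheme the client actually used.
        client_scheme = forwarded.split(",")[0].strip().lower()
        if client_scheme in ("http", "https"):
            return client_scheme
    # No usable forwarded header: the app can only report what it saw itself.
    return "https" if hop_is_tls else "http"


def sign_in_wreply(headers: dict, remote_addr: str, hop_is_tls: bool) -> str:
    """Absolute reply URL the app would hand to the identity provider."""
    scheme = effective_scheme(headers, remote_addr, hop_is_tls)
    return f"{scheme}://{PUBLIC_HOST}{SIGN_IN_PATH}"


def redirect_uri_param(wreply: str) -> str:
    """Percent-encoded form, as it shows up in the redirect_uri query parameter."""
    return quote(wreply, safe="")


def rejected_by_idp(wreply: str) -> bool:
    """Entra ID requires https:// reply URLs for a public host like this one."""
    return not wreply.startswith("https://")


if __name__ == "__main__":
    cases = {
        "LB terminates TLS, no forwarded header (this issue)": ({}, "10.11.42.202", False),
        "trusted hop sets X-Forwarded-Proto: https": ({"X-Forwarded-Proto": "https"}, "10.11.42.202", False),
        "same header from an untrusted peer, ignored": ({"X-Forwarded-Proto": "https"}, "203.0.113.5", False),
        "container itself runs TLS (useSSL=Y)": ({}, "10.11.42.202", True),
    }
    for label, (hdrs, peer, tls) in cases.items():
        url = sign_in_wreply(hdrs, peer, tls)
        verdict = "rejected" if rejected_by_idp(url) else "accepted"
        print(f"{label}: redirect_uri={redirect_uri_param(url)} -> {verdict}")
```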

@freddydk
Contributor

@tfenster do you know how to get traefik to transfer this header?

@lukasz-zoglowek

Which load balancer do you use?

@freddydk
Contributor

> Which load balancer do you use?

It is setup with traefik

@freddydk
Contributor

It is likely something like this: https://doc.traefik.io/traefik/v2.3/routing/entrypoints/#forwarded-headers which needs to be setup for the traefik container

@tfenster
Contributor

@freddydk if I remember correctly, I was never able to successfully set this up with Traefik v1, because I could never make BC pick it up. The relevant documentation should be here https://doc.traefik.io/traefik/v1.7/configuration/entrypoints/#forwarded-header, at least if bccontainerhelper is used to set up Traefik, which still uses v1.7, I think

@ChrisChristophers
Author

ChrisChristophers commented Aug 20, 2024

Does that mean that it is currently impossible to use BC with traefik and AAD OAuth? Where would be the correct place to raise that issue?

@freddydk
Contributor

It means that the problem is in the traefik setup - which I unfortunately know very little about.

Not sure whether there is anybody out there who could update the traefik implementation in BcContainerHelper to a newer version and include support for this.

@tfenster
Contributor

@ChrisChristophers have you tried running the containers with https? Technically speaking not required as the client would never get the https cert from the container, but that way the container should generate an https redirect

@ChrisChristophers
Author

@tfenster, we're using the -useSSL switch when creating the container, or is there something else to it?

@tfenster
Contributor

@ChrisChristophers, no, I expected this switch to do the trick. Very weird. Can you check the environment variables of the container, does it have useSSL as Y?

@ChrisChristophers
Author

ChrisChristophers commented Aug 23, 2024

Unfortunately it's not, despite us having the switch in the script:

[screenshot]

@tfenster
Contributor

Very weird, can't see why this

```powershell
if ($useSSL) {
    $parameters += "--env useSSL=Y"
} else {
    $parameters += "--env useSSL=N"
}
```

could go wrong. I now remember actually even adding this

```powershell
    Write-Host "Enabling SSL as otherwise all clients will see mixed HTTP / HTTPS request, which will cause problems e.g. on the mobile and modern windows clients"
    $useSSL = $true
}
```

as we had problems running containers with http behind Traefik. And I guess you haven't set forceHttpWithTraefik, which would trigger this?

```powershell
    Write-Host "Disabling SSL on the container as you have configured -forceHttpWithTraefik"
    $useSSL = $false
} else {
```

@freddydk, any idea why useSSL isn't passed down to the container?

@ChrisChristophers
Author

ChrisChristophers commented Aug 23, 2024

@tfenster we are not setting the switch manually (the script I'm using is in my first post)

but I'm not sure whether this might set it?

```powershell
if ((Get-Content (Join-Path $traefikForBcBasePath "config\traefik.toml") | Foreach-Object { $_ -match "^insecureSkipVerify = true$" } ) -notcontains $true) {
    $forceHttpWithTraefik = $true
}
```

@tfenster
Contributor

@ChrisChristophers what does your traefik.toml look like?

@ChrisChristophers
Author

ChrisChristophers commented Aug 23, 2024

@tfenster

```toml
debug = false
defaultEntryPoints = ["https","http"]

[api]
# Check https://docs.traefik.io/v1.7/configuration/api/#security
# to enable authentication on the dashboard for extra security

[docker]
domain = "bctest.sw.com"
watch = true
endpoint = "npipe:////./pipe/docker_engine"

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
  minVersion = "VersionTLS12"

[acme]
email = "noned"
storage = "c:/etc/traefik/acme.json"
entryPoint = "https"
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
   main = "bctest.sw.buhl-data.com"

[file]
[backends]
  [backends.host]
    [backends.host.servers.server1]
       url = "http://10.11.42.202:8180"

 [frontends]
  [frontends.host]
    backend = "host"
    [frontends.host.routes.route1]
      rule = "PathPrefix:/"
```

@tfenster
Contributor

How did you set that up? It indeed is missing the insecureSkipVerify = true that would be needed for SSL in the container

@ChrisChristophers
Author

ChrisChristophers commented Aug 23, 2024

We are using the standard BCContainerHelper 6.0.19 module, with the script above (first post).

The only thing we customized is:

`"-l `"traefik.frontend.entryPoints=https`""`

to

`"-l `"traefik.frontend.entryPoints=http`""`

in New-NavContainer.ps1

(I don't know how to reference it properly)

@tfenster
Contributor

yes, but at some point you have set up the Traefik containers. And it looks like you forced http there

@ChrisChristophers
Author

ChrisChristophers commented Aug 23, 2024

Yes, indeed it was set up like this

[screenshot]

but if I manually set $forcehttpwithtraefik to false in New-NavContainer.ps1 traefik doesn't pick up the container at all.

I can't see it in the dashboard or connect to the web client:

> The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Could setting up a new traefik container help?

@tfenster
Contributor

I don't know how advanced your setup currently is, but the Setup-TraefikContainersForBcContainers cmdlet also has an option to recreate everything, so if you run that without the -forceHttpWithTraefik option, it should work. The problem however will most likely be that your existing containers won't work anymore. So what I would do is the following, but that of course very much depends on your current setup and your flexibility, which I both have no clue at all about... I would:

  • Set up a new host, run Setup-TraefikContainersForBcContainers without -forceHttpWithTraefik
  • Create a new container with your existing script and validate that OAuth works
  • Decide whether you want to just replace the old infrastructure with the old containers. If yes, then you could run Setup-TraefikContainersForBcContainers with -Recreate, throw away the existing containers and create new ones as your databases seem to be decoupled anyway
  • If that is not an option, then you need to figure out a path from the existing containers to the new setup. It could mean keeping some as is and only moving those where you need OAuth to a new infrastructure

Could that work for you?

@djanoschka

Thank you for your reply. We will try to set up a new host within our organization and follow your instructions. As soon as we have progress here, @ChrisChristophers or I will provide feedback.

@ChrisChristophers
Author

ChrisChristophers commented Sep 20, 2024

@tfenster Hi, unfortunately we have to run the script with -forceHttpWithTraefik because our load balancer is handling the SSL and we have no certificate option for the traefik container. Our load balancer is sending the X-Forwarded-For header, which apparently doesn't get passed through? Is there an option to maybe modify the traefik.toml for SSL to work within the BC container anyway?

Thanks for the help so far !

@tfenster
Contributor

@ChrisChristophers Unfortunately not that I know of. The setup explained above was the only one I could get to work. Doesn't mean that it is impossible, but I don't know how

@KristofKlein

Well, your container can just use its own certificate that it created anyway when you have useSSL enabled, or?
Correct me here, not my territory, but: you say the LB handles the SSL. So, send a request against the LB on https, so there you will have client/server trusting the certificate that you have set up there. Now the request passes traefik, and gets forwarded to the container. Now insecureSkipVerify = true kicks in, as you forward the request to a service running itself with a certificate, but you simply don't care (skip the verification). And that should be it. Or?

I really hope it does, because that's also what I am doing :D
At least this is how it works for me with a traefik v2 setup... and no, I have no bccontainerhelper that has v2 support. That is self-made with compose :P

@ChrisChristophers
Author

ChrisChristophers commented Sep 24, 2024

@KristofKlein, so your traefik container is set up without -forcehttpwithtraefik, but still listens on :80? If I use -forcehttpwithtraefik the -useSSL switch doesn't work in the container.

[screenshot]

Will there be native support of traefik v2 in the future?

@freddydk
Contributor

I probably won't have any time to look at traefik v2 support for containerhelper, but I would be happy to review a contribution if someone can create a PR.
traefik v1 was also a contribution.
