Saturday, March 5, 2011

Enterprise portal security issues with Refresh 3.5 and AX 2009

I wanted to play around with a well-built demo environment so that I could experiment with some workflow ideas I had, so I downloaded Microsoft's Refresh 3.5 VPC from PartnerSource (located here).

I prefer to work as a typical user with typical security settings so that I can identify issues quickly.  After booting up the VPC and restarting it a few times so that it would adjust to my machine, there were quite a few changes I had to make to get it usable.

Firstly, I had to change the client configuration to point to AX593 and the business connector configuration as well.  If you forget the business connector, you will have EP issues, amongst other things.

I randomly chose contoso\Nancy as my testing user, and I immediately notice that I don't have access to EP at all:

So I switch back over to contoso\administrator to take a look at the security settings in EP and notice there really isn't anything set up:

Let's add Nancy to the Viewers group and see what happens...

So now we can at least see the role centers, but the KPIs are having an issue...hmm...this issue is typically related to Kerberos, but on the Refresh 3.5 VPC, it's only NTLM security because everything is on the same machine.

Let's remove Nancy from the viewers group, and just create our own "AX Users" group, but let's make it "Read" only instead of "View only", add Nancy to it, then refresh our role center:

And we're good.  The only difference between View Only and Read is the ability to view the source of documents with server-side file handlers.  See the SharePoint permissions matrix here for security differences.
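The same group setup can be scripted against the SharePoint server object model. This is an added example, not part of the original post: it assumes PowerShell 2.0 or later run on the SharePoint server as a site collection administrator, and `<ep-site-url>` is a placeholder for the EP site's address, which the post does not give. It lists what "Read" grants beyond "View Only" before granting anything, then creates the group, binds it to Read, and adds the test user.

```powershell
# Added example (not from the original post). Placeholder URL: replace with the
# EP site, which is not necessarily the server's default site.
$EpSiteUrl = 'http://<ep-site-url>'
$GroupName = 'AX Users'
$Login     = 'contoso\Nancy'

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Get-PermissionNames($web, $levelName) {
    # BasePermissions is a flags enum; ToString() yields a comma-separated list.
    $web.RoleDefinitions[$levelName].BasePermissions.ToString().Split(',') |
        ForEach-Object { $_.Trim() }
}

$site = New-Object Microsoft.SharePoint.SPSite($EpSiteUrl)
$web  = $site.RootWeb
try {
    # 1. Review the extra rights "Read" carries over "View Only" first.
    $extra = Compare-Object (Get-PermissionNames $web 'View Only') `
                            (Get-PermissionNames $web 'Read') |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
    Write-Host ("Read adds: " + [string]::Join(', ', @($extra)))

    # 2. Create the group only if it does not already exist.
    $existing = @($web.SiteGroups | Where-Object { $_.Name -eq $GroupName })
    if ($existing.Count -eq 0) {
        $web.SiteGroups.Add($GroupName, $site.Owner, $site.Owner,
                            'AX Enterprise Portal users (Read)')
    }
    $group = $web.SiteGroups[$GroupName]

    # 3. Bind the group to the "Read" permission level on the site.
    $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
    $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions['Read'])
    $web.RoleAssignments.Add($assignment)

    # 4. Add the test user to the group (EnsureUser registers the account if needed).
    $group.AddUser($web.EnsureUser($Login))

    # 5. Print the resulting membership so the grant can be checked.
    $group.Users | ForEach-Object { Write-Host "$GroupName member: $($_.LoginName)" }
}
finally {
    $web.Dispose()
    $site.Dispose()
}
```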


  1. Thank you for this article Alex. I am very new to Dynamics, and am not yet completely knowledgeable when it comes to knowing where all the configuration controls are located. While this article exactly describes what I am experiencing in the Refresh 3.5 VM, I cannot determine where to go to make your suggested settings.

    Here is where I'm at:
    1. I did change the Configuration Utility to point to the AX593 AOS. This allowed my client to connect. The Role Center was not displayed; the error "An error has occurred. Contact your administrator for further assistance." was displayed.

    2. I do not know where to go to change the "business connector configuration"

    3. When logged on as the administrator, I do not know where to go to change "security settings in EP"

    If you could post a screen shot of where to go for 2 and 3 above, or a detailed instruction (i.e., Start -> Control Panel -> etc.), I would greatly appreciate it.

    Thanks in advance,

  2. @Kevin M.

    1.) This is good.

    2.) This is changed in the same place as #1. The "Configuration Target" section drop down where it says "Local Client", there is another option that says "Business Connector". When you hit that drop down, make sure the config is correct. I believe this will fix your initial issue because you're already logging in as administrator.

    3.) If you've completed #2 correctly, you should be able to open the EP page in IE and view it. Administration>Setup>Internet>EP>Web Sites>View in Browser. This should display correctly, then go to Site Actions>Site Settings, then permissions (From memory, so may be named something slightly different). You would set permissions here for other users, but since you're just logging in as administrator, you probably can skip step #3.

  3. Thanks! I feel silly now for missing where the business connector config was located, but I'll never forget about it now!

    Definitely didn't know where the EP config was in AX Administration! Although seeing the SharePoint URL, it's easy to get there outside of AX now that I know it. I've worked with SP before, so I have no problem assigning security groups and permission levels. I do want to be able to log in as the other users to see the different role centers and AX UI as it appears to different user roles.

    My "energy consumption" and other graphs aren't populating, but I'm guessing maybe some cubes need to be refreshed.

    I'm curious to know if there were any other tweaks you made to the VM. I'm thinking about bumping up the memory, at least (I have the ability to activate the software due to the hardware change). Any other ideas/suggestions?

    Thanks again,
    -Kevin M.

  4. @Kevin M

    No problem. It's very easy to miss the BC configuration. I restarted the VM so that it adjusted to my hardware and also did some updates. I have a couple 25" screens that Windows VPC wouldn't stretch to, so I enabled the 2nd NIC (disabled by default in the OS) and was able to browse the internet from inside the VPC. I then changed the default RDP port to something random, and then opened a port in my firewall and now I can get to my sandbox VPC from anywhere in the world :P.

    It's almost definitely not safe from a security standpoint though because everybody knows the password...but I didn't worry about it. If you decide to change the administrator password, expect many EP/SAS/SRS things not to work as many services are running as the admin user.

  5. Excellent post. One thing to mention is that the default site on the VPC 3.5 image is not the EP site, and at the time of changing the security settings one needs to make a note of that.