Unable to import users in Cloud Hosted Environment

At one of my customers I just set up a couple of new Cloud Hosted Environments (version 10.0.37, which turns out to be important), and when I tried to import the users from Entra ID/Azure AD I got the following error:

Cannot Find Thumbprint by Certificatename

After some troubleshooting and looking through Yammer I saw others that had the same issue. Apparently the issue had started happening after 15 November (which also turned out to be important).

It turns out that Microsoft had discovered a potential security issue in the template used for creating Cloud Hosted Environments. Every Cloud Hosted Environment used to contain a connection that allowed it to look up Azure AD/Entra ID in order to import users. For security reasons, this connection is no longer there by default. You can still add users manually, but if you want to import users you need to create the connection in the virtual machine yourself.

1. Create a new App Registration in Entra ID.

2. In the Cloud Hosted VM, run the following PowerShell snippet (in an elevated PowerShell prompt, i.e. Run as Administrator) to create a new certificate.

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "CHECert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -KeySpec Signature -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotBefore (Get-Date -Year 2020 -Month 5 -Day 1) -NotAfter (Get-Date -Year 2033 -Month 12 -Day 31)

3. Start “Manage Computer Certificates” and find your newly created certificate. It should be under Local Computer – Personal – Certificates and it should be called “CHECert”. Export the certificate with default settings (Right-Click – All Tasks – Export), which exports only the public part without the private key, and save it in a folder you remember.

4. Go back to the App Registration you created in step 1 and go to Certificates & secrets. Under Certificates, click Upload certificate and choose the certificate you exported.

5. You need to add a Redirect URI to the App Registration. Go to Authentication, click Add a platform – Web and paste the URL of the Cloud Hosted Dynamics environment.

6. Add the following permissions under API permissions and then click Grant admin consent…

7. In the Cloud Hosted VM, go back to “Manage Computer Certificates” and Right-Click (the certificate) – All Tasks – Manage Private Keys. Give NETWORK SERVICE permission to use the certificate.

8. In the Cloud Hosted VM, start Notepad as Administrator and edit the file K:\AOS service\Webroot\web.config. Edit the following keys:

<add key="Aad.Realm" value="spn:[TheAppIDfromStep1]" />
<add key="Infrastructure.S2SCertThumbprint" value="[TheThumbprintFromStep2]" />
<add key="GraphApi.GraphAPIServicePrincipalCert" value="[TheThumbprintFromStep2]" />

9. In the Cloud Hosted VM, start an elevated Command Prompt and run iisreset.

Validate by trying to import users again.
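The VM-side part of the procedure above (steps 2, 3, 7, 8 and 9), scripted so that the thumbprint and the web.config edits cannot be mistyped. This is an added example and not code from the original post. It assumes the App (client) ID from the App Registration in step 1 is passed in, that web.config lives at the path used in the post, that the certificate subject is CN=CHECert, that the key is a CAPI key (the provider used in step 2) and that it runs in an elevated Windows PowerShell 5.1 prompt; the certificate validity is shortened to two years, which is a choice of this example, not the post's.

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell 5.1
# prompt on the Cloud Hosted VM. Assumed: App ID from step 1, web.config path and
# certificate subject as in the post, CAPI key provider as in step 2.
param(
    [Parameter(Mandatory = $true)][string]$AppId,
    [string]$WebConfigPath = 'K:\AOS service\Webroot\web.config',
    [string]$CertSubject   = 'CN=CHECert',
    [string]$CerExportPath = "$env:USERPROFILE\Desktop\CHECert.cer"
)

function Get-CheCertificate {
    # Reuse an existing CHECert that still has its private key, otherwise create one (step 2).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
            -DnsName 'CHECert' -KeyExportPolicy Exportable -HashAlgorithm sha256 `
            -KeyLength 2048 -KeySpec Signature `
            -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
            -NotAfter (Get-Date).AddYears(2)   # example choice: 2 years instead of 2033
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "CHECert $($cert.Thumbprint) has expired" }
    return $cert
}

function Grant-PrivateKeyRead {
    # Step 7: the AOS runs as NETWORK SERVICE and only needs Read on the key file
    # to sign with it, not Full Control. CAPI machine keys live under ProgramData.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) { throw 'Not a CAPI key; grant NETWORK SERVICE Read via Manage Private Keys' }
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

function Set-AosAppSetting {
    # Step 8: rewrite one <add key="..." value="..." /> under appSettings in place.
    param([System.Xml.XmlDocument]$Config, [string]$Key, [string]$Value)
    $node = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) { throw "appSettings key '$Key' not found in web.config" }
    $node.SetAttribute('value', $Value)
}

$cert = Get-CheCertificate

# Step 3: export only the public certificate (DER .cer) for upload to the App
# Registration in step 4; the private key never leaves the VM.
Export-Certificate -Cert $cert -FilePath $CerExportPath -Type CERT | Out-Null

Grant-PrivateKeyRead -Cert $cert

# Thumbprint read straight from the store: upper-case hex with no spaces, so no
# manual copy step can introduce stray characters.
$thumb = $cert.Thumbprint

Copy-Item -Path $WebConfigPath -Destination "${WebConfigPath}.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true     # keep the file's layout for later diffs
$config.Load($WebConfigPath)
Set-AosAppSetting -Config $config -Key 'Aad.Realm' -Value "spn:$AppId"
Set-AosAppSetting -Config $config -Key 'Infrastructure.S2SCertThumbprint' -Value $thumb
Set-AosAppSetting -Config $config -Key 'GraphApi.GraphAPIServicePrincipalCert' -Value $thumb
$config.Save($WebConfigPath)

iisreset   # step 9
"Aad.Realm = spn:$AppId; thumbprint = $thumb; public certificate exported to $CerExportPath"
```

Usage: `.\Set-CheUserImport.ps1 -AppId <App (client) ID from step 1>` (script name is hypothetical). Steps 1, 4, 5 and 6 remain portal work in Entra ID; the script writes a timestamped backup of web.config before changing it, and grants NETWORK SERVICE Read rather than Full Control on the key, which is all the AOS needs to sign with the certificate.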

Links
Secure one-box development environments
