« Adding a host header with SSL | Main | Basic FIX Routing Application using ShortCut »
Saturday
Apr022011

Configuring BizTalk Server for Dynamics AX Integration

Have been working on a Microsoft AX integration lately. When I first arrived the BizTalk environments weren't really setup that well and it was one of the first times I had worked with AX.

The main issue was around security, specifically the BizTalk AX adapter authenticating against AX through the .NET Business Connector Proxy.

There are three areas to keep in mind.

  1. AX .NET Business Connector Proxy
  2. AX itself
  3. BizTalk

.NET Business Connector Proxy

As per the Microsoft documentation this:

  • Must be a Windows domain account

  • Must be a dedicated account (used only by Business Connector)

  • Must have a password that does not expire

  • Must not have interactive logon rights

  • Must not be a Microsoft Dynamics AX user.

This link has instructions for configuring the business connector proxy user in AX.

image

AX

The BizTalk service account needs to be setup as an AX user usually with admin rights although I'm sure you can be more specific if you need to be. You must give this user access to the EndPoint that BizTalk will hit or at least the group.

image

BizTalk

For BizTalk you must also enter this account in either the send port or handler settings as the proxy user:

image

The Gateway user is the BizTalk service account, there are a few different ways to do this. I've seen the service account setup as the proxy user and as the AX user. It seems to work but Microsoft's documentation mentions that the proxy user should not be made an AX user so I wouldn't go down this route if you don't have too.

I would recommend setting this up in the handler settings (Adapters/Microsoft Dynamics AX 2009...) so you don't wipe out the password every time you import bindings if you don't a deployment framework. if you're dev and prod environments are in the same domain BizTalk has a nasty habit of locking accounts especially with receive adapters. You might want to use different accounts so a developer doesn't accidentally bring down production by keying in the wrong password.

If you're using multiple BizTalk hosts (and you should be) then you need to make sure all the hosts are using the same service account (or that they are all AX users). AX will know which service account "created" the message and if it isn't an authorized AX user the AIF will reject it. It's frustrating because you look at the message in the AIF queue and the users are correct but somewhere the adapter is passing the other account. The error is some thing like "user not an authorized endpoint user".

This configuration will work, if you keep getting errors check the action policies on the endpoint in AX and make sure all that works. Might be worth submitting a message through the AX file adapter to check all that side is setup correctly.

Keep in mind this is for AX 2009, apparently a lot changes with the next version of Dynamics AX.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>