BC17 Federation Service endpoint error and iOS access

Hi DUG

A freshly installed BC17.1 throws a lot of error messages in the Event Viewer. My best guess is that it would be fixed if we started using SSO, and that might very well be the case in some scenarios.

Message: The Federation Service endpoint login failed because the following audience URI does not match an AppIdUri or wtrealm in server or application configuration.

How can these messages be fixed while running Windows login (if that's the case)?

Another thing: we can't get access from iOS devices.
Using an iPhone we get the login screen, but after that, a blue circle on a white background is the only thing shown.
The app only shows the logo.
Everything works on Android and Windows, but not iOS :frowning:
I have made the changes in navsettings.json
GlobalEndPoint - null,ms://businesscentral,ms://dynamicsnav,bc17.domain.dk,ms:/…/bc17.domain.dk
as MS describes in Install the Business Central Mobile App - Business Central | Microsoft Docs

Any ideas?

Best regards Erik

Hi Erik,
Got a few questions. You write that you use Windows, but AppIdUri is only used with AAD, so which authentication scheme are you using? Windows or AAD?

Are you able to login with a normal web browser?

I use Windows login, but still these errors occur.

Yes, no problem at all, only a problem on iOS devices. The CRT is created by CertifyTheWeb, using Let's Encrypt as provider.

The AppIdUri, WSFederationLoginEndpoint and ClientServicesFederationMetadataLocation settings are only to be used with Access Control Service authentication (AAD); they have no function with Windows auth and should be removed here.

And it is empty, that's why I think it's strange:
CustomSettings.config
Maybe it has something to do with this:
https://www.yammer.com/dynamicsnavdev/threads/903827949125632

Special note for on-premises:

Please note that for on-premises and for iOS you need to modify your server settings as the app follows latest guidance from Apple. Again, only for on-premises and for iOS:

Dear partners please note that if customers are using an already set up Business Central on-premises with iOS devices they may need to get the admin to update the GlobalEndPoints parameter of their Business central on-premises instance to include “null,ms://businesscentral”.

This is clearly described in documentation here: https://go.microsoft.com/fwlink/?linkid=2143538

UPDATE: on top of that you need to apply latest CU if you’re using CS/AAD auth. More: https://www.yammer.com/dynamicsnavdev/threads/914113091682304

UPDATE2: this CU is already released for 14.x, 15.x and 16.x as part of November 2020 on-premises updates. Versions 17.0 and above were unaffected (as was the online edition).

I hadn't seen the Yammer post until now, but as far as I see, null should be enough; ms://businesscentral is for later releases.
This also explains why the app does not work on my BC16 environments anymore. The regular web client still works, but I don't understand why the BC17 app and web client do not work, even though GlobalEndPoints is set.
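The two configuration points raised in this thread (AAD-only settings left in place under Windows auth, and GlobalEndPoints missing the entries the iOS app needs) can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: it parses a CustomSettings.config in the `<appSettings><add key value/>` shape and reports both problems. The sample config is constructed; the key names come from the thread and the `ClientServicesCredentialType` key is a documented BC server setting.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the CustomSettings.config shape; values are made up
# (hostnames use example.test) and deliberately show both problems.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<appSettings>
  <add key="ClientServicesCredentialType" value="Windows" />
  <add key="AppIdUri" value="https://bc17.example.test/D365BC17" />
  <add key="WSFederationLoginEndpoint" value="" />
  <add key="ClientServicesFederationMetadataLocation" value="" />
  <add key="GlobalEndPoints" value="bc17.example.test,ms://dynamicsnav" />
</appSettings>
"""

# Settings the thread identifies as having no function with Windows auth.
AAD_ONLY_KEYS = (
    "AppIdUri",
    "WSFederationLoginEndpoint",
    "ClientServicesFederationMetadataLocation",
)
# Entries the quoted Yammer note says on-premises iOS clients require.
IOS_REQUIRED_ENDPOINTS = ("null", "ms://businesscentral")


def load_settings(xml_text):
    """Return {key: value} for every <add key="..." value="..."/> element."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): (a.get("value") or "").strip() for a in root.iter("add")}


def audit(settings):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    if settings.get("ClientServicesCredentialType", "") == "Windows":
        # Only non-empty AAD-only values are flagged; empty ones are harmless.
        for key in AAD_ONLY_KEYS:
            if settings.get(key):
                findings.append(f"{key} is set but has no function with Windows auth; remove it")
    # GlobalEndPoints is a comma-separated list; compare on trimmed entries.
    raw = settings.get("GlobalEndPoints", "")
    endpoints = {e.strip() for e in raw.split(",") if e.strip()}
    for needed in IOS_REQUIRED_ENDPOINTS:
        if needed not in endpoints:
            findings.append(f"GlobalEndPoints lacks '{needed}' (needed by the iOS app)")
    return findings


if __name__ == "__main__":
    for line in audit(load_settings(SAMPLE_CONFIG)):
        print(line)
```

Run it against a real CustomSettings.config by reading the file into `load_settings` instead of `SAMPLE_CONFIG`; an empty result means neither issue from the thread is present.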

Finally I have some updates…
After an MS service ticket, which did not give anything, a new iOS app has been released that fixes half of the problem.

I now have environments that work, and also some that do not work.

The difference as I see it: the ones that do NOT work have a Load Balancer or Application Gateway in front;
those that do work have a direct connection without a Load Balancer or Application Gateway in front, but have a public IP on the application server (which is not best practice).

Android devices have no issues…

We don't want to expose the application server directly to the internet, and would at least have a Load Balancer in front, preferably an Application Gateway.

I am pretty sure I'm not the first person in the world facing this issue, but I can't find any solutions for this mess.
I have customers and colleagues that want this fixed, but I see no solution.

I know it's probably a security thing by Apple.

Btw, that error I also mentioned has been fixed by MS in 17.3, since it was a bug in earlier versions :wink:

Status update:

The Load Balancer is not the issue here.
BC17.1 is not working.
BC17.2 is working.
Newer versions not tested.

We have the same problem. We have some services using ACS, which don’t log this event, but the ones using Windows logins do. I don’t have a solution I’m afraid, but sometimes it is nice to know someone else has the same problem!