Tag Archives: AIF

How to export configuration settings for AIF inbound/outbound ports

A very tedious task of mine has often been to deploy AIF services across environments. I am used to doing this the old-school way: manually.

Today I had something that might be compared to an epiphany – I stumbled upon this great TechNet article describing how to export the configuration settings using the data import/export framework. I tried it out for the first time today and it's working just great. The only downside so far is that I wasn't aware of this feature before…:-)

AIF – getting offline WSDL files

Quite often when dealing with AIF services I am asked to send a WSDL for a service to a 3rd party partner. Typically the partner doesn't have access to the service in that phase of the project. This means that I have to send physical WSDL files (and not just a URL). In my experience the "singleWSDL" feature introduced with .NET Framework 4.5 doesn't work for AIF services. In these cases AIF can be quite tedious to work with, because the WSDL references other WSDL files as well as XSDs. So in order to be able to send an offline WSDL file to a partner, you have to do a little bit of manual work. Of course there are many ways to achieve the same, but here's a guide to a way that I have found quite easy to work with.

  • Make sure the service has been published.
  • Open Visual Studio and create a console application. Add a new service reference pointing to your service. Visual Studio now creates proxy classes and downloads the referenced WSDLs and XSDs. You should see something similar to this in your project:
    Please note the 3 WSDL files and 6 XSD files.
  • Locate the physical location of the files (right click in VS and look at the file properties)
  • Copy all of the WSDL and XSD to a new folder of your choice (outside the project). This folder now contains the files that we want to send to our partner. But before sending them, we need to do some minor modifications.
  • Open the RoutingService.wsdl in your editor (VS will do just fine). Find and edit all import statements:
    You will see that the location attribute references an HTTP address. Edit the location to point to the local file residing in the current folder.
    You will want to do the same for the service location:
    Make sure to point to the local file instead of the url.
  • Do the same for the other 2 WSDL files. It’s quickly done.
  • When finished, you can test your work by going back into Visual Studio. Just simulate adding a new service reference pointing to the local WSDL files instead. Remember that RoutingService.wsdl is your point of entry. If VS doesn't complain, you are finished.
  • Finally, zip the folder and send it to the partner.

If you know of a better/easier way, please post a comment…
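The import edits in the steps above can be scripted and checked before the folder is zipped. The following Python script is an added example, not part of the original post: it points each remote location/schemaLocation at the local file that declares the imported namespace, then lists references that are still remote or that name a missing file. It assumes all downloaded .wsdl and .xsd files sit in one folder and that each namespace is declared by one file of each type; the function names are illustrative.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import quoteattr

# import element -> (extension of the file it pulls in, attribute holding the reference)
IMPORTS = {
    "{http://schemas.xmlsoap.org/wsdl/}import": (".wsdl", "location"),
    "{http://www.w3.org/2001/XMLSchema}import": (".xsd", "schemaLocation"),
}
REMOTE = re.compile(r"https?://", re.I)

def documents(folder):
    """All WSDL/XSD files in the folder, in a stable order."""
    return sorted(p for p in Path(folder).iterdir() if p.suffix.lower() in (".wsdl", ".xsd"))

def imports(path):
    """Yield (extension, attribute, namespace, reference) for every import in one file."""
    for elem in ET.parse(path).iter():
        ext, attr = IMPORTS.get(elem.tag, (None, None))
        if attr and elem.get(attr):
            yield ext, attr, elem.get("namespace", ""), elem.get(attr)

def broken_refs(folder):
    """(file, reference) pairs that are still remote or name a file missing from the folder."""
    return [(p.name, ref) for p in documents(folder) for _, _, _, ref in imports(p)
            if REMOTE.match(ref) or not (p.parent / ref).is_file()]

def localize(folder):
    """Point each remote import at the local file that declares the imported namespace."""
    by_ns = {(p.suffix.lower(), ET.parse(p).getroot().get("targetNamespace", "")): p.name
             for p in documents(folder)}
    for path in documents(folder):
        data = path.read_bytes()
        for ext, attr, ns, ref in imports(path):
            local = by_ns.get((ext, ns))
            if REMOTE.match(ref) and local:
                # Textual replace keeps prefixes and formatting exactly as downloaded.
                data = data.replace(f"{attr}={quoteattr(ref)}".encode(),
                                    f"{attr}={quoteattr(local)}".encode())
        path.write_bytes(data)
    return broken_refs(folder)  # an empty list means the folder is self-contained

if __name__ == "__main__":
    for name, ref in localize(sys.argv[1]):
        print(f"{name}: unresolved reference {ref}")
```

Endpoint addresses such as soap:address are not touched by this script, so review them by hand before sending the folder to a partner.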

How to implement basic authentication in Dynamics AX2012 webservice

Recently I had to configure an inbound port for basic authentication. Furthermore, I had to produce a guide in order to be able to set it up in the same way in other environments.

Lucky for me, I found this great guide, that I would like to share. You can also use it as a template for configuring other types of authentication.


AIF – Some or all identity references could not be translated.

In a recent task I struggled with that error when calling an AIF HTTP service. It would work from Visual Studio's internal Cassini browser, but when the client was deployed to IIS the error "Some or all identity references could not be translated." would display in the AIF exception log.

It was not possible to set up proper debugging in a timely manner, so a little fix was created in order to be able to see why the error was being thrown.

Analyzing the label IDs, it turned out that the error with that label ID would only be thrown from one single location: Data Dictionary/Tables/AifPortUser. From there a call to AifUtil::getWindowsUserSid(windowsUser) would occur, causing the exception to be thrown. So the interesting thing would be to analyze which Windows user was actually submitted by the client. In order to do that, AifUtil::getWindowsUserSid was modified to write the domain, alias and user SID to a text file:

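        #File   // macro library that defines #io_write
        TextIo textIo;
        FileIOPermission fileio;

        // Temporary diagnostic: dump the identity that AIF received, then remove this code again.
        // Server-side code must assert the file permission before TextIo is created.
        fileio = new FileIOPermission(@"C:\test\textIOtest.txt", #io_write);
        fileio.assert();
        textIo = new TextIo(@"C:\test\textIOtest.txt", #io_write);
        textIo.write("domain: " + domain + "\n");
        textIo.write("alias: " + alias + "\n");
        textIo.write("userSid: " + userSid + "\n");
        CodeAccessPermission::revertAssert();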

That little snippet showed that the identity of the default app pool was submitted and not the actual Windows user. Changing the app pool identity fixed the problem.

A call to SSPI failed–DynAx 2012 AIF/WCF

Recently I deployed an AIF service to a customer environment. Everything was working fine in my single-server development environment, but after deploying to the distributed customer environment, calls to the web service resulted in the error "A call to SSPI failed".

The scenario:

  • My service – a simple document service. No hex about that.
  • I needed to deploy the service to IIS in order for it to be consumable from a corporate website
  • The customer environment contained a standalone server for the AOS and a standalone server for IIS
  • I created a simple test webform – my test client – in order to be able to test that everything was working OK.

Having deployed the service, the service was browsable. The identity of the application running the AIF site was the same as the one used for the Business Connector proxy account (System administration > Setup > Service accounts). The app pool was configured like this:


Authentication was configured like this:


Here’s a nice reference on how to install AIF on IIS when using Ax2012

From AX my service was configured to use a customBinding using NTLM, and my client was also configured to use NTLM. Any call from the client to the service would result in the error "A call to SSPI failed – see inner exception…" – and no inner exception was to be found.

Trying to narrow down the problem a basicHTTPBinding was tried – still the same error.

As different kinds of blog posts suggested, I was able to call the AIF/WCF service when the service itself was using the IP address of the AOS server (to avoid the use of Kerberos) instead of the URL. However, this wasn't an acceptable solution, as any new deployment of the service from AX would result in a non-working web service, since the web.config would be overwritten when deploying from AX. And as it turned out, it was not possible to alter settings in AX to force AX to deploy the service with the endpoint in web.config referencing the IP address instead of the FQDN. However, the problem was now narrowed down to being caused by Kerberos. I found this great blog post explaining some basic things about Kerberos.

Another thing we tried out was to set the SPN for the user running the service:

    Setspn -A HTTP/2012webtest.myDomain.local myDomain\sa-proxy-lon

Having done that we tried to setup trust for delegation in AD according to this. We are not sure whether this had any effect, but we didn’t reverse the process.

This blogpost (see comment from Eric Ledoux and Brian Kinser) suggested that this might be caused by a kernel error. My customer recently upgraded to R2CU7 and I was expecting this to be fine, but talking with the technician from the customer revealed that IIS might not have been updated in that process with the new AX components. Running the setup file from the CU7 install media, suggested to update some core AX components. Choosing yes to update, restarting IIS and the AOS service, fault messages from ax started to show up when calling the webservice – meaning that everything was starting to work as expected.


In my case the “a call to sspi failed” error turned out to be resolved when upgrading to CU7. The problem I was facing was just caused by the fact that only the AOS had been upgraded – not IIS. Resolving this mismatch solved the problem.

Thanks to my colleague Morten Uldall for both moral and technical support:-)

AX2012 AIF – CallContext

Working with AIF on the Dynamics AX 2009 platform, you had to create the SoapHeader manually. In that you had to specify the destination endpoint and the source endpoint user in order to be able to target a specific company, and maybe use a specific AX user. It could look something like this:


    using System;
    using System.ServiceModel;
    using System.ServiceModel.Channels;

    public static class SoapHeader
    {
        /// <summary>
        /// Helper method - adds a SOAP header defining the destination endpoint (local endpoint) in Dynamics AX
        /// </summary>
        /// <param name="_nameOfEndpoint">The name of the local endpoint</param>
        public static void SetDestinationEndpoint(string _nameOfEndpoint)
        {
            OperationContext.Current.OutgoingMessageHeaders.Add(
                MessageHeader.CreateHeader("DestinationEndpoint", "http://schemas.microsoft.com/dynamics/2008/01/services", _nameOfEndpoint));
        }

        /// <summary>
        /// Helper method - adds a SOAP header defining the source endpoint name and the source endpoint user to use
        /// </summary>
        /// <param name="_sourceEndpointName">The name of the source endpoint</param>
        /// <param name="_userName">The source endpoint user</param>
        public static void SetSourceEndpointAndUser(string _sourceEndpointName, string _userName)
        {
            //string userName = HttpContext.Current.User.Identity.Name.ToString(); //returns the current user and domain - e.g. egdk\tomph
            var addressHeader = AddressHeader.CreateAddressHeader("SourceEndpointUser", "http://schemas.microsoft.com/dynamics/2008/01/services", _userName);
            var addressBuilder = new EndpointAddressBuilder(
                new EndpointAddress(new Uri("urn:" + _sourceEndpointName), addressHeader));
            var endpointAddress = addressBuilder.ToEndpointAddress();
            OperationContext.Current.OutgoingMessageHeaders.From = endpointAddress;
        }
    }

    //call the web service's find method (fragment: client, qc and response are declared elsewhere)
    //SOAP header info
    using (new OperationContextScope(client.InnerChannel))
    {
        //this assumes that an endpoint (inside AX) with the selected (dataareaid in this case) name has been created for all companies
        //this assumes that a local endpoint (inside AX) with the name [ddlDataAraeId.SelectedValue] has been configured and is associated with a company that exists in Dynamics AX
        SoapHeader.SetSourceEndpointAndUser("Default", Helper.GetCurrentUser());

        //submit the request and retrieve the response while the header scope is still active
        response = client.find(qc);
        enumerEmplTable = response.EmplTable.GetEnumerator();
    }

Now in AX 2012 AIF you can simply specify the CallContext – which I may say is a h… of a lot easier…


    //create the AX call context in order to be able to define the AX company and the submitting user
    CallContext axContext = new CallContext();
    axContext.Company = ddlDataAraeId.SelectedValue;
    axContext.LogonAsUser = Helper.GetCurrentUser();

    #if DEBUG
    CreateXmlMessageTextFileFromCreate(axdEGF_HRMWebRecruitment, Guid.NewGuid().ToString());
    #endif

    keys = client.create(axContext, axdEGF_HRMWebRecruitment);
    txtResult.Text = "SUCCESS: " + keys[0].KeyData[0].Field + " = " + keys[0].KeyData[0].Value;


Thank You MS for making my life just a little bit easier:-)

You may find it relevant to look at this piece of documentation on TechNet.

AIF–Invalid data container type

Recently I've been developing an AIF document service. After days of testing and customizing, my requests suddenly started to fail and I would receive an AIF error in the exception log in AX stating "Invalid data container type". To me, this came out of the blue, since everything up to that point worked just fine. I can't explain the error, but the solution for me was to:

  • update the document service using the AIF wizard with the switch to update AxBC classes (not regenerate)
  • Recompile the entire private service project.
  • Perform incremental CIL
  • Unpublish and publish the service.

I'm not sure what part actually solved the problem – but the main goal was to get everything working again – and it did.