How to: Set Up LS Central to Use OAuth

Open the Web Service Setup page on the Server and the Client.
Enable SSL, if the server URL is https.
Enable SaaS because the server is running on SaaS.
Fill in all fields as in the above image.
In the Client Credentials FastTab, enable Override Client Credentials and change Http Authentication Type to S2S.
In the Client ID field, enter the App ID that you created on the Azure portal (see How to: Set Up an Azure Active Directory App).
Go to the Web Requests 2.0 page, and click the Publisher action on the server and the Subscriber action on the client.
Go to the POS Functionality Profile List, and select the profile you want to change (for example ##DEFAULT).
On the POS Functionality Profile Card, click the Profile action and then Web Servers.
Clear the Local Request check box, and select the distribution location.
Back on the Profile Card, in the Web Services FastTab, enable Distribution Location in the Send Transactions section.
Open the Distribution Location Card, for example for HO.
In the Web Server FastTab, add the same information as in the web service setup.

The POS will now send requests to the Server on SaaS, and will authenticate using OAuth 2.0.

Troubleshooting

User permission

The user must have sufficient permission. The best way to start is to assign the user with a SUPER equivalent permission set, because at this point you do not know which objects the permission set must have.

The super user permission set cannot be assigned to this user, so you must create a new permission set based on the SUPER permission set.

Create a new Permission Set, name it Super_S2S, for example.
Copy the existing super permission set, and assign that to the S2S user.
You can refine this permission set, if needed.

Testing the S2S Setup

The following is a PowerShell script that you can use to test the S2S setup:

#########################

# Variables to update

#########################

$clientid = ""

$clientsecret = ""

$tenant = ""

$environmentName = ""

$companyName = ""

#########################

# Other variables

#########################

$scope = "https://api.businesscentral.dynamics.com/.default"

$baseurl = "https://lscentral.api.bc.dynamics.com/v2.0/$tenant/$environmentName"

# Get access token

$body = @{grant_type="client_credentials";scope=$scope;client_id=$ClientID;client_secret=$ClientSecret}

$oauth = Invoke-RestMethod -Method Post -Uri $("https://login.microsoftonline.com/$tenant/oauth2/v2.0/token") -Body $body

$oauth.access_token

If the access token is a valid one, you should be able to get the list of companies by running the following script:

# Get companies

$companies = Invoke-RestMethod `

-Method Get `

-Uri $("$baseurl/api/v2.0/companies") `

-Headers @{Authorization='Bearer ' + $oauth.access_token}

foreach ($company in $companies.value) {

$company.id + " - " + $company.displayName

}

To test the web services connection, you can run these lines:

# Test WS connection

try

{

$ws_url = "$baseurl/WS/$companyName/Codeunit/TestConnection"

$headers = @{

"Authorization" = "Bearer " + $oauth.access_token

}

$response = Invoke-WebRequest -UseBasicParsing `

-Method Post `

-Uri $("$ws_url") `

-Headers $headers

$response

}

catch {

$reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())

$reader.BaseStream.Position = 0

$reader.DiscardBufferedData()

$reader.ReadToEnd()

}

Error publishing web services

500 - Internal Server Error

If you get this error message, 500 - Internal Server Error, when you click the Subscriber action on the Web Service Setup page, you most likely have a user permissions issue.

Check the user setup in the Azure Active Directory Application Card, and make sure it has the proper permissions.

To check the failure reason, run these lines:

# Test Web Services subscription

try

{

$ws_url = "$baseurl/WS/$companyName/Codeunit/RetailMessageGetActiveList"

$headers = @{

"Authorization" = "Bearer " + $oauth.access_token

}

$response = Invoke-WebRequest -UseBasicParsing `

-Method Post `

-Uri $("$ws_url") `

-Headers $headers

$response

}

catch {

$reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())

$reader.BaseStream.Position = 0

$reader.DiscardBufferedData()

$reader.ReadToEnd()

}

Common issues

Response: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode xmlns:a="urn:microsoft-dynamics-schemas/error">a:Microsoft.Dynamics.Nav.Service.SOAP.ServiceBrokerException</faultcode><faultstring xml:lang="en-US">Service "Codeunit/RetailMessageGetActiveList" was not found!</faultstring><detail><string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">Service "Codeunit/RetailMessageGetActiveList" was not found!</string></detail></s:Fault></s:Body></s:Envelope>

Reason: The user configured in the Azure Active Directory Application Card does not have proper permissions (review the setup).

To view details about your permissions, see the Effective Permissions page.

To report a problem, refer to the following server session ID: '42060'.</faultstring><detail><string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">You do not have the following permissions on XmlPort LSCRetailMSGGetActiveListXML: Execute.

To view details about your permissions, see the Effective Permissions page.

To report a problem, refer to the following server session ID: '42060'.</string></detail></s:Fault></s:Body></s:Envelope>

Reason: The user is not configured in the Azure Active Directory Application Card and does not have the proper permissions or consent was not granted (check Troubleshooting - User permissions).

Http Error to [GET:

https://lscentral.api.bc.dynamics.com/v2.0/<tenant id>/<Environment Name>/WS/<Company Name>/services

If you get this error message, Http Error to [GET: https://lscentral.api.bc.dynamics.com/v2.0/<tenant id>/<Environment Name>/WS/<Company Name>/services?Tenant=<tenant id>, when you click the Publisher action on the Web Service Setup page, in a Sandbox environment, it might be because the LS Central extension is not allowed to make web services calls.

To check that, open the LS Central extension card in the Extension Management page and enable the field Allow HttpClient Requests.

For more information, see Precautions for sandbox environments with production data.

Multi-tenant setup

Note: The application and Business Central must be on the same AAD (Azure Active Directory). They can be on different tenants, but setup only works if they are both in the same AAD.

Company names with empty space

When you create the web service URL in Web Service Setup, for company names with a blank space in it, like LS Retail for example, make sure you replace the space with %20 to avoid creating an incorrect URL. The correctly entered company name now reads LS%20Retail instead.