Share This Post

Troubleshooting On-premises Deployments – Part 3

This article is a continuation of Troubleshooting Dynamics 365 F&O On-premises Deployments. The Dynamics 365 F&O On-premises Deployments option uses Finance and Operations cloud components running on-premises using Microsoft Azure Server Service Fabric standalone clusters.

Service Fabric is the next-generation Microsoft middleware platform for building and managing enterprise-class high-scale applications. Service Fabric standalone clusters can be deployed on any computer that is running Windows Server.

Troubleshooting Dynamics 365 F&O On-premises Deployments Steps (Continued)

19. Properties for Creating a DataEncryption Certificate

Utilize the following properties to create the DataEncryption certificate:

  • Is self-signed certificate – Enable this parameter only when you are using self-signed certificates.
  • Certificate purposes – Enable all purposes for this certificate.
  • Signature algorithm – Specify sha256RSA.
  • Signature hash algorithm – Specify sha256.
  • Issuer – Specify CN = DataEncryptionCertificate.
  • Public Key – Specify RSA (2048 bits).
  • Thumbprint algorithm – Specify sha1.

20. The Certificate and Private Key that Should be Used for Decryption Cannot be Found (0x8009200C)

If you’re missing a certificate and ACL, or if you have the wrong thumbprint entry, check for special characters, and look for thumbprints in C:\ProgramData\SF\<AOSMachineName>\Fabric\work\Applications\AXBootstrapperAppType_App<N>\log\ConfigureCertificates-<timestamp>.txt.

You can also validate the encrypted text by using the following command.

Invoke-ServiceFabricDecryptText -CipherText ‘longstring’ -StoreLocation LocalMachine | Set-Clipboard

Upon receiving the message, Cannot find the certificate and private key to utilize for decryption, check the axdataenciphermentcert and svc-AXSF$ AXServiceUser ACLs.

If the credentials.json file has changed, delete and redeploy the environment from LCS. If none of the preceding solutions work, follow these steps in Dynamics 365 F&O On-premises Deployments.

  • Verify that the domain name and Active Directory account names that are specified in the ConfigTemplate.xml file are correct.
  • Check that the thumbprints that are specified in the ConfigTemplate.xml file are correct if the certificate wasn’t generated by using the scripts that are provided.
  • Verify that the certificate thumbprints that are described in LCS are correct and that they match the thumbprints that are specified in ConfigTemplate.xml. Make sure that there are no special characters. You can run .\Get-DeploymentSettings.ps1 to obtain the thumbprints in an easy-to-copy manner.
  • If the certificates aren’t self-generated, make sure that the provider names match for the following certificate types:
    • ServiceFabricEncryption type: Microsoft Enhanced Cryptographic Provider v1.0
    • All other certificate types: Microsoft Enhanced RSA and AES Cryptographic Provider
  • Verify that the Set-CertificateAcls.ps1 and Test-D365FOConfiguration.ps1 scripts were successfully run on all Service Fabric machines.
  • Verify that the credentials.json file exists, and that the entries are decrypted to correct values.

On one of the AOS machines, run the following command to verify that the data encryption certificate is correct.

Invoke-ServiceFabricDecryptText ‘<encrypted string>’ -StoreLocation LocalMachine

  • If any of the certificates must be changed, or if the configuration was incorrect, follow these steps:
    • Edit the ConfigTemplate.xml file so that it has the correct values.
    • Run all the set up scripts and the Test-D365FOConfiguration script.
  • In LCS, reconfigure the environment.

21. Management Reporter

Additional logging can be performed by registering the providers. Download to the primary orchestrator machine and then execute the following commands. To determine which machine is the primary instance, in Service Fabric Explorer, expand Cluster > Applications > LocalAgentType > fabric:/LocalAgent/OrchestrationService > (GUID).

.\RegisterETW.ps1 -ManifestsAndDll @{“C:\Files\ETWManifest\” = “C:\Files\ETWManifest\Microsoft.Dynamics.Reporting.Instrumentation.dll”}

If you must unregister providers, use the following command.

.\RegisterETW.ps1 -ManifestsAndDll @{“C:\Files\ETWManifest\” = “C:\Files\ETWManifest\Microsoft.Dynamics.Reporting.Instrumentation.dll”} -Unregister

After providers are registered, additional details about the new deployment are logged in Event Viewer, at Applications and Services Logs > Microsoft > Dynamics. The following folders will be shown:

  • MR-Logger
  • MR-Sql

To see the new folders, you must close and reopen Event Viewer. To see additional details, you must deploy an environment again.

22. axdbadmin Cannot Connect to the Database Server

Reason: The user does not have permission to connect to the AXDB database.


  • Remove the axdbadmin user from the database, if it already exists.
  • In the ConfigTemplate.xml file, specify the user name that must be added to the AXDB database.

<User refName=”axdbadmin” type=”SqlUser” userName=”axdbadmin” />

  • Run the initialize database script again to add the axdbadmin user.

23. Unable to Resolve the xPath Value

In the expected behavior, the following xPath value can’t be resolved:


Therefore, the fact that the xPath value can’t be resolved isn’t an issue. The xPath value looks for AOS runtime user information. Although, because of integrated security, that information is not required. The fact that the xPath value can’t be resolved is communicated in case the failure must be investigated for another reason.

24. AD FS

The sign-in page doesn’t redirect you

The sign-in page might not redirect you but continues to prompt for credentials. Alternatively, you might be redirected but receive the following message:

An error occurred. Contact your administrator for more information.

In these cases, you can follow these steps to resolve the issue:

  • Add the AD FS link to the list of trusted sites.
  • Adding the Dynamics 365 link to the list of trusted sites.
  • Add a trailing slash (/), and see whether the behavior changes.

Verify the AD FS Manager by going to ADFS > Application groups. Double-click Dynamics 365 F&O On-premises Deployments. Then, under Native application, double-click Dynamics 365 F&O On-premises Deployments – Native application.

Note the Redirect URI value. It should be equivalent to the DNS forward lookup zone for MS D365 Finance and Operations.

25. Sign-in Issues

If you or other users experience sign-in issues, in Service Fabric Explorer, verify that the Provisioning_AdminPrincipalName and Provisioning_AdminIdentityProvider values are valid. If the values are valid, run the following command on the primary SQL Server machine.


On each AOS machine, in Task Manager, select AXService.exe, and then select End task. To verify that a user has been reset, run the following select query in the AXDB SQL database.

select SID, NETWORKDOMAIN, NETWORKALIAS, * from AXDB.dbo.USERINFO where id = ‘admin’

In some cases, you still might not be able to sign in, and you might receive the following error:

You are not authorized to login with your current credentials. You will be redirected to the login page in a few seconds.

If this error occurs, follow these steps in Dynamics 365 F&O On-premises Deployments.

  • In the AD FS machine, go to the Server Manager > Tools > AD FS Management.
  • Right click the AD FS and then choose Edit Federation Service Properties.
  • Make sure that the Federation Service Identifier value matches the Userinfo.NetworkDomain and UserInfo.IdentityProvider values.
  • On the AD FS machine, open Windows PowerShell and execute Get-AdfsProperties.
  • Make sure that the IdTokenIssuer value matches the Federation Service Identifier value from step 3, and also the Provisioning_AdminIdentityProvider value on the fabric:/AXSF Details tab at Service Fabric Explorer > Cluster > Applications > AXSFType.
  • In Service Fabric Explorer, verify that the Provisioning_AdminPrincipalName and Provisioning_AdminIdentityProvider values are valid.

26. System.Data.SqlClient.SqlException (0x80131904) and System.ComponentModel.Win32Exception (0x80004005)

You might receive one of the following errors:

System.Data.SqlClient.SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the sign-in process. (provider: SSL Provider, error: 0 – Certificate chain was issued by an authority that is not trusted.)

System.ComponentModel.Win32Exception (0x80004005): Certificate chain was issued by an authority that is not trusted

In this case, either the certificates are not installed, or are not given permits to the correct users. To resolve this error, add the public key SQL Server certificate to all the Service Fabric nodes.

27. Error: “RunAsync Failed Due to an Unhandled FabricException Causing Replica to Fault”

You might receive the following error:

RunAsync failed due to an unhandled FabricException causing replica to fault: System.Fabric.FabricException: First Fabric upgrade must specify both the code and the config versions. Requested value:

In this case, in the ClusterConfig.json file, change diagnosticsStore from a network share to a local path. For example, change \\server\path to a default value of C:\ProgramData\SF\DiagnosticsStore.

28. Service Fabric AOS Node Error During Build: The Execution Time-out Expired


The timeout period elapsed prior to completion of the operation or the server is not responding.
The statement has been terminated.

Only one AOS machine can execute DB Sync at a time. You can safely disregard this error, because it means that one of the AOS VMs is running DB Sync. Therefore, the other VMs produce a warning that they can’t run it.

To verify that DB Sync is running, on the AOS VM that is not producing warnings, in Event Viewer, go to Applications and Services Log > Microsoft > Dynamics > AX-DatabaseSynchronize/Operational.

29. Error: “RequireNonce is ‘true’ (default) but validationContext.Nonce is Null”

You might receive the following error in Dynamics 365 F&O On-premises Deployments:

RequireNonce is ‘true’ (default) but validationContext.Nonce is null

This error also displays as an HTTP error 500 in Internet Explorer after you sign in to the client. The nonce that is issued can not be validated if Internet Explorer is in Enhanced Security Configuration.

To sign in to the client, disable Enhanced Security Configuration for Internet Explorer via Server Manager.

30. Error: “Invalid Algorithm Specified / Cryptography”

If you receive an “Invalid algorithm specified / Cryptography” error, you must use the Microsoft Enhanced RSA and AES Cryptographic Provider. Additionally, verify that the structure of the credentials.json file is correct.

If you must re-create the certificate by using the correct provider, follow these steps.

  • Create the certificate again by using the correct provider.
  • Change the ConfigTemplate.xml file.
  • Run the infrastructure scripts on all machines in the cluster, and make sure that the Test-D365FOConfiguration.ps1 script passes.
  • Reconfigure the environment from LCS.

For more information on Microsoft Dynamics 365 F&O On-premises Deployments Troubleshooting, please contact us. For getting the continuation of the previous steps please refer to the previous articles: and and for the continuation of the further steps please refer to this article:

Share This Post

Leave a Reply

Notify of
Skip to toolbar