LCS Database refresh API error #875

Open
eatufano opened this issue Jan 29, 2025 · 9 comments

@eatufano

Hi,
I'm getting the issue shown in the screen below.
Credentials are ok, indeed I'm logged in, also source and target env ids.
The service account on LCS is a Project Owner and the application registered has the right permissions.
Can you help to identify the root cause?
Many thx

Image

Image

@FH-Inway
Member

FH-Inway commented Jan 29, 2025

Thanks for reporting.

  • Could you post the script that is being executed? Especially the part where it authenticates with LCS. It looks like it is using Get-D365LcsApiToken.
  • It also looks like the script is executed as part of an automated task (e.g. Azure DevOps Pipeline). If so, try executing the script directly in a PowerShell session to see if that makes a difference.
  • Do other LCS commands of the d365fo.tools (e.g. downloading or uploading an asset) work?
  • Did the script work before or is this the first attempt to execute it?

@eatufano
Author

Hi,

Below you can find all our answers. It's the first time I use it.
Many thx in advance, let me know if you need further information.

Image

@FH-Inway
Member

FH-Inway commented Jan 29, 2025

Thanks. Looks like it is an authorization issue.

  • Are there other projects you are involved in where the LCS API is being used? Or is this in general the first time you/your company are working with it?
  • Can you try it with another user that also has the project owner or environment manager security role in LCS?
  • Is the user a member or a guest of the tenant of the app registration? If the user is a guest, try a user that is a member instead.
  • Can you share the LcsApiUri parameter value being used?
  • Does the app registration have the "Allow public client flows" setting enabled?

@FH-Inway
Member

Just noticed, could you try changing this line

Get-D365LcsApiToken -ClientId $env:lcsClientId -Username $env:lcsUserId -Password $env:lcsPwd -LcsApiUri $env:lcsUrl | Set-D365LcsApiConfig -ProjectId $env:lcsProject

to this:

Get-D365LcsApiToken -ClientId $env:lcsClientId -Username $env:lcsUserId -Password $env:lcsPwd -LcsApiUri $env:lcsUrl | Set-D365LcsApiConfig -ProjectId $env:lcsProject -ClientId $env:lcsClientId

This adds -ClientId $env:lcsClientId to the Set-D365LcsApiConfig call. Unfortunately, this value is not transferred from the call to Get-D365LcsApiToken. See also #736 (comment)
Example 2 of Get-D365LcsApiToken states incorrectly that the value is transferred and needs to be fixed.
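
To see which client and audience a token was actually issued for, independent of what Set-D365LcsApiConfig stored, its claims can be decoded locally and compared with the ClientId and LcsApiUri values in use. This is an added example, not part of the thread or of d365fo.tools; the helper names, the sample token and the `access_token` property name are assumptions.

```powershell
# Added example; the three helper functions are hypothetical, not d365fo.tools cmdlets.
# Claims are decoded WITHOUT signature validation: diagnostic use only. Never log the token itself.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 JWT segments, got $($parts.Count)." }
    # base64url -> base64: swap the URL-safe characters back and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-LcsTokenClaims {
    param([string]$AccessToken, [string]$ExpectedClientId, [string]$ExpectedAudience)
    $c = ConvertFrom-JwtPayload $AccessToken
    # v1.0 tokens carry the client id in 'appid', v2.0 tokens in 'azp'
    $client  = if ($c.appid) { $c.appid } else { $c.azp }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    [pscustomobject]@{
        Audience        = $c.aud
        AudienceMatches = ([string]$c.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')
        ClientId        = $client
        ClientIdMatches = $client -eq $ExpectedClientId
        TenantId        = $c.tid
        ExpiresUtc      = $expires.UtcDateTime
        Expired         = $expires -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed sample token (unsigned, placeholder GUIDs) so the check runs offline.
$payload = @{
    aud   = 'https://lcsapi.lcs.dynamics.com'
    appid = '11111111-1111-1111-1111-111111111111'
    tid   = '22222222-2222-2222-2222-222222222222'
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sample = @((ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'constructed') -join '.'

Test-LcsTokenClaims -AccessToken $sample -ExpectedClientId '11111111-1111-1111-1111-111111111111' -ExpectedAudience 'https://lcsapi.lcs.dynamics.com'

# With a real token (assumption: the object returned by Get-D365LcsApiToken exposes access_token):
# $t = Get-D365LcsApiToken -ClientId $env:lcsClientId -Username $env:lcsUserId -Password $env:lcsPwd -LcsApiUri $env:lcsUrl
# Test-LcsTokenClaims -AccessToken $t.access_token -ExpectedClientId $env:lcsClientId -ExpectedAudience $env:lcsUrl
```

A mismatch in `AudienceMatches` or `ClientIdMatches` points at the token request itself; if both match, the next things to look at are the LCS-side role of the user and what was stored by Set-D365LcsApiConfig.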

@eatufano
Author

Thanks. Looks like it is an authorization issue.

  • Are there other projects you are involved in where the LCS API is being used? Or is this in general the first time you/your company are working with it?
  • [ ] Can you try it with another user that also has the project owner or environment manager security role in LCS?
  • [ ] Is the user a member or a guest of the tenant of the app registration? If the user is a guest, try a user that is a member instead.
  • [x] Can you share the LcsApiUri parameter value being used?
  • [ ] Does the app registration have the "Allow public client flows" setting enabled?

We used d365fo.tools library in the past to Import Locally a db on a CHE. I don't have other service account (no other users without MFA). The actual one is a member of Entra. LcsApiUrl is https://lcsapi.lcs.dynamics.com. I double checked and "Allow public client flows" is enabled.

@eatufano
Author

Just noticed, could you try changing this line

Get-D365LcsApiToken -ClientId $env:lcsClientId -Username $env:lcsUserId -Password $env:lcsPwd -LcsApiUri $env:lcsUrl | Set-D365LcsApiConfig -ProjectId $env:lcsProject

to this:

Get-D365LcsApiToken -ClientId $env:lcsClientId -Username $env:lcsUserId -Password $env:lcsPwd -LcsApiUri $env:lcsUrl | Set-D365LcsApiConfig -ProjectId $env:lcsProject -ClientId $env:lcsClientId

This adds -ClientId $env:lcsClientId to the Set-D365LcsApiConfig call. Unfortunately, this value is not transferred from the call to Get-D365LcsApiToken. See also #736 (comment)
Example 2 of Get-D365LcsApiToken states incorrectly that the value is transferred and needs to be fixed.

Changed, same result, same error.

@eatufano
Author

@FH-Inway I tried with our admin onmicrosoft.com service account, but same issue.
I guess the root cause is the missing ClientSecret parameter in the client_credentials login flow....

@eatufano
Author

@FH-Inway same issue using native API, opened a tkt to MS

Image

@FH-Inway
Member

Good luck with the MS support!

One more thought I had, are you using some kind of local active directory or okta? We had issues reported with those in the past, see #727 and #705
