It’s quite important to understand how EP logs on to Ax4. Since a graphic is much easier to understand than a large text, here’s a flow diagram that shows the initialization process that happens in the Init-method of the SessionItem-class in the WebParts-assembly (a little bit simplified):

EP Authentication and Axapta Logon An exception will increase the FatalSessionExceptions and the FailedLogons performance counter.

In the first step, EP tries to convert the identity of the current user to a WindowsIdentity. This because Dynamics Ax requires the user to be configured in the Active Directory and in any case the logon must be done with a valid WindowsIdentity.

If this fails, the user of the Windows thread, which should be the Ax proxy user that has been configured as owner of the IIS application pool, is impersonated. This case happens usually if the authentication has been done with Forms-authentication. Since the Ax proxy should be configured as a non interactive user, Dynamics Ax will not be able to logon with that account. If it does nevertheless, you have not configured the Ax proxy user as described in the documentation. Unfortunately I have no idea why this results not directly in an error because as we see, you can’t logon to Dynamics Ax if everything is well configured. Instead of this the process continues without any notification. Perhaps somebody might have an idea why this is done ?

If the identity of the user has been a WindowsIdentity, it is checked if the user is authenticated or not. If he is, the user of the Windows thread is (like described in point 2) impersonated and the EP logs on to Dynamics Ax with the username of the user in Point 3. If the user isn’t authenticated, the impersonation is done here, too but in this case the EP tries to log on Dynamics Ax as guest. This guest log-on can be used for example for online product-catalog. Here you can find on MSDN a description how to configure Ax for such kind of scenarios.

As we have seen, Dynamics Ax requires a user that has been configured in the AD and the EP does not allow identities other than WindowsIdentities. This is the reason why it is so difficult to create web-shops. It might be reasonable to configure all clients if you don’t have too many (as this is often the case in B2B scenarios), but for a B2C scenario it is definitely unreasonable to configure all clients in the AD.