Hi there. After following the "three tiers on three computers" walkthrough in the NAV 2009 nav_install.chm file, I ran into an authentication issue I cannot solve. I have asked Freddy K about this and he has kindly pointed me to the MIBUSO community, with which I am familiar.
I am having an issue with my middle tier NAV server authenticating with my machine that is hosting the SQL server 2005 NAV database. Please note, these are all test machines being used for a proof of concept.
The NAV server is using the same test domain account as the SQL server service for simplicity. My client reaches the NAV server with no issue. I set domain user delegation in the client settings config file. When the request reaches the SQL server, it errors because AD sends it the anonymous login. We used setspn to register the MSSQLSvc service with the SQL machine and the test account. It stated "updated object", but I've had no luck. Interestingly, if I list the SQL server machine's SPNs, the new service does not show.
The message on the SQL server application log is "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: <my NAV server IP>]"
Could anyone assist?
CREATE LOGIN [ReplaceWithNAVServerAccount] FROM WINDOWS;
CREATE USER [ReplaceWithNAVServerAccount] FOR LOGIN [ReplaceWithNAVServerAccount];
CREATE SCHEMA [$ndo$navlistener] AUTHORIZATION [ReplaceWithNAVServerAccount];
ALTER USER [ReplaceWithNAVServerAccount] WITH DEFAULT_SCHEMA = [$ndo$navlistener];
GRANT SELECT ON [ReplaceWithYourDatabaseName].[Object Tracking] TO [ReplaceWithNAVServerAccount];
GO
I'm guessing it's trying to log in anonymously because my service tier is running on the Network Service account and I didn't specify that in the above code? I really don't understand this part of it, so any help (preferably in as much detail as possible for us non-SQL people) is most appreciated.
http://msdn.microsoft.com/en-us/library/dd301254.aspx
Go through everything, even if you've already installed something, there might be additional components to install. And make sure your company doesn't have any weird security policies involving service accounts.
Thanks for the post. Fargo stated that the documentation on MSDN will be updated regularly and that they are working hard to clarify the steps required. I also asked them to post documentation on the approach for clustering the NAV servers for companies who wish to ensure failover capabilities.
I went through the guide ( http://msdn.microsoft.com/en-us/library/dd301254.aspx ) and I still have the problem: the RTC connects only from the machine running the NAV server; every other machine gives the error "Username and Password are invalid. Try again". I have set all SPNs, delegation settings etc. and now I'm really confused... what am I missing? On the SQL Server computer I see that the client tries to log in as NT AUTHORITY\ANONYMOUS LOGON. If anybody has any suggestions, I'll be very happy to hear them.
Action: Unable to connect RTC to the SQL server on a NAV 2009 SP1 SQL 3 tier environment
Result: Error in SQL log 'NT AUTHORITY\ANONYMOUS LOGON'
Cause: SQL Cluster environment
Solution: Create 4 SPNs (2 local and 2 FQDN) and delegate to the Account under which SQL server is running
DynamicsNAV/<machine-name>:7046
DynamicsNAV/<Fully Qualified Domain Name machine-name>:7046
MSSQLSvc/<machine-name>:1433
MSSQLSvc/<Fully Qualified Domain Name machine-name>:1433
If it is not a clustered environment, the FQDNs are not required.
And delegate the SQL SPNs to the user running the service.
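As an added example (not from this thread or from Microsoft's guide), the four SPNs from the post above can be registered and verified from an elevated PowerShell prompt on a domain member. Host names, domain and service accounts are placeholders; the port numbers are the ones the post lists. It assumes a setspn.exe that supports -Q and -X (Windows Server 2008 or later) and an account allowed to write servicePrincipalName. The thread uses one account for both services; where the NAV and SQL services run under different accounts, the DynamicsNAV SPNs go on the NAV account and the MSSQLSvc SPNs on the SQL account.

```powershell
# Added example, not code from the thread: register and verify the SPNs for a NAV 2009 three-tier setup.
# All names below are assumed placeholders; replace them with your own.
$NavServer         = 'NAVSRV01'        # NAV middle-tier host name
$SqlServer         = 'SQLSRV01'        # SQL Server host (or cluster virtual) name
$Domain            = 'corp.example'    # DNS domain, used to build the FQDN SPNs
$NavServiceAccount = 'CORP\svc-nav'    # account running the NAV Server service
$SqlServiceAccount = 'CORP\svc-sql'    # account running the SQL Server service
$NavPort = 7046
$SqlPort = 1433

# Map each SPN to the account that must own it.
$spns = @{
    "DynamicsNAV/${NavServer}:${NavPort}"             = $NavServiceAccount
    "DynamicsNAV/${NavServer}.${Domain}:${NavPort}"   = $NavServiceAccount
    "MSSQLSvc/${SqlServer}:${SqlPort}"                = $SqlServiceAccount
    "MSSQLSvc/${SqlServer}.${Domain}:${SqlPort}"      = $SqlServiceAccount
}

foreach ($spn in $spns.Keys) {
    $account = $spns[$spn]
    # setspn -Q searches the forest; it prints "Existing SPN found!" when the SPN is already registered.
    $query = setspn -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Host "OK      $spn is already registered:"
        $query | Where-Object { $_ -match '^CN=' } | ForEach-Object { Write-Host "        owned by $_" }
    } else {
        Write-Host "ADDING  $spn -> $account"
        setspn -A $spn $account | Out-Null
    }
}

# Verify from the account side. An SPN registered on a user account is stored on that user
# object, not on the computer object, so 'setspn -L <computer>' will not show it.
foreach ($account in ($spns.Values | Sort-Object -Unique)) {
    Write-Host "`nSPNs registered on ${account}:"
    setspn -L $account
}

# A duplicate SPN (the same SPN on two accounts) stops the KDC from issuing a ticket; the client
# falls back to NTLM, which cannot be delegated, and the second hop reaches SQL Server as
# NT AUTHORITY\ANONYMOUS LOGON. -X reports duplicates forest-wide.
Write-Host "`nChecking for duplicate SPNs:"
setspn -X
```

After the SPNs are in place, run "klist purge" on the client and on the NAV server so new Kerberos tickets are requested; cached NTLM-based sessions keep producing the anonymous logon until then.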
Microsoft support helped me here:
"In your test environment, could you please bring up adsiedit.msc from the Domain Controller and go to the user administrator, right click and bring up the properties. Find userAccountControl, double click on that and change the number to 17301504, which means TRUSTED_FOR_DELEGATION + TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, and then save it.
Please use "klist purge" on each server/PC to clear the Kerberos tickets. Then restart all the services (SQL and NAV service)."
This worked for me.
The next time I logged on with the user, it asked me to change the password. So probably best to reset the password afterwards.
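As an added example, not part of the post or of Microsoft's reply, the script below decodes the userAccountControl value 17301504 into its flag names and shows the difference between typing that number over the attribute and OR-ing the two delegation bits into the account's existing value. The flag constants are the documented userAccountControl bit values; the "before" value is a constructed one for a normal account with a non-expiring password, and the account name at the end is a placeholder.

```powershell
# Added example, not from the thread: decode userAccountControl and merge delegation bits safely.
# Documented userAccountControl bit values (subset relevant to delegation troubleshooting).
$UacFlags = @{
    ACCOUNTDISABLE                 = 0x0002
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
    NOT_DELEGATED                  = 0x100000    # "account is sensitive and cannot be delegated"
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (S4U2Self)
}

# Return the names of the flags set in a userAccountControl value, lowest bit first.
function Get-UacFlagNames([int]$Value) {
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        Sort-Object Value |
        ForEach-Object { $_.Key }
}

# OR the named flags into an existing value instead of replacing it.
function Add-UacFlags([int]$Current, [string[]]$FlagNames) {
    $result = $Current
    foreach ($name in $FlagNames) { $result = $result -bor $UacFlags[$name] }
    return $result
}

# The number from the support reply: exactly the two delegation bits and nothing else.
$fromSupport = 17301504
"17301504 sets: " + ((Get-UacFlagNames $fromSupport) -join ', ')
# -> TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION

# Constructed 'before' value for a normal account whose password does not expire (0x200 + 0x10000).
$before = 0x200 -bor 0x10000
"before:   $before sets: " + ((Get-UacFlagNames $before) -join ', ')

# Overwriting with 17301504 clears NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD; merging keeps them.
$merged = Add-UacFlags $before @('TRUSTED_FOR_DELEGATION', 'TRUSTED_TO_AUTH_FOR_DELEGATION')
"merged:   $merged sets: " + ((Get-UacFlagNames $merged) -join ', ')

# Bits dropped by a plain overwrite, for the audit trail.
$dropped = $before -band (-bnot $fromSupport)
"an overwrite would drop: " + ((Get-UacFlagNames $dropped) -join ', ')

# To apply the merged value with the ActiveDirectory module (RSAT) instead of adsiedit:
#   $acct = Get-ADUser 'svc-nav' -Properties userAccountControl          # placeholder account
#   $new  = Add-UacFlags $acct.userAccountControl @('TRUSTED_FOR_DELEGATION','TRUSTED_TO_AUTH_FOR_DELEGATION')
#   Set-ADUser $acct -Replace @{ userAccountControl = $new }
```

TRUSTED_FOR_DELEGATION is unconstrained delegation: the account can present any user's ticket to any service. For a production three-tier install the NAV service account is better configured for constrained delegation (the "Trust this user for delegation to specified services only" option, which writes msDS-AllowedToDelegateTo) listing only the MSSQLSvc SPNs of the NAV database server, so a compromise of the middle tier cannot reach other services.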