Hi,
I have installed the database (SQL) tier, NAV server tier and RTC client tier on three separate machines. While opening the RTC and connecting to the NAV server, it shows the error
'A server was not found at "net.tcp://NAVserver:7046/DynamicsNAV/Service"'. But the RTC client is also installed on the NAV server machine, where it opens correctly and connects to the database.
There is no license limitation and firewall is off in the NAV server.
I could not find the ClientUserSettings.config file either.
Any suggestion would be a great help.
Thanks
Amitava
Comments
Machine 1. NAV-SQL Database Server WIN2003(64bit)
Machine 2. Dynamics NAV Server and RTC Client WIN2003(64bit)
Machine 3. RTC Client WIN XP(32bit)
All of them are in same domain and the users have full permission.
Through the C/SIDE Classic client I am able to access the database from both Machine 2 and 3 using Windows authentication.
But the RTC only opens the database by connecting to the local Dynamics NAV Server on Machine 2. On opening the RTC on Machine 3 and trying to connect to the Dynamics NAV Server of Machine 2, the error occurs: 'A server was not found at "net.tcp://Machine 2:7046/DynamicsNAV/Service"'.
Any suggestions?
MVP - Dynamics NAV
My BLOG
NAVERTICA a.s.
Actually, when connecting from Machine 3 the NAV Server service is not started automatically, so you need to start the service first by going to services.msc via Start --> Run.
Also set the Startup Type to Automatic and then try to open the RTC.
But the firewall is off on all the machines and the NAV service is running properly on Machine 2. The RTC client on Machine 2 is connecting to the local NAV service. But the RTC client on Machine 3 is not connecting to the NAV service of Machine 2, and there is no connectivity issue...
That you can access the DB from the classic client means nothing in this case. Check the event logs on the 2nd and 3rd PC for some info about the problem, like errors or messages from the Microsoft Dynamics NAV client or Server.
Type: Microsoft.Dynamics.Nav.Types.NavServerNotFoundException
SuppressMessage: False
FatalityScope: None
Message: A server was not found at "net.tcp://Machine 2:7046/DynamicsNAV/Service". Either the URL is incorrect or the server is currently not available.
StackTrace:
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnection()
at Microsoft.Dynamics.Nav.Client.FormBuilder.BuilderSession.Initialize()
at Microsoft.Dynamics.Framework.UI.UISession.Initialize()
at Microsoft.Dynamics.Framework.UI.Windows.ClientSessionBase.SetupUISession()
at Microsoft.Dynamics.Framework.UI.Windows.ClientSessionBase.Init()
at Microsoft.Dynamics.Nav.Client.Program.MainCore(String[] args)
at Microsoft.Dynamics.Nav.Client.Program.Main(String[] args)
Source: Microsoft.Dynamics.Nav.Client.ServiceConnection
Type: System.ServiceModel.Security.SecurityNegotiationException
Message: A call to SSPI failed, see inner exception.
StackTrace:
Server stack trace:
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryGetChannel()
at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryWait(TChannel& channel)
at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.TryGetChannel(Boolean canGetChannel, Boolean canCauseFault, TimeSpan timeout, MaskingMode maskingMode, TChannel& channel)
at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.TryGetChannelForOutput(TimeSpan timeout, MaskingMode maskingMode, TChannel& channel)
at System.ServiceModel.Channels.ReliableChannelBinder`1.Send(Message message, TimeSpan timeout, MaskingMode maskingMode)
at System.ServiceModel.Channels.SendReceiveReliableRequestor.OnRequest(Message request, TimeSpan timeout, Boolean last)
at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout)
at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ClientReliableDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Dynamics.Nav.Types.INavService.OpenConnection(ConnectionRequest connectionRequest)
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
Source: mscorlib
Type: System.Security.Authentication.AuthenticationException
Message: A call to SSPI failed, see inner exception.
StackTrace:
at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
Source: System
Type: System.ComponentModel.Win32Exception
NativeErrorCode: -2146893022
ErrorCode: -2147467259
Message: The target principal name is incorrect
For more information, see Help and Support Center at
As you can see on the last line, "Target principal name" is incorrect. It seems that there is no correct SPN for the service. For more see the blogs and MSDN documentation about NAV server and SPN.
I am a NAV newbie (so I do this several times a day), but don't you have to set up delegation in order to use the 2nd tier (application server) for an RTC connection from a different computer? It seems to be crucial which account you use to run the service on tier 2.
http://msdn.microsoft.com/en-us/library/dd568720.aspx
PO
No PM, please use the forum. || May the <SOLVED>-attribute be in your title!
I just added the line <add key="DelegationInfo" value="DomainUser" />
in the ClientUserSettings file of the client and created SPNs for both the NAV and SQL services.
For a normal user it is still showing a permission error (not the previous one), but as a domain admin it actually connects from the RTC client tier to the NAV service tier, and then throws a "login failed" error while connecting from the NAV service tier to the SQL database tier.
Any idea about the minimum domain user permissions required for the RTC client tier to connect to the NAV service tier, and for the NAV service tier to connect to the SQL database tier? Both the NAV and SQL services are using a domain admin account as login.
I think we are very close to the solution; thanks in advance.
Amitava.
2) You need to have the correct NAV permissions set for the user who runs the RTC (you can set them through the classic client, under Windows Logins).
But I am talking about the Windows domain permissions required for the domain user using the RTC client to access the SQL database tier through the NAV service tier. The NAV permission is already set to 'Super'.
Type: Microsoft.Dynamics.Nav.Types.Exceptions.NavSCOpenConnectionException
SuppressMessage: False
FatalityScope: None
Message: The login failed when connecting to SQL Server JSQL01.
StackTrace:
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnection()
at Microsoft.Dynamics.Nav.Client.Forms.ChangeServiceTierForm.ConnectToUrl(String url)
Source: Microsoft.Dynamics.Nav.Client.ServiceConnection
Type: Microsoft.Dynamics.Nav.Types.NavDatabasePasswordException
SuppressMessage: False
FatalityScope: None
Message: The login failed when connecting to SQL Server JSQL01.
StackTrace:
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnection()
Source: Microsoft.Dynamics.Nav.Client.ServiceConnection
Type: Microsoft.Dynamics.Nav.Types.NavDatabasePasswordException
SuppressMessage: False
FatalityScope: None
Message: The login failed when connecting to SQL Server JSQL01.
StackTrace:
at Microsoft.Dynamics.Nav.Runtime.NavRuntimeAdapter.ErrorHandler(Int32 errorCode, Int32 errorNumber, Int32 moduleNumber, String errorText)
at Microsoft.Dynamics.Nav.Runtime.NativeMethods.AdapterOpenConnection(IntPtr databaseHandle, String serverName, NetProtocolType netType, String databaseName, Int32 clientConnectionType, DeadConnectionHandler deadConnectionHandler)
at Microsoft.Dynamics.Nav.Runtime.NavConnection.Open()
at Microsoft.Dynamics.Nav.Service.NSService.CreateConnection(NavEnvironment parent, Guid connectionId, ConnectionType connectionType)
at Microsoft.Dynamics.Nav.Service.NSService.<>c__DisplayClass4.<OpenConnection>b__3(Connection connection)
at Microsoft.Dynamics.Nav.Service.NSService.ExecuteOperation[T](String operationName, ServiceOperation`1 operation, Connection connection, WindowsIdentity impersonationIdentity)
Source: Microsoft.Dynamics.Nav.Ncl
Additional Exception
Type: Microsoft.Dynamics.Nav.Types.NavCloseConnectionException
Message: The connection to the server has been lost. The application will close.
StackTrace:
at Microsoft.Dynamics.Nav.Client.ServiceConnection.CloseConnection()
at Microsoft.Dynamics.Nav.Client.ServiceConnection.CleanupConnection(Exception originatingException)
Source: Microsoft.Dynamics.Nav.Client.ServiceConnection
Type: Microsoft.Dynamics.Nav.Types.NavConnectionLostException
Message: The connection to the server has been lost. The application will close.
StackTrace:
at Microsoft.Dynamics.Nav.Client.ConnectionStateManager.HandleCommunicationFailure[T](CallServerMethod`1 callServerMethod, Exception e, Int32 messageNumber)
at Microsoft.Dynamics.Nav.Client.ConnectionStateManager.CallServer[T](CallServerMethod`1 callServerMethod)
at Microsoft.Dynamics.Nav.Client.ServerInvocationHandler.CallServer[T](CallServerMethod`1 callServerMethod)
at Microsoft.Dynamics.Nav.Client.ServiceConnectionBase.CallServer[T](CallServerMethod`1 callServerMethod)
at Microsoft.Dynamics.Nav.Client.ServiceConnectionBase.CallServer(CallServerMethod callServerMethod)
at Microsoft.Dynamics.Nav.Client.ServiceConnection.CloseConnection()
Source: Microsoft.Dynamics.Nav.Client.ServiceConnection
Type: System.ServiceModel.FaultException
Action: http://schemas.microsoft.com/net/2005/1 ... cher/fault
Message: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
StackTrace:
Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Dynamics.Nav.Types.INavService.CloseConnection()
at Microsoft.Dynamics.Nav.Client.ServiceConnection.<CloseConnection>b__3()
at Microsoft.Dynamics.Nav.Client.ServiceConnectionBase.<>c__DisplayClass1.<CallServer>b__0()
at Microsoft.Dynamics.Nav.Client.ServerCallContext`1.InvokeCall(Object instance)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [1]:
at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
at System.Threading.WaitCallback.EndInvoke(IAsyncResult result)
at Microsoft.Dynamics.Nav.Client.ServerInvocationManager.CallServer[T](CallServerMethod`1 callServerMethod)
at Microsoft.Dynamics.Nav.Client.ServerInvocationHandler.CallServer[T](CallServerMethod`1 callServerMethod)
at Microsoft.Dynamics.Nav.Client.ConnectionStateManager.CallServer[T](CallServerMethod`1 callServerMethod)
Source: mscorlib
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I have defined required SPNs for the user account of NAV Service (10.10.5.13) and SQL Service (10.10.5.11).
Now it is connecting from RTC Client machine (10.10.5.112) to NAV Server. But while connecting from NAV Service Tier to SQL Service Tier it is showing the following error entry in the event log of SQL server:
'Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. [CLIENT: 10.10.5.13]'
I guess it is not delegating the login info from client to SQL through NAV server.
Any suggestion...
We are experiencing the same problem.
The problem only arises when we connect from a third computer. When we start the RTC on the service tier server there is no problem.
Our info:
We checked the SPN by using the command "setspn domainuser" and get output like:
WS08-****-T_DynamicsNAV/WS08-****-T:7046
WS08-****-T_DynamicsNAV/WS08-****-T.domainx.be:7046
MSSQLSvc/WS08-****-DB1.domainx.be:53931
MSSQLSvc/WS08-****-DB1.domainx.be:1433
MSSQLSvc/WS08-****-DB1.domainx.be
MSSQLSvc/WS08-****-DB1.domainx.be:59873
So this seems to be OK to me?
We added the tag <add key="DelegationInfo" value="DomainUser" /> at client side.
Trying to connect we get logon failed exactly as above (anonymous).
When we check the security log (service tier) we can see the following event on every attempt of connection:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 27/05/2009 9:29:16
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WS08-****-T.domainx.be
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2009-05-27T07:29:16.137Z" />
<EventRecordID>14207</EventRecordID>
<Correlation />
<Execution ProcessID="732" ThreadID="828" />
<Channel>Security</Channel>
<Computer>WS08-****-T.domainx.be</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">
</Data>
<Data Name="TargetDomainName">
</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
So it seems to me that the client is not sending its user? Or how must we interpret this message?
Thanks!
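The 4625 event above, worked through as an added example (not code from the thread or from Microsoft): a parser for the Event XML and a triage step that reads the fields that matter here, the Kerberos network logon with a NULL SID and an empty target account. The sample event and its host name are constructed to mirror the posted one.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4625 event with the same shape as the one posted above:
# Kerberos network logon, NULL SID, empty target account, no source address.
EVENT_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <Computer>navserver.example.invalid</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName"></Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>"""

# NTSTATUS codes that appear in the Status / SubStatus fields of 4625.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000064": "STATUS_NO_SUCH_USER",
    "0xc000006e": "STATUS_ACCOUNT_RESTRICTION",
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc0000193": "STATUS_ACCOUNT_EXPIRED",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}


def parse_4625(xml_text):
    """Return the EventData fields of a 4625 event as a dict (plus Computer)."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4625":
        raise ValueError(f"expected event 4625, got {event_id}")
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields


def triage_4625(fields):
    """Classify a 4625 and return (category, notes) for the analyst."""
    status = fields.get("Status", "").lower()
    sub = fields.get("SubStatus", "").lower()
    notes = [f"Status {status} = {NTSTATUS.get(status, 'unknown')}",
             f"SubStatus {sub} = {NTSTATUS.get(sub, 'unknown')}"]
    no_identity = (fields.get("TargetUserSid") == "S-1-0-0"
                   and not fields.get("TargetUserName"))
    kerberos_network = (fields.get("AuthenticationPackageName") == "Kerberos"
                        and fields.get("LogonType") == "3")
    if kerberos_network and no_identity:
        notes.append("Kerberos network logon carried no account identity: the "
                     "caller could not present a usable ticket for this host, "
                     "so check the SPN and delegation setup before passwords")
        return "kerberos_network_logon_no_identity", notes
    if no_identity:
        return "anonymous_logon_failure", notes
    if sub == "0xc0000064":
        return "unknown_user", notes
    if sub == "0xc000006a":
        return "bad_password", notes
    return "logon_failure", notes


if __name__ == "__main__":
    category, notes = triage_4625(parse_4625(EVENT_4625))
    print(category)
    for note in notes:
        print(" -", note)
```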
http://msdn.microsoft.com/en-us/library/dd568720.aspx
/Claus
Program Manager
Microsoft Dynamics NAV
The delegation was/is setup in AD on the user that runs the Service Tier, we added all the SQL server services just to be sure. We rechecked this, but this does not seem to be the problem. Is there a way to check at which level something goes wrong?
Is the account which the Service Tier is running under marked as "Sensitive for delegation"? And what happens if you allow the Service Tier to delegate to any machine in the domain as opposed to a specific SPN?
Amitava
We enabled the option for all services instead of specifying the individual services, but to no avail. The problem remains the same; the error messages/log are the same.
Is there a way to check if the SPN is set up correctly (setspn command)? The output for the user seems to be OK, but I would like to check that it is working properly.
Thanks.
Further to reading Claus' link, I would check the following (it sounds like you already did some of this, but I’ll give you my complete list):
The machine name in the SPN must match the Server key in the ClientUserSettings.config file - both must be either netbios (e.g. mymachine) or fully qualified machine names (e.g. mymachine.corp.domain.com). Use setspn -l domain\username to see the SPNs for your NAV service user.
The ServerInstance key in ClientUserSettings.config must match the service's CustomSettings.config key, and also the instance name part of the SPN. Likewise the port (default is 7046) in the config files and SPN.
The NAV service user account must be trusted to present delegated credentials to the SQL Server service account in Active Directory. If you followed the walkthrough, they will both be the same account. Otherwise check the service account on the SQL machine. In the AD snap in, on the properties of the NAV service user account, in the delegation tab, you should be able to see MSSQLSvc.
If you have multiple DNS lookup zones in your domain, check the DNS suffix append order. You can find this in the advanced TCP/IP settings of your network adaptor under DNS. The primary DNS suffix should match that used in the SPN etc.
The DelegationInfo key must be present in the ClientUserSettings.config file of every user account which accesses the RTC. This key is not in the config file by default.
After making any configuration changes please restart the NAV service and ensure Kerberos tickets are purged on the client machine (either by logging off or by using the klist command line utility). Sometimes you can have a good config, but still have a bad ticket.
Alex
We rechecked all, but all seem to be set according to the spec. Rebooted our servers. But still receive the same error messages.
- that the clocks are synchronised across all machines
- the client account is not marked as sensitive for delegation
- that you do not have duplicate SPNs (see http://technet.microsoft.com/en-us/library/cc772897(WS.10).aspx)
- all the domain controllers are at the same domain functional level
For more detailed instructions on Kerberos troubleshooting please refer to this guide: http://technet.microsoft.com/en-us/library/cc786325(WS.10).aspx.
Finally http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177 describes how to enable Kerberos event logging, which should give you a little more information to go on.
Alex
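A small checker for the points in Alex's two lists above: the SPN must match the Server, ServerInstance and port keys of ClientUserSettings.config in the same name form (netbios or FQDN), DelegationInfo must be present, and no SPN may be registered on two accounts. This is an added example, not code from the thread or from Dynamics NAV; the key name ClientServicesPort, the SPN layout ServerInstance/host:port, and all host and account names are assumptions, and the inputs are constructed text in the shape of `setspn -l` output rather than live directory queries.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ClientUserSettings.config fragment (hypothetical host name).
CLIENT_CONFIG = """<configuration>
  <appSettings>
    <add key="Server" value="navserver" />
    <add key="ClientServicesPort" value="7046" />
    <add key="ServerInstance" value="DynamicsNAV" />
  </appSettings>
</configuration>"""

# Constructed `setspn -l` output for the NAV service account: the SPN was
# registered with the FQDN, while the config above uses the netbios name.
SETSPN_NAV = """Registered ServicePrincipalNames for CN=navsvc,OU=Svc,DC=domainx,DC=be:
    DynamicsNAV/navserver.domainx.be:7046
    MSSQLSvc/sqlserver.domainx.be:1433"""

# Constructed output for the SQL service account, which holds the same
# MSSQLSvc SPN: a duplicate SPN, the situation found later in the thread.
SETSPN_SQL = """Registered ServicePrincipalNames for CN=sqlsvc,OU=Svc,DC=domainx,DC=be:
    MSSQLSvc/sqlserver.domainx.be:1433"""


def parse_client_config(xml_text):
    """Return the <add key=... value=...> entries as a dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value") for a in root.iter("add")}


def parse_setspn(text):
    """Return the SPNs listed by `setspn -l`, skipping the header line."""
    return [line.strip() for line in text.splitlines()[1:] if line.strip()]


def is_fqdn(host):
    return "." in host


def check_client_against_spns(config, spns):
    """Return findings for the client config vs. the NAV account's SPNs."""
    findings = []
    server = config.get("Server", "")
    instance = config.get("ServerInstance", "")
    port = config.get("ClientServicesPort", "7046")  # 7046 is the default
    if "DelegationInfo" not in config:
        findings.append("DelegationInfo key missing from ClientUserSettings.config")
    expected = f"{instance}/{server}:{port}"
    if expected in spns:
        return findings
    findings.append(f"no SPN {expected} registered for the NAV service account")
    # Say why: a name-form (netbios vs FQDN) or port mismatch on an SPN
    # that otherwise belongs to this instance.
    for spn in spns:
        m = re.fullmatch(r"([^/]+)/([^:]+)(?::(\d+))?", spn)
        if not m or m.group(1) != instance:
            continue
        host, spn_port = m.group(2), m.group(3) or "7046"
        if is_fqdn(host) != is_fqdn(server):
            form = "an FQDN" if is_fqdn(host) else "a netbios name"
            findings.append(f"{spn} uses {form} but the Server key is '{server}'")
        if spn_port != port:
            findings.append(f"{spn} uses port {spn_port}, config says {port}")
    return findings


def find_duplicate_spns(spns_by_account):
    """Return SPNs registered on more than one account."""
    owners = {}
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners.setdefault(spn, set()).add(account)
    return sorted(spn for spn, accts in owners.items() if len(accts) > 1)


def run_checks():
    """Run all checks over the constructed inputs and return the findings."""
    config = parse_client_config(CLIENT_CONFIG)
    nav_spns = parse_setspn(SETSPN_NAV)
    findings = check_client_against_spns(config, nav_spns)
    dupes = find_duplicate_spns({"navsvc": nav_spns,
                                 "sqlsvc": parse_setspn(SETSPN_SQL)})
    return findings + [f"duplicate SPN {s} on more than one account" for s in dupes]


if __name__ == "__main__":
    for finding in run_checks():
        print("-", finding)
```

Restart the NAV service and purge the client's Kerberos tickets after fixing anything the checker reports, as the post above notes, since a stale ticket can outlive a corrected configuration.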
There was a duplicate for the SPN (SQL Server) and we had to contact our domain admin to resolve this, but the logon still does not succeed.
We enabled the Kerberos logging and found a new error (service tier):
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 14:48:56.0000 6/8/2009 Z
Error Code: 0x1b Unknown Error
Extended Error:
Client Realm:
Client Name:
Server Realm: MyDomain.BE
Server Name: MyName@MyDomain.BE
Target Name: MyName@MyDomain.BE@MyDomain.BE
Error Text:
File: 9
Line: d86
Error Data is in record data.
As I interpret this, there are several things wrong. The server name contains the username and not the server name, and the format of the target name is also very weird. Does anyone have an idea what the cause can be?
In the event logs in my test environment the Server Realm, Server Name and Target Name have the same format, so I believe they are correct.
Unfortunately the Kerberos error you got is not very informative. Since I have never seen this, it is likely that it does not stem from any of the problems we have already discussed. Is your environment part of a multi-domain forest?
Are you able to enable Kerberos event logging on the domain controller(s)? This may yield a more useful error message.
I'm also curious whether, when you open the Role Tailored Client, a Kerberos ticket is actually issued. Try using kerbtray to list tickets on the client and determine whether a delegatable DynamicsNAV ticket is issued. kerbtray is available here: http://www.microsoft.com/downloads/details.aspx?FamilyID=4E3A58BE-29F6-49F6-85BE-E866AF8E7A88&displaylang=en
Alex