Creating more logins for a webservice

AlexWiley Member Posts: 230
edited 2010-03-22 in NAV Three Tier
Three tiers. RTC and webservices can be accessed on the middle tier.

Outside the middle tier, we can only access the webservices by signing in as the administrator (Login: [domain]\administrator) of the middle tier machine. No other logins work, we have added a tremendous list of SPNs. We cannot find a 'Delegation' tab mentioned in previous posts. The site has been added to 'trusted sites' in IE. Best Practice Analyzer in NAV is not giving us anything to work with.

SPNs, in case they are important for analysis (DEVNAV0 is the service tier box):

Registered ServicePrincipalNames for CN=DEVNAV0,CN=Computers,DC=mynewplace,DC=local:
HTTP/DEVNAV0.nph.[domain] nph\DEVNAV0
[domain]/DEVNAV0
[domain]/DEVNAV0:7047
[domain]/DEVNAV0.[domain]:7047
HTTP/DEVNAV0.[domain]\DEVNAV0
HTTP/DEVNAV0.[domain].local:7047
DynamicsNAV/DEVNAV0.[domain].local:7046
HTTP/DEVNAV0.[domain].local
HTTP/DEVNAV0
WSMAN/DEVNAV0
WSMAN/DEVNAV0.[domain].local
TERMSRV/DEVNAV0
TERMSRV/DEVNAV0.[domain].local
HOST/DEVNAV0
HOST/DEVNAV0.[domain].local

Comments

  • rdebath Member Posts: 383
    If you can't find the delegation tab, it probably means that your domain functional level isn't 2003 or later; this is the default with a 2003 PDC. Note the warnings about increasing it.

    Edit
    Below are the SPNs from a working 3 tier system (RTC and WS) using RTC and service tier with build 30286. You do need a post v6 SP1 build as there have been significant fixes and the SPNs have changed.
    Registered ServicePrincipalNames for CN=NAVSYS,CN=Users,DC=ttnav,DC=local:
        http/tt-st.ttnav.local
        http/tt-st.ttnav.local:7047
        MSSQLSvc/TT-DB
        http/TT-ST:7047
        MSSQLSvc/TT-DB:1433
        DynamicsNAV/TT-ST:7046
        MSSQLSvc/TT-DB.ttnav.local:1433
        DynamicsNAV/TT-ST.ttnav.local:7046
    

    The full name of the domain is "ttnav.local" and the DC's name is tt-dc.ttnav.local.
    I'm not 100% sure that all the SPNs are needed but most of them appear to be.
    The delegation is: "MSSQLSvc TT-DB.ttnav.local 1433 "

    Edit 2
    The webservice URL format has changed too.
    http://tt-st.ttnav.local:7047/DynamicsNAV/WS/CRONUS%20UK%20Ltd./Page/Customer
    
  • AlexWiley Member Posts: 230
    Thanks for this information Robert, it is very helpful. Do the new SPNs and web service address you listed pertain to the post-SP1 build? Where is that available? This would all involve updating the database, reinstalling the service tier, and the clients, so it is not the most timely solution if another one is available; we can access the web service with the administrator login, so we are very close, we just need to be able to get other users to access it as well.
  • rdebath Member Posts: 383
    I just checked the version for SP1 and I have 6.0.29626.0, that's after KB968189 that changes the SPNs from their original (build 28795). So I think the SPNs should be the same for that version.

    One thing I have not come across is different requirements for admin vs. non-admin users. Which suggests you still don't have the correct SPNs and are probably running the service tier as the same admin user. If you are, then your admin login would be using a two-tier authentication, not three-tier. You may also need your equivalent of the SPN "http/TT-ST", the computer name without domain or port number.

    One thing I would mention is that I'm having trouble setting this up on our real internal domain. It was working at one point but then failed again to the point where I spent several hours on it before more important things took over. So at the moment only 'Three tiers on two machines' is working in that domain (which is easy to get working).

    The updates I've mentioned are available at

    https://mbs.microsoft.com/knowledgebase/search.aspx
    http://support.microsoft.com/hotfix/KBH ... num=123456

    The first is the KB search, the second is downloading the KB fixes by KB number; it looks like you have to be logged in to access them. I don't know offhand if they are 'customer source' or 'partner source', but really the partner should be involved in installing anything like this.

    At the moment setting up a three-tier system is very much a moving target; if this is a customer system, as you're hinting, I would strongly suggest getting Microsoft directly involved in the setup.
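Editor's added example (not code from the thread, from rdebath, or from Dynamics NAV): a small checker that reads `setspn -L` style output, flags entries that are not well-formed `serviceclass/host[:port][/name]` SPNs, and reports which of the service-tier SPNs rdebath's working list shows (HTTP short/FQDN with and without the 7047 web service port, DynamicsNAV short/FQDN on 7046, plus the `http/TT-ST` entry he mentions in his later reply) are missing. The first sample is constructed from the original poster's list with the redacted `[domain]` replaced by `example.local`; the second is rdebath's list as posted. The "required" set is an assumption taken from the thread, not an official NAV requirement, and SPN comparison is treated as case-insensitive here.

```python
import re

# SPN grammar as Active Directory expects it: serviceclass/host[:port][/servicename]
SPN_RE = re.compile(
    r"^(?P<cls>[A-Za-z0-9_-]+)/(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?(?:/(?P<name>[^/\s]+))?$"
)

# Service classes seen in the thread for a NAV three-tier setup, plus the Windows
# defaults that setspn -L also prints for a computer account.
KNOWN_CLASSES = {"http", "dynamicsnav", "mssqlsvc", "host", "wsman", "termsrv"}


def parse_setspn_output(text):
    """Return (account_dn, [spn, ...]) from 'setspn -L' style output: the header line
    names the account, every following non-empty line is one SPN."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header, spns = lines[0], lines[1:]
    m = re.match(r"Registered ServicePrincipalNames for (.+):$", header)
    return (m.group(1) if m else None), spns


def check_spn_syntax(spn):
    """Return a list of problems with one SPN string; an empty list means well-formed."""
    problems = []
    if any(c.isspace() for c in spn):
        problems.append("contains whitespace (two entries run together?)")
    if "\\" in spn:
        problems.append("contains a backslash; SPN parts are separated by '/'")
    m = SPN_RE.match(spn)
    if not m:
        problems.append("does not match serviceclass/host[:port][/name]")
        return problems
    if m.group("cls").lower() not in KNOWN_CLASSES:
        problems.append(f"unexpected service class {m.group('cls')!r}")
    return problems


def required_service_tier_spns(host, fqdn, ws_port=7047, rtc_port=7046):
    """Service-tier SPNs reported as working in the thread (assumption: this is the
    full set; ports are the NAV defaults quoted there)."""
    return {
        f"HTTP/{host}", f"HTTP/{fqdn}",
        f"HTTP/{host}:{ws_port}", f"HTTP/{fqdn}:{ws_port}",
        f"DynamicsNAV/{host}:{rtc_port}", f"DynamicsNAV/{fqdn}:{rtc_port}",
    }


def audit(text, host, fqdn):
    """Audit one account's SPN list: malformed entries and missing service-tier SPNs."""
    account, spns = parse_setspn_output(text)
    syntax = {s: check_spn_syntax(s) for s in spns}
    malformed = {s: p for s, p in syntax.items() if p}
    present = {s.lower() for s, p in syntax.items() if not p}  # case-insensitive match
    missing = sorted(r for r in required_service_tier_spns(host, fqdn)
                     if r.lower() not in present)
    return {"account": account, "malformed": malformed, "missing": missing}


# Constructed sample modelled on the original poster's list ([domain] -> example.local).
SAMPLE_OP = """Registered ServicePrincipalNames for CN=DEVNAV0,CN=Computers,DC=example,DC=local:
HTTP/DEVNAV0.nph.example.local nph\\DEVNAV0
example.local/DEVNAV0
example.local/DEVNAV0:7047
HTTP/DEVNAV0.example.local\\DEVNAV0
HTTP/DEVNAV0.example.local:7047
DynamicsNAV/DEVNAV0.example.local:7046
HTTP/DEVNAV0.example.local
HTTP/DEVNAV0
HOST/DEVNAV0
HOST/DEVNAV0.example.local
"""

# rdebath's working list, as posted in the thread.
SAMPLE_WORKING = """Registered ServicePrincipalNames for CN=NAVSYS,CN=Users,DC=ttnav,DC=local:
http/tt-st.ttnav.local
http/tt-st.ttnav.local:7047
MSSQLSvc/TT-DB
http/TT-ST:7047
MSSQLSvc/TT-DB:1433
DynamicsNAV/TT-ST:7046
MSSQLSvc/TT-DB.ttnav.local:1433
DynamicsNAV/TT-ST.ttnav.local:7046
"""

if __name__ == "__main__":
    for label, text, host, fqdn in (
        ("original poster", SAMPLE_OP, "DEVNAV0", "DEVNAV0.example.local"),
        ("working system", SAMPLE_WORKING, "TT-ST", "tt-st.ttnav.local"),
    ):
        r = audit(text, host, fqdn)
        print(f"== {label}: {r['account']}")
        for spn, probs in r["malformed"].items():
            print(f"  malformed {spn!r}: {'; '.join(probs)}")
        for spn in r["missing"]:
            print(f"  missing   {spn}")
```

Run against the poster's list it flags the four entries that are not valid SPNs (a backslash or a DNS domain where the service class belongs) and reports the short-name SPNs with ports as absent; against rdebath's list the only gap is `HTTP/TT-ST`, the very entry he suggests in his follow-up. The script only checks one account's own list, so it cannot see an SPN registered twice on different accounts, which also breaks Kerberos; `setspn -X` is the tool for that on the domain side.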