RTC 2 Tier Issue: "NT AUTHORITY\ANONYMOUS LOGON"

Mallikarjuna Member Posts: 64
edited 2010-07-08 in NAV Three Tier
Hello All,

We are implementing RTC in a 2-tier environment. The 2-tier details are as follows:

Server Machine Details:
Windows 2003 Server Enterprise SP1 with Active Directory installed
SQL 2005 Developer Edition
Visual Studio 2005
NAV 2009 SP1 (Installed with the option Install Demo)
Dynamics NAV Server Service is running on "NT AUTHORITY\NETWORK SERVICE"

Client Machine(s):
Windows XP SP2 (With Addin Installed)
NAV 2009 SP1 (Installed with the option Install Demo)
Which account should the Dynamics NAV Server service run under: "NT AUTHORITY\NETWORK SERVICE" or Local System?

All the machines (server and clients) are in the same domain. The firewall is off on all the machines. On the server machine I am able to open C/SIDE and RTC without any issue.

On the client machine(s) I am able to open C/SIDE without any problem, but when I try to open RTC I get the following error:
The Microsoft Dynamics NAV Server cannot connect the Change Listener to SQL Server because of the following error: Login failed for user "NT AUTHORITY\ANONYMOUS LOGON".


If anybody has any feedback/suggestion/solution for the above issue, please give some time to this...

Thanks in Advance...
Mallikarjuna

Answers

  • AdrianAkers Member Posts: 137
    Normally I try to set all the tiers up running under a dedicated service account. Some of the Microsoft documentation below may help you. Also do File->Database->Alter in the Classic Client. On the Options tab ensure that "Enable for Microsoft Dynamics NAV Server" is ticked.
    Microsoft Dynamics NAV Documentation
    Walkthrough: Installing the Three Tiers on Three Computers

    Microsoft Dynamics NAV 2009 introduces a new three-tier RoleTailored architecture that improves the security, scalability, and flexibility of Microsoft Dynamics NAV. For details, see RoleTailored Architecture. In this walkthrough, you will install the new architecture in a production environment on three computers:

    Computer    Installed operating system and software                                                                          Tier
    NAVSQL      Server computer running Windows Server 2008 or Windows Server 2003, and Microsoft SQL Server 2008 or SQL Server 2005   Database tier
    NAVSERV     Server computer running Windows Server 2008 or Windows Server 2003 and Microsoft Dynamics NAV Server                   Server (middle) tier
    NAVCLIENT   Client computer running Windows Vista                                                                                  Client tier


    The key characteristic of this walkthrough is that the client, Microsoft Dynamics NAV Server, and SQL Server are installed on separate computers. In a production environment, you may have multiple computers running SQL Server, multiple computers running Microsoft Dynamics NAV Server, and multiple computers running the RoleTailored client. But as long as you do not install multiple Microsoft Dynamics NAV tiers on the same computer, the procedures and issues presented in this walkthrough are relevant.

    For information about the steps involved in installing both Microsoft Dynamics NAV Server and SQL Server on a single computer, see Walkthrough: Installing the Three Tiers On Two Computers.

    Domain User Account vs. Network Service
    In this walkthrough, both the SQL Server service and the Microsoft Dynamics NAV Server service use a single domain user account. This is not a requirement for three-tier-on-three-computer configurations.

    In the three-tiers-on-two computers walkthrough (Walkthrough: Installing the Three Tiers On Two Computers), the SQL Server service uses a domain user account, but the Microsoft Dynamics NAV Server service uses the default account, which is the Network Service account.

    Security Note
    You can use the Network Service account for the Microsoft Dynamics NAV Server service—this is in fact how Setup installs the Microsoft Dynamics NAV Server. This alternative is considered less secure because the Network Service account is a shared account which might be used by other, unrelated, network services. Any users who have rights to this account have rights to all services running on this account. Running the Microsoft Dynamics NAV Server service under a dedicated domain user account is more secure but does require additional work by a domain administrator. For more information, see Configuring for a Domain User Account.


    About This Walkthrough
    After completing this walkthrough, you will have a functioning three-tier installation on three computers. The installation uses the Microsoft Dynamics NAV Demo database, containing the CRONUS International Ltd. demo company.

    This walkthrough illustrates the following tasks:

    Installing the Microsoft Dynamics NAV database components

    Installing Microsoft Dynamics NAV Server

    Configuring for a domain user account

    Enabling the Object Change Listener

    Giving the Domain user account permissions for the server folder

    Installing the RoleTailored client

    Setting up delegation

    Prerequisites
    To complete this walkthrough, you need three computers that are configured as described in the introduction.

    For information on installing Microsoft SQL Server, see Installation Considerations for Microsoft SQL Server. (Specific SQL Server configuration issues are, however, covered at the appropriate location in the walkthrough.)

    For more information about configuring these computers according to Microsoft Dynamics NAV 2009 security best practices, see the Microsoft Dynamics NAV 2009 Security Hardening Guide.

    You must also have the setspn command-line tool installed on your server. In Windows Server 2008, the setspn tool is included if you have installed the Active Directory Domain Services server role. In Windows Server 2003, you must download the Windows Server 2003 Service Pack 2 32-bit Support Tools to get the setspn tool.

    Story
    A system implementer wants to install Microsoft Dynamics NAV 2009 to take advantage of the new three-tier architecture. She has already installed SQL Server on one server computer, and will install the Microsoft Dynamics NAV database components and the sample database on that same server computer. She will then install Microsoft Dynamics NAV Server on a separate server computer. Finally, she will install the RoleTailored client on a Windows Vista client computer.

    Installing the Microsoft Dynamics NAV Database Components
    Run Microsoft Dynamics NAV 2009 Setup and select the Database Components option to configure SQL Server to work with Microsoft Dynamics NAV 2009. This option also installs the Microsoft Dynamics NAV demo database, which contains the CRONUS International Ltd. company.

    To install the Microsoft Dynamics NAV database components and the demo database
    Insert the Microsoft Dynamics NAV 2009 DVD in the drive of NAVSQL, the server where Microsoft SQL Server is already installed.

    On the startup page, under Install, click Microsoft Dynamics NAV.

    On the Welcome page, click Next.

    To accept the license terms, click I accept.

    On the Microsoft Dynamics NAV 2009 Installer page, click Choose an installation option.

    On the Choose an installation option page, click Database Components.

    The demo database is included as part of this option.

    On the Specify parameters page, click Install.

    After the installation is complete, click Close to exit Setup.

    Installing Microsoft Dynamics NAV Server
    The next step is to install Microsoft Dynamics NAV Server on NAVSERV, which is the second server computer. This is a different server computer from the one where you installed SQL Server and the Microsoft Dynamics NAV database components.

    To install Microsoft Dynamics NAV Server
    Insert the Microsoft Dynamics NAV DVD into the drive of NAVSERV.

    On the startup page, under Install, click Microsoft Dynamics NAV.

    On the Welcome page, click Next.

    To accept the license terms, click I accept.

    On the Microsoft Dynamics NAV 2009 Installer page, click Choose an installation option.

    On the Choose an installation option page, click Server.

    On the Specify parameters page, click Server to open the Installation Parameters pane.

    In the SQL Server field, type NAVSQL, which is the name of the computer running SQL Server.

    In the SQL Database field, type Demo Database NAV (6-0).

    This is the Microsoft Dynamics NAV Demo database, containing the CRONUS International Ltd. demo company.

    Click Apply to save the Microsoft Dynamics NAV Server settings.

    Click Install to start installing software.

    After the installation is complete, click Close to exit Setup.

    Configuring for a Domain User Account
    The procedures in this section are necessary only when the logon for Microsoft Dynamics NAV Server is a domain user account (rather than the NETWORK SERVICE account). You can only perform these actions if you have domain administrator privileges.

    The steps involved in creating a domain user account, using the Active Directory Users and Computers utility (dsa.msc), are part of the Active Directory documentation, which is included in the Windows Server documentation.

    Raising the Domain Functional Level
    After you create the domain user account, you must verify that the Domain Functional Level of your domain is at Windows Server 2003 level or higher.

    Caution
    Do not raise the domain functional level if you have, or will have, any Windows NT 4.0 or earlier domain controllers. As soon as the domain functional level is raised to Windows 2000 native or Windows Server 2003, it cannot be changed back to a Windows 2000 mixed domain.


    To determine if the functional level of your domain is at Windows Server 2003 level (or higher), and to raise it if it is not, follow these steps:

    Choose Run from the Start menu in Windows, type dsa.msc and then press ENTER.

    This opens the Active Directory Users and Computers utility. This utility is part of Windows Server 2003 or Windows Server 2008.

    Right-click the domain where Microsoft Dynamics NAV is installed and click Raise Domain Functional Level.

    If the level is Windows Server 2003 or higher, you can exit the utility. Otherwise, continue to the final step.

    Under Select an available domain functional level, click Windows Server 2003, and then click Raise.

    Change the Logon Account for the Microsoft Dynamics NAV Server Service and the SQL Server Service
    Change the logon account for the Microsoft Dynamics NAV Server service and the SQL Server service to use your domain user account. For information about how to configure Windows Services, see How to: Configure Windows Services.

    Note
    As described in How to: Configure Windows Services, you should actually use different tools to configure the respective services: use the Services tool from Windows Control Panel for the Microsoft Dynamics NAV Server service, and use the SQL Server Configuration Manager tool for the SQL Server service. This ensures that the permissions required for the SQL Server service account are granted.


    Enabling the Object Change Listener
    The Object Change Listener (OCL) component of Microsoft Dynamics NAV Server monitors the database for changes that are made to application objects, such as adding a new field to a page. If OCL cannot start because of permissions errors, then you cannot connect clients to the server. When you try to start the RoleTailored client, you see a message that specifies "Cannot connect the Change Listener to SQL Server." For further details, see Enabling the Object Change Listener.

    To enable and assign minimum permissions for the Object Change Listener
    Open SQL Server Management Studio and connect to your SQL Server instance.

    On the File menu, point to New, and then click Query with Current Connection.

    Type the following SQL statements.

    USE MASTER
    CREATE LOGIN [ReplaceWithNAVServerAccount] FROM WINDOWS;
    GO


    Highlight the lines that you typed and, on the Query menu, click Execute.

    Now type these lines below the existing lines.

    USE [ReplaceWithYourDatabaseName]
    CREATE USER [ReplaceWithNAVServerAccount] FOR LOGIN [ReplaceWithNAVServerAccount];


    Highlight the lines that you just typed and, on the Query menu, click Execute.

    Now type these lines below the existing lines.

    CREATE SCHEMA [$ndo$navlistener] AUTHORIZATION [ReplaceWithNAVServerAccount];
    GO


    Highlight the lines that you just typed and, on the Query menu, click Execute.

    It's very possible that you will see an error stating that the schema in question already exists. This is not a problem.

    Now type these lines below the existing lines.

    ALTER USER [ReplaceWithNAVServerAccount] WITH DEFAULT_SCHEMA = [$ndo$navlistener];
    GRANT SELECT ON [Object Tracking] TO [ReplaceWithNAVServerAccount];
    GO


    Highlight the lines that you just typed and, on the Query menu, click Execute.

    Note
    The Object Tracking table name may be in a different language than English. If it is, replace "Object Tracking" with the actual table name from your database.


    Save your query to keep a record of these actions.

    You can use many of these commands again when you create a new database or change the account you use to run Microsoft Dynamics NAV Server.

    Giving the Domain User Account Permissions for the Server Folder
    The next step is to give the domain user account full permissions for the Microsoft Dynamics NAV Server folder on the computer where you installed Microsoft Dynamics NAV Server.

    To grant the domain user account permissions on the Microsoft Dynamics NAV Server folder
    In Windows Explorer, navigate to the Microsoft Dynamics NAV Server folder on the computer where you have installed Microsoft Dynamics NAV Server. On Windows Server 2003, the default location is:

    Documents and Settings\All Users\Application Data\Microsoft\Microsoft Dynamics NAV\60

    On Windows Server 2008 or Windows Vista, the location is:

    ProgramData\Microsoft\Microsoft Dynamics NAV\60\

    Right-click the Service folder, and then click Properties to open the Service Properties dialog box.

    Click the Security tab.

    Select the domain user account from the list in the top half of the dialog box, and then, in the Permissions for… section in the bottom half, select Allow next to the Full Control permission.

    This grants the domain user account full control of the folder.

    Select the NETWORK SERVICE account in the top half, and then clear the Allow field next to the Full control permission in the bottom half.

    This revokes permissions on the folder for the Network Service account. No account other than your domain user account should have access to the server folder.

    Click OK to close the Service Properties dialog box.

    Installing the RoleTailored Client
    The third and final tier is the client tier. The first task is to install the RoleTailored client to a workstation computer.

    To install the RoleTailored client
    Insert the Microsoft Dynamics NAV DVD into the drive of NAVCLIENT, your Microsoft Dynamics NAV client computer.

    On the startup page, under Install, click Microsoft Dynamics NAV.

    On the Welcome page, click Next.

    To accept the license terms, click I accept.

    On the Microsoft Dynamics NAV 2009 Installer page, click Choose an installation option.

    On the Choose an installation option page, click Client to install the RoleTailored client.

    On the Specify parameters page, click RoleTailored client to configure the component.

    In the Installation Parameters dialog box, type NAVSERV, which is the name of the computer running Microsoft Dynamics NAV Server, in the Server Name field.

    It is a good idea to fully qualify the domain name in this field (in the form YourServer.YourDomain.YourCompany.com).

    Click Apply, and then click Apply on the Specify parameters page to start installing software.

    After installation is complete, click Close to exit.

    Setting Up Delegation
    When the RoleTailored client, Microsoft Dynamics NAV Server, and SQL Server are installed on separate computers, the client interacts with the database through an intermediate computer, which is running Microsoft Dynamics NAV Server. The server is performing actions on the client's behalf. This process is known as impersonation.

    Delegation is when a front-end service forwards the client’s request to a back-end service so that the back-end service can also impersonate the client. Complete the procedures in this section to set up delegation on your Microsoft Dynamics NAV installation. For more information on delegation, see How To: Set Up Delegation.

    Create Service Principal Names
    The first step in setting up delegation is to create Service Principal Names (SPNs). To make delegation more secure, Active Directory uses Kerberos to authenticate services. An SPN is the name by which a client uniquely identifies an instance of a service, using the account under which the service runs. You must create two SPNs to make delegation work: one for the Microsoft Dynamics NAV Server service and one for the SQL Server service.

    To create service principal names
    Open an elevated command prompt. To do this, click Start, and in the search window, type Command Prompt. Then right-click Command Prompt and click Run as administrator.

    At the command prompt, create an SPN for the Microsoft Dynamics NAV Server service. The syntax is:

    setspn -A InstanceName/FullyQualifiedDomainNameOfServer:Port Domain\User


    Using NAVSERV (the computer running Microsoft Dynamics NAV Server) and DynamicsNAV (the default instance name for Microsoft Dynamics NAV Server), the actual command has the format:

    setspn -A DynamicsNAV/NAVSERV.yourDomain.yourCompany.com:7046 yourDomain\yourUser


    Replace "yourDomain," "yourCompany," and "yourUser" with the appropriate values.

    Create an SPN for the SQL Server service. This service runs on the NAVSQL computer with a default instance name of MSSQLSvc. Type the following command:

    setspn -A MSSQLSvc/NAVSQL.yourDomain.yourCompany.com:1433 yourDomain\yourUser


    Again, replace "yourDomain," "yourCompany," and "yourUser" with the appropriate values.

    Delegating Access to the SQL Server Service
    Configuring delegation means explicitly configuring the Microsoft Dynamics NAV Server service on NAVSERV to delegate its access to the database server on behalf of the RoleTailored client. To make the access more secure, you specify delegation to a specific service on a specific server. In this walkthrough, you specify delegation on the SQL Server database service (MSSQLSERVER). This is known as constrained delegation.

    You must run the following procedure on a computer where the Active Directory Users and Computers utility (dsa.msc) is available.

    To delegate access to the SQL Server service
    Click Start, and then click Run.

    In the Open field, type dsa.msc.

    This opens the Active Directory Users and Computers utility.

    Right-click the node for the domain where you have installed Microsoft Dynamics NAV, and then click Find.

    In the Find Users, Contacts, and Groups dialog box, type the name of the domain user in the Name field, and then press ENTER.

    In the Search results area, right-click the domain user, and then click Properties.

    On the Delegation tab, click Trust this user for delegation to specified services only, and then click Use Kerberos only.

    There is also the option to not restrict authentication to Kerberos, though the environment is not as secure when you are less restrictive. Your decision on this point must be reflected in the value you assign to the AllowNtlm setting in the RoleTailored client configuration file (ClientUserSettings.config). See Configuring the RoleTailored Client for details.

    Click Add to open the Add Services dialog box.

    Click Users or Computers, and then specify the domain user.

    In the list of services for the domain user, click MSSQLSvc, which is the SQL Server service.

    Click OK to close the Add Services dialog box. Continue clicking OK to close all open dialog boxes.

    Delegation from the domain user to the SQL Server service on a separate computer is now enabled.

    Establishing a Connection
    It's a lot of work but the configuration is now complete. You should be able to start the RoleTailored client and see it connect to the Cronus International Ltd. Demo database immediately.

    If you are unable to connect the RoleTailored client to Microsoft Dynamics NAV Server after completing this procedure, the problem may be that Microsoft Dynamics NAV Server is not able to connect to SQL Server. See Troubleshooting SQL Server Connection Problems.

    Next Steps
    You have now installed all Microsoft Dynamics NAV software. When you start the RoleTailored client, it connects to Microsoft Dynamics NAV Server and to CRONUS International Ltd., which is the fictional company that is associated with the demo database.

    The next steps are to upload your license, create users, and integrate them into the Microsoft Dynamics NAV security system. For information, see How to: Activate the License File and Security in the RoleTailored Environment.

    See Also
    Tasks
    How to: Activate the License File
    How to: Create Users
    How To: Set Up Delegation

    Concepts
    RoleTailored Architecture
    Configuring Microsoft SQL Server
    Configuring Microsoft Dynamics NAV Server
    Configuring the RoleTailored Client





    © 2009 Microsoft Corporation. All rights reserved.
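The Object Change Listener steps in the walkthrough above are written for a one-off, paste-and-run session in Management Studio. The following is an added example, not part of the walkthrough or of this post, that does the same grants in a form you can keep in source control and run again after a database restore or a service-account change (the walkthrough itself notes that the schema may already exist, and that the commands are reused whenever the account changes). It assumes a hypothetical dedicated NAV Server service account, CONTOSO\svc-navserver, the demo database name from the walkthrough, and that Object Tracking sits in the dbo schema under its English name; replace all three to suit your installation. The verification queries at the end show what "minimum permissions" should look like: the account owns only the listener schema, holds CONNECT plus SELECT on Object Tracking, and is a member of no database role.

```sql
-- Re-runnable Object Change Listener grants (added example; assumptions:
-- service account CONTOSO\svc-navserver, database [Demo Database NAV (6-0)],
-- table dbo.[Object Tracking]). Run as sysadmin / db_owner on the SQL Server.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-navserver')
BEGIN
    CREATE LOGIN [CONTOSO\svc-navserver] FROM WINDOWS;
END
GO

USE [Demo Database NAV (6-0)];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc-navserver')
BEGIN
    CREATE USER [CONTOSO\svc-navserver] FOR LOGIN [CONTOSO\svc-navserver];
END
GO

-- The listener schema: create it only when missing; when it already exists
-- (the "schema already exists" case in the walkthrough) move ownership to the
-- current service account so a service-account change does not leave the
-- schema owned by the old account.
IF NOT EXISTS (SELECT 1 FROM sys.schemas WHERE name = N'$ndo$navlistener')
BEGIN
    -- CREATE SCHEMA must be the only statement in its batch, hence EXEC.
    EXEC (N'CREATE SCHEMA [$ndo$navlistener] AUTHORIZATION [CONTOSO\svc-navserver]');
END
ELSE
BEGIN
    ALTER AUTHORIZATION ON SCHEMA::[$ndo$navlistener] TO [CONTOSO\svc-navserver];
END
GO

ALTER USER [CONTOSO\svc-navserver] WITH DEFAULT_SCHEMA = [$ndo$navlistener];
GO

-- The table name is localized in non-English databases; fail loudly instead of
-- silently granting nothing.
IF OBJECT_ID(N'dbo.[Object Tracking]', N'U') IS NULL
BEGIN
    RAISERROR (N'dbo.[Object Tracking] not found: look up the localized table name in sys.tables and adjust the GRANT.', 16, 1);
END
ELSE
BEGIN
    GRANT SELECT ON dbo.[Object Tracking] TO [CONTOSO\svc-navserver];
END
GO

-- Verification 1: default schema and explicit permissions of the account.
-- Expected rows: CONNECT (DATABASE class) and SELECT on Object Tracking, nothing else.
SELECT dp.name AS principal,
       dp.default_schema_name,
       perm.class_desc,
       perm.permission_name,
       perm.state_desc,
       OBJECT_NAME(perm.major_id) AS object_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_permissions AS perm
       ON perm.grantee_principal_id = dp.principal_id
WHERE dp.name = N'CONTOSO\svc-navserver';

-- Verification 2: database role membership. Expected: no rows (public is implicit).
-- A row for db_owner or db_datareader here means the account has far more than
-- the listener needs.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\svc-navserver';
GO
```

If verification 2 returns db_owner, the listener will work, but the walkthrough's point about a dedicated, minimally privileged account is lost; the NAV Server's own data access is governed separately by the NAV security system, not by this listener account.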
  • Mallikarjuna Member Posts: 64
    Hi AdrianAkers,

    Thanks for the immediate reply...

    On the Options tab the "Enable for Microsoft Dynamics NAV Server" option is ticked, and we are implementing the project in a 2-tier environment.

    I think delegation is not required in our case.

    Any inputs are highly appreciated.

    Thanks in Advance...
    Mallikarjuna
  • AdrianAkers Member Posts: 137
    Correct, delegation is not required. I am wondering whether or not the Object Change Listener steps need to be followed though?
  • Mallikarjuna Member Posts: 64
    I guess the Object Change Listener steps also need not be followed.
  • kine Member Posts: 12,562
    "I guess the Object Change Listener steps also need not be followed."
    Why do you think that? When the error says:
    The Microsoft Dynamics NAV Server cannot connect the Change Listener to SQL Server because of the following error: Login failed for user "NT AUTHORITY\ANONYMOUS LOGON"

    Then the Change Listener must be created and allowed for the account... what is not clear in the error message? :wink:
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • AdrianAkers Member Posts: 137
    Exactly! =D>
  • Mallikarjuna Member Posts: 64
    Hi Kamil and Adrian,

    Thanks for the replies...

    I will try to open RTC after creating the Change Listener and let you know once this activity is done.

    Thanks,
    Mallikarjuna
  • Mallikarjuna Member Posts: 64
    Hi Kamil,

    Thanks for the reply...

    I have tried to create the Change Listener by using the Walkthrough: Installing the Three Tiers on Three Computers, but the thing was not done. :thumbsdown:

    Will you please tell me the process of creating the Change Listener, and how to allow it for the account (which account)? :?:

    Thanks in Advance,
    Mallikarjuna
  • Mallikarjuna Member Posts: 64
    Hi All,

    Thanks for the replies...

    I have created the Change Listener and allowed for the account abc\admin (domain\machinename). :thumbsup:

    Still, while opening RTC from this (abc\admin) machine, I am getting the same error:

    The Microsoft Dynamics NAV Server cannot connect the Change Listener to SQL Server because of the following error: Login failed for user "NT AUTHORITY\ANONYMOUS LOGON"

    Please guide me to proceed further...

    Thanks in Advance,
    Mallikarjuna
  • Mallikarjuna Member Posts: 64
    Thanks for the feedback/replies...

    Issue resolved by running the SQL Server service under a domain user account (domain/Administrator) on the
    server machine. \:D/ :whistle:

    Thanks,
    Mallikarjuna
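The thread closes with a service-account change that made the error go away, without showing what SQL Server was actually seeing. The following is an added example, not from any post in this thread, of the two queries a practitioner would run on the SQL Server instance before (and after) changing service accounts: the first lists every user session with the Windows identity it arrived under and whether it was authenticated with Kerberos, NTLM or a SQL login; the second pulls the failed-login entries from the SQL Server error log, where error 18456 carries a state code that the client never receives. "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" is what you get when a connection reaches SQL Server without a usable Windows identity, most often because a Kerberos double hop (client to NAV Server to SQL Server) failed and NTLM cannot forward the identity, so seeing the real login_name and auth_scheme of the NAV Server's own connection is the first thing to check. The DMVs and xp_readerrorlog used here exist on SQL Server 2005 and later; VIEW SERVER STATE permission is required for the DMVs. Note that the walkthrough quoted above calls for a dedicated domain user account for the SQL Server service rather than a domain administrator; these queries let you confirm the identity that is actually in use after such a change.

```sql
-- Added example: who is connecting to SQL Server, and how (run in SSMS on the
-- SQL Server instance; requires VIEW SERVER STATE).

-- 1. Active user sessions with their Windows identity and authentication scheme.
--    The NAV Server service appears under its service account, or under
--    DOMAIN\MACHINE$ when it runs as NETWORK SERVICE on another computer.
--    Filter on host_name to isolate the computer that runs NAV Server.
SELECT s.session_id,
       s.login_name,
       s.nt_domain,
       s.nt_user_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,          -- KERBEROS, NTLM or SQL
       c.client_net_address,
       s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_time DESC;

-- 2. Failed logins from the current error log (log 0, SQL Server log type 1),
--    filtered on the text the thread is chasing. Each entry is an error 18456
--    line followed by the client address; the state number on the line tells
--    you why the login failed, which the client-side message does not.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
```

Run query 1 from a RoleTailored client session and from the NAV Server's own connection: if the NAV Server's row shows auth_scheme = NTLM on a two-computer setup, Kerberos was not negotiated (typically a missing or duplicate SPN for the SQL Server service account), and any hop beyond that point will arrive as ANONYMOUS LOGON.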