Authentication (kerberos / ntlm)

derek
Member Posts: 22
I have a 3-tier installation on 3 servers. The servers are SQLSERVER, NAVSERVER and REMOTESERVER. All of these servers are Win Server 2008. I have three databases for different purposes. Every database has its own NAV service (Demo, Dev, Prod) and these use the SQL default instance. Demo uses its default (DynamicsNAV) instance and the others are handmade. Every service uses the same default ports, so TCP sharing is in use.
When I make an RTC connection from NAVSERVER to SQLSERVER, everything goes fine with every service. Also, if I make a connection from RTC (REMOTESERVER) to the Demo instance, everything is still OK. But if I change the Server address to a different service, then I get "The login failed when connecting to SQL server (servername)".
All config files are double-checked and the only differences found are in the server instance names and databases. All of the authentication keys are the same. Event Viewer on NAVSERVER gives me different information when I change the instance. When I make a successful login to Demo, the security info is:
An account was successfully logged on.
New Logon:
Security ID: MyDOMAIN\MyUserName
Account Name: MyUserName
Account Domain: MyDOMAIN
Logon ID: 0x7155f0a
Logon GUID: {b15d0e52-e876-a20d-b8d0-7e2090335d282}
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
And when I try to connect to another service, I get the following:
An account was successfully logged on.
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x715679a2
Logon GUID: {00000000-0000-0000-0000-000000000000}
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
I dunno what to do next. All parameters are the 'same' but Demo is still so special.
How, and which parameters, do I have to change so that I can get the others to work? Something with the authentication keys or ports?
Answers
Google for Service Principal Name first, then either set SPN manually at remote SQL server, or elevate privileges of SQL Server service account to allow it to register its own SPN.
That would be my guess.
Slawek Guzek
Dynamics NAV, MS SQL Server, Wherescape RED;
PRINCE2 Practitioner - License GR657010572SG
GDPR Certified Data Protection Officer - PECB License DPCDPO1025070-2018-030

Thanks for the tips, Slawek.
The problem has been solved with SPNs. DynamicsNAV was the only instance which had two SPNs (short and FQDN).
And because this was the only service which worked, I made FQDN SPNs for the other instances.
I also set up the UserAccountControl flag in Active Directory and made some changes to the CustomSettings file:
<add key="AllowNtlm" value="False" />
<add key="ServicePrincipalNameRequired" value="True" />
Now, after all these changes, I get Network type: Connection authenticated (Kerberos) on the RTC Select Server form.
Earlier this Network type was Negotiated Authentication (Kerberos or NTLM).
Now shortcuts are created for every instance, so the environment is ready to work.
When I started to make the 3-tier, 3-server installation, I never believed that this could be such a multifaceted installation.
After all these steps I should spend some time on documentation.
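
The two logon events quoted in the first post are what separated the working instance from the failing ones. As an added example (not part of the original thread), this Python script parses Event Viewer text in that layout and flags logons that did not use Kerberos; the sample text is constructed from fields shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the fields from the two events in the thread,
# in the same "Field: value" layout as the Event Viewer text.
SAMPLE = """\
An account was successfully logged on.
New Logon:
Security ID: MyDOMAIN\\MyUserName
Account Name: MyUserName
Detailed Authentication Information:
Authentication Package: Kerberos
Package Name (NTLM only): -
An account was successfully logged on.
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Detailed Authentication Information:
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
"""

HEADER = "An account was successfully logged on."
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_logons(text):
    """Split Event Viewer text into one dict of fields per logon event."""
    events = []
    for line in text.splitlines():
        if line.strip() == HEADER:
            events.append({})          # a new event starts at each header line
            continue
        m = FIELD.match(line)
        if m and events and m.group(2):  # skip section titles such as "New Logon:"
            events[-1][m.group(1).strip()] = m.group(2).strip()
    return events

def findings(event):
    """Return the reasons this logon indicates Kerberos was not used."""
    out = []
    pkg = event.get("Authentication Package", "?")
    if pkg.upper() != "KERBEROS":
        out.append("non-Kerberos package: " + pkg)
    if event.get("Account Name", "").upper() == "ANONYMOUS LOGON":
        out.append("anonymous logon instead of the domain user")
    if event.get("Package Name (NTLM only)", "-").upper() == "NTLM V1":
        out.append("NTLM V1 negotiated")
    return out

def triage(text):
    """Pair each logon's account name with its list of findings."""
    return [(e.get("Account Name", "?"), findings(e)) for e in parse_logons(text)]
```

An empty findings list corresponds to the Demo-style Kerberos logon; all three findings together match the failing case in the first post.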