Authentication (kerberos / ntlm)

derek Member Posts: 22
edited 2011-03-15 in NAV Three Tier
I have a 3-tier installation on 3 servers. The servers are SQLSERVER, NAVSERVER and REMOTESERVER. All of these servers are Win Server 2008. I have three databases for different purposes. Every database has its own NAV service (Demo, Dev, Prod) and these use the SQL default instance. Demo uses its default (DynamicsNAV) instance and the others are hand-made. Every service uses the same default ports, so tcp-sharing is in use.

When I make an RTC connection from NAVSERVER to SQLSERVER, everything goes fine with every service. Also, if I make a connection from RTC (REMOTESERVER) to the Demo instance, everything is still OK. But if I change the Server address to a different service, then I get "The login failed when connecting to SQL server (servername)".

All config files are double-checked and the only differences found are in the server instance names and databases. All of the authentication keys are the same. Event Viewer on NAVSERVER gives me different information when I change the instance. When I make a successful login to Demo, the security info is:
An account was successfully logged on.

New Logon:
Security ID: MyDOMAIN\MyUserName
Account Name: MyUserName
Account Domain: MyDOMAIN
Logon ID: 0x7155f0a
Logon GUID: {b15d0e52-e876-a20d-b8d0-7e2090335d282}

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

And when I try to connect to another service, I get the following:
An account was successfully logged on.

New Logon:
Account Domain: NT AUTHORITY
Logon ID: 0x715679a2
Logon GUID: {00000000-0000-0000-0000-000000000000}

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128

I dunno what to do next. Every parameter is the 'same' but Demo is still so special.
Which parameters do I have to change, and how, so that I can get the others to work? Something to do with authentication keys or ports?


  • Slawek_Guzek Member Posts: 1,690
    Google for Service Principal Name first, then either set the SPN manually at the remote SQL server, or elevate the privileges of the SQL Server service account to allow it to register its own SPN.

    That would be my guess.
    Slawek Guzek
    Dynamics NAV, MS SQL Server, Wherescape RED;
    PRINCE2 Practitioner - License GR657010572SG
    GDPR Certified Data Protection Officer - PECB License DPCDPO1025070-2018-03
  • derek Member Posts: 22
    Thanks for the tips, Slawek.

    The problem was solved with SPNs. DynamicsNAV was the only instance which had two SPNs (short and FQDN).
    And because this was the only service which worked, I made FQDN SPNs for the other instances.

    I also set up the UserAccountControl flag in Active Directory and made some changes to the CustomSettings file:
    <add key="AllowNtlm" value="False" />
    <add key="ServicePrincipalNameRequired" value="True" />

    Now, after all these changes, I get Network type: Connection authenticated (Kerberos) on the RTC Select Server form.
    Earlier this Network type was Negotiated Authentication (Kerberos or NTLM).
    Now shortcuts are created for every instance, so the environment is ready to work.

    When I started to make the 3-tier, 3-server installation, I never believed this could be such a multifaceted installation.
    After all these steps I should spend some time on documentation :lol:
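
The two Security log entries quoted in the first post differ in exactly the fields that reveal a Kerberos-to-NTLM fallback. As an added example (not part of the thread and not NAV or Microsoft tooling), this Python code parses that event text and flags the fallback; the function names are hypothetical and the sample events are abridged copies of the ones quoted above.

```python
# Abridged copies of the two logon events quoted in the thread.
KERBEROS_EVENT = """\
New Logon:
Security ID: MyDOMAIN\\MyUserName
Account Domain: MyDOMAIN
Logon GUID: {b15d0e52-e876-a20d-b8d0-7e2090335d282}
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Package Name (NTLM only): -
Key Length: 0
"""
NTLM_EVENT = """\
New Logon:
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Key Length: 128
"""

def parse_logon_event(text):
    """Turn the 'Name: value' lines of a logon event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(text):
    """Return (authentication package, list of findings) for one event."""
    ev = parse_logon_event(text)
    pkg = ev.get("Authentication Package", "")
    findings = []
    if pkg.upper() == "NTLM":
        # In the thread, missing FQDN SPNs were what caused this fallback.
        findings.append("NTLM used instead of Kerberos: check the service SPNs")
        if ev.get("Package Name (NTLM only)", "").upper() == "NTLM V1":
            findings.append("NTLM V1 negotiated")
        if ev.get("Account Domain", "").upper() == "NT AUTHORITY":
            findings.append("logon recorded under NT AUTHORITY, not the domain user")
    return pkg, findings

if __name__ == "__main__":
    for name, event in (("Demo", KERBEROS_EVENT), ("other", NTLM_EVENT)):
        print(name, classify(event))
```

Run against exported Security log text from the NAV server, a non-empty findings list for a service tier that should be Kerberos-only points at the same SPN check that resolved this thread.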