Kerberos 3 Tier Install Nightmare
pfancy79
Member Posts: 9
Hi,
I am currently having an issue with installing NAV 2009 R2 on a 3 Tier environment.
I have followed the MSDN walk-through and spent many many hours searching and reading through various blogs etc., but without finding a successful result.
The problem that I am experiencing is when running the RTC from a client machine I am getting "The Login failed when connecting to SQL Server XXXXX".
Obviously this error has been reported many times and nearly always is an issue with delegation and SPNs. I am fairly sure that I have set this all up correctly.
Environment:
SQLServer
Server 2003
SQL 2005
The service is running under LocalSystem.
NAV Server
Server 2008
The service is running under XXXXX\NAVRTCService which for the purpose of testing has been set as DOMAIN ADMIN.
Config file has been set up correctly to point to the database. This works as an RTC client on NAV Server connects correctly.
SPNs
setspn -A DynamicsNAVSpikes/W2008-TS.XXXXX.local:7046 XXXXX\NAVRTCService
setspn -A DynamicsNAVSpikes/W2008-TS:7046 XXXXX\NAVRTCService
setspn -A MSSQLSvc/SQLSRV1.XXXXX.local:1433 XXXXX\NAVRTCService
Delegation then set against User Active Directory object for both services. Have tried just the SQL one but made no difference.
Have tried allowing delegation for any service option but this made no difference.
No duplicate SPNs found
When connecting I get a Security event on NAV Server saying that user XXXXX\Paul authenticated by Kerberos.
On SQL Server get a Security event saying that NT AUTHORITY\ANONYMOUS USER logged on using NTLM.
Have tried both AllowNTLM = true and false on the UserSettings.config on client machine.
Have run out of ideas now and feel that I am going around in circles.
Also have made sure that before each connection attempt KLIST PURGE has been called on all 3 machines.
If anyone has any suggestions, or even words of encouragement, I would be grateful.
Thanks
Paul
Comments
-
The problem is:
1) SQL is under localsystem - it has no access to network. Use the Network service account instead
2) If you are using system service, the account for the SPN must be the server domain account, it means
setspn -A MSSQLSvc/SQLSRV1.XXXXX.local:1433 XXXXX\SQLSRV1$
-
And I recommend using this tool: http://www.iis.net/community/default.as ... g=6&i=1887
You can easily use it to check what is needed for connecting your "frontend" (NST) to the "backend" (SQL).
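Added example, not written by either poster: point 2 of the first reply says that a service running under a built-in system identity needs its SPN on the server's computer account. The Python sketch below checks SPN ownership against that rule from `setspn -L` output. The sample output and the `SERVICES` table are constructed from the names in this thread, and it assumes each account's CN equals its logon name.

```python
import re

# Built-in service identities authenticate on the network as the computer account.
MACHINE_IDENTITIES = {"localsystem", "networkservice"}

def parse_setspn_l(text):
    """Map each SPN (lower-cased) to the CNs holding it, from `setspn -L` output."""
    owners, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for CN=([^,]+),", line)
        if m:
            current = m.group(1)
        elif line.strip() and current:
            owners.setdefault(line.strip().lower(), []).append(current)
    return owners

def expected_owner(run_as, host):
    """Account whose key must decrypt tickets issued for the service."""
    name = run_as.split("\\")[-1]
    if name.replace(" ", "").lower() in MACHINE_IDENTITIES:
        return host  # computer object; its logon name is host + "$"
    return name

def check(services, setspn_output):
    """Return (spn, expected account, accounts actually holding it) per mismatch."""
    owners = parse_setspn_l(setspn_output)
    findings = []
    for spn, run_as, host in services:
        want, have = expected_owner(run_as, host), owners.get(spn.lower(), [])
        if have != [want]:
            findings.append((spn, want, have))
    return findings

# Constructed sample: what `setspn -L` would list after the three commands in the post.
SAMPLE = """\
Registered ServicePrincipalNames for CN=NAVRTCService,CN=Users,DC=XXXXX,DC=local:
    DynamicsNAVSpikes/W2008-TS.XXXXX.local:7046
    DynamicsNAVSpikes/W2008-TS:7046
    MSSQLSvc/SQLSRV1.XXXXX.local:1433
Registered ServicePrincipalNames for CN=SQLSRV1,CN=Computers,DC=XXXXX,DC=local:
    HOST/SQLSRV1
"""
# (SPN, service logon identity, host), taken from the environment in the post.
SERVICES = [
    ("DynamicsNAVSpikes/W2008-TS.XXXXX.local:7046", r"XXXXX\NAVRTCService", "W2008-TS"),
    ("MSSQLSvc/SQLSRV1.XXXXX.local:1433", "LocalSystem", "SQLSRV1"),
]

if __name__ == "__main__":
    for spn, want, have in check(SERVICES, SAMPLE):
        print(f"{spn}: held by {have or 'nobody'}, expected on {want}")
```

On the constructed sample it reports only the MSSQLSvc SPN, which sits on NAVRTCService while the SQL service runs under a machine identity.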
