Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.7K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 305 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 993 SQL General
- 384 SQL Performance
- 34 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 260 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Nav Three Tier Web Services - Port 88 open for Kerberos?
ScottJones
Member Posts: 44
Hi,
We have developed a three tier solution:
SQL NAV-Database <
\:D/
> Middle Tier Runing Web Services <
](*,)
> IIS7.0 Web Server running ASP.NET application (DMZ) <
](*,)
> WWW
The solution is using Kerbros and tickets.There is a firewall between the Middle Tier and the Web Server running ASP.NET application.
For the inital ticket creation do we need Port 88 on the firewall open? This is a large organisation and firewall re-confiuration is a slow process and by third party company.
If you look at this article http://itservices.stanford.edu/service/kerberos/firewalls it indicates port 88 needs to be open for Kerbros?
We sometimes get a situation where the ASP.NET application or IE running on the IIS Web Server cannot get to the NAV middle tier Web Services .WSDL and gives service not available. If we login using same credentials on middle tier it works and then it seems to work from the IIS Web Server.
The setup can work for days and then stops. There are three DC and I am wondering how the IIS7.0 Web Server Requests a Kerberos ticket from the DC if it cannot use Port 88 or am i still miss-understanding Kerbros?
Your thoughts would be appreciated
)
We have developed a three tier solution:
SQL NAV-Database <
\:D/
> Middle Tier Runing Web Services <
](*,)
> IIS7.0 Web Server running ASP.NET application (DMZ) <
](*,)
> WWW
The solution is using Kerbros and tickets.There is a firewall between the Middle Tier and the Web Server running ASP.NET application.
For the inital ticket creation do we need Port 88 on the firewall open? This is a large organisation and firewall re-confiuration is a slow process and by third party company.
If you look at this article http://itservices.stanford.edu/service/kerberos/firewalls it indicates port 88 needs to be open for Kerbros?
We sometimes get a situation where the ASP.NET application or IE running on the IIS Web Server cannot get to the NAV middle tier Web Services .WSDL and gives service not available. If we login using same credentials on middle tier it works and then it seems to work from the IIS Web Server.
The setup can work for days and then stops. There are three DC and I am wondering how the IIS7.0 Web Server Requests a Kerberos ticket from the DC if it cannot use Port 88 or am i still miss-understanding Kerbros?
Your thoughts would be appreciated
) 0
Comments
Against the domain user the middle tier logs in as we changed the delegation from using 'Use Kerberos Only' to 'Use any authentication protocol' this uses something that networking people call "Protocol Transition" where you say that you allow any protocol until you reach the service and then delegation is done at the service level and authentication continues on Kerberos till it reaches the SQL Server.
We've tested it here and rolled it out to the client and it seems to have resolved it.
Any futher pointers would be appreciated if there are any Kerberos network guru's out there!!!