Web Services only works with a very strange workaround

josephdewey Member Posts: 87
Hi Everybody,

The very strange workaround that actually gets web services to work is this:
  • I try a web services link on my computer: http://navrtc:7047/DynamicsNav/WS/Services, and it doesn't work
  • I check the SQL server logs, and it failed in authentication, because of the following error: "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors"
  • I remote into the middle tier, navrtc, and try the same link, and it does work
  • I go back to my computer, and try the web services link again, and this time the link works, and it passed through the correct account to SQL server

So everything that I've read says that there's something wrong with the SPNs.

But:
  • The RTC works
  • The Best Practices Analyzer says everything is perfect
  • I've removed all the unneeded SPNs, and tried over and over again recreating the SPNs with different capitalization, etc., and this still happens

Also, I've followed all of the instructions in: http://msdn.microsoft.com/en-us/library/dd301254.aspx . And, so far, the most helpful overview of setting up web services has been: http://msdn.microsoft.com/en-us/dynamics/nav/ff800873

Is there anything else that I'm missing, or anything else I can try?
Joseph Dewey
Microsoft Dynamics NAV User

Comments

  • ara3n Member Posts: 9,256
    Your delegation is not set up correctly. When you RDP into the service tier and log in locally there is no delegation required, so the service tier gets the token and reuses it when you log in remotely again.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • josephdewey Member Posts: 87
    Ah, thanks much for the info on why it works on the middle tier.

    What resources are there for diagnosing an improper delegation? Especially after everything seems set up correctly?
    Joseph Dewey
    Microsoft Dynamics NAV User
  • ara3n Member Posts: 9,256
    There is a Best Practices tool you can download from the download section and run on the service tier.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • josephdewey Member Posts: 87
    I have downloaded it and it comes back that I have everything set up perfectly (I've resolved everything on the Best Practices Analyzer), but I'm still not able to connect web services.

    Do you have any other ideas?
    Joseph Dewey
    Microsoft Dynamics NAV User
  • ara3n Member Posts: 9,256
    Can you also check and make sure you don't have duplicate SPNs?

    Also, what is your setting in the CustomSettings.config file for NTLM?
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • josephdewey Member Posts: 87
    Hi ara3n,

    Thanks for your reply! I have checked for duplicate SPNs with
    setspn -X
    
    We do have 5 duplicate SPNs in our network, but they are attached to machines and users that have nothing to do with the NAV servers.

    I have tried both of the different settings for NTLM, both false and true.
    <!--
      Turns on or off NTLM authentication protocol for Web Services
          false: Use SPNEGO (recommended)
          true: Use NTLM only
    -->
    <add key="WebServicesUseNTLMAuthentication" value="false"></add>

    When it's false (using Kerberos), then it does exactly what I'm describing. When it's true (using NTLM), it still does the same thing, but if I have a user log into the middle tier first, then it will let that user use web services in other places. That's a crummy workaround, though, since users shouldn't have to log into the middle tier to get it to work. So right now it's false. Oh, I did notice that when I use NTLM, then the SQL server log gives me the "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error, but when I use Kerberos then it doesn't give me that error.

    I also tried picking the "Trust this user for delegation to any service (Kerberos only)" option in Active Directory, and I still couldn't connect. I switched it back to the secure method of delegation that NAV recommends, so both methods seem the same.

    Any other ideas of stuff I could look at, or anything that I'm missing?
    Joseph Dewey
    Microsoft Dynamics NAV User
  • ara3n Member Posts: 9,256
    Make sure you use Kerberos, and the value should be false.

    The 'NT AUTHORITY\ANONYMOUS LOGON' error means your SPNs aren't set up correctly. Also make sure the user in AD has permission for delegation.

    What I've seen is that the computer could have delegation set up, which it shouldn't.
    Ahmed Rashed Amini
    Independent Consultant/Developer


    blog: https://dynamicsuser.net/nav/b/ara3n
  • josephdewey Member Posts: 87
    So, this is fixed now. Here's what fixed it:

    #1: I added these SPNs, which are https without the ports. So, now I have four http SPNs
    setspn -S http/navrtc corp\navrtcuser
    setspn -S http/navrtc.corp.company.com corp\rtcuser

    This made it so that the authentication passed through with the "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error using Kerberos. When I wrote the original message, I was actually getting that far by setting WebServicesUseNTLMAuthentication = True. So, I set it back to false, and did this step, and then I was at least getting this far with Kerberos.

    #2: Then I changed the delegation to "Use any authentication protocol" instead of "Use Kerberos only." I'd tried the "Trust this user for delegation to any service (Kerberos only)" option before, and that didn't work, but "Use any authentication protocol" worked.

    So for me, this is good enough, even though it's probably not ideal. At least Web Services works now. Thanks everybody who helped me to resolve this.
    Joseph Dewey
    Microsoft Dynamics NAV User
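An added check, not from the thread or from NAV, for the two things ara3n and Joseph went through: whether the service account carries the http SPNs that step #1 added (short name and FQDN, with and without the port), and whether any duplicate reported by `setspn -X` actually names the NAV host rather than an unrelated machine. It parses constructed samples of `setspn -L` and `setspn -X` output; the host, account and OU names are assumptions.

```python
# Constructed sample of `setspn -L corp\navrtcuser` output (not real data):
# only the port-qualified http SPNs are registered, as in the thread.
SETSPN_L_OUTPUT = """\
Registered ServicePrincipalNames for CN=navrtcuser,OU=Service Accounts,DC=corp,DC=company,DC=com:
        http/navrtc:7047
        http/navrtc.corp.company.com:7047
"""
# Constructed sample of `setspn -X` output: one duplicate group, unrelated to NAV.
SETSPN_X_OUTPUT = """\
Checking domain DC=corp,DC=company,DC=com
HOST/oldprinter.corp.company.com is registered on these accounts:
        CN=OLDPRINTER,CN=Computers,DC=corp,DC=company,DC=com
        CN=PRINTSVC,OU=Service Accounts,DC=corp,DC=company,DC=com

found 1 group of duplicate SPNs.
"""

DUP_SUFFIX = " is registered on these accounts:"

def parse_setspn_l(text):
    """SPNs listed by `setspn -L`: the indented lines under the header."""
    return {ln.strip() for ln in text.splitlines() if ln[:1] in (" ", "\t") and "/" in ln}

def required_http_spns(host, fqdn, ws_port):
    """Clients reach the endpoint by short name or FQDN and request a ticket for
    the name without the port, so all four http SPNs belong on the account."""
    return {f"http/{host}", f"http/{fqdn}", f"http/{host}:{ws_port}", f"http/{fqdn}:{ws_port}"}

def missing_http_spns(setspn_l_text, host, fqdn, ws_port):
    """Required http SPNs absent from the account (SPN matching is case-insensitive)."""
    have = {s.lower() for s in parse_setspn_l(setspn_l_text)}
    return sorted(s for s in required_http_spns(host, fqdn, ws_port) if s.lower() not in have)

def parse_duplicate_groups(text):
    """{spn: [accounts]} for each duplicate group reported by `setspn -X`."""
    groups, current = {}, None
    for ln in text.splitlines():
        if ln.endswith(DUP_SUFFIX):
            current = ln[: -len(DUP_SUFFIX)]
            groups[current] = []
        elif current and ln.strip() and ln[:1] in (" ", "\t"):
            groups[current].append(ln.strip())
        else:
            current = None  # a blank line or the trailer ends the group
    return groups

def duplicates_involving_host(setspn_x_text, host):
    """Keep only duplicate groups whose SPN names the NAV host; others are noise here."""
    return {spn: accts for spn, accts in parse_duplicate_groups(setspn_x_text).items()
            if spn.split("/", 1)[-1].split(":")[0].split(".")[0].lower() == host.lower()}
```

Against real output, save `setspn -L corp\<account>` and `setspn -X` to files and pass their contents to `missing_http_spns` and `duplicates_involving_host`. Step #2's "Use any authentication protocol" enables protocol transition, a broader grant than Kerberos-only constrained delegation, so once the SPNs are complete it is worth retesting with the Kerberos-only setting.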