mibuso.com
Home NAV Three Tier

[nav2013] Active Directory user groups not working?

PoltergeistPoltergeist Member Posts: 200
edited 2013-05-14 in NAV Three Tier
I've set up a three tier environment for Dynamics NAV 2013 Beta (build 33451), and users can login with their Windows Account if the users are added via CRONUS Nederland BV/Departments/Administration/IT Administration/General/Users. However, Active Directory User groups are not recognized. I can easily add the group (for example domain admins) to the list, but users which are a member of the group Domain admins are unable to sign in. When starting the RTC, the following message appears:

"You are not authorized to sign in. Verify that you are using valid credentials and that you have been set up as a user in Microsoft Dynamics NAV"

The applicationlogs give the following error:

Service: DynamicsNAV70
User: DOMAIN\administrator
Type: Microsoft.Dynamics.Nav.Types.Exceptions.NavInvalidCredentialException
SuppressMessage: False
FatalityScope: None
Message: The server has rejected the client credentials.
StackTrace:
at Microsoft.Dynamics.Nav.Service.NSServiceBase.ValidateAndCreateConnection(ConnectionRequest connectionRequest)
at Microsoft.Dynamics.Nav.Service.NSServiceBase.OpenConnection(ConnectionRequest connectionRequest)
Source: Microsoft.Dynamics.Nav.Service

with the following eventdata:

Service: DynamicsNAV70 User: DOMAIN\administrator Type: Microsoft.Dynamics.Nav.Types.Exceptions.NavInvalidCredentialException SuppressMessage: False FatalityScope: None Message: The server has rejected the client credentials. StackTrace: at Microsoft.Dynamics.Nav.Service.NSServiceBase.ValidateAndCreateConnection(ConnectionRequest connectionRequest) at Microsoft.Dynamics.Nav.Service.NSServiceBase.OpenConnection(ConnectionRequest connectionRequest) Source: Microsoft.Dynamics.Nav.Service

Is there no possibility to use AD groups anymore, or am I doing something wrong? (I´m hoping for the last, of course)

Comments

  • kinekine Member Posts: 12,562
    I am afraid that groups are not working anymore. Because the records are really records for "users", which have some permission sets assigned, full name etc., and the authentication could be made by some providers like facebook etc., it is different than it was. Because there is no delegation behind, all is done by NAV. And this way of "users" is different than having users and groups which are together assigning permissions.
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • PoltergeistPoltergeist Member Posts: 200
    I for sure certainly hope this will be "fixed" in the final version. It still uses the Security ID's from the active directory to login, so there s still some validation against the AD (at, least, I hope so...) it would be a drag to have to enter all users in every database, while microsoft advices to use groups as much as possible on the filesystems and other areas...
  • clabandclaband Member, Microsoft Employee Posts: 26
    Windows Groups does work in NAV 2013. You will have to add each user to the user table. You only need to assign permissions to the Windows Group instead of maintaining permissions on each individual user

    /Claus
    Claus Busk Andersen
    Program Manager
    Microsoft Dynamics NAV
  • kinekine Member Posts: 12,562
    OK, if I understand correctly, it is same situation like when using extended security model in older versions, when we can use groups to assign permissions, but each user must exist in NAV to have access...
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • jwikmanjwikman Member Posts: 25
    Hi guys,

    Does anyone got this to work on NAV 2013 RTM?

    I can't get it to work with User Permission Sets (SUPER) only set on a domain group. My domain user is also added, but without User Permission Sets. I even tried with a domain admin account as NST account, to rule out permissions issues with the AD, but with the same result. ](*,)

    If Claus says it should work I really believe this should work, so I guess I'm missing something here...

    Thanks,
    Johannes
  • guardiooguardioo Member Posts: 13
    i had tested on NAV 2013 RTM, by adding domain\domain users inside and set permission to super, it does work.

    I had tested by adding few different group inside and i manage to login using designated user account.
  • jwikmanjwikman Member Posts: 25
    Thanks,

    That's great news guardioo!

    That means that there are some problems in our environment, but that should be solvable. :)

    Thanks for the update,
    Johannes
  • guardiooguardioo Member Posts: 13
    After i try on NAV2013 RTM, its not working for domain group anymore, does anyone manage to make it work.
  • Excepti0nalExcepti0nal Member Posts: 74
    I am using AD groups in a live production environment right now. Have you applied the correct permission sets to the group? If not, assign the basic role and that should at least let you login. Also, when you added the group under the users, did you select that it is a windows group?
  • guardiooguardioo Member Posts: 13
    Thanks for reply,

    Was doing the same thing though,

    quite weird it doesnt work suddenly, maybe will try redo all the thing again to check on this issues.

    will update you once manage to solve it
  • Alex_ChowAlex_Chow Member Posts: 5,063
    One thing I noticed about the windows group is that it will need a few hours before it takes affect. I'm not exactly sure why.
    Confessions of a Dynamics NAV Consultant = my blog
    AP Commerce, Inc. = where I work

    Getting Started with Dynamics NAV 2013 Application Development = my book
    Implementing Microsoft Dynamics NAV - 3rd Edition = my 2nd book
  • camecame Member Posts: 12
    Hi everbody,

    since few day's I'm employ to NAV Security.
    I like the new features and workaround.
    No, SQL User will be require if you only want to use the RTC Client.
    ...

    But what are the benefits of adding every user again in the RTC Client as an user?
    Is it only security?

    On the SQL Server you don't need it! Here it will be enough if you added the AD Group.

    Thanks in advance!

    Best regards
    came
  • krikikriki Member, Moderator Posts: 9,112
    came wrote:
    But what are the benefits of adding every user again in the RTC Client as an user?
    Is it only security?
    No, it is mandatory to be able to login. It is not needed to add "Permission Sets" (the old roles) to it. You can create a user that points to a windows group and just add the permission sets to it.

    came wrote:
    On the SQL Server you don't need it! Here it will be enough if you added the AD Group.
    On SQL Server, you only need to add the user used by the Dynamics NAV server-service. No need to add other users for NAV.
    Regards,Alain Krikilion
    No PM,please use the forum. || May the <SOLVED>-attribute be in your title!

  • camecame Member Posts: 12
    kriki wrote:
    came wrote:
    But what are the benefits of adding every user again in the RTC Client as an user?
    Is it only security?
    No, it is mandatory to be able to login. It is not needed to add "Permission Sets" (the old roles) to it. You can create a user that points to a windows group and just add the permission sets to it.
    But why it's not enough to add the AD Group with Permissions like SQL?
    kriki wrote:
    came wrote:
    On the SQL Server you don't need it! Here it will be enough if you added the AD Group.
    On SQL Server, you only need to add the user used by the Dynamics NAV server-service. No need to add other users for NAV.
    This is only require if you want do go in DEV Client. Normaly, no SQL User is will created within a NAV User creation.
    So, if you have 20 users it will be better to add an AD Group. That's not possible in RTC.
    Here all users who are in the AD Group needs to be create as an new user in NAV.
Sign In or Register to comment.