[nav2013] Active Directory user groups not working?

Poltergeist

I've set up a three tier environment for Dynamics NAV 2013 Beta (build 33451), and users can login with their Windows Account if the users are added via CRONUS Nederland BV/Departments/Administration/IT Administration/General/Users. However, Active Directory User groups are not recognized. I can easily add the group (for example domain admins) to the list, but users which are a member of the group Domain admins are unable to sign in. When starting the RTC, the following message appears:

"You are not authorized to sign in. Verify that you are using valid credentials and that you have been set up as a user in Microsoft Dynamics NAV"

The applicationlogs give the following error:

Service: DynamicsNAV70
User: DOMAIN\administrator
Type: Microsoft.Dynamics.Nav.Types.Exceptions.NavInvalidCredentialException
SuppressMessage: False
FatalityScope: None
Message: The server has rejected the client credentials.
StackTrace:
at Microsoft.Dynamics.Nav.Service.NSServiceBase.ValidateAndCreateConnection(ConnectionRequest connectionRequest)
at Microsoft.Dynamics.Nav.Service.NSServiceBase.OpenConnection(ConnectionRequest connectionRequest)
Source: Microsoft.Dynamics.Nav.Service

with the following eventdata:

Service: DynamicsNAV70 User: DOMAIN\administrator Type: Microsoft.Dynamics.Nav.Types.Exceptions.NavInvalidCredentialException SuppressMessage: False FatalityScope: None Message: The server has rejected the client credentials. StackTrace: at Microsoft.Dynamics.Nav.Service.NSServiceBase.ValidateAndCreateConnection(ConnectionRequest connectionRequest) at Microsoft.Dynamics.Nav.Service.NSServiceBase.OpenConnection(ConnectionRequest connectionRequest) Source: Microsoft.Dynamics.Nav.Service

Is there no possibility to use AD groups anymore, or am I doing something wrong? (I´m hoping for the last, of course)

kine

I am afraid that groups are not working anymore. Because the records are really records for "users", which have some permission sets assigned, full name etc., and the authentication could be made by some providers like facebook etc., it is different than it was. Because there is no delegation behind, all is done by NAV. And this way of "users" is different than having users and groups which are together assigning permissions.

Poltergeist

I for sure certainly hope this will be "fixed" in the final version. It still uses the Security ID's from the active directory to login, so there s still some validation against the AD (at, least, I hope so...) it would be a drag to have to enter all users in every database, while microsoft advices to use groups as much as possible on the filesystems and other areas...

claband

Windows Groups does work in NAV 2013. You will have to add each user to the user table. You only need to assign permissions to the Windows Group instead of maintaining permissions on each individual user

/Claus

kine

OK, if I understand correctly, it is same situation like when using extended security model in older versions, when we can use groups to assign permissions, but each user must exist in NAV to have access...

jwikman

Hi guys,

Does anyone got this to work on NAV 2013 RTM?

I can't get it to work with User Permission Sets (SUPER) only set on a domain group. My domain user is also added, but without User Permission Sets. I even tried with a domain admin account as NST account, to rule out permissions issues with the AD, but with the same result. ](*,)

If Claus says it should work I really believe this should work, so I guess I'm missing something here...

Thanks,
Johannes

guardioo

i had tested on NAV 2013 RTM, by adding domain\domain users inside and set permission to super, it does work.

I had tested by adding few different group inside and i manage to login using designated user account.

jwikman

Thanks,

That's great news guardioo!

That means that there are some problems in our environment, but that should be solvable.

Thanks for the update,
Johannes

guardioo

After i try on NAV2013 RTM, its not working for domain group anymore, does anyone manage to make it work.

Excepti0nal

I am using AD groups in a live production environment right now. Have you applied the correct permission sets to the group? If not, assign the basic role and that should at least let you login. Also, when you added the group under the users, did you select that it is a windows group?

guardioo

Thanks for reply,

Was doing the same thing though,

quite weird it doesnt work suddenly, maybe will try redo all the thing again to check on this issues.

will update you once manage to solve it

Alex_Chow

One thing I noticed about the windows group is that it will need a few hours before it takes affect. I'm not exactly sure why.

came

Hi everbody,

since few day's I'm employ to NAV Security.
I like the new features and workaround.
No, SQL User will be require if you only want to use the RTC Client.
...

But what are the benefits of adding every user again in the RTC Client as an user?
Is it only security?

On the SQL Server you don't need it! Here it will be enough if you added the AD Group.

Thanks in advance!

Best regards
came

kriki

came wrote:

But what are the benefits of adding every user again in the RTC Client as an user?
Is it only security?

No, it is mandatory to be able to login. It is not needed to add "Permission Sets" (the old roles) to it. You can create a user that points to a windows group and just add the permission sets to it.

came wrote:

On the SQL Server you don't need it! Here it will be enough if you added the AD Group.

On SQL Server, you only need to add the user used by the Dynamics NAV server-service. No need to add other users for NAV.

came

kriki wrote:

came wrote:

But what are the benefits of adding every user again in the RTC Client as an user?
Is it only security?

No, it is mandatory to be able to login. It is not needed to add "Permission Sets" (the old roles) to it. You can create a user that points to a windows group and just add the permission sets to it.

But why it's not enough to add the AD Group with Permissions like SQL?

kriki wrote:

came wrote:

On the SQL Server you don't need it! Here it will be enough if you added the AD Group.

On SQL Server, you only need to add the user used by the Dynamics NAV server-service. No need to add other users for NAV.

This is only require if you want do go in DEV Client. Normaly, no SQL User is will created within a NAV User creation.
So, if you have 20 users it will be better to add an AD Group. That's not possible in RTC.
Here all users who are in the AD Group needs to be create as an new user in NAV.