NAV2009 R2 Webservices and delegation

dkavaliunas Member Posts: 8
edited 2014-01-29 in NAV Three Tier
Hello,

We have NAV2009 R2 webservices, which should be accessible from the internet.
The NAV service tier is installed on the server nav.internal.contoso.com. The same server is accessible from the internet as navws.contoso.com.
SPNs for both addresses are registered on the NAV service user:
HTTP/nav
HTTP/nav:7047
HTTP/nav.internal.contoso.com
HTTP/nav.internal.contoso.com:7047
HTTP/navws.contoso.com
HTTP/navws.contoso.com:7047

Webservices work correctly when accessed from the internal network, even from a computer which is not part of the domain.

An attempt to open the webservices from outside only works if the NAV service user is set to "Trust this user for delegation to specified services only" -> "Use any authentication protocol". But when using this option, it is not possible to access SMB2 shares (according to http://support.microsoft.com/kb/2621984).

When the NAV service user is set to "Trust this user for delegation to any service (Kerberos only)", an attempt to access the web service ends with a message about a failed login to SQL Server.
In the network trace I can see KRB5KDC_ERR_BADOPTION NT Status: STATUS_NOT_SUPPORTED.


So the question is: is it possible to use NAV webservices from the internet when the NAV service user is trusted to delegate to any service?

Any ideas would be appreciated.
Darius
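
The delegation options named in the post are stored on the service account as `userAccountControl` bits and the `msDS-AllowedToDelegateTo` attribute. The following added example (not part of the original post) reads them back and checks the SPN list from the post; it assumes the ActiveDirectory PowerShell module is installed, and the account name `navsvc` and the function name `Get-DelegationMode` are placeholders.

```powershell
# Added example: report the delegation mode and SPNs of the NAV service account.
Import-Module ActiveDirectory

function Get-DelegationMode {
    param(
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [string[]] $AllowedToDelegateTo = @()
    )
    # userAccountControl flag values
    $TrustedForDelegation       = 0x80000    # "delegation to any service (Kerberos only)"
    $TrustedToAuthForDelegation = 0x1000000  # "Use any authentication protocol"

    if ($UserAccountControl -band $TrustedForDelegation) {
        return 'Any service (Kerberos only)'
    }
    if ($AllowedToDelegateTo.Count -gt 0) {
        if ($UserAccountControl -band $TrustedToAuthForDelegation) {
            return 'Specified services only, any authentication protocol'
        }
        return 'Specified services only, Kerberos only'
    }
    return 'Not trusted for delegation'
}

$accountName  = 'navsvc'   # placeholder: the NAV service user
$expectedSpns = @(         # SPNs listed in the post
    'HTTP/nav', 'HTTP/nav:7047',
    'HTTP/nav.internal.contoso.com', 'HTTP/nav.internal.contoso.com:7047',
    'HTTP/navws.contoso.com', 'HTTP/navws.contoso.com:7047'
)

$account = Get-ADUser -Identity $accountName `
    -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
$registered = @($account.servicePrincipalName)
$targets    = @($account.'msDS-AllowedToDelegateTo')

[pscustomobject]@{
    Account           = $account.SamAccountName
    DelegationMode    = Get-DelegationMode -UserAccountControl $account.userAccountControl `
                            -AllowedToDelegateTo $targets
    DelegationTargets = $targets   # services the account may delegate to, if constrained
    MissingSpns       = @($expectedSpns | Where-Object { $registered -notcontains $_ })
}
```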