NAV2009 R2 Webservices and delegation

dkavaliunas
Member Posts: 8
Hello,
We have NAV2009 R2 webservices, which should be accessible from the internet.
NAV service tier is installed on the server nav.internal.contoso.com. The same server from the internet is accessible as navws.contoso.com.
SPNs for both addresses are registered on the NAV service user:
HTTP/nav
HTTP/nav:7047
HTTP/nav.internal.contoso.com
HTTP/nav.internal.contoso.com:7047
HTTP/navws.contoso.com
HTTP/navws.contoso.com:7047
Webservices work correctly when accessed from the internal network, even from the computer which is not a part of the domain.
An attempt to open the webservices from outside only works if the NAV service user is set to "Trust this user for delegation to specified services only" -> "Use any authentication protocol". But when using this option, it is not possible to access SMB2 shares (according to http://support.microsoft.com/kb/2621984).
When the NAV service user is set to "Trust this user for delegation to any service (Kerberos only)", an attempt to access the web service ends with a message about a failed login to SQL Server.
In the network trace I can see KRB5KDC_ERR_BADOPTION NT Status: STATUS_NOT_SUPPORTED.
So the question is: is it possible to use NAV webservices from the internet, when NAV service user is trusted to delegate to any service?
Any ideas would be appreciated.
Darius
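
The delegation options named in the post are stored on the service account as `userAccountControl` flags plus the `msDS-AllowedToDelegateTo` list. The PowerShell below is an added example, not part of the original post: it reports which option an account is in and which HTTP SPNs are missing for the host names clients use. The function name `Get-DelegationReport`, the sample account object and the account name `svc-nav` are assumptions made for illustration.

```powershell
# Added example (not from the original post). Maps the raw AD attributes of a
# service account to the delegation options named in the post.
$TRUSTED_FOR_DELEGATION         = 0x80000    # "delegation to any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

function Get-DelegationReport {              # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Account,     # object carrying the three attributes read below
        [string[]] $HostNames = @()          # host[:port] names clients use to reach the service
    )
    $uac     = [int]$Account.userAccountControl
    $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $spns    = @($Account.servicePrincipalName | Where-Object { $_ })

    $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) {
        'Any service (Kerberos only)'
    } elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        'Specified services only, any authentication protocol'
    } elseif ($targets.Count -gt 0) {
        'Specified services only, Kerberos only'
    } else {
        'Not trusted for delegation'
    }

    [pscustomobject]@{
        Mode              = $mode
        DelegationTargets = $targets
        MissingHttpSpns   = @($HostNames | ForEach-Object { "HTTP/$_" } |
                                Where-Object { $spns -notcontains $_ })
    }
}

# Constructed sample: SPNs copied from the post; the flag value is an assumed
# NORMAL_ACCOUNT (0x200) + TRUSTED_FOR_DELEGATION with no constrained targets.
$sample = [pscustomobject]@{
    userAccountControl         = 0x80200
    'msDS-AllowedToDelegateTo' = @()
    servicePrincipalName       = @(
        'HTTP/nav', 'HTTP/nav:7047',
        'HTTP/nav.internal.contoso.com', 'HTTP/nav.internal.contoso.com:7047',
        'HTTP/navws.contoso.com', 'HTTP/navws.contoso.com:7047'
    )
}
Get-DelegationReport -Account $sample -HostNames 'nav.internal.contoso.com:7047', 'navws.contoso.com:7047'

# Against a live domain (needs the ActiveDirectory module; 'svc-nav' is a placeholder):
# Get-ADUser svc-nav -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName |
#     ForEach-Object { Get-DelegationReport -Account $_ -HostNames 'navws.contoso.com:7047' }
```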